Check Point’s SandBlast sandbox spells R.I.P for ROP attacks
Called SandBlast, the new software monitors CPU activity looking for anomalies that indicate that attackers are using sophisticated methods that would go unnoticed with traditional sandboxing technology, according to Nathan Shuchami, head of threat prevention sales for Check Point.
Traditional sandboxes, including Check Point’s, determine whether files are legitimate by opening them in a virtual environment to see what they do. To get past the sandboxes attackers have devised evasion techniques, such as delaying execution until the sandbox has given up or lying dormant until the machine it’s trying to infect reboots.
SandBlast thwarts the evasion technique called Return Oriented Programming (ROP), which enables running malicious executable code on top of data files despite protection offered by Data Execution Prevention (DEP), a widespread operating system feature whose function is to block executable code from being added to data files.
ROP does this by grabbing legitimate pieces of code called gadgets and running them to force the file to create new memory page where malicious shell code can be uploaded to gain execution privileges. This process has the CPU responding to calls that return to addresses different from where they started.
SandBlaster has a CPU-level detection engine that picks up on this anomaly and blocks the activity. The engine is available either on an appliance in customers’ data centers or as a cloud service running out of Check Point’s cloud. The engine relies on features of Intel’s Haswell CPU architecture, Shuchami says.
The appliance and service had already been available for Check Point’s existing sandbox offering called Threat Emulation, and for customers who had it SandBlast is an upgrade at no extra charge. For new customers, the service costs between $3,500 and $30,000 per year per Check Point gateway. The appliances range from $27,000 to $200,000. These are the same prices Check Point charged for Threat Emulation without SandBlast.
Check Point is also introducing a feature called Threat Extraction which makes it safe to open documents quickly before they can be run through the sandbox. It converts Word documents do PDF files, which neutralizes malware they may contain, Shuchami says. It can convert PDF files to PDF files as well to reach the same end.
This makes it safe to view the content of the documents quickly while the sandbox works in the background. If the user need the original, it would be available after the sandbox found it benign, he says.
Alternatively, Threat Extraction could remove macros, Javascript, links and other potentially malicious features, but that doesn’t make files as safe as converting them does, he says.