2016-03-10

Mining Sandboxes for Security

For the past three years, my students and I have worked on a novel and general approach to address software security.  This week at CeBIT, we're happy to spread some good news.

The concept of "Mining Sandboxes" protects against unexpected changes of software behavior and thus drastically reduces the attack surface of software systems. Our "Boxmate" prototype automatically mines program behavior by executing generated tests, systematically exploring the program’s behavior together with the accessed resources. The collected behavior rules form a sandbox, which at production time prohibits behavior not seen during testing. This brings several compelling features:

No unexpected behavior changes. The mined sandbox prevents behavior changes caused by latent malware, vulnerability exploitations, malware infections, or targeted attacks.

Closing the backdoors. The mined sandbox protects against backdoors that would not be discovered during normal usage.

No malware patterns required. The approach assumes no information about earlier or future attacks; it protects against known and novel attacks alike.

No training in production. In contrast to anomaly detection systems, all “normal” behavior is already explored during testing. The program is protected even before its first deployment.

No code required.  We require no knowledge about source or binary code, and thus can handle obfuscated, obscure, or adverse programs.

Want to get a brief overview of how it works? Here's a video, narrated by yours truly:


Conceptually, the techniques of Mining Sandboxes scale to arbitrary code size and can be applied to mobile apps, embedded systems, and server software alike.  Mining sandboxes is fully automatic, such that vendors, developers, and users can mine, inspect, compare, and exchange sandboxes at any time.  And for the testing researchers among us: This research leverages the incompleteness of testing to turn it into an advantage; and to actually produce guarantees from testing.

At this point, all of this is still research, so you cannot yet buy this in a shop near you.  And as with any big set of benefits, there's also drawbacks, in particular with legitimate functionality not found during testing – and there's still loads and loads of things to do.  But our first results with our prototype on real-world apps are more than promising; we have a nice paper coming up at the ICSE conference in May 2016, Austin, Texas.  And I am even more excited about this work than any other pioneering work of ours before, even more than say, Delta Debugging, or Mining Software Repositories – because if it succeeds, it would not only impact the lives of software developers, but actually address many of the software security problems we see in the news every day.

If this has captured your attention, you can read more about the project at its site: http://www.boxmate.org/.  Or you can visit us at the CeBIT computer fair in Hannover between March 14 and March 18 (Hall 6, Stand D 28); I will be on site Monday and Tuesday.  I'd love to get engaged in discussions!