System and method to detect bypass of a sandbox application

US 10,574,672 B2
Filed: 07/01/2016
Issued: 02/25/2020
Est. Priority Date: 07/01/2016
Status: Active Grant

First Claim

Patent Images

1. At least one non-transitory machine readable medium comprising one or more instructions that when executed by at least one processor, cause the at least one processor to:

receive data related to execution of a sandboxed process;

determine whether a high privileged process was created by the sandboxed process, wherein the high privileged process was created by the sandboxed process if a resource folder is directly linked with a sandbox folder;

determine whether the data indicates the sandboxed process is attempting a sandbox bypass attack; and

block the sandboxed process from executing based on a determination that the high privileged process was created by the sandboxed process and based on a determination that the data indicates the sandboxed process is attempting the sandbox bypass attack.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Particular embodiments described herein provide for an electronic device that can be configured to receive data related to execution of a sandboxed process, determine if a high privileged process was created by the sandboxed process, and block the sandboxed process from executing if the high privileged process was created by the sandboxed process and the data indicates the sandboxed process is attempting a sandbox bypass attack. In an example, the high privileged process was created by the sandboxed process if a resource folder is associated with a sandbox folder. In another example, the high privileged process was created by the sandboxed process if a resource folder was created by a broker process in response to a request by the sandboxed process.

Citations

16 Claims

1. At least one non-transitory machine readable medium comprising one or more instructions that when executed by at least one processor, cause the at least one processor to:
- receive data related to execution of a sandboxed process;
  
  determine whether a high privileged process was created by the sandboxed process, wherein the high privileged process was created by the sandboxed process if a resource folder is directly linked with a sandbox folder;
  
  determine whether the data indicates the sandboxed process is attempting a sandbox bypass attack; and
  
  block the sandboxed process from executing based on a determination that the high privileged process was created by the sandboxed process and based on a determination that the data indicates the sandboxed process is attempting the sandbox bypass attack.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The at least one non-transitory machine readable medium of claim 1, wherein the high privileged process was created by the sandboxed process if the resource folder was created by an irrelevant broker process.
  - 3. The at least one non-transitory machine readable medium of claim 1, wherein the high privileged process was created by the sandboxed process if the resource folder was created by a broker process in response to a request by the sandboxed process.
  - 4. The at least one non-transitory machine readable medium of claim 1, further comprising one or more instructions that when executed by the at least one processor, further cause the at least one processor to:
    - determine if the resource folder includes a resource to be loaded or executed by a sandbox broker.
  - 5. The at least one non-transitory machine readable medium of claim 1, further comprising one or more instructions that when executed by the at least one processor, further cause the at least one processor to:
    - allow the sandboxed process if the resource is properly signed.

6. An apparatus comprising:
- a bypass monitor engine, having a hardware processor, configured to;
  
  receive data related to execution of a sandboxed process;
  
  determine whether a high privileged process was created by the sandboxed process, wherein the high privileged process was created by the sandboxed process if a resource folder is directly linked with a sandbox folder;
  
  determine whether the data indicates the sandboxed process is attempting a sandbox bypass attack; and
  
  block the sandboxed process from executing based on a determination that the high privileged process was created by the sandboxed process and based on a determination that the data indicates the sandboxed process is attempting the sandbox bypass attack.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The apparatus of claim 6, wherein the high privileged process was created by the sandboxed process if the resource folder was created by an irrelevant broker process.
  - 8. The apparatus of claim 6, wherein the high privileged process was created by the sandboxed process if the resource folder was created by a broker process in response to a request by the sandboxed process.
  - 9. The apparatus of claim 6, wherein the bypass monitor engine is further configured to:
    - determine if the resource folder includes a resource to be loaded or executed by a sandbox broker.
  - 10. The apparatus of claim 9, wherein the bypass monitor engine is further configured to:
    - allow the sandboxed process if the resource is properly signed.

11. A method comprising:
- receiving data related to execution of a sandboxed process;
  
  determining if a resource folder is associated with a sandbox folder;
  
  determining, based on a determination that the resource folder is directly linked with the sandbox folder, that a high privileged process was created by the sandboxed process;
  
  determining whether the data indicates the sandboxed process is attempting a sandbox bypass attack; and
  
  blocking the sandboxed process from executing based on a determination that the high privileged process was created by the sandboxed process and based on a determination that the data indicates the sandboxed process is attempting a sandbox bypass attack.
- View Dependent Claims (12, 13, 14)
- - 12. The method of claim 11, further comprising:
    - determining if the resource folder was created by an irrelevant broker process.
  - 13. The method of claim 11, further comprising:
    - determining if the resource folder was created by a broker process in response to a request by the sandboxed process.
  - 14. The method of claim 11, further comprising:
    - determining if the resource folder includes a resource to be loaded or executed by a sandbox broker.

15. A system for detecting bypass of a sandbox, the system comprising:
- a bypass monitor engine, having a hardware processor, configured to;
  
  receive data related to execution of a sandboxed process;
  
  determine whether a high privileged process was created by the sandboxed process, wherein the high privileged process was created by the sandboxed process if a resource folder is directly linked with a sandbox folder;
  
  determine whether the data indicates the sandboxed process is attempting a sandbox bypass attack; and
  
  block the sandboxed process from executing based on a determination that the high privileged process was created by the sandboxed process and based on a determination that the data indicates the sandboxed process is attempting a sandbox bypass attack.
- View Dependent Claims (16)
- - 16. The system of claim 15, wherein the high privileged process was created by the sandboxed process if the resource folder was created by a broker process in response to a request by the sandboxed process.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, LLC
Inventors
Li, Xiaoning, Li, Haifei, Sun, Bing, Deng, Lu
Primary Examiner(s)
Su, Sarah

Application Number

US15/200,983
Publication Number

US 20180007068A1
Time in Patent Office

1,334 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

System and method to detect bypass of a sandbox application

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

System and method to detect bypass of a sandbox application

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links