System and method to detect bypass of a sandbox application
Abstract
Particular embodiments described herein provide for an electronic device that can be configured to receive data related to execution of a sandboxed process, determine if a high privileged process was created by the sandboxed process, and block the sandboxed process from executing if the high privileged process was created by the sandboxed process and the data indicates the sandboxed process is attempting a sandbox bypass attack. In an example, the high privileged process was created by the sandboxed process if a resource folder is associated with a sandbox folder. In another example, the high privileged process was created by the sandboxed process if a resource folder was created by a broker process in response to a request by the sandboxed process.
16 Claims
1. At least one non-transitory machine readable medium comprising one or more instructions that when executed by at least one processor, cause the at least one processor to:
- receive data related to execution of a sandboxed process;
- determine whether a high privileged process was created by the sandboxed process, wherein the high privileged process was created by the sandboxed process if a resource folder is directly linked with a sandbox folder;
- determine whether the data indicates the sandboxed process is attempting a sandbox bypass attack; and
- block the sandboxed process from executing based on a determination that the high privileged process was created by the sandboxed process and based on a determination that the data indicates the sandboxed process is attempting the sandbox bypass attack.
Dependent claims: 2, 3, 4, 5

6. An apparatus comprising:
- a bypass monitor engine, having a hardware processor, configured to:
- receive data related to execution of a sandboxed process;
- determine whether a high privileged process was created by the sandboxed process, wherein the high privileged process was created by the sandboxed process if a resource folder is directly linked with a sandbox folder;
- determine whether the data indicates the sandboxed process is attempting a sandbox bypass attack; and
- block the sandboxed process from executing based on a determination that the high privileged process was created by the sandboxed process and based on a determination that the data indicates the sandboxed process is attempting the sandbox bypass attack.
Dependent claims: 7, 8, 9, 10

11. A method comprising:
- receiving data related to execution of a sandboxed process;
- determining if a resource folder is associated with a sandbox folder;
- determining, based on a determination that the resource folder is directly linked with the sandbox folder, that a high privileged process was created by the sandboxed process;
- determining whether the data indicates the sandboxed process is attempting a sandbox bypass attack; and
- blocking the sandboxed process from executing based on a determination that the high privileged process was created by the sandboxed process and based on a determination that the data indicates the sandboxed process is attempting a sandbox bypass attack.
Dependent claims: 12, 13, 14

15. A system for detecting bypass of a sandbox, the system comprising:
- a bypass monitor engine, having a hardware processor, configured to:
- receive data related to execution of a sandboxed process;
- determine whether a high privileged process was created by the sandboxed process, wherein the high privileged process was created by the sandboxed process if a resource folder is directly linked with a sandbox folder;
- determine whether the data indicates the sandboxed process is attempting a sandbox bypass attack; and
- block the sandboxed process from executing based on a determination that the high privileged process was created by the sandboxed process and based on a determination that the data indicates the sandboxed process is attempting a sandbox bypass attack.
Dependent claims: 16