Computer Science ›› 2017, Vol. 44 ›› Issue (11): 246-252, 267.doi: 10.11896/j.issn.1002-137X.2017.11.037

Previous Articles     Next Articles

Windows Security Mechanisms Simulation and Sandbox System Implementation Based on Wine

DIAO Ming-zhi, ZHOU Yuan, LI Zhou-jun and ZHAO Yu-fei   

  • Online:2018-12-01 Published:2018-12-01

Abstract: We simulated two Windows security mechanisms,adress space layout randomization (ASLR) and user account control (UAC) Virtualization,based on open source software Wine.The two mechanisms make the Wine’s environment closer to the real operating system and safer.Based on the two security mechanisms,we further presented a relatively real sandbox system,which employs the wineserver mechanism and utilizes the .wine directory of Wine as the running environment for samples to detect the dynamic behavior.The experimental results show that the proposed sandbox system presents the basic characteristics of ASLR and UAC Virtualization.Compared with other sandboxes,our proposed sandbox system can not only effectively detect behaviors of unknown samples,but also has features like low resource utilization,good isolation and fast status rollback,which make it meet the requirements of batch deployment and operation.

Key words: Wine,ASLR,UAC Virtualization,Dynamic behavior detection,Sandbox

[1] GUARNIERI C,SCHLOESSER M,et al.Cuckoo Sandbox[EB/OL].
[2] Comodo Instant Malware Analysis[EB/OL].http://cam-
[3] JOESandbox[EB/OL].
[4] Maldun[EB/OL].
[5] Fireeye by Kingsoft[EB/OL].
[6] JANA S,PORTER D,SHMATIKOV V.TxBox:Building Se-cure,Efficient Sandboxes with System Transactions[C]∥IEEE Conference on Security and Privacy.2011:329-344.
[7] LI C,TU B B,et al.Design and Implementation of of Linux Application Sandbox Based on Multiple Security Mechanisms[J].Journal of Integration Technology,2014,3(4):31-37.(in Chinese) 李晨,涂碧波,等.基于多安全机制的Linux应用沙箱的设计与实现[J].集成技术,2014,3(4):31-37.
[8] CHENG X P,CHEN L J.Design and Implementation of Sandbox Module Based on LSM[J].Computer & Digital Enginee-ring,2014,42(8):1521-1525.(in Chinese) 程香鹏,陈莉君.基于LSM的沙箱模块设计与实现[J].计算机与数字工程,2014,42(8):1521-1525.
[9] Sandboxie[EB/OL].
[10] CHEN X,ANDERSEN J,MAO Z M,et al.Towards an under- standing of anti-virtualization and anti-debugging behavior in modern malware[C]∥IEEE Conference on Dependable Systems and Networks With FTCS and DCC(DSN).2008:177-186.
[11] CARPENTER M,LISTON T,SLOUDIS E.Hiding virtualization from attackers and malware[J].IEEE Security & Privacy,2007,5(3):62-65.
[12] LIU K,LU S,LIU C G.POSTER:Fingerprinting the Publicly Available Sandboxes[C]∥Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security.2014:1469-1471.
[13] LINDORFER M,KOLBITSCH C,C OMPARETTI P.Detecting Environment-Sensitive Malware[C]∥Proceedings of 14th International Symposium,RAID.2011:338-357.
[14] HSU C W,et al.Divergence Detector:A Fine-Grained Approach to Detecting VM-Awareness Malware[C]∥IEEE International Conference on Software Security and Reliability.2013:80-89.
[15] KATSUNARI Y,YOSHIHIKO H,T ATSUNORI O,et al.Vulnerability in Public Malware Sandbox Analysis Systems[C]∥Proceedings of 10th IEEE/IPSJ International Symposium.2010:265-268.
[16] Wine Develop Guide[EB/OL]. /winedev-guide/index.
[17] SHACHAM H,PAGE M,PFAFF B,et al.On the effectiveness of address-space randomization[C]∥Proceedings of the 11th ACM Conference on Computer and Communications Security.2004:298-307.
[18] LI L,JUST J E,SEKAR R.Address-Space Randomization for Windows Systems[C]∥Proceedings of Computer Security Applications Conference(ACSAC’06).2006:329-338.
[19] WHITEHOUSE O.An Analysis of Address Space Layout Randomization on Windows Vista[M].Symantec Advanced Threat Research,2007.
[20] Inside Windows Vista User Access Control [EB/OL].
[21] UAC Windows7 Tutorial[EB/OL].
[22] SAMI A,YADEGARI B,RAHIMI H,et al.Malware detection based on mining API calls[C]∥Proceedings of the 2010 ACM Symposium on Applied Computing.2010:1020-1025.
[23] QIAO Y,et al.Analyzing Malware by Abstracting the Frequent Itemsets in API Call Sequences[C]∥Proceedings of 12th IEEE International Conference on Trust,Security and Privacy in Computing and Communications.2013:265-270.
[24] FARUKI P,LAXMI V,VINOD P,et al.Behavioural detection with API call-grams to identify malicious PE files[C]∥Procee-dings of the First International Conference on Security of Internet of Things.2012:85-91.
[25] VirusTotal[EB/OL].

No related articles found!
Full text



[1] LEI Li-hui and WANG Jing. Parallelization of LTL Model Checking Based on Possibility Measure[J]. Computer Science, 2018, 45(4): 71 -75, 88 .
[2] XIA Qing-xun and ZHUANG Yi. Remote Attestation Mechanism Based on Locality Principle[J]. Computer Science, 2018, 45(4): 148 -151, 162 .
[3] LI Bai-shen, LI Ling-zhi, SUN Yong and ZHU Yan-qin. Intranet Defense Algorithm Based on Pseudo Boosting Decision Tree[J]. Computer Science, 2018, 45(4): 157 -162 .
[4] WANG Huan, ZHANG Yun-feng and ZHANG Yan. Rapid Decision Method for Repairing Sequence Based on CFDs[J]. Computer Science, 2018, 45(3): 311 -316 .
[5] SUN Qi, JIN Yan, HE Kun and XU Ling-xuan. Hybrid Evolutionary Algorithm for Solving Mixed Capacitated General Routing Problem[J]. Computer Science, 2018, 45(4): 76 -82 .
[6] ZHANG Jia-nan and XIAO Ming-yu. Approximation Algorithm for Weighted Mixed Domination Problem[J]. Computer Science, 2018, 45(4): 83 -88 .
[7] WU Jian-hui, HUANG Zhong-xiang, LI Wu, WU Jian-hui, PENG Xin and ZHANG Sheng. Robustness Optimization of Sequence Decision in Urban Road Construction[J]. Computer Science, 2018, 45(4): 89 -93 .
[8] LIU Qin. Study on Data Quality Based on Constraint in Computer Forensics[J]. Computer Science, 2018, 45(4): 169 -172 .
[9] ZHONG Fei and YANG Bin. License Plate Detection Based on Principal Component Analysis Network[J]. Computer Science, 2018, 45(3): 268 -273 .
[10] SHI Wen-jun, WU Ji-gang and LUO Yu-chun. Fast and Efficient Scheduling Algorithms for Mobile Cloud Offloading[J]. Computer Science, 2018, 45(4): 94 -99, 116 .