Possible to blast through the Sandbox?


ejr
December 10th, 2006, 07:03 PM
The more I think about it, the more I like the concept of virtualization. I like the idea of freely surfing without worrying too much because all the nasties will simply be trapped in the sandbox. So applications like sandboxie and greenborder have a lot of appeal.

But could malware break out of the sandbox is the question? Could the sandbox get full? How about something at the kernel level, could that break the sandbox? Just really thinking out loud here and would appreciate feedback from the technical people that really know.

dah145
December 11th, 2006, 01:41 AM
I don't really know a lot of this but... a malware on kernel level can't be executed inside sandboxie, ask at sandboxie forums for more info: http://sandboxie.com/phpbb/

KDNeese
December 11th, 2006, 01:51 AM
I read several technical articles that speak of new strains of malware that are able to recognize when they are in a sandbox, then are able to penetrate your defenses and get to your system. I don't have a link or reference as it was several weeks ago that I read the articles. Every one of the articles said that a more secure method was running as a limited account. A couple suggested using "DropMyRights" to run browser and email in limited mode. After reading those articles I downloaded DropMyRights and began following their advice. I know the two methods (sandboxing and limited account) are similar as far as not allowing malware system privileges, but there are still a lot of differences, which I'm not technical enough myself to explain. If I can find the journal articles again I'll provide the links, as they are very interesting reading.

Notok
December 11th, 2006, 05:11 AM
I think the question is whether you're going to run everything you download in the sandbox. If not, then that's one way malware could still potentially infect your system.

ejr
December 11th, 2006, 07:18 AM
-{ Quote: "I think the question is whether you're going to run everything you download in the sandbox. If not, then that's one way malware could still potentially infect your system." }-

I wouldn't do that at all. Just call me skeptical. I find it hard to believe that a software can create a truly isolated place on my hard drive that no malware can escape from.

I actually really love the concept because you aren't relying on your antispyware vendor keeping up with signatures and trying to stay ahead of the bad guys.

Lucy
December 11th, 2006, 07:38 AM
I think that, in principle, a real virtualisation sandbox, designed to isolate (and not to guess) and running at kernel level is the safest tool available nowadays.

Some of the limitations are as follows:
- the quality of the code. Poor code can of course leave holes behind or bugs leading to a misbehaviour of the sandbox.
- the balance between usability and safety. In this case, choices are made by the designers to let potential threats in, in order to keep an easy use of the product.
- the potential weaker protection of trusted processes accessing internet through vulnerabilities...

A good product well designed is almost immunising the system against all common threats (due partly to poor coding of nowadays malwares focusing on money earning).
But of course, vulnerabilities can be found in sandboxes and therefore can be as well targeted by hackers.

ggf31416
December 11th, 2006, 09:58 AM
Some programs may need to write directly to the disk, for example it is not desirable to download the e-mails to a sandbox and delete them on the server. For Sandboxie that can be configured in Configuration -> Sandbox Settings -> Set File Copy Options, or manually (Edit Configuration) using OpenFilePath (http://www.sandboxie.com/index.php?OpenFilePath) and OpenKeyPath (http://www.sandboxie.com/index.php?OpenKeyPath).

Perman
December 11th, 2006, 10:18 AM
Hi, folks: I am using DeepFreeze home edition. Is it a sandbox/virtualization app? I am under the impression that it might be one of the safest apps of its category (correct me if needed). During DF's frozen state, it freezes the whole drive C, creating an insulation wall w/ nearly zero permeability (permeating nothing). Therefore any damages created within the sandbox are surely and safely contained. I would like to have some DF users concur with my findings or some experts rebuke my statements (sort of). Thanks.:)

Pedro
December 11th, 2006, 10:31 AM
-{ Quote: "I think that, in principle, a real virtualisation sandbox, designed to isolate (and not to guess) and running at kernel level is the safest tool available nowadays.

Some of the limitations are as follows:
- the quality of the code. Poor code can of course leave holes behind or bugs leading to a misbehaviour of the sandbox.
- the balance between usability and safety. In this case, choices are made by the designers to let potential threats in, in order to keep an easy use of the product.
- the potential weaker protection of trusted processes accessing internet through vulnerabilities...

A good product well designed is almost immunising the system against all common threats (due partly to poor coding of nowadays malwares focusing on money earning).
But of course, vulnerabilities can be found in sandboxes and therefore can be as well targeted by hackers." }-


Bad code, yes, I think that would be one weakness, aside from something that no sandbox could prevent, inherently.
For this I would like the opinion of some knowledgeable Wilders dudes and dudettes.

But for the trusted processes, there is no protection, remember, they are trusted. Defined by you or the program's default.

Thanks ejr, I was thinking of starting a thread like this if none would.

pilotart
December 11th, 2006, 12:46 PM
On my WinXPpro System, with Sandboxie, it had no problems with Firefox, but with Internet Explorer (6) it would lock-up after a few pages opened and the last time, it closed the AntiVir Umbrella (Guard, Active Protection).

BufferZone (version 1.90-11 free single app.) seems to work fine, but I did notice that one Tracking Cookie (Excite.com) got outside the "Virtual" Folder and on the un-boxed Cookie list.

Lucy
December 11th, 2006, 02:27 PM
-{ Quote: "But for the trusted processes, there is no protection, remember, they are trusted. Defined by you or the program's default." }-

This is not true. For DF, GB, Geswall, BZ, an untrusted process cannot contaminate a trusted process. So trusted processes are very well protected from the untrusted world. That is even the aim of this protection! For example, keyloggers often can listen to other untrusted processes but have no access to trusted ones.

But at the same time, trusted programs are not protected from buffer overflows. Of course, the system legitimately thinks the trusted process performs a usual operation.

Pedro
December 11th, 2006, 03:01 PM
"the potential weaker protection of trusted processes accessing internet through vulnerabilities..."

I probably didn't understand you right. But you said trusted processes accessing the internet, so they're not isolated from the system. I didn't say they weren't protected from untrusted ones.

tobacco
December 11th, 2006, 03:27 PM
I found this to be an interesting read from the makers of 'Bufferzone'.

http://www.securityfocus.com/columnists/410/1

Perman
December 11th, 2006, 04:10 PM
Hi, folks: nice link, tobacco, thanks. According to BZ's creator, BZ is an application-level virtualization app. Does this imply that some of the sandbox/virtualization apps may be something else? Such as kernel-level? Has anyone been able to identify most (if not all) of these apps as application-level or kernel-level? If most or all of these are indeed application-level, then I may have a legitimate concern. W/ Vista coming into the mainstream early next year, the word "kernel" has been mentioned many times. Most security software firms are very much concerned w/ this "K" word. My primary concern is that if malwares' point of entry into our machine is at kernel level, which is lower than application, then BZ and its alike just look like a piece of junk, defenseless to say the least. I think we need experts to explain all this to us. Please.

tobacco
December 11th, 2006, 04:27 PM
-{ Quote: "Hi, folks: nice link, tobacco, thanks. According to BZ's creator, BZ is an application-level virtualization app. Does this imply that some of the sandbox/virtualization apps may be something else? Such as kernel-level? Has anyone been able to identify most (if not all) of these apps as application-level or kernel-level? If most or all of these are indeed application-level, then I may have a legitimate concern. W/ Vista coming into the mainstream early next year, the word "kernel" has been mentioned many times. Most security software firms are very much concerned w/ this "K" word. My primary concern is that if malwares' point of entry into our machine is at kernel level, which is lower than application, then BZ and its alike just look like a piece of junk, defenseless to say the least. I think we need experts to explain all this to us. Please." }-

Quote taken from article - "Could you describe the architecture you designed in more detail?

Eyal Dotan: Virtualization is done through a kernel module. A Windows Service instructs the kernel module on what policies to implement. In the corporate version, policy rules come from a BZ Server. In standalone versions, these policies come from the GUI Administration interface which the user can use to alter the pre-configured settings in the limited number of scenarios where that might be necessary".

Sounds to me that 'Bufferzone' operates at the 'Kernel Level', doesn't it?

Lucy
December 11th, 2006, 04:41 PM
-{ Quote: "But you said trusted processes accessing the internet, so they're not isolated from the system. I didn't say they weren't protected from untrusted ones." }-

You're right. But untrusted and trusted processes can communicate. In the framework of a buffer overflow, a simple command can "force" an application to perform unwanted actions, and it is seen as on behalf of the trusted application itself. That's why trusted applications are susceptible to buffer overflow. This is a limitation of such virtualization HIPS.

On the other hand these same trusted processes are not sensitive to injection, classical attacks, deletion, keylogging... They are not isolated from the system but still from the outside.

-{ Quote: "kernel-level ?" }-
From what I understand, kernel level applications are simply denied the right to execute inside the sandbox, or whatever you call it.

-{ Quote: "My primary concern is that if malwares' point of entry into our machine is at kernel level..." }-
The point is that BZ and its alike have first hand. They primarily decide what other applications have the right to do. Installing a driver being forbidden by default for untrusted processes (from within sandbox), it will be impossible... except if the sandbox has itself a vulnerability and if the untrusted application "knows" of it, i.e., uses it to go out of sandbox to install the driver. Of course, if the application runs outside the sandbox (therefore trusted), and if this application is a malware, sandbox becomes useless, but this shouldn't happen, except with complicity of user himself.

Pedro
December 11th, 2006, 06:14 PM
Now i understand fully what you mean.:thumb:

On a side note: reading my first reply to you, note that I wasn't saying you're not knowledgeable, or otherwise. I'm just trying to lure others to join and give their thoughts on the vulnerabilities of sandboxes alike. You didn't even mention this, but I like to settle my statements. If I think I'm not being correct, I stand corrected ;D .

Lucy
December 12th, 2006, 07:30 AM
-{ Quote: "Sounds to me that 'Bufferzone' operates at the 'Kernal Level' doesn't it?" }-

Fully ring0, as DW!

Perman
December 12th, 2006, 02:12 PM
Hi, folks: hi, BZJet, thank you for the info. On post #16, you mentioned that kernel level applications are simply denied the right to execute inside the sandbox. Does this mean that malwares (kernel-level) do get chances to be planted outside the sandbox, such as system files etc., if the sandbox app does not sandbox these files? How about those kernel-level HIPS or antispyware real-time scanners (also kernel-level), do they get the green light to stay active within the sandbox? Any info will be appreciated.:)

Lucy
December 12th, 2006, 03:28 PM
Hi Perman,

First, to make things clear, I am only a simple user, and don't have deep technical knowledge, so I must confess that I reach the limits of my understanding of such tools.

By kernel level application, I meant a program trying to install a driver.

-{ Quote: "kernel level application are simply denied the right to execute inside sandbox" }-
I should have said: an untrusted application can only run inside the sandbox. So an untrusted application, running inside the sandbox, is simply denied the right to execute (install driver).
Furthermore it cannot install or create a program outside the sandbox.

-{ Quote: "Does this mean that malwares (kernel-level) do get chances to be planted outside the sandbox, such as system files etc., if the sandbox app does not sandbox these files?" }-
No.

-{ Quote: "How about those kernel-level HIPS or antispyware real-time scanners (also kernel-level), do they get the green light to stay active within the sandbox?" }-
What for would you install and / or run a security tool inside the sandbox? It is trusted. I have Antivir, installed and running outside the sandbox. Maybe you ask to know if you can use it for testing purposes. Well, you can but it won't be as powerful and complete as a real virtual machine.
I will test and come back to you about installation of such programs inside the BZ sandbox.

Lucy
December 12th, 2006, 03:53 PM
-{ Quote: "I will test and come back to you about installation of such programs inside the BZ sandbox" }-

I downloaded Norton and tried to install it. Impossible because Microsoft Windows Installer (necessary for the Norton install - it is an msi file) was not found by the setup program.

Then I tried to install DefenseWall inside BZ (I am sure at least that DW installs a pure driver) and guess what, the DW install showed a window saying that setup couldn't install the driver.

Hope I gave correct and useful info.

Perman
December 12th, 2006, 06:09 PM
Hi, BZJet, thanks a million!:)

Devil's Advocate
December 15th, 2006, 05:37 AM
-{ Quote: "Hi, folks: nice link, tobacco, thanks. According to BZ's creator, BZ is an application-level virtualization app. Does this imply that some of the sandbox/virtualization apps may be something else? Such as kernel-level? " }-

By "application level virtualization" he means Bufferzone virtualizes applications.

He is distinguishing his product (as well as defensewall, sandboxie etc) from Vmware, Virtual PC etc which virtualizes whole machines up to and including the Operating system.

Perman
December 15th, 2006, 10:52 AM
-{ Quote: "By "application level virtualization" he means Bufferzone virtualizes applications.

He is distinguishing his product (as well as defensewall, sandboxie etc) from Vmware, Virtual PC etc which virtualizes whole machines up to and including the Operating system." }-
Hi, folks: Thanks for the further clarification. So I can assume DeepFreeze is a drive-level virtualization app? Because it virtualizes (freezes) the whole drive C. Are there any pros and cons in comparison between these two types of apps? I notice that the member who posted #10 did get a tracking cookie outside the BZ sandbox, and how could this happen? Can you educate us? Thanks.

Pedro
December 15th, 2006, 10:59 AM
I guess Deepfreeze is good if you don't download software often. If the computer is relatively static, it's perfect. Everything stays the same after reboot.
I still don't understand if you can save files. Probably yes, it would be silly if you couldn't. But I don't have Deepfreeze, so I'm not sure. This is what I understood so far.

Perman
December 15th, 2006, 11:20 AM
Hi, folks: Using DeepFreeze is like having a borrowed / disposable PC. During the Frozen State the whole partition/drive is virtualized. Any changes/alterations will stay there, until rebooting. Therefore, it is safe to assume that file additions/registry modifications and so on cannot be saved. The one I am using is the standard edition, while the enterprise edition may have more options and flexibility. DF is indeed a very very secure, safe application, as I mentioned many times before, each PC should be equipped w/ this baby from day one. Just my wish.:)

tobacco
December 15th, 2006, 12:00 PM
-{ Quote: "Hi, folks: Using DeepFreeze is like having a borrowed / disposable PC. During the Frozen State the whole partition/drive is virtualized. Any changes/alterations will stay there, until rebooting. Therefore, it is safe to assume that file additions/registry modifications and so on cannot be saved. The one I am using is the standard edition, while the enterprise edition may have more options and flexibility. DF is indeed a very very secure, safe application, as I mentioned many times before, each PC should be equipped w/ this baby from day one. Just my wish.:)" }-

As previously stated, DeepFreeze is a fine program for protecting 'Static' systems and if this is your case, it will suit you well. For others, who are constantly trying different programs and setups, DeepFreeze would be somewhat of an inconvenience, especially for programs that require a reboot to complete the install. So as far as pros and cons go, it depends on your needs.

Devil's Advocate
December 16th, 2006, 08:17 AM
Given that we are currently in the sandbox/virtualization is "the cure to all our problems" craze, I think it behooves me to raise a caution. Here's an interesting article by Roger Grimes

http://www.infoworld.com/article/06/11/03/45OPsecadvise_1.html

Entitled "Seven shortcomings of virtual security
Don't be fooled into thinking virtual security technologies are a panacea for your malware woes"

Some highlights

-{ Quote: " I’ve reviewed several of these types of products, including GreenBorder, Linux jail programs, and Microsoft Windows Vista’s file and registry virtualization technology. And many of us often use Zen, VMware, or Virtual PC virtual machine sessions to safely browse the Web." }-

No mention of our forum darlings Sandboxie or Defensewall (though he might have tried them too), but Bufferzone seems to be a good enough representative.

-{ Quote: "No sandbox product is foolproof. I've yet to meet one that could not be easily circumvented. So, while they might give you a moderate amount of protection early on, if the sandboxes gain widespread popularity for protecting the masses, they will be hacked and circumvented. It happened to Java, and it will happen to Vista’s file and registry virtualization protection.

I’ve been able to defeat every product I’ve personally reviewed with minimal effort. The vendors often claim that their products are foolproof and don’t need constant updating “like those sorry anti-virus scanning products.” Then I run a battery of malware tests, and usually a well-known worm, spambot, or adware program breaks out of the virtual jail and modifies the host. Some take a bit more effort, but all have fallen within an hour of trying." }-

I know he is supposed to be an expert instructor on hacking, but within an hour seems too easy... Or is he really that good?

-{ Quote: "Most virtual protection products don’t respond well to encoded attacks. Hackers and malware writers often encode malicious HTML commands into hexadecimal, double-byte, dotted decimal notation, or Unicode, instead of the ASCII text we, and protection products, expect. In many cases, the end result is that slight modifications to malicious commands are not detected or prevented." }-

Not sure about this one. Have to test.

-{ Quote: " Many, if not most, of these products contain their own vulnerabilities -- buffer overflows, bugs that crash the system, hard-coded passwords, and so on. You end up trading one set of bugs for another. " }-

Well that's hardly surprising. I'm sure we beta-testers can root these problems out and prevent buffer overflows :)


-{ Quote: "Virtualization applications also complicate support and troubleshooting events. When the underlying OS or app is updated, the sandbox or virtualization product often has to be updated as well. For example, say you install IE 7 or Firefox 2.0 and some previously functioning application or Web site no longer works. Is it the new browser or is the third-party security app not working with the browser?" }-

Never seen this happen. But hey it could happen...

-{ Quote: "In my "Where Windows Malware Hides" document, I specify more than 130 file and registry locations where malware can hide to spread in Windows. Most sandbox protection products only protect against a dozen or so file and registry locations." }-

Not sure about this one, it appears only in the electronic version but not in the print version copy, either he added it later to the electronic copy or he removed it from the print version. Not sure which one is more current..


I know that the current dogma in this forum at this time is that Sandbox+virtualization is the obvious, correct and only solution, so don't kill me..... just bringing an alternative opinion here from a fairly well known expert on security...
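The quoted "encoded attacks" point (hex, Unicode, dotted-decimal hosts slipping past a filter that only sees plain ASCII) is easy to check. Below is an added example, not code from the article or from any product named in the thread: it canonicalizes a URL to a fixpoint before matching a blocklist, so the same rule that a raw string comparison misses is caught after decoding. The blocklist entries are constructed for the demonstration.

```python
"""Canonicalize-then-match: why a filter comparing raw text misses encoded variants.

Added example (hypothetical code, not from the quoted article or any product).
Decoding layers handled: %XX, IIS-style %uXXXX, HTML numeric/named entities,
Unicode compatibility forms (fullwidth characters), and decimal-integer hosts.
"""
import html
import re
import unicodedata
from urllib.parse import unquote, urlsplit

# Constructed demo rules: a markup fragment and a canonical dotted-quad host.
BLOCKLIST = ["<script", "javascript:", "192.168.1.1"]

_PCT_U = re.compile(r"%u([0-9a-fA-F]{4})")


def _decode_once(s: str) -> str:
    """Peel one layer of every encoding we know about."""
    s = _PCT_U.sub(lambda m: chr(int(m.group(1), 16)), s)  # %u003C -> '<'
    s = unquote(s)                                            # %3C    -> '<'
    s = html.unescape(s)                                      # &#x3c; -> '<'
    s = unicodedata.normalize("NFKC", s)                      # U+FF1C -> '<'
    return s


def canonicalize(s: str, max_rounds: int = 5) -> str:
    """Decode repeatedly until nothing changes (handles double encoding), then lowercase."""
    for _ in range(max_rounds):
        decoded = _decode_once(s)
        if decoded == s:
            break
        s = decoded
    return s.lower()


def canonical_host(host: str) -> str:
    """Turn a bare decimal host such as 3232235777 into dotted-quad form."""
    h = canonicalize(host).strip("[]")
    if h.isdigit() and int(h) < 2**32:
        n = int(h)
        return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))
    return h


def naive_match(text: str) -> list[str]:
    """What a filter sees if it compares the raw string only."""
    return [rule for rule in BLOCKLIST if rule in text]


def canonical_match(text: str) -> list[str]:
    """Same rules, applied after canonicalization."""
    canon = canonicalize(text)
    return [rule for rule in BLOCKLIST if rule in canon]


def flagged_in_url(url: str) -> list[str]:
    """Rules hit by a URL once host and path+query are canonicalized separately."""
    parts = urlsplit(url)
    host = canonical_host(parts.hostname or "")
    rest = parts.path + ("?" + parts.query if parts.query else "")
    hits = [rule for rule in BLOCKLIST if rule == host]
    hits += [rule for rule in canonical_match(rest) if rule not in hits]
    return hits


if __name__ == "__main__":
    # Constructed sample: double-percent-encoded markup on a decimal-integer host.
    sample = "http://3232235777/search?q=%253Cscript%253Ealert(1)"
    print("raw match:      ", naive_match(sample))       # []
    print("canonical match:", flagged_in_url(sample))    # ['192.168.1.1', '<script']
```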

Lucy
December 17th, 2006, 12:46 PM
There is no better computer security defense than having a known, good, safe data backup, right?...

Devil's Advocate
December 19th, 2006, 11:15 AM
-{ Quote: "There is no better computer security defense than having a known, good, safe data backup, right?..." }-

Well it's more like your defense has already failed.

Lucy
December 19th, 2006, 01:58 PM
-{ Quote: "Well it's more like your defense has already failed." }-
I disagree.

Different points:
- I prefer having a defense missing a few sometimes than one (antiviruses) missing half all the time.
- There is no proof of what is written. The specialist should show his tests so that we can judge by ourselves. Scientifically speaking, something is true when it can be reproduced. Concerning BZ, I know some of the limitations, and some bugs, but I tried to break through with usual (yet simple) methods, and it looks OK so far.
- To finish, you have to be targeted. Who would specifically target me and my virtualization defense? Who would spend even 30 min. to do so?

Lucy
December 19th, 2006, 01:59 PM
BTW, it looks like every existing and yet to come defense has already failed...

Rasheed187
December 20th, 2006, 04:20 PM
Nice analysis DA, that article was interesting to read, but I would sure like to see some proof that these sandboxes can easily be circumvented. ::)

pilotart
December 21st, 2006, 12:20 AM
Back on post #10 (11 Dec.) I had made the statement: -{ Quote: "...but I did notice that one Tracking Cookie (Excite.com) got outside the "Virtual" Folder and on the un-boxed Cookie list." }- and I have just run my BufferZone Protected Internet Explorer, for which Excite.com requires minimum security settings,
this is the current "cookie" status.

There are the cookies that I would expect (they are 1 or 2KB Text Documents) located within the BufferZone
C:\Virtual\Untrusted\C_\Documents and Settings\a\cookies\a@adopt.euroclick[3].txt a 1 KB Text Document and inside the Red Border.


The C:\Documents and Settings\a\Cookies also has a list of cookies modified by today's visit and they are all listed as:

C:\Documents and Settings\a\Cookies\a@adopt.euroclick[3].txt.virtual a 3 KB Shortcut and all of these (and the folder) are also inside a Red Border.

So I think I had misunderstood the Virtual Folder setup and the Red Border Protection, which seems to have also been provided to the Cookie Folder that I assumed was not protected since it was not under the 'Virtual\Untrusted' tree.:-[

BufferZone has given my IE Browsing complete isolation from the looks of that structure above and I regret doubting that fact before.:'(

tayres
February 12th, 2007, 02:24 AM
-{ Quote: "Nice analysis DA, that article was interesting to read, but I would sure like to see some proof that these sandboxes can easily be circumvented. ::)" }-

One way described by Sandboxie's author:

-{ Quote: "It's possible for a system to contain kernel mode code containing unknown vulnerabilities. For example, third-party hardware drivers may not handle some data properly, and this could allow their abuse in a way that lets an application gain access to kernel mode.

For example: This link (pdf) (http://research.eeye.com/html/Papers/download/StepIntoTheRing.pdf) describes abusing a firewall to gain kernel mode access. (The particular firewall was fixed, but the principle remains.)

The abusive application could even be sandboxed, but if it can abuse a system component to gain kernel mode access, then the application can easily bypass Sandboxie and any other system protection tool.
" }-

Chuck57
February 12th, 2007, 01:40 PM
I don't really buy the writer's claim that he can defeat any sandboxing/virtualization software with 'minimal' effort. Talk is easy. Show me the proof. Ilya Rabinovich beat an older version of Bufferzone a while back and admitted, I think, that it wasn't easy, and he definitely knows what he's doing.

I will agree that nothing is 100% safe these days, and as a security software gains in popularity there are those who will work night and day to find a way to beat it - and they eventually will. Hopefully, with constant upgrading, the security sandboxing/virtualization folks can keep a half step ahead of the malware writers.

Lucy
February 12th, 2007, 01:55 PM
Let's face another fact:

What DA said could be accepted as is if, and only if 80 or 90% of users had a sandbox or virtualisation security program. In this case, hackers would spend time to break through to eventually gain money.

But the real world is different. Why spend time and energy on breaking sandboxing technologies, when you have millions and millions of computers which barely have a simple antivirus (updated) and no firewall?

I think I have a rolls royce of security, not only because it is a very efficient way to keep malwares out of my computer (as any other kind of hips actually), but also because the level of knowledge necessary to gain access on my computer is far beyond the possible gain of money a hacker can expect by doing so. So that I just make myself sure I will not be in the target of anybody.

Chuck57
February 12th, 2007, 02:24 PM
Good point, BZJet. An ideal example of one of the millions is our next door neighbor. She recently bought a computer with the Norton trial. It wasn't installed, just the .exe sitting on the desktop. She thought she was protected since Norton was there!!??? My wife ran the install and she's good for another month, then we'll have to explain to her why she needs to either buy Norton or remove it and install something else.

But, it wasn't but a few years ago that I was just as dense and still am about some security things.

yankinNcrankin
February 12th, 2007, 07:49 PM
If someone knew how a program was coded (structured, built, designed, etc.) of course it is very possible to blast through a sandbox. Which is why a layered defense is necessary to try and stop whatever code or script tries to execute as a result of a discovered vulnerability in a program. Even if hackers were to find vulnerabilities in a sandbox type program, if the user has a good layered defense, the hacker would still need to get past all the other stuff. I have yet to experience such a breach on my box. :)

EASTER.2010
February 12th, 2007, 10:37 PM
-{ Quote: "Even if hackers were to find vulnerabilities in a sandbox type program, if the user has a good layered defense, the hacker would still need to get past all the other stuff. I have yet to experience such a breach on my box." }-

Absolutely! And try as they may, you can put up a very formidable gauntlet (Layered Shielding) that any series (version) of malware/rootkit will have a devil of a time just to reach the half-way point if it even can.

I always have said and still say that until the day comes that they can master a hijack of the electrical current itself they are going to continue to be limited in how far they can advance even their best efforts of malware/intrusion code into a PC fully equipped with the latest security shields (updated) and in doubles in some instances, like mine. ;D

Includes Shadowing/Sandboxes, AS, AV, HIPS in all forms, as many as they may be now. It pays to not put all your eggs into a single basket when it comes to these matters.

MICRO
February 13th, 2007, 01:34 AM
I don't know enough about them, some people know a lot more,

www.techsupportalert.com/security_virtualization.htm

Devil's Advocate
February 13th, 2007, 01:40 AM
Chill guys.

The question was whether it is possible to "blast through" the sandbox, and the answer is yes obviously.

Whether you have been hacked in the past or not has no bearing on the question of whether sandboxes can be defeated; as you said, probably no one has tried yet on your system, so pointing to that fact seems self defeating.

Neither is the question on whether the "gods" of layered defense can protect you.

In other words no one is saying you are going to get hacked. The question is whether the sandbox can be defeated, and the answer is it can and was and will be in the future!

Seriously, people here need to get a grip and stop this whole defensive, "I'm not going to get hacked no matter what cos I got a super invincible fortress setup" raving reaction whenever someone points out that nothing is 100% or something could possibly be beaten.

No one is saying you are going to get hacked!!!!

Devil's Advocate
February 13th, 2007, 01:41 AM
-{ Quote: "I don't know enough about them, some people know a lot more,

www.techsupportalert.com/security_virtualization.htm" }-

This person doesn't know as much as many are crediting him. But YMMV.

Ilya Rabinovich
February 13th, 2007, 06:07 AM
-{ Quote: "Which is why a layered defense is necessary to try and stop whatever code or script that tries to execute as a result of a discovered vulnerability in a program." }-

One more point here. It is very important also to have many security vendors available and active: big, medium and small. In case malware writers find a hole within one vendor's product, it will always be possible to be protected with another vendor's. In case there is one huge security vendor and no competition at all, one small security hole will lead to hundreds of millions of infections within a couple of days.

Chuck57
February 13th, 2007, 10:45 AM
Absolutely correct, Ilya. I can also add that having many vendors keeps each one working harder to make the best software. I wonder how many will drop by the wayside now that Windows Vista is out. I've heard and read that Microsoft won't give the needed info to some to be able to develop software for Vista, Blink being one because they exposed a security hole in Vista.

EASTER.2010
February 15th, 2007, 12:16 AM
-{ Quote: "One more point here. It is very important also to have many security vendors available and active: big, medium and small. In case malware writers find a hole within one vendor's product, it will always be possible to be protected with another vendor's. In case there is one huge security vendor and no competition at all, one small security hole will lead to hundreds of millions of infections within a couple of days." }-

ABSOLUTELY UNEQUIVOCALLY CORRECT!

Thanks Ilya for making that perfectly clear spoken/posted by a most revered & respected developer as yourself. :thumb: