Sandboxie technical tests and other technical topics discussion thread

Discussion in 'sandboxing & virtualization' started by MrBrian, Oct 17, 2014.

  1. bo elam

    Hi Mr Brian, I'll inform Invincea about the Firefox tips page needing an update.

    Bo
     
  2. Mr.X

    lol Thanks Bo! Thought MrBrian was actually just kidding!!!
     
  3. Rasheed187

    I'm going to install it outside of the sandbox, but I'm still trying to figure out which folders I need to copy to the "real" system. I don't feel like configuring Firefox all over again.
     
  4. Rasheed187

    I agree, but you can also sandbox without virtualization, as for example AppGuard does. Actually, this is one of the reasons why I had so much difficulty understanding the concept of AG, because when I think of sandboxing/isolation I automatically think of virtualization. This is the main feature why I like SBIE so much.
     
  5. pegr

    The article defines virtualization as "the application of a hypervisor or similar technology to simulate hardware/software resources".

    If the use of the term virtualization is restricted to the use of a hypervisor then Sandboxie isn't an example of virtualization. On the basis of that definition, I doubt that Shadow Defender could be said to be an example of virtualization either. Both Sandboxie and Shadow Defender are based on disk I/O redirection into a file system container (SB) or disk sector cache (SD) and neither involves the use of a hypervisor.

    However, a wider view of what constitutes virtualization is also possible. Any time abstraction is used to create a virtual representation of a physical resource in order to achieve isolation from that physical resource, some degree of virtualization is involved.

    Because Sandboxie uses disk I/O redirection to a container to create an abstraction of the file system and registry, from the perspective of an application running inside the sandbox, the application is fooled into thinking that it is manipulating the real file system and registry. This is therefore a specific example of a type of virtualization where the hardware/software resource being virtualized is the file system and registry in order to isolate sandboxed applications from the real file system and registry.

    In many cases, a sandboxed application will already be installed on the system (e.g. browsers), but with Sandboxie, applications that don't install drivers or services can be installed into multiple sandboxes and run without first being installed onto the real system. This comes close to the definition of application virtualization given here:

    https://en.wikipedia.org/wiki/Application_virtualization
     
    Last edited: Dec 21, 2014
  6. bo elam

    You don't need to copy any folders. If Flash and Firefox are installed in the real system, there's no need to configure anything if you run Firefox in an unrestricted sandbox. If you run Firefox in a restricted sandbox, then you need to allow plugin container and Flash to run. That's pretty much it, Rasheed.

    Some sites require plugin container to have access to the internet to stream videos but not all do. In YouTube, you can watch videos without allowing plugin container internet access. So, you might want not to allow plugin container internet access in your everyday Firefox sandbox, but know that some sites won't stream the video if the plugin doesn't have access to the internet. For sites like that, I might run Firefox in an unrestricted sandbox if I really want to watch whatever the video is.

    Bo
     
  7. pegr

    Regarding the difference between policy restriction and sandboxing, you might find this article by Kurt Wismer and the ensuing discussion with Ilya Rabinovich in the comments section interesting reading:

    http://anti-virus-rants.blogspot.co.uk/2006/12/what-virtualization-can-and-cannot-do.html
     
  8. MrBrian

    Thanks :).
     
  9. Mr.X

    @ Bo and pegr
    Thanks for your replies. Interesting articles you found, pegr, indeed. Then, in the case of Sandboxie, I consider it sandboxing as is, neither virtualization nor light virtualization.
     
  10. pegr

    Yes, I agree. Sandboxie uses virtualization to virtualize the file system and registry in order to build the sandbox, but this does not make it a virtualization product as such. The aim is isolation and containment, not system virtualization as it would be with full virtualization or light virtualization products.

    A sandbox is simply an isolation area that can be a physically separate environment. It isn't necessary for virtualization to be used for something to be a sandbox. The key defining factor is isolation, not virtualization. Without isolation, there is no sandbox. As Wismer says, a sandbox must have an inside and an outside, creating a dual world. The only policy restriction features a sandbox has to have are those necessary to enforce the boundaries of the sandbox and prevent a breach.

    Similarly, policy restriction should not be referred to as sandboxing because with pure policy restriction there is no isolation. Everything takes place within the same physical environment, albeit with differing privileges. There is no inside and outside as there would be with a sandbox. AppGuard is an example of a policy restriction program that uses neither sandboxing nor virtualization in its implementation.

    Sandboxing, virtualization, and policy restriction are independent concepts, which can apply separately or together. Sandboxie is an example of a sandboxing program that uses file system and registry virtualization to build the sandbox and also has a rich set of policy restriction features, beyond what is necessary to enforce the boundaries of the sandbox.

    We can also clearly see how these different concepts relate to each other if we step outside of computing for a moment and consider a hospital environment.

    In a hospital ward, all the patients in the ward are together. However, they may be subject to different restrictions on their movements, diet, etc, based on their medical condition. We wouldn't normally consider this to be isolation though. The patients are all together in the same physical environment and are free to interact with each other subject to the restrictions imposed upon them. This is akin to how policy restriction programs like AppGuard work.

    In an isolation ward, on the other hand, the patients are physically separated from the patients in the non-isolation wards. The only necessary restriction that will be placed upon them is that they will be prevented from leaving the isolation ward. Other than that, they may be free to lead relatively normal lives while their medical condition is being determined and treated. This is an example of sandboxing but, in this case, the sandbox is a physical isolation area, rather than a virtualized container as it might be in a computer system.
     
  11. 142395

    Well, Mozilla introducing a sandbox to Fx is definitely a good thing for its security and the public interest; remember, many people haven't ever heard of SBIE. If they finally bring Servo to the desktop browser as well, it might be one of the most secure browsers.

    I personally prefer to use an already equipped native function rather than altering that with a 3rd party product, so I will quit sandboxing Fx when it has introduced its own sandbox and that has proven strong enough. However, I also understand others here disabling the sandbox (BTW, I'm sure when Mozilla introduces the sandbox they'll provide an on/off switch in about:config) for compatibility's sake if they prefer SBIE. It's a matter of choice.

    But that is that. Sandboxing the browser is just a small part of SBIE usage for me. There're still many programs which don't implement a sandbox by nature, and I also use SBIE for non-security objectives such as testing.
    Good explanation!
    I know many people are confusing those concepts, but you clearly explained this matter. There're many different definitions for the term "sandbox", so when you use the word, you have to be careful about its def, but sadly not many people are aware of this. For Google, sandbox is restriction. For AV vendors, sandbox is emulation. For SBIE, sandbox is redirection. But for all of them, isolation is the key.
    You can remove the virtualization part from SBIE if you want. Just add an access block to all files/folders/registry and only allow direct access to necessary objects. It's still a sandbox but w/out virtualization. If you could add policy for those necessary accesses, it would be almost the Chrome sandbox.
    A virtualization-like feature is actually not for security, it's for usability. But this usability brings other sandbox usages, such as installing programs in a sandbox, and consequently contributes to overall security.
     
    Last edited by a moderator: Dec 22, 2014
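
The distinction drawn in posts 5, 10 and 11 above, as an added toy model (not part of any post, and not Sandboxie's code): a sandbox that redirects writes into a container next to one that only blocks access outside an allowlist. The class names, the in-memory `real` dict standing in for the file system, and the sample paths are all constructed for illustration.

```python
class RedirectingSandbox:
    """Redirection: writes land in a private container, never in `real`."""
    def __init__(self, real):
        self.real = real          # the "outside": path -> contents
        self.container = {}       # the "inside": redirected writes
        self.deleted = set()      # paths deleted in the sandboxed view only

    def read(self, path):
        if path in self.deleted:
            raise FileNotFoundError(path)
        if path in self.container:            # sandboxed copy wins
            return self.container[path]
        if path in self.real:                 # fall through to the real file
            return self.real[path]
        raise FileNotFoundError(path)

    def write(self, path, data):
        self.deleted.discard(path)
        self.container[path] = data           # copy-on-write into the container

    def delete(self, path):
        self.read(path)                       # must exist in the sandboxed view
        self.container.pop(path, None)
        self.deleted.add(path)                # hide it without touching `real`

    def discard(self):
        """Deleting the sandbox throws away everything done inside it."""
        self.container.clear()
        self.deleted.clear()


class BlockingSandbox:
    """No redirection: direct access to allowlisted prefixes, all else blocked."""
    def __init__(self, real, open_prefixes):
        self.real = real
        # Prefixes should end in a separator so "C:/Profile/" does not
        # also match "C:/ProfileBackup/".
        self.open_prefixes = tuple(open_prefixes)

    def _check(self, path):
        if not path.startswith(self.open_prefixes):
            raise PermissionError(path)

    def read(self, path):
        self._check(path)
        return self.real[path]

    def write(self, path, data):
        self._check(path)
        self.real[path] = data                # allowed writes hit the real file
```

In the first class the sandboxed program sees its own changes while the real store stays untouched; in the second, whatever is allowed changes the real store directly and there is nothing to discard afterwards.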
  12. Rasheed187

    I think you are misunderstanding me. What I'm saying is that Flash will not work in a sandboxed Firefox, no matter if Flash is installed inside or outside the sandbox. So that's why I'm going to install Firefox on the real system, and after that I will run it "forced". The bad news is that even after copying all files from the sandbox to the real system, Firefox still needs to be configured all over again. Now I'm starting to understand why portable apps are so cool.
     
  13. Rasheed187

    Thanks, this was interesting. I also agree with the fact that virtualization on its own cannot stop malware from running, at least not with extra configuration. That's why I always combine it with HIPS and if possible anti-exploit. That's also why I came up with the idea to add a behavior blocker/anti-exploit feature (without alerts) to SBIE, as is already offered by Invincea FreeSpace.
     
  14. Rasheed187

    Well, it doesn't really matter to me what you call it, I think of SBIE as a sandboxing tool with application virtualization capabilities. To me virtualization is the key feature, it gives you an option to contain exploit/drive-by attacks and it gives you an option to safely test most software, without the risk of your system getting corrupted.

    OK I see what you mean, so AppGuard, DefenseWall and GeSWall are not sandboxes, at least not in the strict sense.
     
  15. bo elam

    DefenseWall and GeSWall are sandboxing programs as much as Sandboxie is, they just get things done differently than Sandboxie. Sandboxie, DefenseWall and GeSWall do 1. isolation and 2. restrict what untrusted/sandboxed programs can do to the system, registry, files and other programs. That's sandboxing. I never used GeSWall but I did use DW. In my mind, SBIE and DW are very similar, the only difference being that with SBIE, you delete the sandbox/untrusted files and with DW, the untrusted files remain in the system until you get rid of them or use a program to clean up.

    Bo
     
    Last edited: Dec 22, 2014
  16. bo elam

    I can't figure why you are having so much trouble with Flash, Firefox and SBIE.

    In short, you do not need to copy any files from the sandbox to the real system. I can't even think what files you are talking about... because there are no files to copy, whatsoever. :) Don't copy anything.

    Bo
     
  17. Compu KTed

    If you're wanting to keep a browser permanent it might be best to install it on the real system. If you want to test a browser (newer version or different browser) then you could install the browser inside Sandboxie. As far as Flash goes, when I did use Firefox I had no problems with Flash (outside of sandbox) running in a sandboxed Firefox. I gave plugin-container.exe Start/Run Access in Sandboxie restrictions setting. I now run Flash (keep it updated) in sandboxed Pale Moon (updated) without any problems. Once you have Firefox configured you could save your profile as well.
     
  18. Behold Eck

    Brilliant explanation of these different technologies in a down to earth understandable way.

    I've learnt a lot following this discussion, fascinating stuff indeed.

    Well done everyone involved.

    Regards Eck:)
     
  19. MrBrian

  20. pegr

    Sandboxing creates a separate environment in which programs can be run. According to the developers of GeSWall, GeSWall isn't a sandboxing program for exactly that reason. See this: -

    http://www.gentlesecurity.com/docs/geswallfaq01.html#q4

    The same is true of AppGuard. I believe DefenseWall too is referred to as Policy HIPS, not sandboxing.
     
  21. MrBrian

    Ilya Rabinovich from the link in post #532 considers sandboxing = policy-based restrictions.
     
  22. bo elam

    From their website, they themselves call DefenseWall a sandboxing program. But in the past, the program has also been called HIPS or Firewall next to sandboxing. DefenseWall is a beautiful sandboxing program.
    http://www.softsphere.com/

    Bo
     
  23. bo elam

    They can call themselves what they want but that below is what sandboxing programs do.
    http://www.gentlesecurity.com/docs/geswallfaq01.html#q5

    Bo
     
  24. pegr

    I agree. Both policy restriction and sandboxing programs use application-oriented access controls. I note that in two places the abstract refers to "application restrictions and sandboxes". If the author had wanted to assert that application restrictions constitute sandboxing, there would be no need to use both terms separately in conjunction.

    AppGuard, DefenseWall, and GeSWall are similar types of program, based around the concept of application restriction, not sandboxing. Sandboxie, on the other hand, is a sandboxing program (with added application restriction features). The similarity between them is that they all use application-oriented access controls to implement their respective security models.
     