Is Google Chrome truly that vulnerable?

Discussion in 'other anti-malware software' started by CoolWebSearch, Jul 6, 2014.

  1. Rasheed187 (Registered Member; joined Jul 10, 2004; posts: 17,559; location: The Netherlands)
    @ SLE

    1 Browsers should never be trusted in the first place. All the HIPS that I have used trust only essential Windows OS processes.
    2 This happened only in the AG thread.
    3 Yes, I am immune to criticism which is baseless and probably triggered by "fanboyism".
    4 I agree, we should stop with this OT discussion. :)
     
  2. Voodooshield said UAC is useless because most of his clients turn UAC off, so if you are not a Voodooshield client and have UAC turned on, you should not worry IMO. On your XP Pro you can use SRP (just learn to use gpedit; it comes with XP Pro) and free MBAE, and you will be fine.
     
    Last edited by a moderator: Sep 6, 2014
  3. CoolWebSearch (Registered Member; joined Sep 30, 2007; posts: 1,247)
    Hi, Windows_Security and everyone else, I'm asking if you still maintain the same approach about Google Chrome:
    https://www.wilderssecurity.com/threads/how-secure-is-chromes-sandbox.296413/

    Here is your post:
    https://www.wilderssecurity.com/threads/how-secure-is-chromes-sandbox.296413/#post-1852236

    "It totally isolates the code you are running in your browser using the OS internal mechanism: simply brilliant.
    Only coding errors (exploits) in the underlying Windows OS or inside the components Chrome itself uses could cause intrusions, it is that strong.
    It is a theoretical near 100% (practical 100% is impossible, because every man made software or product could have errors)."

    Do you still consider all of this to be true about Google Chrome, or you changed your stance after all of these years to this, present day?

    "Charlie Miller quote on Chrome security: There are bugs in Chrome, but they’re very hard to exploit. I have a Chrome vulnerability right now but I don’t know how to exploit it. It’s really hard. They’ve got that sandbox model that’s hard to get out of. With Chrome, it’s a combination of things — you can’t execute on the heap, the OS protections in Windows and the Sandbox."

    I guess you don't need to supervise Google Chrome by running it sandboxed in SBIE4, like Hungry Man said, because you don't gain or lose anything by using both sandboxes (I mean both SBIE4 and Google Chrome)?
    Supposedly, running Google Chrome sandboxed by Sandboxie 4 will make either of these two sandboxes weaker than if you run them separately?

    Also, like Matthijs5nl said:
    "Chrome's sandbox is indeed a strong security solution (especially with --safe-plugins), but not against all types of threats. You can't compare it to Sandboxie for example.
    Chrome's sandboxing is very strong against exploits and drive-by downloads, but not against ordinary malware (trojans etc.) and phishing threats. Microsoft's SmartScreen filter is unmatched in that area.
    That is why I have always hoped that Internet Explorer 9 would feature the same sandboxing techniques as Chrome does, however IE9 only partially sandboxes. Since the combination of Chrome's sandboxing and Microsoft's SmartScreen filter would be unbeatable. Combine that perfect browser with built-in security measures (Windows Firewall, operating system hardening with assistance from EMET), backup and a system image and an on-demand scanner (Hitman Pro is the perfect candidate) and you have bulletproof protection."


    And do you think adding Malwarebytes Anti-Exploit Premium is a good idea, since Hungry Man, in his own blog (but about an older version of Malwarebytes Anti-Exploit), said it will only increase the attack surface o_O

    Since you said that adding more code could also be beneficial, since it makes the sandbox more secure even though it's more complex: I personally think the complexity of the code is the real danger here, since the more complex it becomes, the more vulnerable it will become (you said that this is theoretical from Hungry Man's point of view, and it has not been proven in practice), even those parts of the code which were secure before the code became bigger and more complicated. What do you think, all?

    Watt posted this on Hungry Man's blog, which describes exactly how Malwarebytes Anti-Exploit works:
    http://www.insanitybit.com/tag/exploit/

    Just for the record, I'm using Malwarebytes Anti-Exploit premium with Google Chrome, regardless of this, since I like to have a bit more and yet simple solutions for security.
    Big thanks to all in advance.
     
    Last edited: Sep 10, 2014
  4. Minimalist (Registered Member; joined Jan 6, 2014; posts: 14,885; location: Slovenia, EU)
    @CoolWebSearch
    Personally I agree with most of what was written in your post. I prefer simplicity when it comes to security and, same as you, I think that more complexity can present more danger.
    When I choose security software I consider benefits and possible problems a software will bring to my computer. If there are only small benefits or possibly big problems, I usually decide not to use that software.
     
  5. wat0114 (Registered Member; joined Aug 5, 2012; posts: 4,069; location: Canada)
    Actually Hungry Man posted that. I just linked to it :)
     
  6. CoolWebSearch (Registered Member; joined Sep 30, 2007; posts: 1,247)
    Big thanks, hqsec, for your support. This is the key I was talking about: if we talk about complexity in general, not just computers, it has never brought anything good, only more problems (if we look back in history at the rise and fall of all civilizations, the longest-lasting, most secure and most prevailing societies were the simplest societies; the same goes for science and technology: the more complex it becomes, the more vulnerabilities it possesses, fact), and the same facts are present in computer security.
    More code, bigger code, means more holes/exploits/vulnerabilities to fix with again more code, and again more code means more holes/exploits/vulnerabilities.
     
  7. CoolWebSearch (Registered Member; joined Sep 30, 2007; posts: 1,247)
    I truly apologize for this, Watt, I didn't mean anything bad, my honest apology for misquoting you.
     
  8. CoolWebSearch (Registered Member; joined Sep 30, 2007; posts: 1,247)
    Just wondering if the following is really true about Google Chrome:
    "It totally isolates the code you are running in your browser using the OS internal mechanism: simply brilliant.
    Only coding errors (exploits) in the underlying Windows OS or inside the components Chrome itself uses could cause intrusions, it is that strong.
    It is a theoretical near 100% (practical 100% is impossible, because every man made software or product could have errors)."

    And is everything mentioned above the same and true for Sandboxie 4? I wonder if chrome.exe is more exploitable than SbieCtrl, or SbieSvc, or whatever processes there are for SBIE4.

    Because according to Curt from Invincea:
    4) Security has been tightened in other areas as well.
    Can this be more specific?
    Nothing has been exploited. But, we don't want to give the bad guys any ideas. Especially while users are on older versions. While everyone thought we were on vacation, we've been reviewing possible security holes.
    We also have had an independent software security company going through all of the code.
    As Sandboxie and FreeSpace become more and more popular, we must prepare for the Sbie-targeted attack -- before it occurs.

    It looks like the Sandboxie code is secure for now, since it has not been exploited.
    But the main question is can SBIE4 isolate the code like Google Chrome does...
     
  9. Hungry Man (Registered Member; joined May 11, 2011; posts: 9,146)
    I would not say isolation is near 100%. It's good, but while the capabilities of the renderer may be limited, the attack surface of the system from the renderer is not quite.
     
  10. bo elam (Registered Member; joined Jun 15, 2010; posts: 6,147; location: Nicaragua)
    Hi CWS. Specifically, Sandboxie version 4.13.2 took care of the potential issue described in the link below. So don't worry. If you are using version 4.13.2 or above, what's described in the link doesn't concern you. Also, using an earlier SBIE version is safe against this potential problem as long as Drop Rights is enabled or the Windows Remote Management service is disabled. :) Relax, buddy.
    http://forums.sandboxie.com/phpBB3/viewtopic.php?f=17&t=19407&start=15

    Bo
     
  11. wat0114 (Registered Member; joined Aug 5, 2012; posts: 4,069; location: Canada)
    That's okay, no harm done. I just don't want to take credit for someone else's handiwork ;)
     
  12. Yes, I think it even has become better with LOW instead of UNTRUSTED as the lowest integrity rights level and its own Flash and PDF versions. I am only using UAC (deny elevation of unsigned) and Software Restriction Policies with it (deny run of basic user in user folders) with
    a) on my own PC a tuned version of AVAST (using hardened mode as whitelist for admin)
    b) on wife's laptop WSA (she shops on the internet, so really like the secure banking/shopping mode), with UAC set to silent

    On the Asus T100 which I use as a laptop (with mini mouse) when on business travel I still use IE8 (I have bought the cheap 32 GB SSD version) without Windows Defender but with AppGuard and UAC set to silent, denying unsigned to elevate (wife is also using it on our holiday; with Classic Shell 8.1 it behaves like Windows 7).

    For the knowledgeable PC user a freebie combo of EMET and MBAE for browsers is available, so computing will only become safer and safer IMO. Also I think that PC-based intrusions will evolve into web-based intrusions.
     
  13. wat0114 (Registered Member; joined Aug 5, 2012; posts: 4,069; location: Canada)
    Yes Chrome is very strong with Windows integrity levels, and not to deflate anyone's billowing sails by taking the wind out of them, but Linux does, of course, take things to another level altogether that Windows simply can't match, although obviously this would require a change in direction in the use of a preferred O/S.
     
  14. I once tried Ubuntu. I need Outlook for business; Wine just gave me too much trouble accepting meetings by mail with Outlook. The open-source Excel and Word equivalents are fine, but PowerPoint files also become a mess when they have corporate identity templates/macros. PowerPoint and Outlook problems prevent me from moving over to Linux.
     
  15. wat0114 (Registered Member; joined Aug 5, 2012; posts: 4,069; location: Canada)
    Yeah, Office incompatibility is so often the show stopper for most.
     
  16. oliverjia (Registered Member; joined Jul 21, 2005; posts: 1,926)
    Open MS Office Online in Google Chrome, or any other browser on Ubuntu. It's free and works well on Linux. For Outlook, did you have a chance to check out outlook.com?

    https://office.com/start/default.aspx
     
  17. Thanks for the link. I use outlook.com on Windows Phone and use the plug-in to synchronize with Outlook (desktop), so I have one agenda for appointments. When I tried, I could not find a way to accept appointment requests sent by my customers (via Exchange).

    I am beyond the point of no return now, because I am on Windows and Office for everything (desktop Win7, Huawei phone Win 8 RT, Asus Transformer T100 Win 8.1).
     
  18. CoolWebSearch (Registered Member; joined Sep 30, 2007; posts: 1,247)
    Just wondering, does Google Chrome 37 use user-mode hooks or kernel mode hooks?
     
  19. Gullible Jones (Registered Member; joined May 16, 2013; posts: 1,466)
    ...?

    Neither. It uses built-in Windows security mechanisms. It doesn't have to hook anything.
     
  20. CoolWebSearch (Registered Member; joined Sep 30, 2007; posts: 1,247)
    Well, I did know that Google Chrome uses built-in Windows security mechanisms, but I thought you need to have hooks (kernel-mode level or user-mode level hooks, whatever) in order to fully use Windows security mechanisms.
     
  21. Gullible Jones (Registered Member; joined May 16, 2013; posts: 1,466)
    Hooks use mechanisms provided by Windows as well, but that's a different set of mechanisms. Chrome uses existing Windows system calls for sandboxing. Kernel hooks allow you to intercept system calls yourself, and force checks on what they're doing using your own code.

    The advantage of using hooks is that you can do things the Microsoft engineers didn't think of. The disadvantage is that you need a custom kernel driver, and all the issues that entails.
     
  22. Hungry Man (Registered Member; joined May 11, 2011; posts: 9,146)
    It does use hooks, I believe, and they're userland AFAIK, but it's not important. Those hooks are about enabling the renderer, not restricting it. So the renderer process makes a call to do X but X is denied by integrity, so the broker hooks it, validates it, and does it for it.

    At least that's what I assume. I could be way off here, can't remember the Windows stuff.
     
  23. CoolWebSearch (Registered Member; joined Sep 30, 2007; posts: 1,247)
    The main reason why I brought this is because I remembered your debate with Digital from Sandboxie forums, Digital's last sentence was:
    http://forums.sandboxie.com/phpBB3/...sid=57e1f654966f02964274d64c2f14b327&start=15

    "Anyone with common sense will tell you that Kernel mode hooking (Sandboxie) is more powerful than usermode (Chrome). Since you say that you have a programming background, you'll know that to be true.

    Or this:
    Sandboxie extends the operating system (OS) with sandboxing capabilities by blending into it. Applications can never access hardware such as disk storage directly, they have to ask the OS to do it for them. Since Sandboxie integrates into the OS, it can do what it does without risk of being circumvented.

    The following classes of system objects are supervised by Sandboxie: Files, Disk Devices, Registry Keys, Process and Thread objects, Driver objects, and objects used for Inter-process communication: Named Pipes and Mailbox Objects, Events, Mutexes (Mutants in NT speak), Semaphores, Sections and LPC Ports. For some more information on this, see Sandbox Hierarchy.

    Sandboxie also takes measures to prevent programs executing inside the sandbox from hijacking non-sandboxed programs and using them as a vehicle to operate outside the sandbox.

    Sandboxie also prevents programs executing inside the sandbox from loading drivers directly. It also prevents programs from asking a central system component, known as the Service Control Manager, to load drivers on their behalf. In this way, drivers, and more importantly, rootkits, cannot be installed by a sandboxed program.


    Google Chrome:

    Design principles

    Do not re-invent the wheel: It is tempting to extend the OS kernel with a better security model. Don't. Let the operating system apply its security to the objects it controls. On the other hand, it is OK to create application-level objects (abstractions) that have a custom security model.
    Principle of least privilege: This should be applied both to the sandboxed code and to the code that controls the sandbox. In other words, the sandbox should work even if the user cannot elevate to super-user.
    Assume sandboxed code is malicious code: For threat-modeling purposes, we consider the sandbox compromised (that is, running malicious code) once the execution path reaches past a few early calls in the main() function. In practice, it could happen as soon as the first external input is accepted, or right before the main loop is entered.
    Be nimble: Non-malicious code does not try to access resources it cannot obtain. In this case the sandbox should impose near-zero performance impact. It's ok to have performance penalties for exceptional cases when a sensitive resource needs to be touched once in a controlled manner. This is usually the case if the OS security is used properly.
    Emulation is not security: Emulation and virtual machine solutions do not by themselves provide security. The sandbox should not rely on code emulation, code translation, or patching to provide security.

    Sandbox windows architecture

    The Windows sandbox is a user-mode only sandbox. There are no special kernel mode drivers, and the user does not need to be an administrator in order for the sandbox to operate correctly. The sandbox is designed for 32-bit processes and has been tested on Windows 2000, Windows XP 32 bits, and Windows Vista 32 and 64 bits.

    Sandbox operates at process-level granularity. Anything that needs to be sandboxed needs to live on a separate process. The minimal sandbox configuration has two processes: one that is a privileged controller known as the broker, and one or more sandboxed processes known as the target. Throughout the documentation and the code these two terms are used with that precise connotation. The sandbox is provided as a static library that must be linked to both the broker and the target executables.


    Other caveats
    The operating system might have bugs. Of interest are bugs in the Windows API that allow the bypass of the regular security checks. If such a bug exists, malware will be able to bypass the sandbox restrictions and broker policy and possibly compromise the computer. Under Windows, there is no practical way to prevent code in the sandbox from calling a system service.

    Sandboxie in contrast, does reinvent the wheel and gives you kernel mode sandboxing which is more robust."


    From my perspective, right now, this is getting more and more confusing to understand, minute after minute, the more I read about both sandboxes (Sandboxie and Google Chrome).
    Cheers and big thanks in advance.
     
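Hungry Man's sketch above (the renderer asks for X, the broker validates it and does it on the renderer's behalf) and the quoted Chromium design principles (least privilege, assume sandboxed code is malicious, no custom kernel code) describe the broker/target pattern. The script below is an added illustration written for this thread; it is not code from Chromium, Sandboxie or any poster. The names (run_brokered, handle_request, the allowed-directory policy) are my own, the policy is a stand-in for Chromium's real policy engine, and the sample files are constructed in a temporary directory. It shows only the broker's validation; the OS-level restriction that stops the target from simply opening files itself (on Windows, the restricted token and low integrity level) is outside this sketch.

```python
"""Broker / target split in miniature (added illustration, not Chromium code).

The target (stand-in for a renderer) never touches the file system itself; it
asks the broker over a pipe, and the broker checks every request against an
explicit policy before acting on the target's behalf. Every message from the
target is treated as hostile input, as the quoted design principles require.
"""
import json
import multiprocessing as mp
import os
import tempfile


def policy_allows_read(path, allowed_dirs):
    """Policy: the path must resolve to something inside an allowed directory.

    realpath() canonicalises '..' segments and symlinks, so a request written as
    allowed/../secret.txt is judged by where it really points, not as written.
    """
    real = os.path.realpath(path)
    for d in allowed_dirs:
        root = os.path.realpath(d)
        if real == root or real.startswith(root + os.sep):
            return True
    return False


def handle_request(request, allowed_dirs):
    """Broker side: check shape, then policy, then act. Returns (status, detail)."""
    if not isinstance(request, dict) or request.get("op") != "read":
        return ("denied", "unsupported or malformed request")
    path = request.get("path")
    if not isinstance(path, str) or not path:
        return ("denied", "bad path")
    if not policy_allows_read(path, allowed_dirs):
        return ("denied", "path outside policy: " + path)
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as f:
            return ("ok", f.read(4096))       # the broker performs the privileged act
    except OSError as exc:
        return ("error", str(exc))


def target_main(conn, requests):
    """Runs in the child process; its only channel to resources is `conn`."""
    for req in requests:
        conn.send_bytes(json.dumps(req).encode())   # fixed JSON wire format, no pickle
        conn.recv_bytes()                            # reply consumed; target keeps no authority
    conn.send_bytes(json.dumps({"op": "done"}).encode())
    conn.close()


def run_brokered(requests, allowed_dirs):
    """Broker loop. Returns the broker's own decision log, never the target's claims."""
    broker_conn, target_conn = mp.Pipe()
    child = mp.Process(target=target_main, args=(target_conn, requests))
    child.start()
    target_conn.close()
    log = []
    while True:
        try:
            raw = broker_conn.recv_bytes()
        except EOFError:                             # target went away: stop serving it
            break
        try:
            msg = json.loads(raw.decode())
        except (ValueError, UnicodeDecodeError):
            msg = None                               # undecodable bytes are simply denied
        if isinstance(msg, dict) and msg.get("op") == "done":
            break
        reply = handle_request(msg, allowed_dirs)
        log.append(reply)
        broker_conn.send_bytes(json.dumps(reply).encode())
    child.join()
    return log


def demo():
    """Constructed scenario: one allowed directory beside a file the policy forbids."""
    with tempfile.TemporaryDirectory() as tmp:
        allowed = os.path.join(tmp, "allowed")
        os.mkdir(allowed)
        with open(os.path.join(allowed, "page.html"), "w") as f:
            f.write("<html>hello</html>")
        with open(os.path.join(tmp, "secret.txt"), "w") as f:
            f.write("top secret")
        requests = [
            {"op": "read", "path": os.path.join(allowed, "page.html")},         # inside policy
            {"op": "read", "path": os.path.join(allowed, "..", "secret.txt")},  # '..' escape, caught by realpath
            {"op": "write", "path": os.path.join(allowed, "page.html")},        # operation the broker never offers
            "not even a dict",                                                  # malformed message
        ]
        return run_brokered(requests, [allowed])


if __name__ == "__main__":
    for status, detail in demo():
        print(status, detail)
```

The point to take from it is where the authority sits: the target holds nothing but a pipe, the policy check runs in the broker, and the broker's log, not the target's report, is the record of what happened. The same division is why Hungry Man's "hooks" in post 22 enable the renderer rather than restrict it.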
  24. Gullible Jones (Registered Member; joined May 16, 2013; posts: 1,466)
    @CoolWebSearch: that bit about userspace is simply incorrect, and I have no idea how the poster arrived at that conclusion. Chrome's sandbox makes use of Windows system calls that are handled by the kernel. Integrity levels and desktop objects are kernel features; likewise chroot and setuid/setgid on Linux.

    And there is always, always risk of being circumvented. Sandboxie is pretty secure stuff (for Windows anyway) but it doesn't make your OS invulnerable. Even mainframe OSes like z/OS have occasional vulnerabilities.

    Edit: maybe this will help make things clearer...

    The kernel is not the "core" of the OS. It is the workhorse. It is what does the heavy lifting of file I/O, memory management, and anything else that involves use or allocation of hardware resources (including for security purposes).

    When Notepad opens a file, it is making a system call. When Firefox connects to a website, it is indirectly making a system call (involving the TCP/IP stack). That stuff is all done through the kernel. Most kernels would be better referred to as arbiters or something like that, since it gets the idea across better, IMO. Almost any useful program asks the kernel to do something at some point.

    Anyway since most things that are worth doing maliciously really take place in the kernel, the kernel is also the only thing that can reliably stop them. Reliable methods of blocking system calls have to be done from kernel space, which is why chroot() etc. are system calls.

    Sandboxie fits in by loading a driver that modifies existing system calls, so that they first jump to some kind of check on whether they should run or not, and only jump back to the rest of the function if the check turns out okay. This is a different mechanism for doing a similar thing. It might be better in some ways, it might not be, but both methods take place in kernel space.
     
    Last edited: Sep 15, 2014
  25. Hungry Man (Registered Member; joined May 11, 2011; posts: 9,146)
    I'm quite busy, but I see GJ has posted, and my guess is that what he's said is accurate.

    From what I remember of that conversation Digital was not clear on how these things actually worked, and I was bored of trying to have a discussion about it. If I have time over the next few days I'll give a better response.
     