Sandboxie and Chrome

Discussion in 'sandboxing & virtualization' started by IceCube1010, Feb 26, 2010.

Thread Status:
Not open for further replies.
  1. IceCube1010
    IceCube1010 Registered Member

    Hi

    Is it overkill to use SBIE on Google Chrome in Win7 64? Doesn't Chrome have some kind of sandboxing of its own?

    thanks
    Ice
  2. Cudni
    Cudni Global Moderator

    Chrome has its own sandboxing but don't see a disadvantage in running it under Sandboxie
  3. Noob
    Noob Registered Member

    I think Chrome sandbox is more like for stability :D
  4. chinook9
    chinook9 Registered Member

    I can't explain the detail, but I have read a statement by Ilya (DefenseWall) that the Chrome sandbox is not secure due to Windows vulnerabilities. I don't know if these vulnerabilities exist in Windows 7 however.
  5. IceCube1010
    IceCube1010 Registered Member

    Thanks for the replies. SBIE and Chrome seem to run nicely together along with Avast 5.

    Ice
  6. twl845
    twl845 Registered Member

    I think Shadow Defender would be a good choice to run with Chrome rather than SBIE. Just because SD works so simply and thoroughly. :)
  7. Victek
    Victek Registered Member

    Here is a link to a detailed explanation of how the sandbox is implemented in Chrome:

    http://blog.chromium.org/2008/10/new-approach-to-browser-security-google.html

    Based on this blog it doesn't seem like Chrome achieves the same degree of isolation from the rest of the system that Sandboxie does. But if you don't use Sandboxie and run with an admin account you get a lot of extra protection with Chrome.
  8. fax
    fax Registered Member

    As far as I know current Chrome does not cover web plugins. So, still opening up to major risks. Better to have other sandboxing ;)
  9. raven211
    raven211 Registered Member

    Where does Chrome have its own sandbox? I can't see any information or options on this and I certainly haven't noticed it all the time that I've been running it. All I see is some warnings when downloading files or visiting dangerous websites, etc. :doubt:
  10. dawgg
    dawgg Registered Member

    Generally when browsing, not like Sandboxie, but some things web browsers automatically do are sandboxed (HTML rendering and JavaScript execution), so it won't save your ass when you go and download malware, won't protect from PDF exploits, but will reduce exploits and script-based trojans.

    See the link in Victek123's post.
  11. IceCube1010
    IceCube1010 Registered Member

    Thank you for the link. Sandboxie works with Chrome. This combo seems good with Avast 5.

    thanks
    Ice
  12. Franklin
    Franklin Registered Member

    I think Chrome's sandbox relates to Chrome's engine and each tab running in its own memory space.

    So if one tab/page crashes/locks up, the engine and other tabs/pages don't crash/lock up.

    Sandboxie is way more secure.

    Last edited: Feb 27, 2010
  13. EraserHW
    EraserHW Prevx Moderator

    Actually Chrome sandbox is much more advanced than what is described above.

    Every browser tab is a separate process that runs using a very restricted token. If a new web exploit against Chrome is executed and executable code is run, it inherits the process token. But it will be the restricted token, which wouldn't allow the malicious code to go too far.

    Moreover, every separate process is run under a job object. This adds yet more security limitations to the process.

    Still all browser tab processes are run in a dedicated desktop. This is done to prevent shatter attacks and other similar kinds of attacks.

    (There are still some other interesting things in Chrome sandbox)

    Chrome sandbox's structure is much more robust and effective than what it looks like.

    Though, we must be sure that the system is not compromised, otherwise all Windows security mechanisms could be useless.

    As explained:

    Attached Files:
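
Added example, not part of the thread or of any post above: a PowerShell check that lists running `chrome.exe` processes and reports two of the mechanisms EraserHW describes (job object membership and a restricted token), which also answers the question of where the sandbox can be seen. It assumes PowerShell 3.0 or later on Windows Vista or later and that Chrome child processes carry a `--type=` switch on their command line; `SandboxCheck.Native` and `Get-SandboxState` are names made up for this example.

```powershell
# Added example (not from the thread). Read-only queries against running chrome.exe processes.
Add-Type -Namespace SandboxCheck -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool IsProcessInJob(IntPtr process, IntPtr job, out bool result);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool IsTokenRestricted(IntPtr token);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@

$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
$TOKEN_QUERY = 0x0008

function Get-SandboxState {
    param([uint32]$ProcessId)
    $state = [ordered]@{ InJob = $null; RestrictedToken = $null }  # $null = could not query
    $proc = [SandboxCheck.Native]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $ProcessId)
    if ($proc -eq [IntPtr]::Zero) { return $state }
    try {
        $inJob = $false
        # A null job handle asks whether the process belongs to any job object.
        if ([SandboxCheck.Native]::IsProcessInJob($proc, [IntPtr]::Zero, [ref]$inJob)) {
            $state.InJob = $inJob
        }
        $token = [IntPtr]::Zero
        if ([SandboxCheck.Native]::OpenProcessToken($proc, $TOKEN_QUERY, [ref]$token)) {
            # True when the token carries restricting SIDs.
            $state.RestrictedToken = [SandboxCheck.Native]::IsTokenRestricted($token)
            [void][SandboxCheck.Native]::CloseHandle($token)
        }
    } finally {
        [void][SandboxCheck.Native]::CloseHandle($proc)
    }
    return $state
}

Get-CimInstance Win32_Process -Filter "Name = 'chrome.exe'" | ForEach-Object {
    $s = Get-SandboxState -ProcessId $_.ProcessId
    [pscustomobject]@{
        ProcessId       = $_.ProcessId
        Type            = if (-not $_.CommandLine) { 'unknown' } elseif ($_.CommandLine -match '--type=([\w-]+)') { $Matches[1] } else { 'browser' }
        InJob           = $s.InJob
        RestrictedToken = $s.RestrictedToken
    }
} | Format-Table -AutoSize
```

`InJob` is true for membership in any job object, so on its own it does not identify Chrome's job, and the dedicated desktop is not checked here. An empty value in either column means the query was denied or the process had already exited.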