Sandboxie and Chrome

Discussion in 'sandboxing & virtualization' started by IceCube1010, Feb 26, 2010.

Thread Status:
Not open for further replies.
  1. IceCube1010

    IceCube1010 Registered Member

    Joined:
    Apr 26, 2008
    Posts:
    963
    Location:
    Earth
    Hi

    Is it overkill to use SBIE on Google Chrome in Win7 64? Doesn't Chrome have some kind of sandboxing of its own?

    thanks
    Ice
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    Chrome has its own sandboxing, but I don't see a disadvantage in running it under Sandboxie.
     
  3. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,464
    I think Chrome sandbox is more like for stability :D
     
  4. chinook9

    chinook9 Registered Member

    Joined:
    Jan 27, 2008
    Posts:
    431
    I can't explain the detail, but I have read a statement by Ilya (DefenseWall) that the Chrome sandbox is not secure due to Windows vulnerabilities. I don't know if these vulnerabilities exist in Windows 7 however.
     
  5. IceCube1010

    IceCube1010 Registered Member

    Joined:
    Apr 26, 2008
    Posts:
    963
    Location:
    Earth
    Thanks for the replies. SBIE and Chrome seem to run nicely together along with Avast 5.

    Ice
     
  6. twl845

    twl845 Registered Member

    Joined:
    Apr 12, 2005
    Posts:
    4,134
    Location:
    USA
    I think Shadow Defender would be a good choice to run with Chrome rather than SBie. Just because SD works so simply and thoroughly. :)
     
  7. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    4,449
    Location:
    USA
    Here is a link to a detailed explanation of how the sandbox is implemented in Chrome:

    http://blog.chromium.org/2008/10/new-approach-to-browser-security-google.html

    Based on this blog it doesn't seem like Chrome achieves the same degree of isolation from the rest of the system that Sandboxie does. But if you don't use Sandboxie and run with an admin account you get a lot of extra protection with Chrome.
     
  8. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,539
    Location:
    localhost
    As far as I know current Chrome does not cover web plugins. So, still opening up to major risks. Better to have other sandboxing ;)
     
  9. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Where does Chrome have its own sandbox? I can't see any information or options on this and I certainly haven't noticed it all the time that I've been running it. All I see is some warnings when downloading files or visiting dangerous websites, etc. :doubt:
     
  10. dawgg

    dawgg Registered Member

    Joined:
    Jun 18, 2006
    Posts:
    817
    Generally when browsing, not like Sandboxie, but some things web browsers automatically do are sandboxed (HTML rendering and JavaScript execution), so it won't save your ass when you go and download malware, won't protect from PDF exploits, but will reduce exploits and script-based trojans.

    See the link in Victek123's post.
     
  11. IceCube1010

    IceCube1010 Registered Member

    Joined:
    Apr 26, 2008
    Posts:
    963
    Location:
    Earth
    Thank you for the link. Sandboxie works with Chrome. This combo seems good with Avast 5.

    thanks
    Ice
     
  12. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    I think Chrome's sandbox relates to Chrome's engine and each tab running in its own memory space.

    So if one tab/page crashes/locks up, the engine and other tabs/pages don't crash/lock up.

    Sandboxie is way more secure.

     
    Last edited: Feb 27, 2010
  13. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    587
    Location:
    Italy / UK
    Actually, Chrome's sandbox is much more advanced than what is described above.

    Every browser tab is a separate process that runs using a very restricted token. If a new web exploit against Chrome is executed and executable code is run, it inherits the process token. But it will be the restricted token, which wouldn't allow the malicious code to go too far.

    Moreover, every separate process is run under a job object. This adds yet more security limitations to the process.

    Still, all browser tab processes are run in a dedicated desktop. This is done to prevent shatter attacks and other similar kinds of attacks.

    (There are still some other interesting things in Chrome's sandbox.)

    The Chrome sandbox's structure is much more robust and effective than it looks.

    Though, we must be sure that the system is not compromised, otherwise all Windows security mechanisms could be useless.

    As explained:

     
