Sandboxie and Java

Discussion in 'sandboxing & virtualization' started by Page42, Jun 17, 2011.

Thread Status:
Not open for further replies.
  1. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    At one time when I used Kmeleon I made a script for it that allowed me to right click on a web page and open it in a specific sandbox. It would have been perfect for this purpose, so that when you come across a website that needs java, and you really wanted to use it etc, you could right click and start that webpage up in your 'java box'.

    The only drawback for me and multiple sandboxes is when I am not forcing something into them, I have to manually start them in the proper sandbox. Not a big deal really considering what SBIE allows me to do.

    Sul.
     
  2. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Without a doubt, yes.
    But remember, I am not proposing that the JavaBox be deleted each time, simply because I wasn't proposing that Java be installed in a separate box. ;)

    Instead, consider the ease of this scenario... any time I need to have Java, I have a separate box wherein java.exe is given Internet Access and Start/Run Access. I have it set to auto delete.

    This way it is always emptied out, and there is no need to keep installing Java, and it is the only sandbox in which Java is permitted to run with my browser.

    I think I found a method... thanks in large part to the ideas you have put forth.

    What do you think?

    :)
     
  3. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    You are just going at it from a different angle, it is very much the same. The exception to this is that if you install java into the host OS, and you start a browser or whatever outside of the sandbox, and it uses java, then you are at the mercy of whatever it is that might happen.

    I don't think there is a problem other than that. My idea is to minimize the host OS exploitations while still maintaining ease of use. But really, I have had java installed many times on the host OS and do all of my browsing in sandboxie, using my standard restrictions, and have never to my knowledge been compromised. The important part is that the browser or activity using java is contained and that you understand certain activities that are sensitive should be kept strictly contained to a clean environment, IMO.

    Sul.
     
  4. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Yes, that makes perfect sense.
    And this tends to lead to the multiple and varied sandbox philosophy.

    At present time, I have a sandbox for regular browsing.
    I have a dedicated sandbox for financial transactions.
    I now plan to create one for use with Java exclusively.
    I also have an Outlook Express sandbox, plus a media player sandbox and PDF viewer sandbox, although the media player and PDF viewer programs also can open in the regular browsing sandbox.

    As time goes by and my experience with Sandboxie grows and evolves, I will devise new ways of using it.
     
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I was thinking about the web browser. Can't you whitelist plugins on a per-site basis?
     
  6. lws

    lws Registered Member

    Joined:
    Aug 28, 2009
    Posts:
    196

    Well....just for the h*** of it I just ran the Java sandbox. In Restrictions, under Internet Access and Start/Run Access, I have only Chrome.exe and java.exe allowed. So this time I have "auto delete" checked. Chrome is not forced, by the way. Now I want to go to my crossword site, which needs java to run. I right click the Google chrome.exe icon, a window comes up and I click "run sandboxie", and the sandboxie window comes up and I select "java sandboxed" from the menu. Chrome comes up sandboxed, I go to my crossword site and chrome asks me if I want to run java, which I do, and voila, java kicks in and I am able to do the crossword. Upon finishing and closing down Chrome, it automatically deletes. Java.exe is still there in Internet Access and Start/Run Access along with Chrome.exe, ready to go again when needed. Nothing was lost and I didn't have to reactivate anything. So did I do anything wrong here? Was it a mistake to autodelete? Feedback is appreciated.
     
  7. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    And in the exception you noted above ("install java into the host OS, and you start a browser or whatever outside of the sandbox, and it uses java, then you are at the mercy of whatever it is that might happen"), when a browser is started outside of sandboxie (rare, because I force IE to start sandboxed), I do have OA configured to RunSafer on one of my computers. That's another security layer that can help. :)
     
  8. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    More and more I create sandboxes for specific purposes. One aspect I really love about how SBIE works is that if I am using my Chromium sandbox, and I click on a video/music file, it is downloaded to my downloads directory, and normally whatever I execute in there (even from my Chromium sandbox) starts in my Downloads sandbox. This allows me to spawn a process from one sandbox that is forced into another with different rights/restrictions easily. If I were to download a video file, and then execute it from the Chromium sandbox, and it lives in the downloads sandbox, it is actually run within the Media sandbox.

    I absolutely love this program.

    Sul.
     
  9. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Verify. You do NOT have java installed to the host OS.

    You DO have java installed to the java sandbox.

    Depending on whether you have java installed to the host OS or not will determine whether you delete the contents of the sandbox or not, in this case. If java is on the host OS, you can delete the sandbox every time. If java is only installed into the sandbox, you do not delete the sandbox unless you want to reinstall java to the sandbox again.

    Sul.
     
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I don't know if you already do it, but you can prevent processes inside of X sandbox from reading files/folders in the operating system (outside of the sandbox) that you consider shouldn't be accessible by the sandbox.

    As an example, I can forbid my media player sandbox from accessing my Chromium profiles. There's no point in allowing it. There's no danger in allowing either, but why not restrict it?

    Sandboxie allows you to do a lot... Recently, I've found that I can force a program to run inside Sandboxie, without actually letting it run at all. I force the program and then in the Start/Run access permissions I allow a bogus process. I have IE as the default web browser and forced this way. (I could block it in AppLocker, but Sandboxie makes it easier for whenever I actually may need to use it.)

    As I sure am and will as well!
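
Added example (not posted by any participant in the thread): a Sandboxie.ini sketch of the boxes described in posts 6 and 10. The box names and the Chromium profile path are hypothetical, and the setting names are given as Sandboxie Control writes them for the corresponding GUI options, which is an assumption to check against your own Sandboxie.ini.

```ini
# Post 6: Java-only box. Only chrome.exe and java.exe may start or
# reach the network; contents are wiped when the last program exits.
# Auto-delete costs nothing here only while Java is installed on the
# host OS rather than inside the box (see post 9).
[JavaBox]
Enabled=y
AutoDelete=y
ProcessGroup=<StartRunAccess>,chrome.exe,java.exe
ClosedIpcPath=!<StartRunAccess>,*
ProcessGroup=<InternetAccess>,chrome.exe,java.exe
ClosedFilePath=!<InternetAccess>,InternetAccessDevices

# Post 10: media player box that cannot read the browser profile.
# The profile path is a constructed example.
[MediaBox]
Enabled=y
ClosedFilePath=%Local AppData%\Chromium\User Data\*

# Post 10: IE is forced into a box where only a nonexistent program
# has Start/Run access, so IE is captured by the box and then refused.
[BlockedIE]
Enabled=y
ForceProcess=iexplore.exe
ProcessGroup=<StartRunAccess>,no-such-program.exe
ClosedIpcPath=!<StartRunAccess>,*
```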
     
  11. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    I'm going to have to take my time with this and try to understand it better, because I think it sounds super excellent. If I followed your lead with downloading to a downloads directory, then I wouldn't be running into the situation wherein the media player and PDF viewer programs are also opening in the regular browsing sandbox. But then again, I have configured SBIE to operate that way (I guess for convenience?) by granting the media player and PDF viewers access. Hmmmmm.
     
  12. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    To the best of my knowledge, with IE8.0, I am not able to do that.
     
  13. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    One of the best things that happened to me was using a downloads directory. Some of it was due to using SBIE, some of it to using SRP in XP. I used to download items to an archive location. As I started dumping firewalls and AVs, I had to focus on controlling what was happening a little more. At first I did not like having everything downloading without me controlling it (renaming, choosing destination etc). But as time went by I started to appreciate what I could do with a dedicated downloads directory, and how I could use it to my advantage, both with Sandboxie as well as many OS aspects. Now, I would never go back to not using it. It keeps me better secured, takes less time to manage my downloading, and keeps EVERYTHING that I download in one place. I don't always recognize what is in there because I did not specifically name them, but at least I know where it all is at and don't wonder "where did I tell that to save to?" anymore.

    Sul.
     
  14. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    I don't already do that. I am somewhat aware (do you like that term... somewhat aware?) that the configurability exists, but I have not paid close attention to it. Maybe if I learned of more reasons for employing that strategy, I would feel compelled to use those restrictions. :)
     
  15. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    You know how it is said around here that you need to "layer" your security? That is basically what I do with Sandboxes. I don't lump everything into one sandbox, but rather be more specific, so that I can control just what will be allowed for media applications, or each browser. Sometimes it takes a bit of thinking to set everything up, but the end result is that I know, without a doubt, that if I am watching a video or listening to a song, unless it is viewed in a browser, it is starting in my sandbox, and I know exactly what will or will not happen within that sandbox, and I know whatever happens will stay there.

    It is how I layer things ;)

    Sul.
     
  16. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Oh, OK. :oops: You use IE and also Windows XP, which makes it impossible to use IE9, since Microsoft doesn't provide support for XP, if I still remember well. :blink:

    Well, I know you didn't ask for it... But you can at least whitelist Flash player. If you go to the add-ons manager and right-click the Flash player and choose More information, you can then remove * (which means all sites) and then you'll be asked whether you'd like to allow Flash or not.

    As for Java... it gets trickier... :( Java (in the add-on manager) does allow you to do the same as mentioned above, but it doesn't work at all. :mad:

    You could try looking at the OA settings to see if it would allow you to restrict Java processes' access to specified domains/IPs (domains would be best) only.
     
  17. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Well said, Sul.
    I feel like I am moving more in that direction as well.
    The goal is to be safe, to have control, and yet still retain a decent degree of usability. :cool:
     
  18. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Exactly! Those can be mutually exclusive very easily! That is exactly what I aim for, all of the time, and it is why I like to look at obscure ways of achieving it!

    Sul.
     
  19. chris1341

    chris1341 Guest

    How do you achieve that? I thought the forced folder superseded the forced program. If that is right how do you get a file in a forced folder to launch in a specific application sandbox rather than the folder box?

    I've left my folder rules quite open in terms of start/run - replicating my media player/reader etc box rules so I could run them from the download folder but if there is a way of the program taking precedence I can tighten that up.

    Thanks
     
  20. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I don't know how I achieved that. All I know is that if I download a .txt file with Chromium, and then from Chromium execute it (from the bottom by clicking on it), it opens up in my "Downloads" sandbox. If I download an .mp3 from Chromium, and click it, it opens up in my "Media Player" sandbox, even though it lives in the downloads directory and is initiated by my browser.

    Sul.
     
  21. chris1341

    chris1341 Guest

    OK thanks I'll have a play about with it. Thought it was maybe some trick I was missing. I've maybe made too many assumptions about precedence without adequately testing.

    I take it you are allowing direct access to your download directory in Chromium?

    Cheers
     
  22. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Yes, I allow direct access, and that direct access applies to my main browser boxes as well as the downloads box and the media player box. Now that you mention it, that might be why it has worked. Never thought about it before.

    Sul.
     
  23. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Maybe it is because you're forcing a folder?

    Because, if I force Chromium to its sandbox and open something with it, it will open in Chromium's sandbox (it fails because it lacks permissions, though).

    I'm not forcing the downloads folder, though. Hence my question. :doubt:
     
  24. lws

    lws Registered Member

    Joined:
    Aug 28, 2009
    Posts:
    196
    Yes java is installed to the host OS so I can delete the sandboxie every time. Thanks Sully for the response.
     
  25. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I force directories, yes. I also have certain rules in place depending on the box to deny certain things and often to allow direct access. It all depends. I think it is because of the direct access as chris1341 mentioned. That makes the most sense anyway without actually testing it.

    When I had a firefox box that was set to delete, I did not give that direct access, and it opened files downloaded within itself if I remember correctly. Firefox.exe was forced to that box btw.

    Sul.
     