Sandboxie technical tests and other technical topics discussion thread

Discussion in 'sandboxing & virtualization' started by MrBrian, Oct 17, 2014.

  1. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,332
    Location:
    US
    CoolWeb, your knowledge is impeccable. But now, like I've said before, you've got to start trusting these programs or else, what is left?

    I would like to add one thing to what is admittedly my opinion: now is the time to also start trusting YOURSELF!

    Acadia
     
  2. 142395

    142395 Guest

    Hi, sorry for late reply but here's my search results:
    autoexec.bat: it seems there was one (possibly depending on settings) under the root directory as a dummy file on Win7 (an OS system file), but it seems it no longer exists.

    boot.ini: completely replaced by Boot Configuration Data, as NTLDR was replaced by Windows Boot Manager. No longer exists.

    config.sys: again, it seems there was one, or it depends on settings, but it didn't exist on my system.

    io.sys: no longer exists.

    msdos.sys: no longer exists.

    c:\ntldr\: no longer exists.

    ntdetect.com: couldn't find a source easily.

    So, unfortunately none of them will take effect on Win7. We have to replace this part for Win7 and later.
     
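The check behind the post above, written as an added example (not code from the thread or from Sandboxie): it reports which of the listed legacy boot-chain files still exist on the machine, alongside the Vista-and-later files that replaced them, and prints suggested Sandboxie.ini read-only lines for the ones that do exist. Assumptions: a standard BIOS-boot install (on UEFI systems bootmgr and the BCD store live on the EFI System Partition, not the system drive), that ReadFilePath is the setting you want for the replacement paths, and that 'DefaultBox' stands in for your box name.

```powershell
# Added example, not code from the thread. Reports which legacy boot-chain files the post above
# lists still exist on this machine, alongside their Vista-and-later replacements, and prints
# suggested Sandboxie.ini read-only lines for the ones that do exist.
# Assumptions: a standard BIOS-boot install (on UEFI machines bootmgr and the BCD store live on
# the EFI System Partition, not on the system drive); the box name 'DefaultBox' is a placeholder.

$sysDrive = "$($env:SystemDrive)\"      # e.g. C:\
$sysRoot  = $env:SystemRoot             # e.g. C:\Windows

# NT 5.x / DOS-era files queried in the post.
$legacy = 'autoexec.bat','boot.ini','config.sys','io.sys','msdos.sys','ntldr','ntdetect.com' |
    ForEach-Object { Join-Path $sysDrive $_ }

# What replaced them from Vista onward (boot manager, BCD store, OS loader), plus the kernel
# components the thread argues about.
$modern = @(
    (Join-Path $sysDrive 'bootmgr'),
    (Join-Path $sysDrive 'Boot\BCD'),
    (Join-Path $sysRoot  'System32\winload.exe'),
    (Join-Path $sysRoot  'System32\ntoskrnl.exe'),
    (Join-Path $sysRoot  'System32\win32k.sys')
)

function Get-BootFileStatus {
    param([string[]]$Paths, [string]$Category)
    foreach ($p in $Paths) {
        # -Force is needed: these files carry Hidden+System attributes.
        $item = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Category   = $Category
            Path       = $p
            Exists     = [bool]$item
            SizeBytes  = if ($item) { $item.Length } else { $null }
            Attributes = if ($item) { $item.Attributes.ToString() } else { '' }
        }
    }
}

$report = @(Get-BootFileStatus -Paths $legacy -Category 'legacy') +
          @(Get-BootFileStatus -Paths $modern -Category 'modern')
$report | Format-Table -AutoSize

# Sandboxie.ini lines to put under the box section (e.g. [DefaultBox]) for paths that exist.
# ReadFilePath keeps the real file readable but not writable from inside the box; a 0-byte
# legacy dummy (size 0) is harmless and gets no entry.
$report | Where-Object { $_.Exists -and $_.SizeBytes -gt 0 } | ForEach-Object {
    "ReadFilePath=$($_.Path)"
}

# boot.ini's replacement is the BCD store; listing it needs an elevated prompt.
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
           ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if ($isAdmin) { bcdedit /enum '{default}' } else { Write-Host "Not elevated: skipping bcdedit /enum." }
```

Run it unelevated to get the file table and the suggested lines; rerun from an elevated prompt if you also want the BCD entry that took over boot.ini's role. The printed ReadFilePath lines are a starting point to paste into the box's section of Sandboxie.ini, not something the script writes for you.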
  3. 142395

    142395 Guest

    One point: in a sandboxed environment, you don't need to elevate privileges to change those usually protected folders/files/registry keys. And those changes take actual effect in the sandboxed environment. I confirmed I can change e.g. win32k.sys without elevation unless I set read-only. If I set read-only, I can't change it even with elevation. I don't know what CWS wants to do, I have no interest, and it seems he doesn't understand that making those components read-only doesn't stop a kernel exploit. But I won't mess with this.
     
  4. 142395

    142395 Guest

    Yep, regular backup is part of common-sense security, and it is much more than just for security :). It only takes 20 min to restore my system from a previous image (I currently use Macrium, after using some others).
     
  5. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    And I was not referring to kernel exploits, Yuki, just whether the read-only thing can be used for those locations that are unblockable with ClosedFilePath (like win32k.sys, drivers, kernel32.dll).
    I believe it will enhance Sandboxie's protection against everything except kernel exploits and inside-browser attacks.
    It seems to me that Chrome has the advantage here, since those locations I mentioned are unblockable for Sandboxie; however, you cannot access those locations if you are using Google Chrome.
    However, my greatest fear is drive-by downloads without user interaction/intervention, by simply visiting exploited and infected web pages.
    I've seen several examples live.
    But I'm not sure what the next step is when you get attacked by a drive-by download; what happens next? Will malware install without you even knowing anything is happening while you surf the net?
    So far Sandboxie and Google Chrome (and I mean Google Chrome's own sandbox, not vulnerable parts of Chrome like Flash Player etc. that have been bypassed) have never been bypassed, so at least people should use them as another layer of protection against drive-by downloads without user interaction.
     
  6. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Do you talk about Sandboxie here or UAC thing?
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    The greatest fear is fear itself. If you delete your sandbox, anything downloaded and "installed" is gone.
     
  8. Answering for someone else could lead to confusion, so apologies should that happen.

    I have not played with SBIE lately, but I guess... when you run SBIE without Drop Rights, the application has access to admin-level/elevated privileges. Yuki succeeded in changing win32k.sys, but in fact changed the copy in the sandbox. He did not explain whether he bypassed UAC or had UAC disabled when changing win32k.sys, so my guess is that he was talking about SBIE.
     
  9. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    False. For example, there have been several Adobe Flash zero-day exploits within the past few months.

    There is a well-known way to bypass UAC without a prompt on Windows 7 or later if UAC slider is at default. I recently posted about another promptless way to bypass UAC on Windows 8.x even if UAC slider is set to maximum level. (I use UAC, and set it to max level; I use a standard account for everyday stuff though.)
     
  10. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    This sentence in bold reminds me of a comic book character, Scarecrow. It's a good thing that you can delete the sandbox and everything is gone.
     
  11. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Well, Littlebits does say that UAC has been bypassed; however, he claims that it is harder to bypass UAC than Sandboxie (because UAC is part of the OS, and that's before it's a much rarer thing (and also harder) to bypass UAC than Sandboxie). Somehow I just don't agree with this.
     
  12. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Here are some explanations for win32k.sys and Google Chrome:
    http://googleprojectzero.blogspot.com/2014_10_01_archive.html

    About Google Chrome's security and future plans:
    http://www.chromium.org/developers/design-documents/site-isolation

    And here is complete explanation on Google Chrome and its own sandbox and how exactly it protects, what are its limitations, against what it can and can't protect and etc.:
    http://seclab.stanford.edu/websec/chromium/chromium-security-architecture.pdf

    "Chromium's rendering engine contains approximately 1 000 000 lines of code (excluding blank lines and comments), whereas the browser kernel contains approximately 700 000 lines of code."

    This is one of the parts I found (read under Arbitrary Code Execution):
    "Although "number of CVEs" is not an ideal security metric, this data suggests that Chromium's division of responsibilities between the browser kernel and the rendering engine places the more complex, vulnerability-prone code in the sandboxed rendering engine, making it harder for an attacker to read or write the user's hard drive by exploiting a vulnerability.
    Moreover, most of the remaining vulnerabilities would not have been mitigated by additional sandboxing, suggesting that assigning more tasks to the rendering engine would not significantly improve security."
     
    Last edited: Feb 10, 2015
  13. 142395

    142395 Guest

    And what types of threats? For drive-by, start/run restrictions will block them. For in-memory malware, changing those vital components is a ridiculous blunder. The main advantage of in-memory malware is stealthiness. But if it tried to change them, that usually causes a UAC prompt. Even when the user has disabled UAC, it still obviously stands out to any decent AV. Thus it completely kills the main benefit of in-memory malware. That restriction will only matter when an attacker specifically targets SBIE users, and in that case sure, the attacker can abuse those easier modifications with little effort. Oh, BTW, why do you still call Flash a vulnerable part? Though Flash is surely close to a security nightmare, didn't you see the recent Flash 0day exploits which couldn't run on Chrome due to the sandbox?
     
  14. 142395

    142395 Guest

    Nobody but CWS fears those things, as we all know none of the ITW malware actually abuses them. But still, digging into those more and adding read-only makes sense. It's not uncommon practice in the security field to take countermeasures for even quite unlikely theoretical threats, e.g. POODLE. Past and known facts are good references, but we security-conscious guys like to look more at the future and the unknown (as almost a h*bby... lol). So far I haven't experienced any negative effect from those read-only settings.
     
  15. 142395

    142395 Guest

    Thanks Kees, and sorry for not being clear. I use LUA with max UAC, but in the sandboxed or redirected environment, changing those components doesn't cause any warning or prompt. This is for compatibility's sake. As the sandboxed process runs at untrusted IL with an anonymous user token, SBIE has to lower permissions on those sandboxed resources to keep as much compatibility and usability as possible. It's understandable.
     
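A way to verify what the last two posts describe (the sandboxed write lands in the box's private copy and the host file is untouched), as an added example that is not code from the thread or from Sandboxie: it hashes the real system file and the copy Sandboxie keeps in its container, if one exists, and reports whether only the container copy differs. Assumptions: the default container location C:\Sandbox\<user>\<box> with redirected files stored under drive\<letter>\<path> (adjust $boxRoot if FileRootPath was changed), and placeholder values for the box name and the two file paths.

```powershell
# Added example, not code from the thread. Confirms that a "modification" made from inside a
# Sandboxie box only touched the box's private copy: the real system file is hashed and compared
# with the copy Sandboxie keeps in its container, if one exists.
# Assumptions (adjust if FileRootPath was changed): the default container location
# C:\Sandbox\<user>\<box>, with redirected files stored under drive\<letter>\<path>;
# 'DefaultBox' and the two file paths below are placeholders.
param(
    [string]$BoxName = 'DefaultBox',
    [string[]]$RelativePaths = @('Windows\System32\win32k.sys', 'Windows\System32\kernel32.dll')
)

$boxRoot   = Join-Path "C:\Sandbox\$env:USERNAME" $BoxName
$driveName = $env:SystemDrive.TrimEnd(':')          # 'C'

function Compare-SandboxedFile {
    param([string]$Relative)
    $hostPath  = Join-Path "$($env:SystemDrive)\" $Relative
    $boxedPath = Join-Path $boxRoot "drive\$driveName\$Relative"

    $hostHash    = (Get-FileHash -LiteralPath $hostPath -Algorithm SHA256).Hash
    $boxedExists = Test-Path -LiteralPath $boxedPath
    $boxedHash   = if ($boxedExists) { (Get-FileHash -LiteralPath $boxedPath -Algorithm SHA256).Hash } else { $null }

    [pscustomobject]@{
        File          = $Relative
        HostSHA256    = $hostHash
        CopyInBox     = $boxedExists
        BoxSHA256     = $boxedHash
        # True means the sandboxed program rewrote the file and only the container copy changed.
        ModifiedInBox = ($boxedExists -and $boxedHash -ne $hostHash)
    }
}

$RelativePaths | ForEach-Object { Compare-SandboxedFile $_ } | Format-List

# To also prove the host copy is the genuine, untampered Windows binary, run from an elevated
# prompt:  sfc /verifyfile=C:\Windows\System32\win32k.sys
```

Save it as a .ps1, do the write from a program started under Sandboxie (as in the posts above), then run the script from a normal, unsandboxed prompt: a CopyInBox of True with a different BoxSHA256 and an unchanged HostSHA256 is the expected result. After "Delete Contents" on the box, CopyInBox goes back to False.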
  16. 142395

    142395 Guest

    Though I agree with his claim about BIOS, OS, and application security, following wat0114 (#992), there should be many caveats and exceptions. Much spyware and user-mode malware doesn't require elevation, so in this case UAC is not relevant. Code signing shouldn't be used as a barometer for legitimacy; actually there's a lot of signed malware. His suggestion about SBIE recovery for a combined installer seems to be almost a joke; SBIE can't specifically recover or not recover each registry change. The list goes on... As some guys already commented, I don't understand why he compares apples with oranges. UAC is not even a security feature; what brings security is the use of a non-admin user, and UAC just makes the UX with a limited user account more comfortable. All that confusion is probably introduced because he mostly speaks based on his experience. The interesting thing is, when people who are in charge of malware removal start to discuss, many disagreements and conflicts often arise. This made me hold myself back from speaking solely on my experience, as mine is even more limited.
     
  17. 142395

    142395 Guest

    Are you aware that I actually answered all of them? I read the paper, yup, an interesting one, as well as --enable_win32k_renderer_lockdown in another link, good find. But as to the quoted part, nothing new if you truly understood what I said before and can correlate it with those. It's all a matter of real understanding, and you're just repeating the same things again and again with a slightly and superficially different look. I guess Pete will come in here.
     
  18. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    So, what's the problem? I posted this as credit to confirm everything you said about Chrome and sandboxing in general. However, with one exception: by default Chrome does have access to win32k.sys, unless you do the trick with --enable_win32k_renderer_lockdown, that's all.
     
  19. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Yes, I did; Chrome was the only web browser secure against these Flash Player 0day exploits. Sure, UAC will help, but if you have Sbie with restrictions without AV, but if you don't use UAC, if you only have Sbie with restrictions, well, whatever, I think DropMyRights can help here. I don't know about the restrictions thing, but from what I've seen so far, the DropMyRights feature in Sandboxie is better, more secure, and tighter than UAC; Sandboxie's DropMyRights feature is much more like AppGuard's Protected Apps feature: it makes sure the "restricted" applications, processes, DLLs, EXEs and everything else (inside Sandboxie) will always run in a very limited environment.
    Whatever, I will not post about this anymore.
     
    Last edited: Feb 11, 2015
  20. sweater

    sweater Registered Member

    Joined:
    Jun 24, 2005
    Posts:
    1,678
    Location:
    Philippines, the Political Dynasty Capital of the
    I'm using Firefox and I can save images when I right-click with it, but if it is under Sandboxie protection I cannot save images. When I right-click and click Save Image As... nothing happens.

    What should I do? What restriction should I configure in order to save images when browsing the web under Sandboxie protection?

    Actually, this happened after I installed the Opera browser and used it. (I didn't use it under Sandboxie, but instead used SpyShelter in restriction mode.) But even though I've already uninstalled and removed Opera, my Firefox with Sandboxie still cannot save images when I right-click. In the past, before Opera, I could right-click and save images using Firefox with Sandboxie.
     
  21. 142395

    142395 Guest

    That's weird; I can save images without a problem in the latest Firefox under SBIE. And if you haven't configured those restrictions, they shouldn't be the problem. If not, test it with the default sandbox.
    I guess the culprit would be SpyShelter. I don't know SS much, but make sure you white-listed all SBIE-related stuff in SS.
     
  22. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    Firefox Tools > Options > General: make sure the folder you set Firefox to save to is one of the folders you have added to Sandboxie Quick Recovery.

    Sandboxie Control > Sandbox > DefaultBox > Sandbox Settings > Recovery > Quick Recovery, add the download folder.

    If the above is properly set, check for conflicts with another program.

    Bo
     
    Last edited: Feb 17, 2015
  23. sweater

    sweater Registered Member

    Joined:
    Jun 24, 2005
    Posts:
    1,678
    Location:
    Philippines, the Political Dynasty Capital of the
    I've tried doing that, but still nothing happens. I even tried disabling and exiting my SpyShelter program, but still the same.

    Again, this happened only after I installed the Opera browser. I couldn't figure out what Opera did to my PC that makes Firefox with Sandboxie unable to save images.
     
  24. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    Hi Sweater, try running Firefox in a new sandbox with default settings. Perhaps a setting in your old sandbox is corrupted.

    Sandboxie Control > Sandbox > Create New Sandbox

    Don't change settings other than the ones in Quick Recovery.

    Bo
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    BTW, perhaps some of you have already read about this in another thread, but I'm considering stopping using SBIE as an anti-exploit tool, unless MBAE and HMPA will play nicely with SBIE, because then you've got double protection. That would be the best scenario. Of course, I would continue to use SBIE as a software testing tool.

    But another reason I thought about this is that Firefox was acting weirdly inside the sandbox (high CPU usage); it stopped after cleaning the sandbox, but then started again after a while. A question: do you guys let your browsers have direct access to bookmarks and the profile folder? It bugged me a bit that after cleaning the sandbox my favorites were gone; I forgot to make a backup. I could have prevented this with the "direct access" feature, am I correct?
     