Window Zones-- a new sandbox?

Discussion in 'other anti-malware software' started by aigle, Dec 31, 2006.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
  2. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,675
    Location:
    South Wales, UK
    Looks interesting. But how does it compare with all those other 'sandbox' type applications out there? Does appear to be very simple to use. Has apparently had a beta phase but I have not heard of it until now.

    Anyone out there have any more detailed knowledge?:)
     
    Last edited: Jan 1, 2007
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,579
    Location:
    The Netherlands
    Yes I would like to get some feedback about this app, positive things are that it does not use that many resources, interface is also quite simple. My virtual machine did crash twice upon exit though, might be a conflict with SSM Pro.

    But of course the question is how powerful is this tool? I have noticed that you can sandbox/unsandbox applications "on the fly" but does this basically mean that it strips admin privileges from processes, or is it a real sandbox? :rolleyes:
     
  4. Kenjin

    Kenjin Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    63
    Gave it a very quick test. It's a real kernel-based sandbox. A simple one that uses no virtualization, just imposes restrictions on the process that runs inside the sandbox like blocking driver installs, blocking process modification (buggy btw), denying write access to the Program Files folder, etc. Can be compared closest to DefenseWall, i.e. not that impressive IMHO.
     
  5. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,675
    Location:
    South Wales, UK
    Hi Kenjin

    Thanks for the update. Can you provide some more detail as to why you think that it is not impressive? That would be very useful for someone who is not really into this sort of app, but is interested in using them in the future.:D
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Tried it very briefly. Lightweight. No slowdowns at all and uses little resources.
    It's somewhat like GesWall and DefenseWall (with a bit of a mixture of the two). I threw some malware at it that was effectively blocked.
     
  7. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,531
    Location:
    British Columbia
    Still playing, aigle?
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    No, it's gone already. Sorry
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,579
    Location:
    The Netherlands
    Anyone else with an opinion? Is this a truly powerful sandbox or is it all hype? I'm especially interested to hear about their patented technology that can move processes into and out of the sandbox "on the fly". ;)
     
  10. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    I've installed it under VMWare, but it doesn't work properly for me. Cannot move anything into the "Safe Zone". But, according to their driver's size and structure, I don't think it is 100% driver level defense (but it naturally needs to be checked on a properly working WZ).

    As for "patented technology": half of it (move processes into "untrusted" zone on the fly) had been implemented with DW in 2005. The other half is highly dangerous stuff: 100% insecure.
     
  11. davepl

    davepl Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    5
    I work for the company that produced it, so I'll give you a little more info on exactly how it works. I'm biased, of course, but hopefully the info will be helpful! If you have other feedback, please post it to this thread and I'll make sure it gets heard for the next version!

    What WindowZones does is create a sandbox zone called the "SafeZone". In the safezone any process that is launched within it (for example, by creating a rule to run IE in the safezone) is hooked -before- it can execute any instructions at the kernel level.

    The token for the process is then inspected, and a new token is created for it. This new token will be a clone of the original except that any and all administrative rights will be stripped. This of course gives you the benefit of running the process as a guest, except you retain your original SID identity so that your favorites, links, etc all still work.

    The original token is cached, so that if you want to revert the process, just drag it back to the Admin zone. Of course once a process has -ever- been in the admin zone you can't fully trust it (it could create new threads or tokens for later malicious use, but you presume a known app like IE won't intentionally do this).

    One of the patent-pending features (by the way, it's the lawyers that patent things and the marketers that mention it, as programmers we just thought it was a cool idea) is the ability to swap out tokens on the fly. This means you can move an app in and out of the sandbox without a restart, and the only change to the process is whether it will hold administrative rights... nothing else changes from the process's point of view. This is useful because you can keep IE in the safezone until you need, temporarily, to be in the admin zone so that you can install something like Acrobat reader. Do the install, then move it back to the safezone with no restart of the process.

    We spent a ton of time on app compat, not in terms of hacks, but in terms of the underlying token management to ensure that apps just work. As you're likely aware, if you try to run Outlook with a restricted token (as created by the CreateRestrictedToken api) it doesn't work at all. With WindowZones, as far as we know, all apps work perfectly (except those that actually need admin rights, for example).

    There is -no- process overhead, so no slowdown. It doesn't do any virtualization, because it relies on the NT kernel to do any security enforcement. Another nice aspect of this approach is that we couldn't "miss" anything. Whereas a virtualization approach has to hook all the important APIs, and you could forget one, we delegate all enforcement to the kernel itself, so in so far as the kernel does security correctly (and we assume it does), then WindowZones enforcement is reliable.

    For the casual user, we recommend running just your internet-facing apps (Outlook, IE, Messenger, Napster, etc) in the safezone. You could run the explorer and Word and so forth in the safezone for more thorough protection, but personally I don't. To each their own!

    Another, even more secure, way to use WindowZones is to actually make your account a guest account and run as guest (or limited user). Then at those times you actually need admin rights, promote an app. You then have to supply an account with admin credentials. This is more akin to the Unix approach of using SU, but it goes a step further because you can do it to a live process rather than only at launch, and move it back later. The one scenario we know this approach doesn't work is when your admin account does not have a password (such as under XP Home defaults), but we doubt that applies to many people here!

    Hope this helps... again, I'm not the marketing guy, but I'll do my best to answer any questions or offer any help I can!

    Thanks,
    Dave
     
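    As an added illustration of the token model Dave describes (this is not WindowZones code or anything posted in the thread): a simplified NT-style access check contrasting the original admin token, a CreateRestrictedToken-style token whose admin group is deny-only, and a clone with the Administrators group removed, plus the cached-token swap between zones. The two token-building functions are assumed models of the respective approaches, and every SID other than the well-known ones, every ACL and every token is constructed.

```python
from dataclasses import dataclass
# Well-known SIDs are real; the user SID, the ACLs and the tokens are constructed.
ADMINS = "S-1-5-32-544"          # BUILTIN\Administrators
USERS = "S-1-5-32-545"           # BUILTIN\Users
ALICE = "S-1-5-21-1-2-3-1001"    # constructed user SID
READ, WRITE = 0x1, 0x2           # toy access-mask bits
@dataclass
class Token:
    user: str
    groups: frozenset
    deny_only: frozenset = frozenset()  # groups flagged SE_GROUP_USE_FOR_DENY_ONLY

def restricted_token(tok, sids):
    """CreateRestrictedToken model: groups stay but become deny-only, so they match deny ACEs only."""
    return Token(tok.user, tok.groups, tok.deny_only | (frozenset(sids) & tok.groups))

def stripped_clone(tok, sids):
    """Assumed model of the post's clone: admin groups removed outright, user SID kept."""
    return Token(tok.user, tok.groups - frozenset(sids))

def access_check(tok, dacl, wanted):
    """NT-style DACL walk: ACEs in order; a deny ACE covering a still-ungranted bit
    fails the check, allow ACEs accumulate until every wanted bit is granted."""
    granted = 0
    for kind, sid, mask in dacl:
        if sid != tok.user and sid not in tok.groups:
            continue                       # ACE does not name this token
        if kind == "deny":
            if mask & wanted & ~granted:
                return False
        elif sid not in tok.deny_only:     # deny-only SIDs never grant
            granted |= mask
            if granted & wanted == wanted:
                return True
    return granted & wanted == wanted

@dataclass
class Process:
    token: Token
    cached: Token = None   # original token, kept so the zone move can be reverted

def set_zone(proc, safe):
    """On-the-fly swap: SafeZone installs a stripped clone and caches the original; Admin zone restores it."""
    if safe:
        proc.cached, proc.token = proc.token, stripped_clone(proc.token, {ADMINS})
    else:
        proc.token, proc.cached = proc.cached, None

ADMIN_TOKEN = Token(ALICE, frozenset({ADMINS, USERS}))
PROGRAM_FILES = [("allow", ADMINS, READ | WRITE), ("allow", USERS, READ)]
```

    Both reduced tokens lose write access to the Program Files ACL, but only the deny-only token still matches a deny ACE aimed at Administrators, which is the kind of difference that shows up as application compatibility.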
  12. davepl

    davepl Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    5
    It does not work under a VM. That's a limitation of the license activation code, not WindowZones itself... my debug version works fine in a VM, for what that's worth :)

    Not sure what you mean by "highly dangerous stuff, 100% insecured". But if you can expound on that, I'll try to address it.

    Thanks,
    Dave
     
  13. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    :D
    The approach is very nice and shares similarities with GeSWall and DefenseWall.
     
  14. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,675
    Location:
    South Wales, UK
    Hi Dave

    Thank you for the explanation. All very interesting. I understand what you mean by "For the casual user, we recommend running just your internet-facing apps (Outlook, IE, Messenger, Napster, etc) in the safezone. You could run the explorer and Word and so forth in the safezone for more thorough protection, ..." but it would be cool if there was some way of (i) identifying types or groups of applications that should be run in the safezone or, more importantly, being able to tell Window Zones to run ALL applications in the safezone, i.e., a panic option that you could hit if you felt there was an issue, were not sure what app was the cause and just wanted to make sure that everything is bolted down. Whether you could do this automatically for programs already running outside the safezone is an interesting question... but it would be cool and very useful.:rolleyes:
     
  15. lu_chin

    lu_chin Registered Member

    Joined:
    Oct 27, 2005
    Posts:
    295
    What are the differences between WZ and programs like DropMyRights and RunSafe that make programs run with limited system access rights?

    Thanks.
    Lu Chin
     
  16. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    :thumb:
     
  17. lu_chin

    lu_chin Registered Member

    Joined:
    Oct 27, 2005
    Posts:
    295
    I see. So WZ is basically like DropMyRights and RunSafe except the application's security token can be changed on the fly rather than at program launch time. Protection wise it does not seem to offer a lot more than DMR or RS. Or maybe I am missing something.

     
  18. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Although it's not mentioned, I guess WZ may have the ability to track objects created by sandboxed processes and the ability to protect critical/trusted processes from hijacking/tampering.
    So, it's basically DropMyRights without lost functionality.
     
  19. davepl

    davepl Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    5
    As an example, I was never able to get Outlook to even run (when using exchange server) using any of the solutions out there that are based on the CreateRestrictedToken API. We spent months ensuring appcompat was very high. In terms of technical differences, other than those enumerated by others, I'm not really the person to speak to alternatives.
     
    Last edited: Jan 14, 2007
  20. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    How will this work with Vista? Cause this is a very nice program, easy to use and it is filling the gaps 'on the fly' ... like advertised ....

    but like I said .. how about vista?

    Thanx in advance,
     
  21. davepl

    davepl Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    5
    We released before Vista, so it was untested. With Vista making some sweeping changes to the security infrastructure, I imagine there will be issues that we can address in a future release if there's demand for it on Vista.

    Vista of course contains similar functionality, but I found myself always clicking "ok" to their security prompts to the point where they probably didn't do much good once I'd learned the reflex. As I said, I'm biased, but I find the WZ model a lot easier, so it may indeed be that people still want it on Vista. That's something the market will have to decide though!
     
  22. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    DefenseWall doesn't rely on Windows Management and security tokens.

    This means that if a compromised process with low privileges is granted high ones on the fly, this may cause big problems.
     
  23. davepl

    davepl Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    5
    WindowZones introduces no vector that didn't already exist if you were running as admin without WindowZones... WindowZones only ever -LOWERS- rights, and never increases them.

    Now, just like SU on Unix, if you were running as guest and promoted an app to admin, you could intentionally create a bad scenario. But you're never any worse off than running as admin in the first place. Unless you specifically promoted a process, which you would have to intentionally do, and supply your username and password, that can't happen.
     
  24. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Thanks for the correction :) but I was talking about user-friendly "sandboxes" which aren't too restrictive.
     
  25. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    well, it seems to be impossible to use SSM and WZ together, however I think using them together would be perfect for my needs.

    but every time I install SSM and reboot, it says Driver not found...

    too bad, have been trying to contact them but probably have to wait.
     