Sandboxie technical tests and other technical topics discussion thread

Discussion in 'sandboxing & virtualization' started by MrBrian, Oct 17, 2014.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    No, PatchGuard is only protecting certain parts of the kernel, but apparently it does not protect against all kernel mode hooking techniques. These types of techniques can be used by rootkits, but also by security tools of course. I suspect that most security tools make use of IRP hooks, but I know that IAT/inline hooks are used a lot in user-mode, so perhaps also in kernel mode? Perhaps I will ask this on the SBIE forum. Here is some more info:

    http://www.adlice.com/kernelmode-rootkits-part-2-irp-hooks/
    http://www.adlice.com/kernelmode-rootkits-part-3-kernel-filters/
     
  2. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,812
    Location:
    .
  3. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Just for the record, Curt confirmed that Sandboxie has a kernel-level driver on both 32-bit and 64-bit versions.
     
  4. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Would you run Google Chrome under Sandboxie?
     
  5. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Thanks for clarifying things, guys!
     
  6. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    Absolutely. It also makes some things, like not making permanent changes to script-blocker extension session settings, more convenient.
    Whether we as members here are more vulnerable to some nazi type of hackers than the normal SBIE users is a thing altogether different.
    Targeted attacks are not so easy to resist, be it running Chrome with or without Sandboxie.
     
  7. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,414
    Nothing ' Google ' gets installed on this machine. I'll stick with other browsers and Sandboxie.
     
  8. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    That's a good reason, Jarmo. Keeping programs, their settings, etc. intact is one of the reasons why I run most of my programs and files sandboxed. :cool:

    Bo
     
  9. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,332
    Location:
    US
  10. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    Acadia.....:thumb:

    I know I would sandbox Chrome if I was a Chrome user. If I thought there was a conflict, I'd drop Chrome, not Sandboxie.

    Bo
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    Someone finally expressed how I feel. At one point I was curious to try Chrome, and they wanted me to set up a Google account. That was bye-bye for me.
     
  12. wolfrun

    wolfrun Registered Member

    Joined:
    Jul 26, 2009
    Posts:
    702
    Location:
    North America
    I really didn't want to comment on this thread, as it's mostly about Chrome and whether to Sandboxie it or not. But I sure did like this post. Lol.
    Totally agree. Been using Pale Moon the last few years and before that Firefox. Satisfied with either one, as both are excellent with Sandboxie.
    One last comment: I say keep Sandboxie the way it is. No need for any extra bloat. Another thing, you can twist it, turn it, view it from the top, view it from the bottom, dissect it, bisect it etc. etc. and it will still come out as one of the best security programs you can use while browsing. Never been infected while using it, and I do go into some controversial websites now and again.:cool: Peace, over and out. :thumb:
     
  13. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    First of all, there was a Vupen exploit (calc.exe) that bypassed Chrome's sandbox in 2011. However, Sandboxie's restrictions made it possible to block this exploit from starting/running, which proved the benefits and the advantages Sandboxie has over Chrome; this easily beats the attack surface theory.

    The same thing here is cmd.exe in Bromium Labs' testing: you can talk about it as long as you want, but the fact is there would not be any bypass if there was no access to cmd.exe, because that's what Bromium Labs used; that's what matters.

    Yes, you could say that he can directly attack the driver, or if he knows the victim's machine well he'll prepare a special payload to migrate to another process outside the sandbox, which doesn't need launching cmd; however, he didn't do that, because it's all theoretical or something else.

    So far, I have not seen Sandboxie breached by something like this, while Google Chrome gets beaten from time to time.

    About attack surface:
    Attack surface means more code, more chances to make a coding error, hence more vulnerabilities and more exploit opportunities. Now it becomes complex: adding extra code increases the chances of a vulnerability, but adding more code also reduces the chances of a vulnerability creating a predictable flow of events. In theory, you and Hungry Man are both right, but it is a bit far-fetched to state theory as a fact, because it is hard to tell what weighs in more.

    Credits to Windows Security.

    Also, regarding those Chrome bypasses, you said:
    Like you said above for Chrome, the same stands for Sandboxie: whoever wants to have the possibility to break through or break out of Sandboxie would need very thorough preparation, which requires time, and would have to know Sandboxie and its driver to their cores, plus the OS exploit.
    It would most likely need the same amount of time to break out of Sandboxie.

    Also, you said:
    Obviously, kernel-mode hooking is more powerful than user-mode hooking (anyone who knows programming knows this fact); whenever you have Drop Rights enabled inside Sandboxie, no PoC or vulnerability has been able to overcome this (credits to Bo Elam, Bo posted this earlier in this thread, he confirmed this).
    Plus, like you said, kernel-level hooking won't be bypassed unless the attacker gets admin privileges, which is obviously harder to break through than with user-mode hooking, where you need to take all the counter-measures to block bypasses one by one (like Chrome does).

    Google Chrome (credits to Digital):

    Digital also said this: You should notice that the targets communicate with the broker via IPC channels. This is necessary for a few reasons. First, hooks are installed into every target process, intercepting most system calls and re-routing each call through the broker, who ultimately says whether the call should be allowed. Chromium makes it very clear in their design document about the sandbox that this is not meant to provide security:

    "The interception + IPC mechanism does not provide security; it is designed to provide compatibility when code inside the sandbox cannot be modified to cope with sandbox restrictions."

    Sandboxie, in contrast, does reinvent the wheel and gives you kernel-mode sandboxing, which is more robust.

    How does Sandboxie protect me, technically?

    All of the statements/posts below the Windows Security posts are from Digital (a poster on the Sandboxie forums).

    Cheers and enjoy.
     
    Last edited: Nov 14, 2014
  14. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Yet almost every website you guys visit has Google something in it, whether you realize it or not ;)
     
  15. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247

    This is something I can't understand either: they google all the time no matter what they browse and no matter what website they visit on the net, and they hate Google Chrome. It doesn't make any sense, does it?
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    True enough, but it is tracking garbage, which doesn't exactly endear them to me. That is one of the reasons I don't want Chrome; another is I have to sign up for an account, which I don't want; and lastly their marketing in the form of trying to slip it in as a PUP. No thanks.
     
  17. 142395

    142395 Guest

    Though I don't know Windows' internals, you have to distinguish kernel, kernel driver, and kernel mode.
    PG actually protects all parts of the OS kernel, but of course it doesn't protect 3rd-party kernel drivers, no wonder, isn't it?
    And so, wat0114 is correct.
    An IRP is a structure which is used for communication between a driver and another driver, or a driver and a user-mode application. Structures are commonly used in C programming to correlate variables. So IRP hooking is not a direct hook into the OS kernel.
    Inline hooks can be used in kernel mode, especially for drivers, but I'm not sure whether Curt means syscall hooks (IOW, Native API hooks) when he says kernel-mode hooking (just as a caution, you shouldn't think it is different from inline hooks), as it seems to be not trivial to hook the Native API on 64-bit. (Also, if I understand correctly, a Native API hook is not a kernel hook, but can be a kernel-mode hook.)
    BTW, while usually a kernel-mode driver is needed to hook the Native API, it seems there's a technique to hook it in user mode.
    http://www.malwaretech.com/2014/06/usermode-system-call-hooking-betabot.html
    Also in the following case he achieved protecting a process without SSDT hooking by utilizing callbacks; of course in this case a driver is needed (callbacks are about drivers, please search by yourself).
    https://stackoverflow.com/questions/20552300/hook-zwterminateprocess-in-x64-driver-without-ssdt
    Maybe this is also interesting for you, but also see his previous post.
    http://deepflash.blogspot.jp/2014/08/deep-api-hooking-in-windows-7-64-bit.html
    This is a 'deep hook' but it is in user mode.
    You'll probably be reminded of EMET's Deep Hooks and EAF+ if you know them.
    What is important is that it can prevent trivial API hook bypasses by malware directly calling the Native API.
     
    Last edited by a moderator: Nov 14, 2014
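The layering 142395 describes above (Win32 API on top of the Native API on top of the kernel, with a hook possible at each level) and the Chromium quote in post #13 about interception not being a security boundary can be shown in one runnable model. The C program below is an added example, not code from this thread, from Sandboxie or from Chromium, and it patches nothing real: the three layers are ordinary functions, a "hook" is a function pointer repointed at a filter that trampolines to the original, and the file table, path names and function names are all invented for the model. It asks the same question for every combination: if a sandboxed program tries to delete a protected file by the normal Win32 route, by calling the Native API directly, or with a hand-rolled syscall stub, which enforcement point still holds?

```c
/*
 * Added example: a portable model of the Windows call chain
 *     Win32 API (kernel32) -> Native API (ntdll) -> syscall (kernel)
 * with an optional hook at each layer. Not Windows, Sandboxie or Chromium
 * code; every name here is invented for the model.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_FILES 4
#define PATH_LEN  32
static char g_files[MAX_FILES][PATH_LEN];   /* the "file system" the kernel owns */
static int  g_nfiles;

/* Policy enforced by whichever layer is hooked: protected paths stay. */
static bool policy_allows(const char *path) {
    return strstr(path, "\\protected\\") == NULL;
}

typedef bool (*delete_fn)(const char *path);

/* ---- layer 3: kernel. A check here models a kernel-mode filter/callback
 * (a driver such as Sandboxie's); user mode has nothing "below" it to call. */
static bool g_kernel_enforces;

static bool sys_delete(const char *path) {
    if (g_kernel_enforces && !policy_allows(path))
        return false;
    for (int i = 0; i < g_nfiles; i++) {
        if (strcmp(g_files[i], path) == 0) {
            memmove(g_files[i], g_files[i + 1],
                    (size_t)(g_nfiles - i - 1) * PATH_LEN);
            g_nfiles--;
            return true;
        }
    }
    return false;
}

/* ---- layer 2: Native API (ntdll). Callers reach NtDeleteFile through
 * g_native_entry; an inline/"deep" hook is modelled by repointing it. */
static bool native_NtDeleteFile(const char *path) { return sys_delete(path); }
static delete_fn g_native_entry = native_NtDeleteFile;

static bool native_hook(const char *path) {
    if (!policy_allows(path))
        return false;                    /* filtered by the hook */
    return native_NtDeleteFile(path);    /* trampoline to the original */
}

/* ---- layer 1: Win32 API (kernel32). Same pattern, one layer up. */
static bool win32_DeleteFile(const char *path) { return g_native_entry(path); }
static delete_fn g_win32_entry = win32_DeleteFile;

static bool win32_hook(const char *path) {
    if (!policy_allows(path))
        return false;
    return win32_DeleteFile(path);
}

enum hook_layer { HOOK_NONE, HOOK_WIN32, HOOK_NATIVE, HOOK_KERNEL };
enum caller     { VIA_WIN32, VIA_NATIVE, VIA_RAW_SYSCALL };

static void install_hook(enum hook_layer where) {
    g_win32_entry     = win32_DeleteFile;    /* start from an unhooked system */
    g_native_entry    = native_NtDeleteFile;
    g_kernel_enforces = false;
    switch (where) {
    case HOOK_WIN32:  g_win32_entry  = win32_hook;  break;
    case HOOK_NATIVE: g_native_entry = native_hook; break;
    case HOOK_KERNEL: g_kernel_enforces = true;     break;
    case HOOK_NONE:   break;
    }
}

/* Returns true if the protected file survived the deletion attempt. */
bool protected_file_survives(enum hook_layer where, enum caller how) {
    const char *target = "C:\\protected\\hosts";   /* constructed sample file */
    g_nfiles = 0;
    strcpy(g_files[g_nfiles++], target);
    install_hook(where);
    switch (how) {
    case VIA_WIN32:       g_win32_entry(target);  break; /* ordinary DeleteFile() caller */
    case VIA_NATIVE:      g_native_entry(target); break; /* malware importing NtDeleteFile directly */
    case VIA_RAW_SYSCALL: sys_delete(target);     break; /* hand-rolled syscall stub, skips ntdll */
    }
    return g_nfiles == 1;
}

int main(void) {
    static const char *layers[]  = { "no hook", "Win32 hook", "Native hook", "kernel check" };
    static const char *callers[] = { "via Win32", "via Native", "raw syscall" };
    printf("%-14s %-10s %-10s %-10s\n", "", callers[0], callers[1], callers[2]);
    for (int l = HOOK_NONE; l <= HOOK_KERNEL; l++) {
        printf("%-14s", layers[l]);
        for (int c = VIA_WIN32; c <= VIA_RAW_SYSCALL; c++)
            printf(" %-10s", protected_file_survives((enum hook_layer)l, (enum caller)c)
                             ? "blocked" : "BYPASSED");
        printf("\n");
    }
    return 0;
}
```

Build with `cc -std=c99 -Wall hooks.c && ./a.out`. The printed matrix is the thread's argument on one screen: a hook at the Win32 layer (IAT-style) is bypassed by anything that imports ntdll directly; a hook at the Native API layer (the "deep hook" / EAF+ idea) catches that too but not a direct syscall; only a check that runs in the kernel, below everything user mode can reach, holds in all three cases, which is also why getting past it takes a kernel exploit rather than a different import.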
  18. 142395

    142395 Guest

    Yeah, I also use SBIE in such a way, though in my case it is Firefox and NoScript.

    That's a good point, except it also is somewhat off-topic.
    Though I myself use Chrome with as much effort as I can to reduce privacy leaks (settings, flags, command lines, ...), still there's no complete way of stopping that invasion (at least I sometimes have to invoke Google Update manually).
    This is also the reason I always use SBIEd Firefox any time privacy matters.
    I use Chrome only for everyday trivial web browsing, as it is faster than Fx, but if I cared about privacy even more, I'd stop using Chrome.
    Pete, you don't need to create or log in to a Google account to use Chrome.
    It may recommend you to do so, but there's no need to follow.
    However, for other reasons about privacy, if you don't feel any problem using another browser, better stick with it.;)
     
  19. 142395

    142395 Guest

    @cws
    Now you've irritated me. ( -。-)=3
    I said I wouldn't reply to you in this topic, but still you ask!
    Actually all your questions are already covered by my posts, but ONLY IF you really understand them and beyond them―understand all in detail!

    I never repeat the same things. I posted some links which I thought were understandable for everyone, but actually I researched a lot more.
    I followed one Chrome bypass in all details with experts explaining it (in my mother tongue) and for other bypasses at least as an outline. The experts admitted it's almost magic and I also thought so.
    But who said that is of no use for me? I just needed to know it in detail.
    [EDIT: To avoid misunderstanding, I couldn't understand all of the article. I just tried my best, including additional looking up of terms, and never skipped even 1 sentence.]

    Now it's clear you didn't even understand what I said; if you did, you wouldn't have posted #298, because obviously memory-only malware can do nothing in the Chrome sandbox. What he can do is at most communicate with the broker via a pipe.
    [EDIT2: Ah, all right, if the attacker somehow finds where the WebSecurityEnabled flag is, then he can steal the main domain's cookie unless --enable-strict-site-isolation is on or Chrome finally implements this by default, and he can send the info via XHR. In this case the sandbox doesn't prevent this.]

    Worse, you even say I can say anything I want! The fact is, the more you know, the more your saying is restricted, as you can't betray facts and knowledge.
    To be honest, "the attacker always needs to launch cmd.exe to perform a kernel exploit" is a silly question. Even in that paper, he clearly states "Simply opening a carefully crafted web page using a browser on a vulnerable Windows system will suffice"; you haven't even read it.

    If I were you, I'd test it myself, as Mr.Brian suggested. Oh, and I happened to post how to do this in #289 (well, I forgot to mention that I first have to prepare a vulnerable Windows), but if you have 2 Windows PCs, there's no need to install a VM & Linux. But I wouldn't. I have a lot of more important things. However, I think it is not difficult, it just needs a certain time to learn.

    Please stop asking for immediate & absolute answers and also stop caring about who said it or what title/authority he has, but try to understand things in a real sense. If you're a beginner, start from understanding e.g. how a buffer overflow occurs. Maybe you need to also understand what the heap or stack is, or possibly what an address is.

    You also don't understand that 'more powerful' and 're-inventing the wheel' mean more risks.
    And you can say "anyone who knows programming knows this fact" only when you actually program and know (regardless of whether it is true)! I can tell you don't. Me? Yes and no. I can make simple programs in C or old BASIC, I also have a little experience with assembler for embedded devices, but it's far from being able to tell such things.
    But all programmers I could find say programming a kernel-mode driver is very fragile and if you can avoid it, you should.

    Okay, I could continue, but I'm really tired of such meaninglessness. Sorry, I won't reply to you in this thread unless it is definitely not relevant to those.

    [EDIT3: Sorry, I didn't know the nuance the word 'noob' has. I'm not sure 'layman' is the proper word, so I replaced it with 'beginner'; I hope it is the proper word.]
     
    Last edited by a moderator: Nov 14, 2014
  20. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    As far as I'm concerned, you won; hopefully I can trust you. This is a matter of trust when I read all your posts, since I don't know enough, so anyone can say absolutely anything and can easily fool me. I again started to read all your posts regarding Google Chrome and Sandboxie.
    I trust you as someone who understands Chrome and Sandboxie and how they work, but like I said before, I truly hope my trust in your posts is not meaningless.

    Sorry for heating this thread up in the end; it is my way to see if everything you said about Google Chrome and Sandboxie is all true, that's all.
    Because there could be posters who only pretend to know everything about Google Chrome and Sandboxie, but from what I can see you're truly an expert in these areas.
    My apologies, it's my time to simply shut up and read all your posts in this thread about Google Chrome and Sandboxie from the beginning to the end.
    Also, I have to admit I hate theories and hypotheses; I'm a pragmatic, practical, scientifically-based guy who wants very strong, actually irrefutable, undeniable evidence for all the statements someone makes about a theme. This could be irritating, like I irritated you and many other posters.
    Like I said, that's all from me; the only thing I will ask you will be if there are some new questions, but I don't think this would be the case in the next 10 days.
    Well, ignore me, that's the best thing you should do, that's my personal advice to you, because sometimes even I irritate myself as well (yes, I do hate myself because of my irritating character).
     
  21. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    You should ask Hungry Man about this; as far as I remember there are workarounds where you can block this tracking, ads and everything else. Hungry Man knows this for sure. I think I'm going to ask him, but not now, because I don't have time any more for the entire next week.
     
  22. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,093
    Location:
    Germany
    @CoolWebSearch

    I understand being obsessed about exploits and sandbox escapes. This is something I am losing sleep over as well, though I haven't encountered a single one in more than eight years. The latter I always tend to forget. I just hope it stays this way for the foreseeable future.
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I know. I use Ghostery and it does fine. But it's the principle, and I still don't like that they do it.
     
  24. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,414

    If every website you visit does have Google something in it, then what does that tell you about Google?

    I don't use the Google search engine, and the main search engine I do use does not return results
    from Google. Doesn't mean I don't use anything Google (YouTube), but I try to limit my exposure.

    There are things I don't like about Chrome just as there are things I don't like about Firefox.
    If there are alternatives available that I like better and that run well with Sandboxie, then I use them.

    I run my sandboxed browser of choice with Sandboxie Drop Rights enabled or run under a restricted user account
    (change the default Sandboxie settings). I do testing of programs that Sandboxie is able to install inside
    the sandbox and/or use system-wide virtualization along with image backups.

    Prefer not to leave apps installed inside the sandbox after testing, and so I securely delete the contents of the sandbox.
     
  25. 142395

    142395 Guest

    @CoolWebSearch
    One apology if I gave the feeling that I'm an expert, following FleischmannTV.
    I'm not an IT expert, I just explained what I learned so far, so I can well be wrong. And your question was good, stimulated me and gave me more learning. I appreciate that, but simply it just went beyond the border for me. I'm a human who can be irritated if asked the same thing again and again, but if my words offended you, I'm really sorry m(_ _)m

    Now I'm surprised to hear the words "pragmatic" & "practical" from you and somewhat glad, as I've been assuming you're paranoid enough to worry about the really unlikely scenario that you're targeted by a nation-sponsored organization (or something like that).
    Let's focus on practical things, i.e. common malware we can come across.
    In this case, I can recommend sandboxing Chrome with SBIE, though of course it finally depends on your setup.

    Are you sure you'll never download & execute malware? IMO one principle of security is "Assume you're a noob".
    I already have layered security and only download reputable software from reputable websites, always check the sig, and when it is the first time I download the software, throw it at VirusTotal.
    However my PC is not only mine, and I think even I can make a mistake; how about when you're drunk or when sophisticated social engineering is used? Some may say you shouldn't use a computer when drunk, but you can't restrict a drunk person lol.
    So in my case I forced the Download folder, thus I can draw on SBIE's protection potential without any redundancy; however I think it might not work for everyone 'cause you can easily change the download directory.
    Also how about malicious docs? I don't know what protection Office 2013 on Win8 has, but at least in other conditions SBIE protection is better than Office Protected Mode (and Protected Mode can easily be disabled, sometimes you even need to disable it).
    I also think the benefits of SBIEing Adobe Reader will exceed any demerits, at least unless you strictly harden AR, 'cause AR's sandbox is weaker than Chrome's and has been bypassed more than once in the real world (though in targeted attacks only).

    And SBIE has other benefits, one of them is privacy. By just emptying the box, you can dump all traces, even never-cookies. If you care about fingerprinting, you can change some of the vital factors in SBIE, and after that your default setting comes back without any trouble. It doesn't eliminate all fingerprinting techniques but it's still better than nothing. Note Incognito Mode or Private Browsing is not perfect, but you can combine this with SBIE.

    There's still, though theoretically, the possibility that SBIE may contain a Chrome bypass exploit. This is not because SBIE is tougher than Chrome, but, as Kees said, SBIE adds a twist to exploitation, and we all know SBIE is not much adopted while Chrome is one of the most popular.
    Well, in a targeted attack that does not always make sense; however, considering Invincea is currently not much adopted in corporate environments (remember I'm comparing with Chrome), there'll be much less chance SBIE will be targeted.
    As I said earlier, I believe finally we'll see real Chrome bypassing as criminals are evolving. You may hear this as a 'cat & mouse game', but once you know what the contents of this game are, you'll be surprised. Current use-after-free attacks and many ROP techniques are much more advanced & complicated than the old classic stack overflow, and the game should be called an 'arms race'.
    Well, still in a real scenario, it will only occur in targeted attacks and most likely Google will patch within 24h, so actually it's still not relevant for almost all of us.
    However you might be somewhat relieved in that case if you SBIEd Chrome. Remember the additional attack surface which SBIE can make and the possible weakening of Chrome security (I'm almost sure, as the broker having a higher IL than the renderer is necessary. But I never comment on this) only matters in an unlikely scenario.

    I hope you finally understand that comparing Chrome with SBIE for robustness is meaningless for almost all of us. Why don't we focus on everyday security; it doesn't require theoretical knowledge and no need to be tech savvy, and security should always be so (though I like theoretical talk too and put a value on it).
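A Sandboxie.ini fragment, added here as an example (it is not from any post in this thread), that puts the setup Compu KTed and 142395 describe into the configuration: the box drops admin rights, the browser and the Downloads folder are forced into it so a downloaded file cannot be run outside the box by mistake, and the box is emptied when its last program closes. "DefaultBox", the user path and the executable names are placeholders to adapt; the key names are the Sandboxie.ini keys behind the corresponding Sandbox Settings options as I know them, so verify them against the installed version's documentation before relying on them:

```ini
[DefaultBox]
Enabled=y
DropAdminRights=y
AutoDelete=y
ForceProcess=firefox.exe
ForceProcess=chrome.exe
ForceFolder=C:\Users\Alice\Downloads
```

Classic Sandboxie.ini is a Unicode (UTF-16) file; edit it through Sandboxie Control (Configure > Edit Configuration, then Reload Configuration) rather than with an editor that writes ANSI. Two caveats that follow from the thread itself: ForceFolder only covers the path listed, so a browser whose download directory has been changed lands elsewhere (142395's point), and DropAdminRights lowers what a sandboxed process can do with a kernel exploit's first stage but is not a substitute for patching the OS.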
     