Chrome sandboxed

Discussion in 'sandboxing & virtualization' started by Overkill, Jun 25, 2015.

  1. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,797
    The problem is there are 2 different schools of thought here. I realize I am in 1 category and there's another here. Since we can't see eye to eye, how about we settle it as me seeing the glass as half-full while you see it as half-empty.

    WS was right after all.
     
  2. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    It would be nice to see that change. Maybe one day...:)

    For more than 6 years, I never had a problem, never a virus. Thats due to running just about anything that run in my computers untrusted, under Sandboxie. If I was a Chrome user, I would sandbox Chrome. It would be stupid on my side to let assumptions and theories keep me from doing whats proven to work so well for me and others.

    Swex, you are a Firefox user now. I cant even remember what a virus look like. In the more than 6 years that I used Firefox with NoScript under Sandboxie, never seen anything that looks like a virus. Its like they dont exist.

    By the way, my friend. I think I told you before, ESET works great with Sandboxie. Its been years since I read anyone reporting a conflict between SBIE and ESET.

    Bo
     
  3. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    I tell you what the problem with your posts on this matter is. You attempt to intimidate people from using Chrome under SBIE. I think that's wrong.

    Bo
     
  4. wolfrun

    wolfrun Registered Member

    Joined:
    Jul 26, 2009
    Posts:
    700
    Location:
    North America
    Or another way to put it let's all agree to disagree. Sandboxie Chrome if you like...or run Chrome without Sandboxie if you prefer...simple solution. Which ever floats your boat.
     
  5. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,797
    What makes you feel that way?

    I've said earlier on I couldn't care less if people still wish to use Chrome under SBIE. I even said I understand the benefits.

    If anyone should feel intimidated, it is me. I am putting forth my side of the argument as a lone voice....against so many "Chrome under SBIE" supporters.

    OP asked whether it would "help or hurt chrome's built-in sandboxing". I shared my POV on that subject primarily despite it being contrary to many others here. Just because I don't share the same views mean I am intimidating? What...is this a tyranny of the majority?

    If you still feel that's wrong, I can't change your mind. The only thing I can do is suggest you read your own posts since you are no better off yourself. You keep pushing in favor of Sandboxie literally everywhere as though it's a holy grail of some sort. I think that's fanboyism at it's finest...
     
  6. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    23,935
    Location:
    UK
    Guys either agree to disagree or the thread will get closed.
     
  7. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,797
    I'm fine with agreeing to disagree.
     
  8. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    Safeguy, in a way we agree in something. I believe Sandboxie works best on its own . I think Sandboxie works best when used with no other security program. My own reason being pretty similar to your own reasoning why it might be best not to use a sandbox on top of another sandbox.

    You ll read me recommending Sandboxie but you will never see me pushing people to drop using other security products. The only time I suggest to someone to stop using another security programs or to make changes in the way they use that security programs is when there is a known conflict and that's the workaround. Peace.:)

    Bo
     
  9. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,797
    Bo, I'm glad you could see it that way. Finally, we can agree on something.

    Like you, I am not asking others to drop what they are comfortable with. I don't run real-time AVs or Classical HIPS anymore but you don't see me going all out against them. I am not asking others to drop Sandboxie either.

    I am merely encouraging others to be open to the idea that more is not necessarily better.

    Ultimately, it's up to the individual.
     
  10. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    Safeguy, in this thread we seen examples of why sandboxing Chrome works. One was the real world case related to us by Sully. And the one in the article posted by Summerheat. I think you should not ignore that. There are times when Chrome fails (as all other browsers) and Sandboxie can save you.

    Bo
     
  11. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,101
    maybe in reality if this were the case then sandboxie would be more suited to firefox or any other browser rather than using chrome.
     
  12. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,797
    I am not ignoring those examples. I was refraining from commenting since my opinion may not be favorable and invite some more heat. Buy hey, here goes anyways (this is not meant as an attack against anyone's practice whatsoever)...

    1. Sully's case

    1 possible reason why Chrome failed for Sully was because he ran as an admin 24/7 which goes against the concept of Least Privilege. People familiar with how sand-boxing is achieved on Windows would understand what I'm talking about.

    Another possible reason may have to do with Sully having the practice of not updating his OS ASAP...which would then affect the entire system's security posture.

    As for Sandboxie helping to save the day for Sully, notice that is not because of the sand-boxing (based on Windows security model, similar to Chrome) but because of the redirection (aka "virtualization"). It made it easier for him to clean up the "nasties".

    2. Summerheat's article

    It was an escalation-of-privilege exploit. It would most likely have worked against Sandboxie too as far as privileges are concerned.

    This is the reason why HM keeps emphasizing the limitations of sandboxing on Windows and how important updates can be.

    Just to be clear, I am not discounting the benefits or the possibility of Sandboxie helping Chrome users. If you read my post here, I am arguing that the virtualization in itself is not a security obstacle (more of a clean up tool) and that with 2 drawbacks, it is a poor trade-off from my POV.

    If you feel it's a worthy trade-off, let's just agree to disagree.
     
  13. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I can only say this. Sandboxie is the only application I have never personally seen fail. And let me quantify that to say, never fail to contain. There is a big difference between getting something IN the sandbox versus it escaping FROM the sandbox.

    I cannot say that about any browser, or any version of windows, regardless of whether the user is admin/user/uac. One should note that the majority of issues of this nature are because of the user, not because of the lack of security the browser/OS did or could have had. Socially engineered bad nasties are the usual IMO.

    But lets be honest, thier systems are problem free but they actually live within the Sandbox on a day to day basis, so its chock full of bad nasties often times (because they cannot help but click on the link when someone found their wallet, whcih is still in their back pocket o_O ).

    So in the end, if you have a keylogger in the sandbox, getting data rather than outside in your system, what is the difference?

    Its ALL ABOUT THE USER. And that is why I choose to focus on other things, because it really comes down to the driver behind the wheel, not the machine. And I cannot fix the driver :isay:

    Sul.
     
  14. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,797
    I have never seen Sandboxie fail to contain either.

    The crux of our disagreements here lies in where we place our priorities on sand-boxing as a concept. I look at it as restricting access/privilege. Others value the containment.
     
  15. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Exactomundo! Bone stock w7 x64 sp1 with so many things NOT default it would make your head spin :) Admin 24/7, just like its been for what, 15 years or more?

    You are correct in much of that synopsis. However, theres also a lot at play that you don't know about (not even including the users actions), so its not quite that clear cut, but for all intents we can assume that is accurate.

    And yes, I use SBIE now as an environment I can easily clean up. I only remove what I want from that environment. And as I just posted, I have never personally seen that environment fail. But thats not saying much really, I've never seen a lot of things.

    Sul.
     
  16. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    I don't believe it would even run in Sandboxie (Restricted sandbox) and if it ran, it would not install in the sandbox. I gave my personal POV in post 46, you replied to it but with something that had very little to do with the important part which was to answer Summerheats question.

    And the containment part, what really is what Sandboxie is about, is on top of all that. It cant be any better.:)

    Bo
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Like I said, it's because of you. Other people like Sully explained why it's still a good idea to run Chrome sandboxed. It's you who keeps nagging about the "added attack surface", even though most people don't disagree with that.

    In case you didn't notice, it was meant as sarcasm. In theory, anti-exploit tools also increase the attack surface. So let's stop using them, good idea?
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    We already agreed on that, at least when it comes to the mitigation of automated exploits. The point is that even without the "added attack surface", that you're so worried about, it's also possible to bypass Chrome's sandbox. Just like it's possible to bypass Sandboxie. And I do not believe that it's harder to hack Chrome. Interesting article, not specifically directed to you:

    http://www.zdnet.com/article/pwn2own-2012-google-chrome-browser-sandbox-first-to-fall/
     
  19. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    Many of these guys who post things like "I would not sandbox Chrome if it was me" are actually Linux users. A sandbox program like Sandboxie is not available to them. That contains/virtualizes the browsing etc. programs when run sandboxed.

    These guys have their theories to back their words as the true nerds they are. It always makes me feel want to puke a bit.
     
  20. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,797
    Bo, you are a die-hard Sandboxie enthusiast.

    I have no idea how to explain it further....my reply to your post had everything to do with Summerheat's question.
     
  21. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,797
    Come on. That's a cheap shot to take. Dividing into camps of Windows vs Linux users now? Implying that Linux users envy Windows users for not having Sandboxie?
    There are a few posters here who run Windows and Chrome without Sandboxie.
     
  22. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,797
    No one said Chrome and/or Sandboxie are impenetrable. That is obvious. You keep repeating it as if I said otherwise.

    Like HM said, all it takes is a kernel vuln. I know for sure that one of these coming days, something would pop up that escape's Chrome's sandbox. I make do with what I have on Windows. Updates.

    To quote that article

     
  23. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Computer security as a disease... heh. Too true, though it cuts both ways. In my current life, my history of computer security obsession has been extremely helpful.

    That said, it's part of the reason I haven't been around much either. Not to point any fingers, but: a lot of people here seem interested in making an obsessively narrow study of desktop computer security, completely out of the greater context of computer engineering. And I don't fault them - I once did the same - but that's just not how it works.

    (I'd say that, if you're not interested in becoming an IT professional, you should stick with the antivirus suite etc., and obsessively studying something else... Except that's not true either. Currently I don't see any way to have reasonable desktop security, without a lot of internal knowledge of computers - something many people simply cannot afford.)

    Oh cool, you're back!

    Re "addressing these issues." As far as the kernel, I think Windows users are basically out to dry at this point. Likewise Android users unfortunately, due to vendors being absurdly stupid about updates (i.e. there aren't any, and you're not allowed to install your own firmware). Likewise Mac users, because Apple's attitude towards security is execrable. Linux I'm not so sure about either, by now, and the BSDs... err, yeah.

    From where I stand, the whole landscape looks bad enough for an experienced user. Let alone complete novices like many people I know.

    IMO, the whole industry suffers very heavily from the legacy of times past, and end users are the ones paying for it.
     
  24. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    Not really. I wrote what I believe would happen inside the restricted sandbox and posted Tzuks reasoning of why is a good idea to sandbox Chrome. You replied with something along what I write below.

    You said what he wrote was from 2011 and made it sound like version 3 was stronger than version 4. Nothing to with the exploit that killed Chrome. By the way, Version 5 is here now.

    I believe this new versions are stronger than version 3 was. I can see it ever day. I can do less now in the sandbox than what I was able to do in version 3. That is because things are more restricted now. There are programs that cant run in newer SBIE versions that ran perfectly fine in version 3. The reason for that is that sandboxed programs can do less now than before. When you use Sandboxie every day for a long time, Sandboxie makes sense. Cheers, Safeguy:cool:.

    Bo
     
  25. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,797
    Nope. Just nope. That's not what I meant. V4 is stronger than V3.

    When Tzuk wrote that post, the method of sandboxing used by Sandboxie was different from how it's achieved by Chrome so there is a possibility it might have helped or not with the exploit because of the difference.
    With V4 onwards, Sandboxie started using Windows own security model (partly due to KPP). As far as restrictions go, they are pretty similar and Drop Rights would not have killed that exploit since it was EOP.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.