Yes, and this is a lot of work and not really worth it. Correct, but the point that I was trying to make is that current security tools are good enough to protect systems, even when the OS kernel is not that secure.
I'm talking about a scenario where Chrome's sandbox gets bypassed, and malware like banking trojans or ransomware manage to start up with at least medium privileges. Without SBIE, the malware can now inject code into the browser (sniff data), and encrypt files. With SBIE, it's likely that it will block code injection and will block (or virtualize) file modification. Because normally, the malware will not be able to disable SBIE's protection driver.
Not the case unfortunately. If malware has blown through Chrome's sandbox, it will have already blown past SBIE. The sandboxes operate on the same CPU privilege level and therefore will be defeated by the same measures. (And unless I'm reading it wrong, CWS' post above doesn't conflict with this. CWS clicked on a malicious executable, which means the Chrome sandbox didn't enter into it. If you tell Chrome to launch something, it will do so - a sandbox can't protect you from your own rashness.)
You doubt Sandboxie uses the driver for better isolation? Read below. http://forums.sandboxie.com/phpBB3/viewtopic.php?f=5&t=19163#p103750 Bo
I run as an administrator, don't use HIPS, firewall, antiviruses and nothing but Sandboxie and NoScript when browsing. Whenever I turn off my XP or W7, it's clean. This is so not because I am skilled or lucky but because just about anything that runs in my computers, runs untrusted under SBIE. Bo
Sandboxed programs run untrusted. That's what I meant. According to Curt, that's lower than low. Mr X, remember, "Trust no program" means: When you run a program in the sandbox, the program runs untrusted. Bo
But isolated too. After all, that's what Sandboxie is all about. Isolation, separating sandboxed programs from the system, files, registry and other programs. That's the beauty of SBIE. Bo
Yes, the futex vuln that summerheat is the one I was referring to - futex was a whitelisted system call. Seccomp is great, but there's tons of attack surface exposed to any process that can do basically anything. Yeah, that's the one. Virtualization is enforced by Windows integrity, a driver is what enables the applications to selectively bypass the integrity levels based on the policy applied. The driver doesn't really need to be bypassed, it's what lets a process that needs to write to Medium integrity run as Low. What's required is bypassing the integrity controls.
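The Windows integrity controls the post above refers to can be exercised directly, without any sandbox driver. The script below is an added example written for this page, not code from the thread or from Sandboxie; it assumes Windows 7 or later, a non-elevated (Medium-integrity) PowerShell session, and hypothetical scratch paths under $env:TEMP chosen only for the demo. It labels a copy of cmd.exe Low, which makes the process it launches run at Low integrity, then shows that the Low process can read Medium-labeled data and write to Low-labeled objects but is refused a write to an implicitly-Medium directory.

```powershell
# Added example, not from the thread: exercise Windows Mandatory Integrity Control (MIC),
# the "integrity controls" the post above says a sandbox escape must get past.
# Assumptions: Windows 7 or later, run from an ordinary (Medium-integrity) PowerShell
# session; the scratch paths under $env:TEMP are hypothetical and chosen for this demo.

$work   = Join-Path $env:TEMP "mic-demo"
$lowDir = Join-Path $work "low-labeled"
$medDir = Join-Path $work "medium-implicit"
New-Item -ItemType Directory -Force -Path $lowDir, $medDir | Out-Null

# A process runs at the lesser of its token's level and its executable's label, so a copy
# of cmd.exe labeled Low starts as a Low-integrity process without any sandbox driver.
$lowCmd = Join-Path $work "lowcmd.exe"
Copy-Item "$env:SystemRoot\System32\cmd.exe" -Destination $lowCmd -Force
icacls $lowCmd /setintegritylevel Low | Out-Null

# Label one directory Low (inheritable); the other has no label and is treated as Medium.
icacls $lowDir /setintegritylevel "(OI)(CI)Low" | Out-Null

# Probe batch run by the Low process. MIC is no-write-up, not no-read-up: reads of Medium
# objects succeed, writes to Medium objects fail, writes to Low objects succeed.
$probe = Join-Path $work "probe.cmd"
@"
@echo off
echo --- integrity label of this process:
whoami /groups | findstr /i Mandatory
echo --- write to implicitly-Medium directory:
echo payload > "$medDir\dropped.txt" && (echo     allowed) || (echo     denied: no-write-up)
echo --- write to Low-labeled directory:
echo payload > "$lowDir\dropped.txt" && (echo     allowed: target label is Low) || (echo     denied)
echo --- read of the Medium user profile:
dir "$env:USERPROFILE" >nul && (echo     allowed: MIC does not block read-up)
"@ | Set-Content -Path $probe -Encoding ASCII

# Run the probe as Low, then again from a normal Medium cmd.exe for comparison:
# the second run succeeds at every step.
& $lowCmd /c $probe
& "$env:SystemRoot\System32\cmd.exe" /c $probe

# Remove-Item $work -Recurse -Force   # clean up once you have inspected the results
```

The denied write in the first run is exactly the barrier that Chrome's sandbox and Sandboxie both rely on for a Low process, and the allowed read shows why that barrier alone does not stop data sniffing. Nothing in this script touches the kernel; an exploit that runs at ring 0 is not subject to these checks at all, which is the point made in the posts discussing kernel vulnerabilities.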
Okay, right - I'm going to bow out of this discussion now. Not worth the inevitable argument. @Hungry Man Nice. futex is one of those things that sounds innocuous too. (Although maybe not in retrospect - I mean, a futex is a concurrency lock, and messing it up right might cause a race condition, which might cause all kinds of nasty...)
Here are some slides that show how different kinds of sandboxes can be bypassed using kernel exploits [PDF]: https://media.blackhat.com/eu-13/briefings/Wojtczuk/bh-eu-13-thes-sandbox-wojtczuk-slides.pdf
Not really true because the attacker will not expect that you have another sandbox above Chrome's sandbox, so it will make things more complicated for the attacker, plus sometimes Sbie can help even here to block exploits which Chrome's sandbox does not.
Gullible, if you are browsing protected by Sandboxie and all of a sudden, a webpage starts downloading malware or you click the wrong link and malware runs, it runs sandboxed. If it installs, it installs sandboxed. Sandboxie is a sandbox program, Chrome is only a browser with a sandbox. Comparing Chrome with Sandboxie is like comparing apples and oranges. Sandboxie's role ends when you recover something out of the sandbox. Sandboxie won't do anything for you if you recover malware and run it out of the sandbox. But anything you do in the sandbox, stays in the sandbox. Get that in your head. Bo
No one is talking kernel. I am talking regular malware, the type non-Sandboxie users like yourself are exposed to every day. But, if you know of any malware that has bypassed Sandboxie via a kernel vulnerability during the past 10 years, please name it or.... Bo
I think that it was malware using a TrueType font parsing vulnerability. Will try to find some reference.
OK, quick find using Google: https://threatpost.com/using-kernel-exploits-bypass-sandboxes-fun-and-profit-031813
I can post it here if you want. But that was a POC, by the same people whose link you posted a couple of days ago. No real malware. And to break SBIE,......it used a vulnerability that had already been patched by Microsoft. Really nice. Bo
It might have been POC, don't remember if there were any actual ITW exploits. But it's good to know limitations of security software that is being used. Not knowing about them can be dangerous, also. At the end Microsoft had to patch the vulnerability. Neither Chrome's sandbox nor SBIE could protect users against it.
It was a POC. That's not a maybe. But I agree, we ought to be aware that we are exposed to that kind of vulnerability even if you use Chrome and or Sandboxie. But it's also a good thing to know that this type of malware is so rare that at no time since Sandboxie's creation has there been one that has bypassed Sandboxie's sandbox. Bo