Chrome sandboxed

Discussion in 'sandboxing & virtualization' started by Overkill, Jun 25, 2015.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I wonder if this is really the case. To clarify, I'm talking about a Chrome exploit that's being used to bypass the sandbox. I don't believe that a Chrome exploit will automatically also be able to bypass Sandboxie. We already agreed with the fact that a OS kernel exploit will bypass both Chrome and Sandboxie, so that is not really relevant to this discussion about added attack surface.
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I'm not sure if I understood it all. But from what I've seen, all processes that are running under SBIE's supervision will run virtualized, even if they might elevate their privileges.

    I'm not sure how SBIE v4 takes care of this, but I believe that v3 always made sure that sandboxed processes could not communicate with apps outside the sandbox, so it would always block code injection and other risky stuff like driver installation. It acted like sort of a HIPS, and HIPS don't care with what privileges a process is running, because with the help of a driver they will still be able to control it. Normally, HIPS will also protect their own service and driver.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes correct, if people look for holes to exploit in Chrome, the main objective is to run malware on the system via the browser. The bad news for hackers is that they may also have to bypass virtualization, anti-exploit and HIPS that is restricting the browser. My point is, even if you're able to exploit Chrome or any other browser, that doesn't mean you will automatically be able to bypass a tool like Sandboxie.

    For the record, this report tested Sandboxie v3, the new v4 is more robust.
     
  4. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    It doesn't mater when it comes to this kind of exploits.
     
  5. Guys we had this discussion before: kernel exploits break the basement all other stuff is build upon.

    Any claims of protections or infections are just speculations, so needless to argue about.

    bailing out now also
     
  6. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    One could argue its all speculation really. Thats how I look at it anyway. I speculate, what are the odds of <name the bad thing here> happening to me using <name security scheme here>? And if I speculate the odds are low, I proceed and don't look back, until I am forced to.

    Sul.
     
  7. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    Same as my own philosophy...
     
  8. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    To clarify, I'm talking about a Chrome exploit that's being used to bypass the sandbox. I don't believe that a Chrome exploit will automatically also be able to bypass Sandboxie.
    Exactly this is all true, I don't think GJ ralizes that huge difference between exploiting Chrome and Sandboxie both at the same time.
     
  9. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Gullible, if you are browsing protected by Sandboxie and all of the sudden, a webpage starts downloading malware or you click the wrong link and malware runs, it runs sandboxed. If it installs, it installs sandboxed. Sandboxie is a sandbox program, Chrome is only a browser with a sandbox. Comparing Chrome with Sandboxie is like comparing apples and oranges.
    Exactly, you hit the nail with this example, this is by far the most obvious reason if someone uses Chrome and its built-in sandbox should also use Sandboxie on top of Chrome-Gullible Jones is obviously not aware of these situations which happen very often-even the most experience people get infected by your example here Bo and Sully's examples as well very often-especially if you need to download on daily basis or weekly or even monthly basis-and from time to time you will get infected even though the links are benevolent and not malicious.
    This is something Chrome cannot and will not ever/never protect against-this is why you need Sandboxie and AppGuard. for exploits take HMPA or MBAE-what you prefer.
    Besides, regarding exploits, both Chrome and Sandboxie protect against exactly equal number of exploits-because of the very fact they are both sandboxes.
     
  10. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    The fact is these exploits do not target Sandboxie and Chrome, they target directly into Windows kernel-so your point here is a mute point.
    If Sandboxie, besides could have mechanisms to actually prevent any form of modification of each and every single piece of real Windows entire kernel-that would be cool.
    Unlike Sandboxie, Chrome does not have these potential abilities, because it is only a web-browser.
    And because it is only web-browser, and because of the facts that all of the sudden, a webpage starts downloading malware or you click the wrong link and malware runs.

     
  11. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    Yes those exploits do not target Chrome or SBIE but still they bypass protection of both of their sandboxes. Both sandboxes try to prevent something to get out of sandbox and they both fail.
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes I know, but that's not the point. I was just saying that some of the stuff that was written, about Chrome's sandbox being more robust, doesn't apply anymore, because SBIE v4 has implemented another sandboxing method, comparable to Chrome's.
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Not the point, like I said in post #176, we shouldn't even be talking about kernel exploits, because that's not relevant in this thread. The main argument is about the risk that's involved when running Chrome under SBIE's protection. I'm saying that there isn't any true risk, and I already explained why.

    https://www.wilderssecurity.com/threads/chrome-sandboxed.377440/page-8#post-2507266
     
    Last edited: Jul 17, 2015
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes, I'm talking about real life attacks, not theoretical stuff. In real life, malware will have to bypass a lot more than only Chrome's sandbox, it will also have to target other security tools directly, like sandboxes and HIPS. And even if you manage to exploit a hole in Chrome (or other browser), there is a big chance that the payload will not be able to run because of anti-exploit and anti-executable.
     
  15. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    OK, than I misunderstood your original post. I didn't see Chrome mentioned as being more robust in article you were replying to :confused:
     
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Every aspect of sandboxie's enforcement is, as far as I am aware, enforced solely by windows integrity levels. So a sandboxed program starts off with on rights. What Sandboxie does is -- through its filter driver I assume, (possibly hooking, there's multiple way sto accomplish this) -- it *enables* the process to do things, based on a policy. So the process can do nothing, and Sandboxie does things for it if it's something within its policy.

    If you bypass the integrity levels, there is nothing Sandboxie does to further contain you after that point. I can't confirm that, I really haven't looked at Sandboxie in a long time and I'm going off of memory. I'm assuming this is how it works.

    The file system and possibly some aspect of the network (probably through the filter driver still) are what is virtualized. A process still has rights within the system. Note that this is different from something like hardware virtualization, which emulates hardware.

    So in Sandboxie's case you are nto bypassing Sandboxie's code, as it is fundamentally about enabling processes. Instead you bypass Windows Integrity Levels.

    Food for thought.

    edit: To be clear, I am not saying this is good or bad. I personally think it's pretty much the right way to go on Windows.
     
  17. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    They bypass both, because they don't target it, they target Windows kernel that's why protection from both Chrome and Sandboxie is completely useless-why do you think they are called kernel exploits, bypass windows kernel and it's the end of story, bypassing these applications would be actually much harder (and why waste time on this) than just to find a bug in Windows kernel and bypass it.
    Bypass Windows kernel and you bypassed everything else, nothing can help you.
     
    Last edited: Jul 18, 2015
  18. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Exactly, everyone seems to forget these facts, SBIE4 is basically like a copy of Chrome now, when it comes to security and protection level (they are on the very same level), than when it comes to security and protection mechanisms and integrity levels.
    The only real difference between Sandboxie and Chrome is what Bo posted the link of Curt from Invincea who answered it:
     
    Last edited: Jul 18, 2015
  19. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    Yes I know that. If you check my original post you'll see I replied to Rasheed187 who said that v4 of SBIE is more robust than v3. I just stated that this doesn't mater with this kind of exploits.
     
  20. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    True very true too bad there is not something that checks for your own Windows kernel and sees it if it's not modified and of course to somehow lock it or block it from being modified-I don't even know if that's possible at all in the first place.
     
    Last edited: Jul 18, 2015
  21. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    Yes, I also don't know if something similar could be possible. For now I would use Virtualbox to test such exploits.
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    It wasn't mentioned in the article itself, but I was referring to the infamous Bromium report. The funny thing is I asked for more info, but my comment didn't even show up. I've also searched the web for more info about this OS kernel hack, but couldn't find any. So either it's all talk, or they are not allowed to publish any info about it.

    http://blogs.bromium.com/2013/03/15/blackhat-eu13-are-you-playing-sandbox-roulette/

    Like I said above, I'm still not convinced if you can really bypass all security tools with a OS kernel hole. Yes, in theory it should be true, but let's say that you run malware with high or system privileges, does that automatically mean that HIPS can't stop any suspicious behavior anymore? You would think that this malware would also have to directly attack other security tools. But OK, this is a bit off topic.
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Well, that's the problem, this should be asked to developers, because at this point it's pure speculation from both of us. But it's still interesting. I may be wrong, but in theory, stuff like sandboxing (with the help of integrity levels), monitoring API calls, and virtualization should all be able to work separately from each other.

    In theory, even a process running with medium or high privileges should be able to run virtualized. And you should also be able to block suspicious behavior from processes (sandboxed or not) even if they run with high or system privileges.

    That's why I'm not so sure if Sandboxie and other tools like HIPS can be easily bypassed completely, you would have to target their service, driver and user mode hooks directly, to make sure that they don't interfere with your malware. It's likely that if you can elevate your rights, you will still be stuck in the sandbox, at least when it comes to the virtualization part.
     
    Last edited: Jul 18, 2015
  24. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    Hey Rasheed, here is the answer from one developer, Tzuk:cool:....Read numeral 2.
    http://forums.sandboxie.com/phpBB3/viewtopic.php?f=5&t=12029#p75185

    Bo
     
  25. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    @bo elam
    But everything is in constant evolution/change. That info from tzuk is not quite accurate nowadays. Perhaps very clever devs can improve HIPS or any other technique to circumvent kernel mode vulnerabilities.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.