Chrome sandboxed

Discussion in 'sandboxing & virtualization' started by Overkill, Jun 25, 2015.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Actually, Tzuk is saying that he can't give an answer, it may bypass the sandbox completely or it may not, so I'm not sure what you mean with not accurate.
     
  2. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,797
    The virtualization aspect is achieved through a copy-on-write process. As far as I'm aware, it is independent of and not tied to the integrity levels. You can run as admin and still benefit from the virtualization.

    The problem with this though is that the virtualization aspect itself, while it has proven to work in real-life cases (usually due to the end-user not practicing safe hex), is not enough of an obstacle or hurdle to an attacker if we look at it from a design perspective.

    Sandboxie may have its own method of protecting the virtual file-system (apart from the restrictions placed on the sandboxed apps) but let's see...

    First of all, it is not hardware-enforced (even VMs with a separate layer of OS have security issues, more so when you enable Guest Additions) and with certain compromises required to achieve compatibility (such as clipboard sharing, or even direct access to certain resources), there is bound to be a way to escape & access the real file system.

    The true security boundary comes from the sandbox restrictions & access control. Concept of Least Privilege.

    These restrictions mostly rely on Windows mechanisms such as the restricted token, job & desktop objects and integrity levels. (*mostly because certain older methods are still used when running on XP if I remember correctly)

    The problem with Sandboxie on top of Chrome is not the virtualization. If it's only the virtualization aspect that's involved, we wouldn't have this discussion. Everyone would be happy. It would be an easy enough recommendation because there's virtually no trade-off (pun intended)

    The problem with Sandboxie on top of Chrome is that it messes with Chrome's own policy such as the job policy & integrity levels (WS mentioned earlier on regarding the medium broker - untrusted renderer barrier).

    Here is one example to demonstrate my point:
    http://forums.sandboxie.com/phpBB3/viewtopic.php?f=17&t=21113

    Although one of the said issues has been fixed (NtGetNextProcess is blocked starting in V4.19.3), it still does not excuse it from the fact that Sandboxie hurts Chrome's sandbox. We have not even taken into account the DLL injection and Sandboxie's system service.

    With Chrome now using Win32k lockdown process mitigation (and AppContainer on Windows 8 and above), the browser is even more restricted than it used to be. Adding Sandboxie may help in certain cases (a positive outcome) but given what we know of how it works and the drawbacks mentioned, one has to consider if it is worth it after all.

    The crux of the debate lies in where one sees as priority. The sandboxing restrictions itself or the virtualization. Pick your poison.

    If you still see the virtualization aspect as worthy, then by all means place Chrome under Sandboxie's supervision. There are others here that just want to highlight this info. Please understand that it's hard enough to communicate this without feeling like one is being cornered, attacked or being treated like we know absolutely nothing of what we're talking about...

    P.S. I can understand enthusiasm for a program that has worked for oneself...but try not to get so tied up to the point of blind faith or see any mention against it as an attack on one's choice or the program itself. After all, we're discussing the interaction between Sandboxie and Chrome here.
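    The post above argues that Sandboxie alters the integrity-level and job-object policy Chrome applies to its own processes. The following PowerShell script is an added example (not from this thread or from Sandboxie/Chrome) that reports, for every chrome.exe process, its Chrome role, token integrity level and job membership, so the two configurations can be compared side by side; the `Get-ChromeSandboxState` function name and the RID-to-name table are the example's own.

    ```powershell
    # Added example: observe Chrome's sandbox state from the outside.
    # Run once with Chrome started normally and once under Sandboxie, then diff the tables.
    Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr h, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetTokenInformation(IntPtr token, int cls, IntPtr buf, uint len, out uint needed);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool IsProcessInJob(IntPtr h, IntPtr job, out bool inJob);
    [DllImport("kernel32.dll")]
    public static extern bool CloseHandle(IntPtr h);
    '@

    $TOKEN_QUERY         = 0x0008
    $TokenIntegrityLevel = 25      # TOKEN_INFORMATION_CLASS::TokenIntegrityLevel
    # Mandatory-label RIDs (S-1-16-<rid>) mapped to their usual names
    $names = @{ 0 = 'Untrusted'; 4096 = 'Low'; 8192 = 'Medium'; 12288 = 'High'; 16384 = 'System' }

    function Get-ChromeSandboxState {
        foreach ($p in (Get-Process -Name chrome -ErrorAction SilentlyContinue)) {
            try { $h = $p.Handle } catch { continue }    # skip processes we cannot open
            $tok = [IntPtr]::Zero
            if (-not [Win32.Native]::OpenProcessToken($h, $TOKEN_QUERY, [ref]$tok)) { continue }
            [uint32]$len = 0
            [void][Win32.Native]::GetTokenInformation($tok, $TokenIntegrityLevel, [IntPtr]::Zero, 0, [ref]$len)
            $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal([int]$len)
            $rid = -1
            try {
                if ([Win32.Native]::GetTokenInformation($tok, $TokenIntegrityLevel, $buf, $len, [ref]$len)) {
                    # TOKEN_MANDATORY_LABEL begins with a PSID; its last sub-authority is the level RID
                    $sidPtr = [Runtime.InteropServices.Marshal]::ReadIntPtr($buf)
                    $sid    = New-Object Security.Principal.SecurityIdentifier($sidPtr)
                    $rid    = [int]($sid.Value.Split('-')[-1])
                }
            } finally {
                [Runtime.InteropServices.Marshal]::FreeHGlobal($buf)
                [void][Win32.Native]::CloseHandle($tok)
            }
            $inJob = $false
            [void][Win32.Native]::IsProcessInJob($h, [IntPtr]::Zero, [ref]$inJob)
            # Chrome tags every child with --type=<role>; the broker has no --type switch
            $cmd  = (Get-CimInstance Win32_Process -Filter "ProcessId = $($p.Id)").CommandLine
            $role = if ($cmd -match '--type=(\S+)') { $Matches[1] } else { 'browser' }
            [pscustomobject]@{
                Pid       = $p.Id
                Role      = $role
                Integrity = if ($names.ContainsKey($rid)) { $names[$rid] } else { "RID $rid" }
                InJob     = $inJob
            }
        }
    }

    Get-ChromeSandboxState | Sort-Object Role, Pid | Format-Table -AutoSize
    ```

    A renderer that should sit at Low or Untrusted integrity inside a job but shows up at Medium, or outside a job, is the kind of policy change the post describes; AppContainer membership on Windows 8 and above is a separate token attribute this script does not display.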
     
  3. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    My friend X, I do believe Sandboxie is stronger and more secure now than ever before but I think that quote from Tzuk is as good now as it was when he said it, especially that below.
    Bo
     
  4. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    Exactly. We just don't know and shouldn't assume that Sandboxie will be bypassed by malware that exploits the kernel.

    Bo
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Thanks, and yes I agree with Tzuk, it's difficult to give an answer about this without actually testing it inside the sandbox. I've done a bit more reading, and the reason why OS kernel bugs are so dangerous is because they might be able to fool and bypass HIPS (and other tools), because they have direct kernel access.

    But I don't believe there is a lot of malware out in the wild that can blast through all protection by exploiting some hole in Windows. Normally you will have to deal with ransomware, banking trojans, and rootkits, which all use standard methods to infect the system. So at the very least HIPS and sandboxing should be able to interfere with them.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Everything you said is true, but like I already said, it's a question of, would you rather rely on Chrome's sandboxing, or on SBIE's sandboxing. Let's say that SBIE does indeed interfere with Chrome's sandbox, then I'm not really worried because I know SBIE is still protecting me, plus I get some additional benefits of virtualization and data protection. In other words, if I could disable Chrome's sandbox I would do it, because I have enough trust in SBIE. If you think Chrome's sandbox is the better choice, then simply don't protect it with SBIE.
     
  7. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,797
    Thank you.

    I have already made that decision. Good for you that you have enough trust in SBIE.
     
  8. wshrugged

    wshrugged Registered Member

    Joined:
    Jun 12, 2009
    Posts:
    266
    If this is deemed O/T, my apologies to the OP.

    Is it because of their different methodologies that SBIE potentially doesn't affect Chrome's sandbox implementation yet does disable IE's protected mode?

    Oldish post but SBIE + IE reasoning ---

    http://forums.sandboxie.com/phpBB3/viewtopic.php?p=87326&sid=f02bf5388cc000da0c0abb090c3d9b22#p87326
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I suspect it's because IE's sandbox makes use of "AppContainer", apparently SBIE can't deal with this.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I never said you were wrong about your main point. I was just trying to say that it's not really a big issue to me.

    To clarify, it was not directed to you, but more of a general statement, people should make their own risk analysis.

    Stuff like:

    - How big is the chance that Sandboxie will get bypassed by real life attacks?
    - Is the Chrome sandbox really THAT much safer than Sandboxie's?
    - Would Sandboxie be able to save me in certain scenarios (after browser exploit), where Chrome would fail? (Yes, most likely)
    - Does Chrome's sandbox weaken SBIE's protection? (No, it doesn't)
     
  11. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    According to Tzuk, PM in IE conflicts with SBIE. That's why PM gets disabled when IE runs sandboxed. I think it can be reasoned out of that, that Chrome's sandbox does not conflict with SBIE. Otherwise, Sandboxie would do something about it.

    We never read about problems with Chrome's sandbox. Most problem reports in the SBIE forum have to do with Chrome attempting to connect home for updates or for whatever.

    Bo
     
  12. Lagavulin16

    Lagavulin16 Registered Member

    Joined:
    Nov 26, 2014
    Posts:
    195
    Location:
    Emerald City
    IIRC, (and according to Curt w/Invincea) constant tweaking and subsequent new (beta and so on) releases are an essential toil for perpetual Chrome compatibility resulting in serious "PITA" syndrome. As in "pain in..."... yeh, you know the rest. Wondering out loud how much Chrome's sandbox in the evolution of the browser as a whole is a contributing factor.
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I wouldn't say it's pure speculation. I'm certain that Sandboxie makes use of integrity levels, or at least v4 did when I last used it. The only parts I'm not certain of are the implementation details but they're mostly irrelevant.

    A medium or high process would run virtualized, but they would not need to. Sandboxie's driver could not enforce anything, as it is about enabling. The process would have proper authority to the file system. If there are some sort of hooks, they're separate from the driver, and can be unhooked.
     
  14. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    The curious and strange thing to me is that people like Curt from Invincea or any other participate in this type of forum to explain what we consider speculation.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    No you're misunderstanding. Of course SBIE makes use of integrity levels (and other stuff) for isolation. But I'm talking about the part where you said that if you bypass integrity levels, SBIE is already defeated, and won't protect you any longer. You may or may not be right about that.

    I think you're totally misunderstanding me. The reply I wrote to you was more a bit of brainstorming. Like I said, in theory, you don't even need to use integrity levels to restrict applications. If apps run with medium or high privileges, SBIE should in theory still be able to virtualize the file system, registry and IPC, and should be able to block risky behavior (with HIPS), which means that it will still block certain attacks.
     
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I'm confident that I am correct about that.

    I'm just trying to clarify. I consider this mostly brainstorming as well, I have no interest in arguing one way or the other because, as I said originally, I consider it all a moot point.

    Like I said, you can be high integrity/ admin and still be virtualized. It's just not enforceable, nothing's telling the attacker they *can't* write to the regular file system, it is essentially just suggesting that they don't.
     
  17. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,797
    http://forums.sandboxie.com/phpBB3/viewtopic.php?f=17&t=21344

    I wouldn't expect them to say "Chrome does not need Sandboxie". That's the opposite of self-promoting.
    At most, the response they can give would be similar to Tzuk's (acknowledge the possibility). The alternative is to just let people speculate.
     
  18. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,797
    To clarify, isn't that what I have been encouraging all this while? Page 2, posts #38 & 39. Take note in particular: "trade-off" and "assessing risks"

    Risk analysis should begin with Chrome, not Sandboxie.
     
  19. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Look at my answer below to Mr. X.

    About this:
    http://forums.sandboxie.com/phpBB3/viewtopic.php?f=17&t=21344
    Mister X, you should have insisted more thoroughly on that Sandboxie forum, for a more concrete answer, just yes or no. Why is it so hard to answer something like this? I mean it would not change anything for Curt and Sandboxie sales; if he is worried about that, just disable Chrome's sandbox to run it under Sandboxie, so that's a problem that can be easily solved.
    This is why I'd like to see Curt's concrete and definite answer about this once and for all to end these debates once and for all.
     
  20. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    The fact I didn't get any response on that topic makes me feel completely discouraged to push anyone there for a thorough explanation. Why? Because naively I forgot how the world actually works.
    In this world governed by interests and forces other than pure honesty I can't expect transparency from everybody. Me as a more or less educated person in security terms, I "believe" to some extent in the potential and robustness of my current security programs and feel just fine and secure, lol
    The key for me here is to not believe so blindly.
     
  21. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Then I will dare to ask, no problem, just not today, I don't have enough time, plus there is also a might-be reason that Curt actually does not know a true answer either.
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    1 Yes you did.

    2 That depends on who you're asking. I wouldn't be surprised if most SBIE users couldn't care less about the Chrome or IE sandbox, as long as SBIE is working correctly. Performance issues, that would be a problem.
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    That's weird, in your last post you weren't so sure about it.

    That's what I have been trying to explain for the last 9 pages. It's a moot point, because it's already hard enough to hack Chrome and Sandboxie without the use of OS kernel bugs. Also, some people seem to forget, that when hackers manage to bypass Chrome (with browser exploit), it doesn't mean that SBIE will automatically also be bypassed. After all, they are targeting a hole in Chrome, not in SBIE. So "added attack surface" is not relevant at this point.
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I think you're wrong, virtualization is done by the driver, so if a process is under control of this driver, it's still contained. Of course, if you run with high integrity, it's easier to bypass protection, so that's why you need to make use of integrity levels in the first place. Or you could also choose to block risky behavior (like code injection and process termination) like HIPS do.
     
  25. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    When Chrome is under attack, SBIE could save your system (although I didn't see much news about Chrome attacks ITW). In this case added attack surface is not relevant. OTOH if SBIE is attacked added attack surface is relevant (also didn't see much news about SBIE attacks ITW).
     