Chrome sandboxed

Discussion in 'sandboxing & virtualization' started by Overkill, Jun 25, 2015.

  1. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    461
    Was running it with Drop Rights unchecked but forcing Chrome to run in the sandbox and using Start/Run/Internet restrictions. Just one sandbox, the Default Box. Might try again sometime.
     
  2. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    Try it without ANY (Start/Run Or Internet) restriction. You should be OK after doing so. The DefaultBox is fine but is best to run Chrome in its own sandbox so you can set it up with its own settings.

    Bo
     
  3. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    461
    OK. Thanks for the tips. Will try that.

    Update: I think using separate sandbox for Chrome and removing Chrome as a forced app and removing the Start/Run/Internet restrictions is working. I no longer see the busy cursor. Rather than forcing Chrome to run in sandbox I created shortcut from within SBIE for the desktop. Did the same procedure for a separate sandbox for Outlook. I'm in business again!
     
    Last edited: Jun 1, 2018
  4. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    On the latest Stable Chrome (67) and with the latest Nightly Build of Process Hacker (https://wj32.org/processhacker/nightly.php), PH now shows correctly that the Chrome security developers have enabled the Indirect Branch Prediction process mitigation on all chrome.exe child processes. This is only on the latest Windows 10 (1803 only, I believe) with the latest PH nightly and stable Chrome channel.

    IndirectBranchPrediction.png
     
  5. majorpain

    majorpain Registered Member

    Joined:
    Jul 22, 2016
    Posts:
    40
    Location:
    tennessee
    for google chrome or google chrome quantum do i need to do somthing speacial to enable built in sandboxing? also somthing i noticed till i seen this thread. Keyscrambler pro once i install it when i type in a google chrome window it automaticly closes the browser.

    anyways back to sandboxing. do i need to do anything to enable chrome sandboxing
     
  6. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Chrome's sandboxing is enabled by default and the strength of it depends on the underlying operating system. So there is nothing that you need to do. Have a look at the following details (https://chromium.googlesource.com/c...8946013eb812c6d3975bec/docs/design/sandbox.md) and you will notice that the Chrome developers take advantage of newer sandboxing mitigations in the latest Windows operating systems. That link also explains quite a bit more.

    The only thing that you could take advantage of (if on Windows 10) would be some newer experimental options in chrome://flags settings.
    chrome://flags/#enable-appcontainer
    chrome://flags/#enable-gpu-appcontainer

    I'm pretty certain that AppContainer is used by default regardless on Windows 10 now and so therefore the flag will likely be removed at some point and wont be necessary. But AppContainer for the GPU process is quite a new development and worth taking advantage of.
     
  7. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
    Thanks for the GPU-Appcontainer flag, WildByDesign! I didn't know about it. :)

    BTW it is now 30 pages since people said: "Maybe yes, maybe no" to running chrome sandboxed. :)
    Did you end on a different consensus?
     
  8. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    It remains a debated point, as far as I understand. I don't think there is a consensus.
     
  9. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,556
    At the very least, if you run Chrome in appcontainer then don't bother using sandboxie on Chrome.
     
  10. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    Thank you for posting this information. I'm running latest Chrome beta Version 68.0.3440.68, and both of those flags were at "Default". I had renderers at "Untrusted", and now after enabling them both I have a gpu process and several renderer processes running at "Appcontainer". I'll see how things go.
     
  11. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
    For me all chrome processes (Sandboxed) are running as untrusted. Do you mean actual graphic renderer or just like "rendering a web page?
     
  12. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    The first one running under Appcontainer is "type=gpu-process", the rest are "type=renderer".

    chrome-Processes.PNG

    I've also got "Strict site isolation", "Top document isolation" and "PDF isolation" flags enabled.
     
  13. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
    Doesn't look like you run it sandboxed. If I do that there's a sandboxiecrypto.exe in the middle.
    BTW if you enable Top Document Isolation you're not isolating things, just increasing performance:
    That's why I disabled it.
    Thanks for the PDF isolation flag :)
     
    Last edited: Jul 19, 2018
  14. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    You are right, I don't run a 3rd-party sandbox program. I believe Windows 10 already provides excellent sandboxing for Chrome. You're welcome for the flag.
     
  15. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    You're welcome. Unfortunately, I don't know since I did not participate in this thread early on and only followed this thread more recently.
    You're welcome. I've been using these AppContainer flags for some time now and luckily have not experienced any issues whatsoever which is great. Same goes for the Strict Site Isolation; no issues there either. There is still more AppContainer development coming for Chrome and also Site Isolation is going to also become more thorough as well. Lots of solid security related developments coming.
     
  16. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    BTW the potential issues involved with sandboxing Chrome only apply to light virtualization such as Sandboxie. The isolation method used by ReHIPS, on the other hand, does not diminish native Windows protection in any way. On the contrary, it is built on top of native Windows protection.
     
  17. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
    shmu26 do you know if chrome firewall work the same?
     
  18. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    Sorry, I don't know what chrome firewall is.
    If you are asking about the firewall of Chrome OS, I don't know anything about it.
     
  19. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
    Oh man xD Sorry I meant Comodo firewall. I literally just woke up. xD
     
  20. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    That's a good question. I don't know how it works, looking forward to hearing from others. :)
     
  21. guest

    guest Guest

    ReHIPS mechanism is unique, Comodo use light virtualization
     
  22. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
    I don't like ReHIPS user interface. I wait till that has been overhauled.
    And Light Virtualization means it is also interfering with chrome stuff? And it sounds like it is "less secure" than sandboxie. Can you please elaborate :)
    Thank you
     
  23. guest

    guest Guest

    light virtualization : sandboxie, comodo, shadow defender, etc..
    full virtualization: VMs

    at least it is the way i interpret it.
     
  24. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
    Oh, that makes sense. :)
    ------------------------------------------------

    With Comodo Containment Chrome has three processes with Integrity: Medium, one with Low and a billion with Untrusted. Unfortunetaly,it appears to be impossible to copy-and-paste into Chrome if it runs in Comodo.


    What mitigation policies should I see in a best-security-scenario? (Since we just had this topic)

    This is for Untrusted processes:
    (Sandboxed)
    1. ASLR
    2. DEP (permanent)
    3. Images restricted (remote images, low mandatory label images)
    4. Indirect branch prediction
    5. Loader Integrity
    6. Module Tampering
    7. Non-system fonts disabled
    8. Signatures restricted (Microsoft only)
    9. Strict handle checks
    10. Win32k system calls disabled

    This for Low: (Not Sandboxed)
    1. ASLR (high entropy, force relocate)
    2. CF Guard
    3. DEP (permanent)
    4. Extension points disabled
    5. Images restricted (remote images, low mandatory label images)
    6. Indirect branch prediction
    7. Loader Integrity
    8. Module Tampering
    9. Non-system fonts disabled
    10. Signatures restricted (Microsoft only)
    11. Strict handle checks
    12. Win32k system calls disabled

    This for Medium:
    (Not Sandboxed)
    1. ASLR (high entropy, force relocate)
    2. CF Guard
    3. DEP (permanent)
    4. Extension points disabled
    5. Images restricted (remote images, low mandatory label images)
    6. Loader Integrity
    7. Module Tampering
    8. Strict handle checks

    It looks to be good to run Chrome untrusted or better low. Furthermore, it seems to be that Sandboxie increases protection, on top of virtualization, because it forces all processes to run untrusted. (No medium processes) Is that a correct observation?
    (Low processes inside Sandboxie have the same policies as Untrusted in Sandboxie)
    Is there a setting for this in Sandboxie? Can I enhance the policies somehow?

    ------

    I got one other question regarding AppContiainer: Even though I have #enable-gpu-appcontainer, #enable-appcontainer and #enable-site-per-process enabled, I still don't see AppContainer in Process Hacker when I run Chrome normal, outside a Box. Does that not appear in the Integrity Column? It looks to be there in your picture, @wat0114
     
    Last edited: Jul 20, 2018
  25. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
    Apparently that is wrong? #enable-top-document-isolation's description if confusing. On Reddit I found a post which says:
    https://www.reddit.com/r/chrome/comments/8ivdwd/chrome_flags_to_improve_security_read_now_d/
    I am still confused. Is it a good thing? But it sounds like it puts all iFrames together. Then why does having it disabled "defeat the purpose of #enable-site-per-process"
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.