I need your input on the topic of UI design. As you may remember I'm planning to create a new Privacy Enhanced Sandboxing mode https://github.com/sandboxie-plus/Sandboxie/issues/890

In the Privacy Mode sandboxed processes will only be able to read C:\Windows\*, C:\Program Files\*, and parts of the HKLM registry; all other locations will need to be explicitly granted access to be readable and/or writable. As well as that, I want to introduce Application Container modes in which there is low to no security isolation, for people who want to use Sbie primarily for application containerization and deployment.

Also, as you know, when creating a sandbox you can already choose between 3 presets:
1.) Hardened - Drop admin rights enabled
2.) Default - well, the new plus standard
3.) Legacy - a bit lower isolation and more classic presets

So to avoid confusion I was thinking it would be best to color code the boxes in the UI and also add a setting in the first tab of the general box options where this preset is displayed and enforced (i.e. other settings which would compromise the preset get disabled).

The main issue is that we have not 1 but 2 aspects to the sandboxing:
1. Isolation: Hardened, Regular, Legacy, Lenient, App Container (NONE)
2. Resource Access Mode a.k.a. Privacy Mode

For optimal customization these should be 2 independent settings, but I think this is not ideal and can't be represented with one color code. So I was thinking about defining presets which configure both aspects at once. My current thoughts are as follows:
Hardened Sandbox with Privacy Mode
Hardened Sandbox
Private Sandbox
Regular Sandbox
Custom Sandbox
Legacy Sandbox
Lenient Sandbox
Application Container with Privacy
Application Container

So no idea what color to use for Custom and for Lenient; the only one left is Magenta. I mean, sure, I could introduce additional colors, but at some point it gets hard to distinguish them.
Also I'm not sure what the Lenient mode should do. People requested it for games and/or video conferencing and desktop sharing; I mean it could be a mode which indicates full desktop access, "OpenWinClass=*" and "NoAddProcessToJob=y", and maybe a few more minor things like "OpenDevCMApi=y".

We could make the Regular Sandbox and Custom Sandbox the same thing and drop the Legacy config altogether, as it's currently only "UnrestrictedSCM=y", "OpenPrintSpooler=y", "Template=OpenSmartCard", since all the other security enhancements are also enforced for the classical build.

So maybe I should make it like this:
1a.) Hardened Sandbox with Privacy Mode
1b.) Hardened Sandbox
2a.) Private Sandbox / Custom Sandbox
2b.) Regular Sandbox / Custom Sandbox / Legacy Sandbox
__.) Box configured without isolation, not denoted to be an App Container
3a.) Application Container with Privacy
3b.) Application Container

I think this selection of 6+1 modes is reasonably comprehensive. We have 3 basic modes:
1. Hardened
2. Regular / Customizable
3. App Container
and 2 variations for each:
a. Privacy Mode
b. Normal Mode
as well as the non-configurable, display-only mode for when something is configured very insecurely without it being on purpose.

So the promotion from variant b. to a. is done automatically based on the future "UsePrivacyMode=y" option. Promotion from mode 2. to 1. is governed by the "DropAdminRights=y" option. And for the App Container / Lenient Mode I would introduce a new setting "AppContainer=y", or should I be more explicit and call it "DisableSecurityIsolation=y"?

So changing this preset in the drop-down would set these 3 options accordingly and fix other settings that are conflicting. When the user edits the ini section to enable a conflicting setting which lowers the security (increasing would be fine), the display would switch to the Magenta box display and the drop-down would indicate, idk, "Inconsistent box preset" or something like this.
Well enough rambling my lunch break is over....
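As an added illustration of the preset logic sketched in the post above (not code from the Sandboxie-Plus project), the following derives the preset name for one box section of a Sandboxie.ini and flags the "Inconsistent box preset" case. It assumes the option names proposed in the thread (UsePrivacyMode, DropAdminRights, AppContainer / NoSecurityIsolation) and assumes, as a rule of its own, that the three "Lenient" settings named above conflict with a Hardened preset.

```python
"""Derive the proposed Sandboxie-Plus box preset from one [Box] ini section."""
from collections import defaultdict

# Option names from the proposal; whether AppContainer or NoSecurityIsolation
# is the final key is still open in the thread, so both are accepted here.
CONTAINER_KEYS = ("AppContainer", "NoSecurityIsolation")
# Settings the proposal lists for the "Lenient" variant. Assumed rule: they
# lower security, so they conflict with a box that claims to be Hardened.
LENIENT_SETTINGS = {"OpenWinClass": "*", "NoAddProcessToJob": "y", "OpenDevCMApi": "y"}
# (normal name, privacy-mode name) for the three basic modes, as listed above.
PRESET_NAMES = {
    "hardened": ("Hardened Sandbox", "Hardened Sandbox with Privacy Mode"),
    "regular": ("Regular Sandbox", "Private Sandbox"),
    "container": ("Application Container", "Application Container with Privacy"),
}

# Constructed sample ini, not a real Sandboxie.ini.
SAMPLE_INI = """
[Hardened]
Enabled=y
DropAdminRights=y
UsePrivacyMode=y

[Leaky]
DropAdminRights=y
OpenWinClass=*

[Container]
NoSecurityIsolation=y
"""

def parse_box(ini_text, box):
    """Return {key: [values]} for one [box] section; keys may repeat in Sandboxie.ini."""
    settings, current = defaultdict(list), None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current == box and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()].append(value.strip())
    return settings

def is_on(settings, key):
    return any(v.lower() == "y" for v in settings.get(key, []))

def preset_for(settings):
    """Map the three governing options onto a preset name, flagging conflicts."""
    container = any(is_on(settings, k) for k in CONTAINER_KEYS)
    hardened = is_on(settings, "DropAdminRights")
    lenient = any(v in settings.get(k, []) for k, v in LENIENT_SETTINGS.items())
    if hardened and not container and lenient:
        return "Inconsistent box preset"   # security-lowering edit of a Hardened box
    mode = "container" if container else "hardened" if hardened else "regular"
    return PRESET_NAMES[mode][1 if is_on(settings, "UsePrivacyMode") else 0]
```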
Extremely interesting @DavidXanatos - keep up the good work. Your innovative approach is drawing me near. And I'm one not easily impressed. That is, until I see something like this.
"or should I be more explicit and call it "DisableSecurityIsolation=y"" - Yes, this one. It just makes it clearer that enabling this option is security related and is going to lower an aspect of security. Excellent job btw. I probably need a few more coffees to properly take on board the upcoming changes you've detailed above. It would also be really helpful to let us know with the next edition which settings are enabled by default (without having to try and comb through the ini to figure it out, especially for those with less tech knowledge), and which are opt-in. Thanks!
"DisableSecurityIsolation" sounds too long, but I guess "NoSecurityIsolation" is just as clear and short enough. Also these plans are for build 0.9.5 or 1.0.0; there is quite a way until then, LOL.

But another thing... we could have most of the compatibility of an unisolated app container mode with quite some security, as we still can filter file system access and registry access using the driver, as well as access to other processes using ObCallback... so we could have a mode in between the hard core Sandboxie mode and the pure app container mode. Or, assuming the filtering won't break anything, I could make this the default app container mode with the option to disable it for a super insecure app container mode, LOL. So there would be another option "NoSecurityFiltering", LOL.

I mean, to bring it into perspective about what levels of security we are talking here: an App Container mode with filtering would be equivalent to the Comodo Sandbox, which is okay as long as no processes inside run with admin or higher privileges, which they can if the users click on a UAC prompt. So using such a container with drop admin rights + fake admin to be able to install things, as well as system-less MSI mode, would still be quite decent protection.
Sounds like a great plan, really looking forward to these. What exactly does "Application Container" entail? Isolation of both registry and user data? Is it possible to have an option for registry isolation only?
Application Container means that we virtualize the file system and registry, but we don't change the process token or apply other more limiting restrictions, hence a process could potentially escape the virtualization if it purposefully tried to. The upside is that in this mode the overall compatibility should be greatly improved.
Thanks, then would you consider an option for registry isolation only, without virtualising/limiting the processes? The rationale is to keep a clean registry, but much more reliably/securely than PortableApps or equivalent.
Personally I am a great fan of different colors in software and I often miss them in user interfaces. But here we would obviously have to do it with seven different colours, which will make it difficult for the users to see or remember which color represents which mode.

The following explanation gave me an idea for a possible alternative: What I see is that by chance each of these elements has a different initial letter: H - R (or C) - A (or AC) - P - N

So my idea is: perhaps these 6 basic situations could be represented by the appropriate letters (instead of a color)? That means for example:
H / P
H / N
R / P
R / N
A (or AC) / P
A (or AC) / N

I think that users will more easily remember that e.g. "H" means "Hardened" or "N" means "Normal" and so on, instead of having to associate every situation with a certain color. (If necessary, additional constellations could indeed be characterized by different colors.)

The problem is that I have no convincing idea where these letters should be placed so that they are easily readable. Perhaps within the icon? I only fear that then the dots won't be clearly visible any longer.
Very appreciated. Maybe one on each corner, no overlap. I would accept 3 or 4 colors, but not 12, that is overkill, even dark/light blue is too much.
Ok I see, so how about:
1.) Hardened Sandbox
2.) Regular Sandbox / Custom Sandbox / Legacy Sandbox
3.) Application Container

We avoid red and green and draw a rectangle around a box if it has privacy mode on, or a large + sign indicating it's a plus sandbox with privacy protection.
Create New Box - Select restriction/isolation template: Hardened, Default, Legacy Sandboxie Behavior. Which one should I select for App Container?
Default vs. Legacy (general) differences? And how about different colours with a letter for the mode in it (H, D, L)? So long as the colours are sufficiently different, even if I can't initially remember the differences, it should be enough to prompt me that there is a difference to be aware of. The likely problem for me is going to be the empty/full recognition.
My old geezer crappy slow third-world lappy, lol, is struggling with Chrome + Sbie 0.9.3 legacy mode, which I consider less restrictive. It struggles with Chrome in a way that it takes ages to fully open and load its GUI. By any chance do you have an alpha or the like to try an even less restrictive mode? Anything is better than browsing naked. @DavidXanatos
Interesting stuff, I remember months ago you were already thinking about this. So basically it's a bit of a less secure sandbox, but it will make more (trusted) apps run correctly inside the sandbox.
Like the idea; how about just framing it? Here is a new Pizza. Like: container, legacy, with firewall, hardened. (16x16x256)
This is the smallest size we need; bigger is always easier, so I did the smallest, 16px x 16px, which would be in list view. The text is the setting in my grabber and only a description here. The point was to demonstrate with 16x16 whether that would work, and I think it does. But that is only me. (I still like my Sandman too.) @DavidXanatos if you want to make it really crazy, allow custom icons. However, I think that would destroy the recognizability of the tool, which should be there. That's also why I think the old Pizza is quite important, also as a homage to the original.