I'm working on a new Sandboxie feature, which allows running processes in an entirely separate desktop. See DEMO: https://youtu.be/EMlhObEiYiQ This allows reliably preventing any screen capturing from within the sandbox; it can also be used to do the opposite and protect a private encrypted sandbox. The feature is still very much a work in progress, so don't expect a release anytime soon.
Only 15 views on the demo video, is it so boring a feature, or is it the summer and people have better things to do? Anyhow, I need some advice: where should the checkbox for this feature be located? As it can help either to protect the host or to protect the box depending on the use case, it is not so clear cut where to put it.
It's too hot to comment. Will each box use its own desktop, or will there be a single desktop? Do users have the ability to interact between the normal desktop and the Sandboxie desktop, like copy and paste? You can place this setting in the first tab that appears when the options window opens. (General Options > Box Options)
Currently Sandboxie creates a new desktop for each box. The clipboard is implemented on the window station level, so yes, stuff copied into the clipboard on one desktop will still be there when you switch to another desktop. One of the issues I'm facing right now is that the start menu and context menus on the taskbar on the non-default desktop are broken on Windows 10 and 11. This is not a Sandboxie issue, as the SysInternals Desktops tool (https://learn.microsoft.com/en-us/sysinternals/downloads/desktops) has the same issue (on Windows 7 it worked just fine); it seems that the modern UWP-based UI components are not rendered by explorer.exe but by some other process which lives on the default desktop and does not get a new instance for a new desktop. So we either have to craft our own shell replacement for the sandboxed desktops or live with the issues. Strangely enough, the Open Shell menu, while not being triggered on 10, seems to work just fine on 11; there only the context menus for the pinned items are missing.
Will it become sort of like a VM? Are there any other advantages to it, I don't see the point to be honest.
No, a VM is something completely different. There are many advantages. You see, Windows does not support DACLs on UI objects. This means you cannot precisely isolate UI elements on the same desktop from each other. With Windows Vista MS introduced UIPI (User Interface Privilege Isolation), but this is only a one-way isolation: processes have a set integrity level, Medium for normal, High for admin, Untrusted or Low for sandboxed. And everything with a higher level can access everything on its own or lower levels; this is not great. For example, we cannot protect the windows of an encrypted private sandbox from being messed with by software running on the host. And as mentioned, for best isolation we need to drop the integrity level to Untrusted, which brings a whole mess of issues requiring a lot of code to fix, as well as yet unfixed problems like HW acceleration in web browsers not always working in non-green boxes. Using a separate desktop which has its own DACL allows us to keep a higher integrity level without reducing the protection of host windows. One issue that is IMHO not otherwise resolvable is reliable desktop capturing prevention; having sandboxed processes on a separate desktop ensures they cannot capture any screenshots of host processes. Also, without DACLs we can't isolate 2 boxes from each other: both have Untrusted integrity level, hence are able to send messages to each other's windows. All these issues can be resolved by giving each sandbox its very own desktop it can have full control over. The downside is that at any point in time only one desktop per window station can be rendered, so it is required to switch desktops, and we cannot display windows of multiple boxes or the host at the same time.
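As an added illustration of the mechanism described in the post above (this is example code written for this page, not Sandboxie's own implementation), the following PowerShell script creates a desktop whose DACL grants access only to one SID, starts a process on it through STARTUPINFO.lpDesktop, switches to it briefly, and switches back. It assumes an interactive Windows session; the desktop name and the use of the current user's SID are illustrative choices (a sandbox would put the sandboxed token's SID in the DACL instead).

```powershell
# Added example (not Sandboxie's own code): create a desktop with its own DACL,
# start a process on it, show it for a few seconds, then return to the default desktop.
$native = @'
using System;
using System.Runtime.InteropServices;
public static class NativeDesktop
{
    [StructLayout(LayoutKind.Sequential)]
    public struct SECURITY_ATTRIBUTES { public int nLength; public IntPtr lpSecurityDescriptor; public bool bInheritHandle; }

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct STARTUPINFO
    {
        public int cb; public string lpReserved; public string lpDesktop; public string lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool ConvertStringSecurityDescriptorToSecurityDescriptor(
        string sddl, uint revision, out IntPtr sd, out uint sdSize);
    [DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr CreateDesktop(string name, IntPtr device, IntPtr devmode,
        uint flags, uint desiredAccess, ref SECURITY_ATTRIBUTES sa);
    [DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr OpenDesktop(string name, uint flags, bool inherit, uint desiredAccess);
    [DllImport("user32.dll", SetLastError = true)] public static extern bool SwitchDesktop(IntPtr hDesktop);
    [DllImport("user32.dll", SetLastError = true)] public static extern bool CloseDesktop(IntPtr hDesktop);
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool CreateProcess(string app, string cmdLine, IntPtr pAttr, IntPtr tAttr,
        bool inherit, uint flags, IntPtr env, string cwd, ref STARTUPINFO si, out PROCESS_INFORMATION pi);
    [DllImport("kernel32.dll")] public static extern IntPtr LocalFree(IntPtr h);
}
'@
Add-Type -TypeDefinition $native

$GENERIC_ALL           = 0x10000000
$DESKTOP_SWITCHDESKTOP = 0x0100
$desktopName = 'SbiePrivateDemo'   # illustrative name; a sandbox would derive one per box

# DACL with a single ACE: GENERIC_ALL for one SID and nothing for anyone else. Here that
# SID is the interactive user (assumption for the demo); a sandbox would use the box token's SID.
$sid  = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$sddl = "D:(A;;GA;;;$sid)"
$sd = [IntPtr]::Zero; $sdSize = [uint32]0
if (-not [NativeDesktop]::ConvertStringSecurityDescriptorToSecurityDescriptor($sddl, 1, [ref]$sd, [ref]$sdSize)) {
    throw "SDDL conversion failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}
$sa = New-Object NativeDesktop+SECURITY_ATTRIBUTES
$sa.nLength = [Runtime.InteropServices.Marshal]::SizeOf($sa)
$sa.lpSecurityDescriptor = $sd
$sa.bInheritHandle = $false

$hDesk = [NativeDesktop]::CreateDesktop($desktopName, [IntPtr]::Zero, [IntPtr]::Zero, 0, $GENERIC_ALL, [ref]$sa)
[void][NativeDesktop]::LocalFree($sd)
if ($hDesk -eq [IntPtr]::Zero) { throw "CreateDesktop failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }

# STARTUPINFO.lpDesktop binds the new process, and every window it creates, to that desktop.
$si = New-Object NativeDesktop+STARTUPINFO
$si.cb = [Runtime.InteropServices.Marshal]::SizeOf($si)
$si.lpDesktop = $desktopName
$pi = New-Object NativeDesktop+PROCESS_INFORMATION
if (-not [NativeDesktop]::CreateProcess($null, 'notepad.exe', [IntPtr]::Zero, [IntPtr]::Zero, $false, 0,
        [IntPtr]::Zero, $null, [ref]$si, [ref]$pi)) {
    throw "CreateProcess failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}
"notepad started on desktop '$desktopName' with PID $($pi.dwProcessId)"

# Only one desktop per window station is visible at a time: show the private one, then return.
[void][NativeDesktop]::SwitchDesktop($hDesk)
Start-Sleep -Seconds 5
$hDefault = [NativeDesktop]::OpenDesktop('Default', 0, $false, $DESKTOP_SWITCHDESKTOP)
[void][NativeDesktop]::SwitchDesktop($hDefault)
[void][NativeDesktop]::CloseDesktop($hDefault)
[void][NativeDesktop]::CloseDesktop($hDesk)
```

Run it from an interactive PowerShell session. While the script sleeps, the screen shows only the new desktop with the notepad window; the console on the default desktop is not drawn, which is the visibility limitation the post describes. After switching back, a window enumeration from the default desktop (for example EnumWindows, which only covers the calling thread's desktop) will not return the notepad window, which is the same separation that keeps a process on the private desktop from reading or capturing host windows. The DACL is what lets the private desktop be protected without lowering the process's integrity level: a token whose SID is not in the ACE list is refused OpenDesktop regardless of its integrity level.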
OK I see, so it's all about getting better isolation from other sandboxes and the real system. My concern is that eventually Sandboxie will become too complex, know what I mean? I think it should remain a simple app virtualization tool. It almost sounds like Sandboxie would act more like iCore Virtual Accounts, that's what I meant with VM. https://en.wikipedia.org/wiki/OS-level_virtualization https://en.wikipedia.org/wiki/ICore_Virtual_Accounts Sounds like a major downside to me. But it's still an interesting idea.
That's true I guess. And would it work a bit like iCore Virtual Accounts? I don't know if you remember this app, it did have potential.
No, I don't remember it. Is there some info about it that would quickly show what it did and how it worked?
You can read about it on Wikipedia, see link. I don't think I ever actually used it, since I was already happy with Sandboxie. But I believe it wasn't a full-blown VM like VirtualBox and VMware Workstation. I guess it used a separate desktop in order to virtualize stuff, so that's why this feature you're planning to implement reminded me of this app. https://en.wikipedia.org/wiki/ICore_Virtual_Accounts
The separate desktop feature is now included in today's insider build on patreon, for great patreons and above.
BTW, I have a technical question, but do you think it would be possible to make Sandboxie work in a ''virtualization only'' mode where it would only virtualize the file system and registry? With that I mean, the browser itself (Chromium or Firefox based) would still use the built-in sandbox, without Sandboxie taking over. But I assume that Sandboxie should always virtualize IPC too? https://en.wikipedia.org/wiki/Inter-process_communication
Well, if you use a green box, that cooperates with the Chromium or Firefox based own sandbox, so you get a sandbox in a sandbox.
Sorry, but I'm not following you. The question was, if it would be technically difficult to make Sandboxie only virtualize file system and registry? And way back there was this huge discussion on this forum about that Sandboxie may weaken the built-in sandbox of Chrome and Firefox, I don't know how you think about this subject. Back then I disagreed with it, because if you can escape the browser's sandbox, you would still need to escape Sandboxie too. But a ''virtualization only'' mode would perhaps make browsers running in Sandboxie more snappy. Although it's still not clear to me if you could simply disable virtualization of IPC, it would of course be bad for security, but the browser's built-in sandbox should take care of that.
> The question was, if it would be technically difficult to make Sandboxie only virtualize file system and registry?

Would be easy but not recommended. You can use OpenIpcPath=* to not virtualize any IPC.

> And way back there was this huge discussion on this forum about that Sandboxie may weaken the built-in sandbox of Chrome and Firefox

Using a yellow/blue or red/orange type box indeed disables some features used by the Chrome and Firefox built-in sandbox, but by far not all. Using a green/cyan type box does not do that, and there the Chrome and Firefox built-in sandbox runs with all its capabilities.

> But a ''virtualization only'' mode would perhaps make browsers running in Sandboxie more snappy. Although it's still not clear to me if you could simply disable virtualization of IPC, it would of course be bad for security, but the browser's built-in sandbox should take care of that.

You can try a green box with OpenIpcPath=*.
So is it better to run Firefox in a sandbox with lesser protection and rely on the inbuilt sandbox? I currently use a drop-rights, probably, yellow sandbox. I had problems with data protection in the past, but I should probably recreate all my sandboxes from scratch at a higher security level as they are many years old, and see which give problems. Can I stand the pain as things break though [rhetorical].
I would rather keep the primary sandbox as secure as possible; the browser's own sandbox is only an additional line of defense.
Ok, agreed. But should I create a separate (forced) box for Firefox and run it so it uses its own sandbox, or keep using SB as before?
So are you saying that when you exclude browsers from IPC virtualization, then Sandboxie will only enforce file system and registry virtualization? And I assume you say it's not recommended because if the browser's built-in sandbox is breached, most of your protection is then gone if you whitelist IPC, or is this false? So are you saying that Sandboxie does NOT interfere with the Chromium and Firefox sandbox at all? I always believed that Sandboxie basically took over at least some of the sandboxing.
I can't answer that, how were you using it before? I would try to use one sandbox per application and tune each box to the application's needs. Yes. Well, if the malware targets that case then it's not good; if it's regular malware oblivious to Sandboxie, it's not likely to attempt an IPC-based workaround. Sandboxie does its own sandboxing, and to work in a non-green box this means some isolation mechanisms employed by Chrome/Firefox have to be disabled. If you are using a green box, you get a sandbox in a sandbox; all mechanisms cooperate and do not interfere.
OK, so perhaps you can then add an easy-to-find option to disable IPC sandboxing? What I meant is that if malware escapes from the browser's sandbox, then it could use code injection if IPC virtualization is disabled. But I wonder what SBIE blocks when IPC virtualization is disabled; would it still block malware from installing drivers? Would it still virtualize service installation? And I assume that file system and registry virtualization would still help against ransomware. I believe this green box feature is only present in the newer versions of SBIE. But good to know that Sandboxie does sometimes disable certain isolation features of the browser's sandbox.
I think I know something about the cause of the problem. Sandboxed access to some COM server components is problematic. Now, although the agent handles the CoCreateInstance series of APIs for COM server components, it does not handle RoActivateInstance/RoGetActivationFactory. I suspect this is the root cause of many problems. I have analyzed it, but I find it difficult to deal with the technical problem.