Application Sandboxes: A pen-tester’s perspective

Discussion in 'sandboxing & virtualization' started by BoerenkoolMetWorst, Jul 25, 2013.

Thread Status:
Not open for further replies.
  1. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    But how do you actually test those malware samples against Google Chrome 30, and have you tested them against a tightly configured SBIE4?
    I still don't understand how Chrome blocks malware; when I surf on Chrome it doesn't make any real difference compared to Firefox or IE.

    I need to ask you something: I also don't run anything on my XP for protection. I always use Firefox with Adblock Plus, NoScript and Public Fox with password protection, which blocks all unwanted downloads; if something is downloading, it is instantly blocked because it requires my password to download anything. Then I also use Google Chrome with Adblock Plus, I also use that version of Firefox's NoScript, and I always surf in Incognito mode just in case.
    I have the router set to maximum inbound firewall protection plus the Windows XP firewall on maximum protection. Is that enough?
    The only real problems are removable drives; for that I use the NoAutorun application, and autorun is also disabled, but I don't know if it's enough.

    On another computer I use SBIE4 tightly configured (however, I have added the configuration that Malwar mentioned, which I was not aware of and did not know about) for everything mentioned, and of course the router's protection on maximum level.
     
    Last edited: Nov 1, 2013
  2. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    I wonder if hackers can beat AppGuard and how easy or hard it would be?
    This is what Barb C (if we can trust her words) said about AppGuard:
    https://www.wilderssecurity.com/showpost.php?p=2296332&postcount=3393
     
    Last edited: Nov 1, 2013
  3. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    You test drive-by installs, very rare in real life. As for trojans or whatever you manually downloaded, that's fully under your control. It doesn't matter if the user has Sandboxie if they will run it unsandboxed anyway. If you don't run it, or sandbox the executable via right-click, what's the advantage of sandboxing the whole browser other than more control?
    That is some extremely technical testing that very few can perform. But, as shown by the Bromium Labs and (at least my) real-life experience, it's a negligible difference. That's why I don't sandbox Chrome, there's redundancy, incompatibility (with other security programs more specialized for exploits and possibly more), a bit lower performance, and a daily 5 second wait.
     
  4. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    Drive by installs are not so rare as you believe J L. I am not sure if Chrome sandbox might have prevented them, I guess so. One can never be so sure.

    As to Sandboxing Chrome, it has no performance impact at all.

    Also, you can test Chrome extensions inside SBIE the same as with any other software, before installing them on your real system (browser). I now have one Chrome extension installed that stops the Avast webshield for Chrome from working.

    I agree with you, though, that if you run/prefer some security software that conflicts with the other, like for instance Sandboxie, then you'd better stick with what makes you happy.
     
  5. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    I guess increasing the attack surface is the answer. But what I'm also interested in is USB protection: are you using Panda USB Vaccine?
    But what happens if you use computer vaccination instead of USB vaccination?
    What's the difference?
    How do you protect your USB and all other removable drives?
     
  6. guest

    guest Guest

    Windows 7 Home Premium doesn't have group policy editor, so no SRP. See here.

    But wait, there are workarounds for that. You can try a registry tweak or PGS.

    Takes a few extra seconds until all required files and folders to be virtualized and ready to use, though. Plus additional five seconds or so if you are using the unregistered version.

    Can be done with Shadow Defender (and similar programs), VMs, or even another computer as well. Or just create a backup of the system, try those extensions, and if you don't like them, restore.

    Why does everyone only pay attention to Sandboxie? No love for DefenseWall and Comodo's sandbox? o_O
     
  7. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    Perhaps you are missing something but don't know.

    GZ, you can try extensions using SD or a VM, but the convenience of doing it using SBIE is unmatched. Let me give you an example. I use Firefox, so if I want to try an extension, I just install it, and after deleting the sandbox the extension is gone. That simple; you can't do that using SD or a VM.

    Or if I'd like to install Java temporarily. All I have to do is run the installer in a sandbox, then run the browser. Now I can use my browser with Java. After I am done with Java, I delete the sandbox and I'm back to normal.

    Bo
     
  8. guest

    guest Guest

    True, it's simple. I just said that it also can be done with other methods.

    I am missing anyone here discussing DefenseWall and Comodo's sandbox as much as Sandboxie.
     
  9. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    You want to know about DefenseWall? Try it. It's a great program and I recommend it. I never used it to try extensions, but I guess you can use it for that. Your browser is installed as trusted but runs untrusted. If you install an extension, it would install as untrusted. After you're done trying it, to get rid of it you uninstall it and your system remains as if you never had it on. That's how it would be if you used DW.

    If you decided you like the extension and want it in your system, you can run the browser as trusted and reinstall the extension.

    Bo
     
  10. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Yet you're sure they're not so rare as I believe? I don't layer the same kind of protection to be sure, unless you harden Sandboxie to barely usable levels for negligible difference in real life.

    There's always an impact when you add code, especially on weaker systems.

    I prefer Chrome portable for that task, although there never was a problem with uninstalling extensions normally. Plus, AX64 Time Machine (and Parted Magic's Clonezilla) has my back.

    Different tools for different tasks. I still use Sandboxie for other programs.

    I just disable Autorun for my system manually, there are a few ways to do that. Nowadays, it's not as exploitable by default anyways, since there's a prompt instead of running executable automatically.
    USB vaccination disables autorun on the flash drive itself, so it won't spread anything automatically on any computer it's connected to. I just remove the autorun.inf, although that doesn't prevent re-infection. Computer vaccination just disables Autorun on the system for you, making you immune against those types of viruses unless manually executed.
     
  11. Just clicking website links, sometimes executing to see whether they bypass deny-execute for Basic User (when I was on Safe_Admin with IE; I am now on Locked_Admin, which also blocks processes started from user folders for Admin).

    On XP you'd better use Sandboxie, because XP does not have the Low/Untrusted Integrity Levels which are a crucial part of the Chrome sandbox (see below). On XP you'd better use Sandboxie 3.76, because SBIE v4 uses low ILs, which your OS does not facilitate.


    How the Chrome/Adobe sandbox works
    1. Restricted Token
    Before the broker process launches a renderer process or sandboxed plug-in process, it removes all rights from that object and then assigns a restricted token, meaning it runs with a LOW-rights IL (Integrity Level). So the Integrity Level sets a hard wall between different operating areas (containers) on system level.

    A Low IL process is unable to change objects running as Basic User (with medium level IL). Medium level IL (on Vista and higher) can't touch High level IL. Medium IL is similar to Basic User, High IL is similar to Admin. When a medium IL process wants to change a High IL object, you will get a UAC prompt (when you run as Admin).

    This still leaves the renderer (child) process open to side-by-side attacks (from processes with the same rights), because high rights processes are allowed to change other high rights, medium rights and low rights processes, medium rights processes are allowed to change medium and low rights processes, and low rights processes are allowed to change other low rights processes.

    2. Job Object
    There are a lot of ways processes can be started and communicate with each other. With the parameters Chrome uses, the communication on user level is restricted: e.g. the ability to launch only one user process, restricted access to other program windows, closing the Windows OS, etc.

    3. Alternate Desktop
    This closes the last hole on the messaging level; this way keyboard, screen, etcetera can't be read by processes on another desktop. Windows itself uses it for the UAC prompt, the dark secure desktop (it prevents keyloggers from reading your credentials).

    Google bought GreenBorder
    Before they launched Chrome, Google bought GreenBorder, a program similar to Sandboxie and BufferZone. They had the knowledge to launch a browser with a sandbox based on program virtualisation; instead they decided to build it upon policy containment. The difference between them: assigning a job object removes all doors at user level except one (policy containment), so the program only has to watch one door. The start/stop mechanism in Sandboxie hooks all system functions which allow another process to start (in simple terms, it has to watch more doors).
     
    Last edited by a moderator: Nov 2, 2013
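    The "no write up" integrity rule the post above describes, as an added example that is not part of the thread or of Chrome's code. The SID layout (S-1-16-RID) is the real Windows mandatory-label format; the process list is constructed sample data, with the renderers labelled Untrusted as in post 19's wording, not a capture from a real system.

```python
# Model of Windows mandatory integrity control ("no write up") as described
# in the Chrome sandbox post: a process may modify objects at its own level
# or lower, never at a higher level. Added example, not code from the thread.
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Mandatory label RIDs as Windows defines them (S-1-16-<RID>).
INTEGRITY_RIDS: Dict[int, str] = {
    0: "Untrusted",
    0x1000: "Low",
    0x2000: "Medium",   # Basic User / standard user
    0x3000: "High",     # elevated Admin
    0x4000: "System",
}

def integrity_from_sid(sid: str) -> Tuple[int, str]:
    """Parse a mandatory-label SID such as 'S-1-16-4096' into (rid, name)."""
    prefix = "S-1-16-"
    if not sid.startswith(prefix):
        raise ValueError(f"not a mandatory-label SID: {sid}")
    rid = int(sid[len(prefix):])
    if rid not in INTEGRITY_RIDS:
        raise ValueError(f"unknown integrity RID {rid} in {sid}")
    return rid, INTEGRITY_RIDS[rid]

@dataclass(frozen=True)
class Process:
    name: str
    label_sid: str  # mandatory label on the process token

def can_write(subject: Process, target: Process) -> bool:
    """'No write up': subject level must be >= target level. Same level is
    allowed, which is the side-by-side weakness the post points out."""
    return integrity_from_sid(subject.label_sid)[0] >= integrity_from_sid(target.label_sid)[0]

def writable_targets(subject: Process, processes: List[Process]) -> List[str]:
    """Names of the other processes a subject may modify under this rule."""
    return [p.name for p in processes if p is not subject and can_write(subject, p)]

# Constructed sample layout (assumed, not measured): broker at Medium,
# two renderers lowered to Untrusted, the shell at Medium, an installer at High.
SAMPLE: List[Process] = [
    Process("chrome.exe (broker)", "S-1-16-8192"),
    Process("chrome.exe (renderer 1)", "S-1-16-0"),
    Process("chrome.exe (renderer 2)", "S-1-16-0"),
    Process("explorer.exe", "S-1-16-8192"),
    Process("installer (elevated)", "S-1-16-12288"),
]

if __name__ == "__main__":
    # The user-mode check lives in the kernel's object manager; as post 23
    # notes, a kernel flaw sidesteps it entirely, so this rule is not a
    # defence against kernel exploits.
    for p in SAMPLE:
        print(f"{p.name:28} -> {writable_targets(p, SAMPLE)}")
```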
  12. Malwar

    Malwar Registered Member

    Joined:
    May 5, 2013
    Posts:
    297
    Location:
    USA
    My config blocks every kernel exploit that I know of. If I find out about any more kernel exploits, I will post here and give you my config for them.:) :cool:
     
    Last edited: Nov 2, 2013
  13. guest

    guest Guest

    Based on the readings I've got, I agree. I just don't see DW to be mentioned as much as Sandboxie, that's all. DW discussions are mostly in the older threads. Although the fact that it still doesn't support 64-bit OS might be the reason.

    It'd be great if DW was included in this test. I probably got it wrong, but it sounded like DW is a type B sandbox (IL restriction).

    I admit that I alluded to Comodo's sandbox because I want to see it fail, though. :D :argh:

    I can't. I'm on 64-bit. :(
     
  14. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)

    The PGS link appears void. Know of another one? I suffer ATM from having only the OEM Windows 8 version, but if I find a way to install that snap-on, what a defense advantage that would be.

    SRP!!
     
  15. Malwar

    Malwar Registered Member

    Joined:
    May 5, 2013
    Posts:
    297
    Location:
    USA
    CoolWebSearch: Here is the new config, block access to these files:

    ClosedFilePath=C:\WINDOWS\system32\drivers\
    ClosedFilePath=C:\WINDOWS\system32\cmd.exe
    ClosedFilePath=C:\WINDOWS\system32\notepad.exe
    ClosedFilePath=C:\WINDOWS\notepad.exe
     
    Last edited: Nov 2, 2013
  16. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Big thanks for this detailed explanation, but I still think that a powerful/efficient/creative/innovative enough configuration makes it possible to block all exploits, even kernel ones, if you know what you are doing.
    Two questions:
    You said:
    On XP you better use Sandboxie, because XP does not have Low/Untrusted Integrity Levels which is crucial part of Chrome sandbox.
    What would happen if I use Google Chrome and test fresh malware against Chrome on Windows XP, since Windows XP does not have integrity levels?

    Second: why would I use SBIE4 if SBIE3 is vulnerable to the exploit that safeguy posted:
    https://www.wilderssecurity.com/showpost.php?p=2259067&postcount=10

    So SBIE4 is not only immune to this exploit, but it also does not use Windows hooks anymore? How does it then protect exactly? Does SBIE4 rely on its own kernel-level hooks?
    And what would happen if I use SBIE4 on Windows XP, since Windows XP does not have integrity levels?
    It seems to me that when it comes to protection and attack surface I just don't see any real difference between Chrome and SBIE4 when it comes to security, privacy and protection.
    I mean, just look at Malwar's configuration of SBIE4; it beats all the exploits, which proves my point: greater configuration, better and more rock-solid security.
    Everything (in SBIE4) can be configured to be protected; I cannot say this for Google Chrome 30.
     
    Last edited: Nov 3, 2013
  17. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Big thanks Malwar, I truly appreciate this. I will add this to my SBIE configuration and be happy with being rock-solid secure.
     
  18. This one? http://www.fileswap.com/dl/HwZW8nzKLe/
     
  19. OS exploits will bring down any program running on that OS; this has really nothing to do with Sandboxie specifically, see the link you so kindly provided yourself: http://www.sandboxie.com/phpbb/viewtopic.php?p=75473&sid=a9cf26ce8082451b1a9a94d7f1dece80

    Depends on the exploit, but you would be a brave man for sure.


    I will pass and again refer to Tzuk (since he is the one who really knows).

    Just run Process Explorer and see whether V4 on XP runs Firefox or IE or Chrome in LOW or UNTRUSTED integrity levels.
     
    Last edited by a moderator: Nov 3, 2013
  20. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    For once I have to say I'm not some fanatic: if you can prove to me that configuration and restriction in SBIE cannot beat and fill whatever exploit we're talking about, I'll stand corrected.
    But so far I have not seen anyone proving me wrong; so far I was reading that SBIE's protection can be penetrated, but only when it is NOT configured, and that's a key difference.
    If anyone/anything/any exploit/any malware could beat SBIE's tightly configured protection, like installation of malware or opening an exploit and then both the malware and the exploit beating SBIE's defense mechanisms, then we can say SBIE has been bypassed; everything else is a moot point.
    Personally, WS, I think this is fair. Don't you think it's fair?

    Ok, big thanks for this.
     
  21. For your information: Tzuk is the developer of Sandboxie. He says that kernel exploits are the 'end of game' for any (security) program, so if you are not a fanatic this should add some weight to your insight into this matter.
     
  22. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Fair enough, that answers all of my questions, but are you saying that also Malwar's SBIE4 configuration cannot protect against kernel-level exploits? How sure is this?
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    From discussions with Hungry Man, no it can't protect against the exploit this thread is talking about:

    Reason: the files being blocked don't need to be accessed. I also thought that if, say, Firefox couldn't write or write to memory, that would block it. Not true. The problem is that the code injected into the Firefox process by a well-written script can make direct calls to the system. If it successfully attacks a kernel flaw, game over.
     
    Last edited: Nov 3, 2013
  24. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    This is probably the clearest answer so far, and big thanks for this answer. However, does this mean that something like AppGuard, DefenseWall or anything else that we use for the protection of our computers, for that matter, also cannot protect against kernel-level threats/exploits?

    I mean, Barb C said (and if we can truly trust her) that AppGuard has not been breached for the last 16 years (and she means on large corporations and government agencies, not home computer users), here is the link:
    https://www.wilderssecurity.com/showpost.php?p=2296332&postcount=3393

    I mean, if AppGuard has never been breached, and if we can truly trust Barb C, then I guess there is an answer to protecting against kernel-level threats/exploits!?
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    First the thanks is to Hungry Man for the answer not me.

    Second, I did ask Barb about this and she put it to their security designer. The answer was yes and no, and it was a convoluted answer. Barb also confirmed that the latest tests, which she hasn't been able to release yet, do block kernel exploits, but whether they block this specific kind of attack, which depends on flaws in the kernel, I don't know.

    Hungry Man's recommendation for Firefox was NoScript and/or EMET. I am in the process of adding both.

    Note also that this exploit has yet to be found in the wild, but I suspect that may only be a matter of time.

    Pete
     