Application Sandboxes: A pen-tester’s perspective

Discussion in 'sandboxing & virtualization' started by BoerenkoolMetWorst, Jul 25, 2013.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Unfortunately it's not entirely in the developers' hands. Windows has not made system call filtering, as one clear example, particularly easy. Before the sandboxes can improve, Windows has to let them.
     
  2. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    That's too bad :( It seems as though a sandbox developer's skills can't be fully utilized, as they're at least partly at the mercy of the kernel developers.
     
  3. What is the relevance? Sandboxie builds upon the OS foundation and mechanisms. See for instance http://www.sandboxie.com/phpbb/viewtopic.php?t=16201&sid=54a21ca30687f471767622baeb05eedd When there is a flaw in the foundation, the house goes down. This is not a restriction which applies only to Sandboxie; it applies to all programs directly using the OS (not through a VM). So attacking SBIE on being easily circumvented through kernel exploits is irrelevant (the Bromium studies), as is saying that Sandboxie will improve.

    The only way to deal with this type of failure is to limit the attack surface. Adding a program which interferes with SSDT hooks etc. creates a new link in the chain. Every chain has its weaknesses, therefore you are better off without Sandboxie when using Chrome's sandbox.

    Another point I could make is: when Sandboxie also uses job objects and low IL like Chrome to establish the sandbox, what is the use of adding code and increasing the attack surface?
     
    Last edited by a moderator: Oct 27, 2013
  4. ZERO ACCESS

    ZERO ACCESS Registered Member

    Joined:
    Oct 24, 2013
    Posts:
    12
    Location:
    Kernal32
    Tzuk needed here :D
     
  5. Please don't let this become an anti-Sandboxie thread. As said in the previous post:

    This is not a restriction which applies only to Sandboxie (or BufferZone); it applies to all programs directly using the OS (not through a VM). So attacking SBIE on being easily circumvented through kernel exploits is irrelevant (the Bromium studies).

    Facts:
    1. No program running on top of the OS can compensate for flaws in that OS.
    2. Two strategies to minimise kernel-exploit sensitivity:
    a) reducing attack surface (best)
    b) intercepting behaviour/attack vectors which are common before most exploits are applied (better than no sandbox, but less strong than 2a).

    Because of 2b, Sandboxie has a solid reputation against "off-the-shelf" exploits.

    I am not disagreeing with SBIE, merely with people who think that by adding security code the security increases (which is simply not true).
     
  6. Sandboxie won't save you against an advanced adversary. I'm not sure what will, honestly o_O If someone wants you badly enough, they will get into your system; that is all but guaranteed :D

    I've seen LiveCDs get nuked and VMs get exploited ~Phrase removed~ , to which people say it's impossible, but I've seen it done. So exploiting Sandboxie should come as no surprise.
     
    Last edited by a moderator: Oct 29, 2013
  7. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    After reading your post I'm wondering: if SBIE is vulnerable to this, does it mean DefenseWall is also vulnerable, since it is a policy sandbox?
    Are Comodo Sandbox and Avast sandbox also equally vulnerable as SBIE?
    And what about AppGuard, NoVirus Exe Radar Pro, VoodooShield?

    What about all kinds of antivirus/antimalware/anti-spyware/anti-exploit/firewall/HIPS software programs?
    If I use any of the mentioned software for protection, will you say it's totally useless because they all increase attack surface? Does it mean, since adding security code reduces the security level, that having any of the software/hardware protection programs I mentioned is a waste of time and money?

    Why be protected at all, if you're going to increase attack surface with more code and therefore decrease the security level?
     
  8. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    I still do not understand: if I tightly configure SBIE at the maximum level, block access to all of the vulnerable parts of the system (XP Pro SP3, which I still use), then block start/run and block internet access for all applications and vulnerable parts of my XP or any other system like Vista, Windows 7, Windows 8; do you still say that SBIE would not protect me from malware and all kinds of hacker techniques?
     
  9. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    And what are the penetration/bypass techniques? I guess we're talking about hackers' techniques, right?
     
  10. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    @CoolWebSearch: I don't know the specifics, but the point is people have a false sense of invincibility with sandboxes, and they're layering the same kind of protection, like Sandboxie on Chrome, which only increases attack surface. There is a trade-off with any security program, but usually the benefits outweigh the drawbacks unless redundant.

    Your Sandboxie setup makes it more difficult for attackers, but it can be bypassed. One way is to inject malicious code onto the browser process (or whatever you whitelisted). Another is using a kernel exploit, which affects the operating system itself and therefore everything running in it.

    Please read the entire thread in detail for more information.
     
  11. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Sorry guys, but I still need some more explanation. I did read the entire thread, but you still haven't answered the most important questions (I think):
    If you use this configuration in SBIE:
    ProcessGroup=<StartRunAccess>,firefox.exe(whatever browser you use)
    ProcessGroup=<InternetAccess>,firefox.exe(whatever browser you use)
    ClosedFilePath=%Personal%\My Downloads\(block your personal info from malware)
    ClosedFilePath=%Personal%\My Music\
    ClosedFilePath=%Personal%\My Pictures\
    ClosedFilePath=%My Video%\
    ClosedFilePath=\Device\Mup\
    ClosedFilePath=C:\WINDOWS\system\
    ClosedFilePath=C:\WINDOWS\system32\kernel32.dll(It could say kernel64.dll instead of kernel32.dll)
    ClosedFilePath=C:\WINDOWS\system32\t2embed.dll
    ClosedFilePath=C:\WINDOWS\system32\win32k.sys
    ClosedFilePath=!<InternetAccess>,InternetAccessDevices
    ClosedIpcPath=!<StartRunAccess>,*

    Credits to Malwar!

    If you block access to kernel32.dll, t2embed.dll and win32k.sys, wouldn't this block all kinds of exploits, no matter whether you use Firefox, IE 11 or Google Chrome 30, and no matter whether you still use Windows XP?

    Also, would the newest SBIE 4 version block all of the attempts that those guys tested with the tight configuration above, which blocks access to the kernel, t2embed.dll and win32k.sys? I mean, when configured that tightly, will it block OS kernel exploits, OS user-mode exploits, key-logging (it will when you enable start/run restrictions), remote webcam/mic access, clipboard hijack, screen scraping, network shares access, backdoors and other very real threats?

    Also, safeguy said the following:
    https://www.wilderssecurity.com/showpost.php?p=2259067&postcount=10

    Let me copy what safeguy said: that Sandboxie 3 was vulnerable to this POC, but Sandboxie 4 is not vulnerable:
    V3 utilizes kernel patching/hooks. V4 was redesigned to alter the permissions (like Untrusted IL on Vista and above) mainly due to Kernel Patch Protection. On XP, some hooks are still being used.

    So what does it mean? Does it mean, if I understand correctly, that Sandboxie 4 is stronger than v3 because of the operating system it is used on, like Windows 7 or Windows 8? If it is used on Windows XP SP3, which I still use, is SBIE a loser? Would SBIE 4 still protect me against this POC that safeguy answered, on Windows XP?

    I must admit I still do not understand what all this means, and I'm not sure if I understand it all correctly.
    Big thanks to all.
     
    Last edited: Oct 29, 2013
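To make concrete what the restriction lines in the configuration above actually decide for a given process, here is an added evaluator for Sandboxie.ini-style ProcessGroup / ClosedFilePath / ClosedIpcPath lines. It is example code written for this page, not Sandboxie's own logic, and it rests on stated assumptions: `<Group>,pattern` applies a rule only to group members, `!<Group>,pattern` only to non-members, a bare pattern to every process; `*` is a wildcard and a plain path also covers everything beneath it; matching is case-insensitive; `InternetAccessDevices` is taken as the pseudo-path standing for the network device objects. The box, the `%Personal%` expansion and the `dropper.exe` process are constructed for the example.

```python
# Added example: evaluate Sandboxie.ini-style ClosedFilePath / ClosedIpcPath /
# ProcessGroup lines for a given process. Illustration code, not Sandboxie's own
# logic; the rule semantics below are assumptions stated in the lead-in.
import fnmatch
import re
from collections import defaultdict

RULE_RE = re.compile(r"^(!?)<([^>]+)>,(.*)$")   # optional "!" + "<Group>," qualifier

def parse_ini(text):
    """{section: {key: [value, ...]}}; repeated keys accumulate in file order."""
    ini = defaultdict(lambda: defaultdict(list))
    section = "GlobalSettings"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, _, value = line.partition("=")
        ini[section][key.strip()].append(value.strip())
    return ini

def process_groups(ini, box):
    """ProcessGroup=<Name>,a.exe,b.exe -> {"name": {"a.exe", "b.exe"}}"""
    groups = defaultdict(set)
    for value in ini[box].get("ProcessGroup", []):
        m = RULE_RE.match(value)
        if m:
            groups[m.group(2).lower()].update(
                p.strip().lower() for p in m.group(3).split(",") if p.strip())
    return groups

def rule_targets(value, process, groups):
    """Split '[!]<Group>,pattern' and decide whether the rule applies to <process>."""
    m = RULE_RE.match(value)
    if not m:
        return True, value                      # bare pattern: applies to every process
    negated, group, pattern = m.group(1) == "!", m.group(2).lower(), m.group(3)
    member = process.lower() in groups.get(group, set())
    return ((not member) if negated else member), pattern

def path_matches(pattern, path):
    """Case-insensitive; '*' is a wildcard; a plain pattern also covers everything beneath it."""
    pattern, path = pattern.lower(), path.lower()
    if "*" in pattern:
        return fnmatch.fnmatchcase(path, pattern)
    base = pattern.rstrip("\\")
    return path == base or path.startswith(base + "\\")

def is_closed(ini, box, key, process, target, env=None):
    """True if any <key> line in [box] denies <process> access to <target>."""
    groups = process_groups(ini, box)
    for value in ini[box].get(key, []):
        applies, pattern = rule_targets(value, process, groups)
        for var, real in (env or {}).items():   # expand %Personal%-style variables
            pattern = pattern.replace(var, real)
        if applies and path_matches(pattern, target):
            return True
    return False

# Constructed sample box: a subset of the configuration posted above.
SAMPLE_INI = r"""
[DefaultBox]
Enabled=y
ProcessGroup=<StartRunAccess>,firefox.exe
ProcessGroup=<InternetAccess>,firefox.exe
ClosedFilePath=%Personal%\My Downloads\
ClosedFilePath=C:\WINDOWS\system\
ClosedFilePath=C:\WINDOWS\system32\kernel32.dll
ClosedFilePath=!<InternetAccess>,InternetAccessDevices
ClosedIpcPath=!<StartRunAccess>,*
"""
ENV = {"%Personal%": r"C:\Documents and Settings\alice\My Documents"}   # constructed value

def report(ini_text=SAMPLE_INI, box="DefaultBox"):
    """What the browser and a hypothetical dropper in the same box may still touch."""
    ini = parse_ini(ini_text)
    downloads = r"C:\Documents and Settings\alice\My Documents\My Downloads\passwords.txt"
    result = {}
    for proc in ("firefox.exe", "dropper.exe"):
        result[proc] = {
            # "InternetAccessDevices" taken as the pseudo-path for the network devices
            "internet": not is_closed(ini, box, "ClosedFilePath", proc, "InternetAccessDevices"),
            "ipc": not is_closed(ini, box, "ClosedIpcPath", proc, r"\RPC Control\ntsvcs"),
            "downloads": not is_closed(ini, box, "ClosedFilePath", proc, downloads, ENV),
            "kernel32": not is_closed(ini, box, "ClosedFilePath", proc,
                                      r"C:\WINDOWS\system32\kernel32.dll"),
        }
    return result

if __name__ == "__main__":
    for proc, allowed in report().items():
        print(proc, allowed)
```

Running it shows the two halves of such a configuration: the grouped rules let firefox.exe keep internet and IPC (start/run) while an unlisted dropper.exe gets neither, whereas the bare ClosedFilePath lines (My Downloads, system\, kernel32.dll) apply to every process in the box, the browser included. The evaluator only says what the rules deny; whether the browser still runs with those paths closed is a separate question it does not answer.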
  12. Malwar

    Malwar Registered Member

    Joined:
    May 5, 2013
    Posts:
    297
    Location:
    USA
    You are welcome. Yes, it would block a bunch of exploits with that config, and certain kernel exploits. You can also disable recovery, and whenever you download a file from your browser, just go into the Sandboxie folder in My Computer (or wherever you have it) and copy the download out of there if you know it is safe. If you do not know it is safe, you can scan it with VirusTotal, then move it out of the Sandboxie folder. You can also use a password if you would like. :thumb: :cool:
     
  13. Yes, ELITE hacker techniques together with social engineering stuff. It's complicated; we are talking about the bleeding edge of research and malware writing here. These exploits would only be used in extreme cases or targeted attacks against high-value assets. So your ordinary everyday user should be safe.

    Though it's funny to see someone try to exploit a LiveCD and then actually get r00t on it, it kind of makes you sad :( Nothing is safe; everything has an attack surface waiting to be exploited.
     
  14. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Yes, big thanks Malwar; I will copy your SBIE configuration into my Sandboxie.ini file. Big thanks for your configuration input!

    This is why I find it hard to believe that Sandboxie 4's protection, when tightly configured, will be defeated. I mean, if you block access to all user-mode/user-level and kernel-level holes and exploits, what exactly can a hacker do?

    I'm sure SBIE 4's protection with a tight configuration can be overcome if ELITE hackers truly targeted it, but I was always wondering whether it would be harder or easier to do this than to do it to the newest version of Google Chrome?

    And would attack surface still play the key role in overcoming SBIE configured that tightly, as others have shown, or would it be impossible, since you blocked access to all user-mode/user-level and kernel-level holes and exploits and you would have to use another more subtle or more advanced technique? That is the question.
    Can anyone answer me on these 2 questions?
    Big thanks to all.
     
    Last edited: Oct 30, 2013
  15. 1. Chrome does not protect against OS exploits either; it has the same weakness as an application virtualisation sandbox.

    2. Chrome already has a sandbox with a minimal interface to the rest of the OS. This minimal sandbox interface makes it harder to exploit than other programs.

    3. When something has a strong sandbox, why would you replace it with another sandbox, given the fact that application virtualization does not make the sandbox stronger; instead it weakens the defense because of its increased frontier/attack surface.

    4. Application virtualisation is probably as strong as the Chrome sandbox when it comes to mitigating PDF, Flash, JavaScript etc.

    5. Why a properly configured sandbox makes no difference when you are faced with OS exploits: start/stop restrictions, as an example, are implemented through hooking system functions. When there is an error in the layer beneath this start/stop restriction, the exploit using this error is outside the reach of the program using the system function.

    6. When there is no sandbox in place, any additional protection should increase the security level. So AV sandboxes and anti-executables are not useless.

    7. Application virtualization is perfect for use with Firefox; you will be able to mitigate all exploits in plug-ins like Flash, JavaScript and PDF.
     
  16. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Are you saying that SBIE 4 (with application configuration and with sandboxing Firefox or anything else except Google Chrome) with a tight configuration equals the Google Chrome 30 sandbox?

    So that would mean SBIE 4 and Chrome 30 would not be able to protect against anything if there is an error beneath this start/stop restriction. But if you block access to kernel32.dll, t2embed.dll and win32k.sys, would this help?
    According to your words it will not help at all, because the error is in the layer below the start/stop restrictions, right?

    But aren't start/stop restrictions and blocked accesses in SBIE 4 at kernel level? How can an error happen, and how can an error happen below kernel level if there is no such thing as below kernel level?

    Also, does it mean that this error below any layer will easily compromise and defeat all kinds of security options, no matter what software/hardware security product we're talking about: AppGuard, DefenseWall, any antivirus/anti-malware/anti-spyware/anti-executable, HIPS, firewall etc.?

    So, are AppGuard, DefenseWall, all antivirus, antimalware, antispyware, HIPS, anti-executables, firewalls and all other software programs very secure?
    Barb C said (if we can trust her) that AppGuard has been protecting multinational companies for 16 years without a single breach:
    https://www.wilderssecurity.com/showpost.php?p=2296332&postcount=3393

    What does it mean that Firefox with Sandboxie 4 is better/more secure than using Chrome because of the smaller attack surface?

    And yes, big thanks for the answers and explanations, I truly hope I'll get the full picture of how does this work.
     
    Last edited: Oct 31, 2013
  17. AppGuard, DefenseWall, Sandboxie are very secure, no question about that.

    Chrome has implemented a sandbox, IE also (only less restrictive); FF has no sandbox, so with FF (or any other browser with no internal sandbox) you are better off with Sandboxie or BufferZone. A sandbox is better than no sandbox.

    There are many ways leading to Rome; Chrome has taken the shortest route when it comes down to sandbox implementation.

    Sandboxie has proven to be a solid solution, so if you want to use Chrome with Sandboxie because you like the additional controls, go ahead. We are making a big discussion out of tiny differences.

    To put it into perspective: driving a car has a risk (of getting into an accident), still most of us have no fear of using a car.
     
  18. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,101
    Hi,
    I'm a Windows 7 Home Premium user and would like to know what SRP options are available to me, please.

    I'm aware of parental controls, but is there anything else I have?

    Thanks.
     
  19. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Chrome inside Sandboxie works for me.
    I'm not too concerned about increased 'attack surfaces' (the phrase du jour of a few folks around here).
     
  20. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    I always thought that configuration in SBIE 4 would always solve the problem, including the increased attack surface:
    https://www.wilderssecurity.com/showpost.php?p=2297936&postcount=105

    If what you said in the link is true for SBIE 4 tightly configured the way Malwar has configured it, then we can say that increasing attack surface/adding security code is bad for Sandboxie. But an unconfigured SBIE 4 is useless to talk about in terms of security, since it allows everything; when you block everything that you need to block with SBIE 4, then, if increasing attack surface/adding security code still beats SBIE 4, then and only then can you say that increasing attack surface beats SBIE 4.
     
  21. Malwar

    Malwar Registered Member

    Joined:
    May 5, 2013
    Posts:
    297
    Location:
    USA
    The config I use for Sandboxie blocks all exploits (unless there is a flaw in Sandboxie) and some kernel exploits. :) :cool:
     
  22. Well, I was trying to put it into perspective; also, the qualifications easy, medium and hard to bypass (mentioned in the 'tests') point out differences in a subjective way and theoretical manner. Pen-test should be the abbreviation for penetration testing, but theoretical subjective values make it an abbreviation for pencil-test.

    What scale is used to classify whether something is easy, medium or hard to bypass? Four, five or six digits after the decimal point can make relatively huge differences, but in absolute value the differences are tiny.

    Considering the fact that I have run no security software since 2010 and have thrown a lot of fresh malware samples at safe-admin, I can say Chrome's sandbox is outstanding. Done playing with Chrome's incredibly strong sandbox, I switched to IE. Because IE's sandbox is weaker, I strengthened my SRP rules from safe_admin to locked_admin (for the time being one has to give malware a chance, just not too much :D )
     
    Last edited by a moderator: Oct 31, 2013
  23. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Kees, I like the way you think, and the way you explain yourself. :thumb:
     
  24. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Hmm, but if you say that your configuration blocks all exploits, I would assume that SBIE 4 also blocks all kernel-level exploits. What do you mean by "some kernel-level exploits"?
    I guess AppGuard is the most secure of all, since it does not need a sandbox to put restrictions in place, blocks all user-mode exploits and all kernel-level exploits, and has system-wide protection?
     
    Last edited: Nov 1, 2013