Sandbox, Virtualization, and Lockdown Technology

If you think of a sandbox as a "virtual workspace" the concept has been around a long time. A RAM drive is a virtual workspace, since upon reboot, nothing written to that drive remains.

One of the problems with the early RAM drives was the limitation of 32MB of the windows ramdrv.sys. An interesting product I used for some time was vRamDir, a virtual ram drive that could be as big as your available free RAM. Also, you could remap directories to it. It was common to load temp and cache directories into RAM on startup. Running applications in RAM was really fast. This was in the days before fast CPUs. We didn’t think of it so much for security, as for speed. For example, I knew programers who compiled in a RAM drive.

In more recent times the technology has been incorporated as a security tool. A virtual PC is like a sandbox - any configuration changes on it have absolutely no effect on the host system, but are based on the host system's hardware.

A company called SoftGrid has its SystemGuard™ - "because applications bring their own set of configurations and run within a protective virtual run-time ‘sandbox,’ there is no dependency or effect on the configuration of the machine running them."

Windows Servers include this technology. From my WinServer2003 notes: "The new Software Restriction Policies (SRP) feature creates a virtual ‘sandbox’ that prevents unauthorized code execution."

Tiny firewall uses sandbox technology.

Another group of programs use the ‘sandbox’ idea to protect the system:

Sandboxie is a true stand-alone sandbox program. Their site diagrams nicely how it works:
http://www.sandboxie.com/

ShadowUser works on a similar principle, where the ‘ShadowMode’ creates a virtual volume:
http://www.shadowstor.com/products/ItemPage.aspx?ItemID=83&ProductID=4

Drive Vaccine claims to write-protect the HD and create 'Scratch Space'

Yet another program - Deep Freeze - 'locks down' the system but doesn't use virtualization.

These types of programs are becoming popular as the foundation of a security system. Each program works on different principles and levels of restriction.

In other threads some people write that they run such a program + firewall and little else.

It may be difficult to understand why one would not load up with detection software, rather, depend primarily on a sandbox or lockdown program with little else. I know four who have such a security setup. All came from the early days of Windows when there was very little anti-malware software, and one’s security was based primarily on making intelligent decisions. Today, more people are questioning certain types of detection technology, as ErikAlbert did in a recent thread:

---------------------------------------------------------
Definition/heuristic-based softwares do NOT have a future
and I'm not going to repeat myself, I've explained this
already in other posts.
---------------------------------------------------------

Pretty strong language. But a friend who works in an institution that uses Deep Freeze on all of the work stations predicted several years ago that lockdown and virtualization (sandbox) technology would be implemented more and more in different ways as new programs develop, and eventually be the foundation for a security setup.

This evening in the AntiMalware by Trustware thread Eyal Dotan, the author & CTO of AntiMalware, wrote:

----------------------------------------------------------
...what AntiMalware's BufferZone does is virtualize
untrusted processes "Write" access to FileSystem & Registry
-----------------------------------------------------------

For those who have experienced problems and conflicts with various ‘sandbox,’ ‘lock-down’ or ‘virtualization’ programs, most people using them (ShadowUser and Deep Freeze especially) stress starting with a clean system. I would uninstall all AV/AT etc programs, then install SU, AM, Sandboxie or whatever - use that as the foundation - and then add other programs to see at what point you have conflicts.

You may eventually decide you don’t need much above this foundation. See:

Rate your Security Software

For those that use one of the above programs (or something similar that I've omitted) I am interested in how you decided upon the particular program and how it fits in with your security setup.

regards,

-rich
________________
~~Be ALERT!!! ~~

 

I ran into Sandboxie over at Spyware Warriors forum and decided to give it a go several weeks ago.

ZAP,Winpatrol and Vet av are my realtime security agents along with a router firewall.Ewido and Giant(Msantispy) as on demand.Msvp hosts,Firefox and Spywareblaster also.

Sandboxie installed and runs no probs after an initial warning from ZAP.Executed Scoundrel simulator through sandboxie with all tests being constrained within the sandbox.

Regtest was able to reboot my pc but the reg changes seemed to be contained.Upon reboot Regtest and I think ZAP locked horns which resulted in a black screen.Booted from hdd-1 and restored from a ghost image made that day.

I'm not that tech savvy,but Sandboxie seems to do everything stated and I hope some of the spyware experts would give it a good workout and let us plebs know just how good or bad it really is.

Haven't tried any similar apps so can't comment on how they performed on my machine.

 

I quite agree...virtualisation/sandbox programs will gain more and more acceptance as the foundation stone of security setups.

I don't think the above will make AV's will dissappear, because :
-installations are still a weak point
-SU/DF etc allow infection until reboot

That said, for keeping my system clean during normal use (ie : when not installing) I trust ShadowUser more than an AV <that is...every reboot, any malware that has managed to install, is gone>.

I'm also running tests on AntiMalware, which is passing most everything I've thrown at it so far (I downloaded the following, which ran in the Bufferzone : 3x Finjan tests <data theft>, hook test from DCS, Ghost security's RegTest 2 and ProcX <termination>, and Zapass <dll injection> , plus a visit to a CWS site - AM didn't allow any driveby downloads through <there were definitely nasties on the site - and i had IE set to medium security> ) . AM didn't pass Ghost Security Suites RegTest 1...but it doesn't claim to, saying it allows programs to write registry keys <but apparently not autostart or dll injection ones>.

Using two sandbox/virtualisation programs together may not always work. There appears to be a glitch in AM while in Shadowmode. Send me a PM if you wish to know, I doubt two many people will try running the two together

 

Before this new hype gets overheated, can someone post the negatives points of 'virtualization' or sandboxing compared to other technologies?

From my observation there are at least 2

1. Vastly more complicated. Chances of causing system failures are high compared to other technologies. Given what virtualization aims to do, this isn't a surprise.

E.g Vikorr and Erik Albert's problems with antimalware, driver conflicts etc.

2. Virtualization is unpredictable, not all software work well in a sandbox can lead to unpredictable failures.

3. Different mindset for handling software

 

Yes, this is my understanding. Therefore, anything that can happen, in regards to malware, can still happen, between reboots. For this reason, Faronics (the publishers of DeepFreeze) also sell Anti-Executable. But merely having an Anti-Executable on-board is probably not enough, since each user will still have to decide "how much security he/she needs" to protect against very destructive malware.

Also, users need to get use to turning the sandbox products off and on (each product is different) when they want to load new software permanently. To the best of my knowledge, products like DeepFreeze are really targeted toward environments such as schools and libraries where the environment is under tight control and very few, if any, new software installs, are ever performed.

From my point of view, sandbox technology is more "adjunctive" as opposed to being a replacement for traditional products such as AVs, and even products like ProcessGuard, and should be considered "automated, total system restore products".

Rich

 

I agree with this and it disappoints me at the same time. One of the reasons why I prefer to wait ... for solutions, based on another kind of philosophy, but NOT based on definitions/heuristics or (H)IPS.
(H)IPS solutions are for knowledgeable users only.
Definition/heuristic-based solutions, including Security Suites have too many other problems.

Unfortunately I'm an application analyst, not a security analyst.
One thing I'm sure about, definition/heuristic-based solutions are not the right way to solve security.
I would never collect malware objects in a definition-database, because they come from an unknown and uncontrollable source : the bad guys.
This is an endless/hopeless task and you even have to find the malwares first before you can do something about it, which makes it even worse.
If that's the way of fighting against the bad guys, you are doomed to lose in the very end.

IF and I repeat IF, I had to collect something, I would collect the good objects, because they come from a well-known and controllable source : the good guys.
If you have to solve a problem, you have to study this problem from different angles in order to find the right solution and always keep the less-knowledgeable user in mind when you choose a solution, because that's the one who really needs help.
If the first solution, usually the obvious solution, isn't right, find another one and another one until you find the best one.

(H)IPS is one solution, definition-based is one solution, sandbox is one solution, there must be other solutions, if you think LONG enough.

 

From my point of view, albeit very new to computer security and from a limited knowledge of computers in general, I agree with ErikAlbert. White lists (of aloowed applications, websites, processes) will always be more comprehensive than black lists which cannot protect against anything new. Heuristics are very clever but seem to miss the wood for the trees.

Sandboxes seem to me to be the way forward. I think the problems Pollmaster identifies could be considered one and the same. The unpredictable nature of these "virtual systems" is the biggest factor, but I think it will be a small price relatively to pay for assured security.

ErikAlbert says

but I think the solution will definitely come from someone thinking "outside the box" (forgive the pun), and sandbox concepts are that sort of "left-field thinking2 (Jebus - I've just used two of those corporate phrases I cannot stand, I must be passionate!)

I was wondering about some sort of all-encompassing idea, and thought something like a modified version of this VirtualPrivacydesktop may be the solution.

I am fairly new to this (as must be apparent) but it seems to me there must be a more effective approach than to download a dozen applications to run every day to ensure nothing gets through...

 

I'm trying to figure out the position so called virtualization tech should play beside behavior blockers and scanners.

It seems to me that a proper sandbox, would in many ways play just about the same role as a system wide behavior blocker. Many of the actions that restricted apps cannot do, are exactly the kind of behaivor we have PG and the like to monitor.

The only superiority I can think of in virtualization tech is that it allows you to "fake' or at least reverse the effects of software actions, so you can temporily allow certain changes so the software doesn't ground to a halt if you disallow this behavior.

This sounds very amazing, but it also sounds very complicated. By and large , I suspect this is possible only for simple actions maybe file writes, registry writes, but when it comes down to "deep actions" like kernel hooking, the defensive software won't be able to fake it, but will just block it, exactly like a behaviorial blocker (Process Guard for example)

If so, we are in the exact same situation as behavior blockers. You want to run this software, and it passes through all your scanners. What do you do next? If you run it through virtualization technology, it refuses to run because it requires driver installs. Again you are caught.

I'm also concerned about how tight the sandbox is. Does the sandbox restrict ALL behavior EXCEPT for some approved ones or does it do the reverse by allowing everything but blocking only some actions (enumerating badness).

Looking at some of the comments, I suspect it's closer to the latter than the former. If so , I highly doubt the effectiveness of such software being superior to behavior blocker/HIPS

A small price to pay i suppose depends on whether you are suffering from BSODs. As vikkor found out, it is extremely unlikely for two virtualization tech to work together. Running vmware in vmware is possible but not recommended. Running 2 different virtualization packages together
is just asking for trouble.











ErikAlbert says

but I think the solution will definitely come from someone thinking "outside the box" (forgive the pun), and sandbox concepts are that sort of "left-field thinking2 (Jebus - I've just used two of those corporate phrases I cannot stand, I must be passionate!)

I was wondering about some sort of all-encompassing idea, and thought something like a modified version of this VirtualPrivacydesktop may be the solution.

I am fairly new to this (as must be apparent) but it seems to me there must be a more effective approach than to download a dozen applications to run every day to ensure nothing gets through...[/QUOTE]

 

"Sandbox" software and the like sounds good in theory because it implies the use of two security concepts which have proven effective in the long term:

1) Least privilege and
2) Deny all that I do not explicitly allow / Whitelists

The problem is that it is difficult to determine the minimum privileges needed for applications not only in terms of OS system calls but the application function calls themselves. Testing based on common usage can come up with a preferred minimum privilege, but this is also dependent on this usage pattern remaining stable/relatively constant into the future. Essentially your applications have now moved from being trusted, with their actions only confined to the disk usage restrictions of the current user account, to untrusted apart from a small subset of all their possible function calls which are allowable.

Unfortunately many of these sandbox products have turned away from (2) because of the perceived difficulty in dealing with (1). Consequently, you may be surprised to learn that many 'sandbox' products emphasise the exact opposite in their design: Allow all that I do not explicitly deny
....rather than the other way round! Hence what made this class of products so different from the mainstream may no longer be there at all (in some cases).

 

I came in a little late in this thread, but I tried an AV called Norman Virus Control which claims to use a unique sandboxing technology.
This belongs in this thread I'm sure - anyone else tried this application?

Greets -

 

RMUS

Heck I still use a RAM disc along with other VPC software. As you know I have VMware on one pc and MS shared toolkit on another.
I use RAMDisk on the second. I load Firefox on boot. Now days the ramdisks load an img file on boot. Only problem is they load with windows and not seperate but
anyway your apps still run faster in RAM even with new CPU'S LOL
The thing I do like about MS shared toolkit is the ability to create limited user profiles for home or office. It is out of Beta now.
I like VMware because with DF SU ect , you can still make the mistake of saving
something you really didn't mean to. With Vmware or Microsoft's VC not the shared toolkit, you can just revert back to a differnt snapshot.
The downside to both is they do not detect a USB stick. Even this is not a biggy. You can still copy & paste or drag and drop files from the host PC to the virtual pc in vmware. not sure about MS's VPC.
Some security people are using VMware with RAMDrive and setting up honey pots. Cheapest I found was like 3000 dollars for 1 gig ramdrive PCI slot.
So this isn't something we small time testers can do LOL

controler

 

I'm not so sure it belongs in this thread. Correct me if I'm wrong, but when we talk sandbox technology in this case, we are talking about useing emulation as a scanning technique to detect malicious software?

 

Well, I still think it does, look here:

http://www.norman.com/Support/FAQs/Norman_Sandbox/17776/en

Here is stated that it uses a "safe virtual environment inside your computer" ...

Anyway - just wanted to add to the thread w/ positive info ...

 

Btw, maybe I should have posted it here, but I would also like to here about the negative side of this tech.

https://www.wilderssecurity.com/showpost.php?p=580411&postcount=72

 

The above is a definition from WIKIPEDIA. Sandbox can be implemented in different ways.

In application like Tiny Firewall, a restricted environment is provided by the implementation of rules defined by the user. User can define rules to protect resources on the computer like sensitive registry entries, files, processes, and internet access and etc. So untrusted applications can not touch these protected areas, and the computer will not be damaged by such applications. The drawback is that the rule making is complicated. It depends a lot on the rule maker's knowledge and judgement.

In application like ShadowUser, a virtual volume is provided to excute applications. Computer systems and applications are 'imaged' and excuted in the virtual volume. In this virtual volume, applications work with the 'images' of files on hard drive instead of original files. When the computer shuts down, everything in the virtual volume will be erased without being written onto hard drive. The resource protected by virtual volume approach is the hard drive, and thus all the files including the registry file on it. The virtual volume method (ShadowUser) is easy to use as few user rules are needed. The drawback is that such system is mostly good for systems which need few modifications or software installation. This is because that all the changes or software installation will not be saved while the computer is in protected mode. To make the modifications or installations permanent,the computer has to be in normal mode, and the computer is no longer protected. One can exclude some partitions or folders from protection for easier configuration changes. Such partitions or folders are weak points on the computer too.

I use both ShadowUser and Tiny Firewall for double layered protection. After years, I have already settled down to a set of trusted software that I need to use. Once I have installed them and optimized the system, I want to keep the system in that way for a while. ShadowUser serves my purpose. I would no longer need to remove temporary files or defrag frequently. I have some partitions and folders excluded from the protection of ShadowUser. At the mean time, I may need to shut down ShadowUser to install or modify the system occasionally. Tiny Firewall protects my system in such cases.

I am a long time Tiny Firewall user, and I am still trying ShadowUser. I am wondering if any malware can ever break through my configuration

 

Thanks for your interesting post, because I'm going to use ShadowUser too in the near future and I don't care about the few disadvantages of SU, because it has more advantages, than traditional softwares until the opposite is proven.

 

ok let's chew the fat on this.

shadow user $69.95
sandboxie $0.00

so the question is what has SU got that sandboxie don't? - that makes it $69.95 better?

 

It all depends on what one needs. I have not tried sandboxie yet, so please correct me if I am wrong.

To my understanding, sandboxie applies to individual applications, internet explorer for example, while ShadowUser applies to a whole partition or disk.

The good thing for sandboxie may be that it is free and one does not need to reboot to make changes. The bad thing is that one has to specify what applications to run in 'sandbox' mode. This may be inconvenient for some users. Also, the execution of some applications may not be predictable in sandboxie.

The good thing for ShadowUser is that all applications just run as normal in the ShadowMode, at least on my computer. By applying to a whole disk/partition, the whole disk/partition is protected and one does not need to specify which application to run in 'sandbox' mode either. It is convenient in a sense. Well, the bad thing is that it is expensive and one has to reboot to make changes sometimes.

 

thanks for the reply yahoo. i've tried sandboxie for a while but it doesn't suit my style of surfing, i'm always downloading stuff and making book marks etc. it's always a trade off - more protection but more hassle. shadow user is a very safe way to go - gives you a chance to try stuff out before you commit which is sane. i presume if you want you can switch it off and revert back to normal mode of operation without any hassle?

 

One has to switch ShadowMode off and then reboot back into normal mode. This makes the system safer in a sense, but it is not convenient for users. Other than the reboot, no other hassles. (I perfer switch back into normal mode without reboot )

 

Toploader,
I already explained in this thread why I want SU :
https://www.wilderssecurity.com/showthread.php?t=100811
The title of this thread should have been "Firewall + ShadowUser", but I can't change the title anymore.

I mentioned 8 good reasons to use SU and I want my newbie time back, when I was unaware of any threat.
It's not only about security, it's more about myself and that's the only reason why I'm willing to pay $70.
I don't like to pay for the other (traditional) softwares and I explained why.
If I stick to the traditional softwares, I will pay alot more than $70, if I want quality and unfortunately SU isn't freeware, so I have to buy it.
I'm sicken tired of having so many security softwares on my computer and when I use only freewares, I need even more softwares and I'm too stupid to use pro-active softwares.

Sandboxie isn't enough, because it doesn't protect my complete system and I have a few other reasons not to use Sandboxie, which I don't like to mention in this forum, because they aren't based on facts.
I couldn't test AntiMalware because it didn't work on my computer. but I read every post about AM.
DefenseWall is good as additional software, but I won't need it when I use SU, until the opposite is proven.

 

thanks Erik - for me it would be too much hassle - i prefer to surf naked and take my chances that my scanners are up to the job - it's not sane i know but it's just the way i am.

and anyway SU breaks my "use only freeware" rule - i would hate to pay $70 dollars for SU and find i didn't like it - if it's a freebie and you don't like it you just move onto the new kid on the block.

(it's a bit like buying a gym membership that costs a $1000 a year - it's seems the right thing to do but how many people just go to the gym once or twice and then give up)

 

This is possible:https://www.wilderssecurity.com/showthread.php?t=100573&highlight=winrollback

 

ErikAlbert,

I'm not a computer expert in security like a lot of members at Wilders but i've learned a lot ever since i joined and i can tell you SU is my first line of defense first and foremost because of what you mentioned:"...and I want my newbie time back, when I was unaware of any threat."

This is exactly that, a gut feeling that your computer no matter what happens will come out unscathed from any major disaster situation. Yes i do have Nod, Outpost, PG, RG, MS AntiSpy among others, which will protect me in real time but if i had to choose ONE APPLICATION as the most important, SU would be the one.

People often mention the price at 70$ being expensive: it's one off, you don't have to renew it next year and support will reply to your e-mails within 24 hours. My only concern is, if the program becomes too popular, can it be hacked?

 

I have no doubts that SU will be hacked one day, like any other software and ShadowStor will try to fix it, just like Mozilla is trying to fix Firefox when there is a security hole.
Most probably it will take some time before they start hacking SU. After all most users still stick to the traditional softwares. I'm not really worried about that.
Thanks for mentioning a few things about SU, I wasn't sure of.
I'm not in a hurry to buy/install SU, but the idea in my mind is becoming stronger and stronger every day. I just need an extra kick to do it for real.