Application Sandboxes: A pen-tester’s perspective

Discussion in 'sandboxing & virtualization' started by BoerenkoolMetWorst, Jul 25, 2013.

Thread Status:
Not open for further replies.
  1. guest

    guest Guest

    Well, just because you were not hospitalized after drinking a bottle of kerosene doesn't necessarily mean it's okay to drink kerosene.

    Seriously, it's getting boring to see people declining facts with their own real-life scenarios. You're still fine with XP, good for you. But...

    XP doesn't support ASLR --> Fact
    XP can't use IE11 --> Fact
    Running as admin in XP is more dangerous than in Vista or above --> Fact
    Microsoft will stop giving updates to XP after EoS --> Fact
    Software developers will stop supporting XP at some point --> Fact

    If the attackers can hack Windows 8, it would be trivial for them if they want to hack XP.

    If you prefer your own real-life scenario, fine. Me? I'd rather sticking with facts. :isay:

    Because XP is a dying OS.

    It is not. At least the developer never described the product as a sandbox. More like a restrictive HIPS which only targets unauthorized execution, process hijacking, resource access, and preventing the guarded apps from doing high risk activities.
     
  2. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    You're right; it works like a HIPS, only all nicely automated. Works pretty well too! But it still won't protect you from kernel exploits.

    (And I take some offense at the marketing line from Blue Ridge.)
     
  3. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,228
    Location:
    US
    Exactly!! Hacking the kernel, which is possible despite having my beloved Sandboxie and other programs, is possible. We are at the mercy of Microsoft to keep the Kernel patched (which they have actually been rather good at the past couple of years.) Windows XP, which was BRILLIANT at its time (how many years ago was that), is now Swiss cheese to a hacker, over ten years ago in the modern computer age is Jurassic. The Win7 kernel was MUCH tougher than the XP kernel to begin with so much so that it actually took a while to begin to be hacked. Now that it has started to be hacked I pray that MS continues to harden it with updates.

    To those who claim, "I have never been hacked using XP", I say: there are still millions of you with XP out there, count your blessings because a single fish in a school is harder to find. As more and more XP users switch to a modern OS (those who want to come out of the dinosaur age), the hacker's targets will become easier to target: YOU.

    Acadia
     
    Last edited: Nov 11, 2013
  4. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,319
    Location:
    Canada
    Sometimes it's not easy to accept the facts. I know because I've been there, but the evidence is indisputable that a compromised kerenel vulnerability is really tough to defend against, even with one's beloved security software arsenal in place.

    Now to play "Devil's advocate" a bit, those in this forum continuing to forge ahead with XP and other's who are as security conscious, could probably remain infection free into the foreseeable future on the kernel and otherwise if they properly administer the right security approach. I'm not promoting this approach but if that's what they want to do, they could likely do so with no serious repercussions if they play their cards right.
     
  5. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    5,985
    Location:
    Nicaragua
    I don't see the results as fact, I see them as a scientific fact. The line between the two is gray but is still there;). Thats why this thing doesn't do nothing to me.

    Bo
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Impossible, for some. Not worth the time demonstrating things, there will always be a "but" or "if" for some people. Not worth going down that rabbit hole.
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Yes. POC for now, but in the future, well who knows. No I didn't answer the last questions, because I can't. I put forth the answer to the questions I asked. I have no reason to doubt them, and so provided here.

    You are asking me why they can't do this or that. My hunch is they probably can't, and if it can be it has to be done by Microsoft.

    So all I can do is restate what I was told, and it is up to everyone to either accept it or not. Sorry that is the best I can do.

    Pete
     
  8. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,707
    Location:
    USA
    Properly administering the right security approach and playing one's cards right... a great analogy. And a situation I am wrestling with now.
    One of my computers runs XP, the other two run W7.
    For some reason (nostalgia, convenience?) I have felt compelled to keep the XP box as a daily user for other family members.
    How in the heck do I know if I am implementing the proper security approach, while playing the cards I have essentially dealt to myself?

    Question becomes, why not deal myself a better hand?
    Why stick with XP and continuously hope to draw to an inside straight?
    I need to phase that XP box out and bring the 7x64 to the forefront.
    It will take some time to get it the way I want it, but I believe it is time to fold my XP hand... before someone calls my bluff.
     
  9. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,319
    Location:
    Canada
    Understood. I tend to question a lot of things, especially when harboring some doubts or misunderstandings about what's being presented. From my pov I'm still not clear on some things but I suppose I understand enough to accept the dangers of kernel vulns. Actually with your security approach which I feel is among the very best of anyone's in this forum, you are not likely to suffer a compromise. You understand what the real dangers are and you've taken solid steps to addressing them.
     
  10. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    5,985
    Location:
    Nicaragua
    I realize Kernel vulnerabilities are real, they are not a fantasy or a myth but this particular case (Bromium) has not affected anyone using SBIE. Why should I worry about it as if it was the end of the wold? Worrying about something that we can do very little about (Kernel vulns) doesn't make any sense, IMO. I enjoy life, computers are part of our modern life and I am not gonna spend the next five years of my life worrying about something that I can do very little about or that might never happen. In essence, that's how I deal with this kind of things (things in general that the chances of ever taking place are slimmer than slim).

    Bo
     
    Last edited: Nov 11, 2013
  11. guest

    guest Guest

    Sorry, I think I wasn't really right. They mentioned about "isolation" and "containment". Sound like what a sandbox do. :doubt:

    Okay, sorry for the disturbance. Back on topic. :D
     
  12. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Indeed, I feel the same about using Chrome/IE11 and Sandboxie separately.
     
  13. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    5,985
    Location:
    Nicaragua
    I know you do J L. Would I sandbox Chrome if I used Chrome? Since I have never installed Chrome, I don't know if I would sandbox it or not.

    I know I prefer not to use anything along Sandboxie, reason being, because I like to avoid the chance of watering down Sandboxies protection. For the same reason, you prefer to run Chrome separately. I understand that.:)

    Bo
     
    Last edited: Nov 11, 2013
  14. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    And my practical experience with windows xp-which was 100% flawless; beats every single argument you have said-because experience in a real world always beats theory/hypothesis.
    There is no need for me to move to windows 7 or 8 at all.
    And if they use on most of the jobs in my country, than that even proves and fortifies my stand/opinion about windows xp OS.
    It's not that I'm not thinking to move to windows 7 or 8, but right now I still don't need it at all.
     
    Last edited: Nov 12, 2013
  15. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    One thing are facts the other thing are mere hypotheses, none argues that kernel vulnerabilities exist and will always exist, but Brohmium labs only created a hypothesis and how many hypotheses actually become reality-a very small number, let's be honest with this.
    Than there is also my huuuge experience with windows xp as well.
    When I actually see SBIE being bypassed in a real world, not by some hypothetical POC, than we can talk about a real world breach-everything else is an hyper-over-hyped hypothesis with no its backgorund in a real world, and it's not worth of any kind of discussion at all.
    Also, if it can be configured to create any hole/vulnerability than it can be configured to block access to any hole/vulnerability-and that includes kernel as well.
     
    Last edited: Nov 12, 2013
  16. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    This is not a matter of accepting or not-it is a matter of POC being real, or hypothetical-if it's hypothetical I'm not interested, I could claim and create POC that beats every system in the world-but it means nothing until it's actually done-words and hypothetical POCs are mothers of all mistakes-what you need is an real-world bypass and that's it.

    But why bother with a hypothetical POC, I'm very down to earth person, and I need evidence from the real life events and breaches not some hypothetical POCs, how many of the POCs actually become real-very few of them.
    Also, if it can be configured to create any hole/vulnerbaility than it can be configured to block access to any hole/vulnerability-and that includes kernel as well.
    That's all and thank you for your time and patience.
     
  17. Let it be noted I agree with CoolWebSearch to disagree with Pete. :argh:

    It can take centuries for a PoC or hypothesis to become reality. Take Copernicus hypothesis for example. After all these years I still see a flat earth, even when I use an airplane I see with my very own eyes a flat earth. Pete everything you might tell about the earth being a globe is just hearsay from other people. Pete have you been to the moon and taken pictures of the earth being a globe to proof my wrong? So I ask you, please keep you feet on the earth, like me.
     
    Last edited by a moderator: Nov 12, 2013
  18. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    ~ Removed Off Topic Remarks ~ I just wish I could get my computer back in its virgin state without any crackers getting orgasm on my account.
    Period.

    Security is for helping people and some forget it on the way.
    Sadly!
     
    Last edited by a moderator: Nov 12, 2013
  19. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,556
    Location:
    Outer space
    It is real, it's a Proof of Concept, nothing hypothetical about it. Though I agree it may not be something to worry about because it is not used in the wild(though you could also remark that this is not strictly true, what IS true is that it is not used in the wild AND also discovered.)
     
  20. CoolWebSearch

    I read on the Sandboxie forum website that V4 still applies API hooks on XP for V4, so you are wright to question my earlier statement of better using V3 (on XP), I was wrong

    Regards Kees
     
  21. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I don't care about the difference between "proof" and "theories", and neither should anyone else. The reality of computer security is that theory is important. If I understand how a system works I don't need to create a program to break it, I already know how I would write it, and taking the time is a waste of time that only leads to a rabbit hole of nonsense.

    You think every good piece of research comes with a POC? It doesn't. The vast majority of research, of great great research, foundational research that changes how we approach security, doesn't have a POC attached to it.

    Stop worrying about if something is a "theory". Try to understand the system. That's the only worthwhile approach.
     
  22. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    hi,
    I do not remember exactly what we are talking about on this thread...
    I am convinced since years that sandbox based HIPS are the most effective HIPS for the last generations threats.
    If we take the pentest angle, then it is not necessary to break or excape the sandbox, as many things can be done inside the sandbox via the client side shared language intereaction.
    And web applications attacks appears as the most interesting to exploit.
    Sometimes a closer look at shared sections guives interesting attack opportunities.

    The security community have not waiting for the ex-XEN-neo Bromium guys to point out the potential issues of protection by isolation.
    I can point out for instance the Vupen like research of the MWR labs for instance

    https://labs.mwrinfosecurity.com/blog/2013/04/19/mwr-labs-pwn2own-2013-write-up---webkit-exploit/

    https://labs.mwrinfosecurity.com/blog/2013/09/06/mwr-labs-pwn2own-2013-write-up---kernel-exploit/

    As business is business, Bromium team follows its promotion campain even in the Illya town at the Russia Defecon, with their latest paper
    “Endpoint security via application sandboxing and virtualization — past, present, future”
    http://2013.zeronights.org/materials

    All sandbox/VM HIPS or OS suffer from issues...except VSentry...of course...
    I guess that that a Bromium challenge (like the Google or MST one) with a prize money would be more serious than a powerpoint paper...

    Regarding PoC, this is just a demonstration tool of a research or vulnerability, interesting if you're looking for a career at Google, but not if the goal is only to get Money from any channel (underground, Vuln. assessement campanies, security agencies for the most part).

    rgds
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    That PPT prresentation, really puts the whole thing in an interesting perspective.

    My final thoughts:

    1. A real theoretical threat.
    2. As many have said I am comfortable with my approach and not worried.
    3. Keep OS updated.

    Pete
     
  24. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    It is not used in a wild, because it's only hypothetical, this is like saying in physics everything that is hypothetical is true-you need irrefutable evidence for such claims, the same principle works for any other disicipline including computer science/technology.
    Proof of Concept is hypothesis.that's what it POC means, if this was a real-world cyber threat, it would not be called POC at all anymore.
     
  25. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Understanding the system also belongs to hypothesis until it's 100% proven in reality.
    You and everyone else should ESPECIALLY care about the difference between real world cyber threats and only hypothetical POC threats.

    You're correct here:
    If I understand how a system works I don't need to create a program to break it, I already know how I would write it, and taking the time is a waste of time that only leads to a rabbit hole of nonsense.

    But there is one catch-one thing is to create a real program which realistically beats a real system's defenses, the other thing is to create POC which beats hypothetical system which both do not exist in a real world.
    In a hypothetical POC world there are infinite possibilities to break the system, in a real world these chances are very much limited, like it or not.

    That's why we need a clear 100% evidence that POC is not just a POC, but a real computer security threat-there is a HUUGE difference between 2 terms.
    You and similar need to realize this, before explaining to others what holes computer system has and what is real and what is a fiction/hypothesis without any real-world evidence to back up your statements/experiments whatsoever.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.