Application Sandboxes: A pen-tester’s perspective

Well, just because you were not hospitalized after drinking a bottle of kerosene doesn't necessarily mean it's okay to drink kerosene.

Seriously, it's getting boring to see people declining facts with their own real-life scenarios. You're still fine with XP, good for you. But...

XP doesn't support ASLR --> Fact
XP can't use IE11 --> Fact
Running as admin in XP is more dangerous than in Vista or above --> Fact
Microsoft will stop giving updates to XP after EoS --> Fact
Software developers will stop supporting XP at some point --> Fact

If the attackers can hack Windows 8, it would be trivial for them if they want to hack XP.

If you prefer your own real-life scenario, fine. Me? I'd rather sticking with facts.

Because XP is a dying OS.

It is not. At least the developer never described the product as a sandbox. More like a restrictive HIPS which only targets unauthorized execution, process hijacking, resource access, and preventing the guarded apps from doing high risk activities.

 

You're right; it works like a HIPS, only all nicely automated. Works pretty well too! But it still won't protect you from kernel exploits.

(And I take some offense at the marketing line from Blue Ridge.)

 

Exactly!! Hacking the kernel, which is possible despite having my beloved Sandboxie and other programs, is possible. We are at the mercy of Microsoft to keep the Kernel patched (which they have actually been rather good at the past couple of years.) Windows XP, which was BRILLIANT at its time (how many years ago was that), is now Swiss cheese to a hacker, over ten years ago in the modern computer age is Jurassic. The Win7 kernel was MUCH tougher than the XP kernel to begin with so much so that it actually took a while to begin to be hacked. Now that it has started to be hacked I pray that MS continues to harden it with updates.

To those who claim, "I have never been hacked using XP", I say: there are still millions of you with XP out there, count your blessings because a single fish in a school is harder to find. As more and more XP users switch to a modern OS (those who want to come out of the dinosaur age), the hacker's targets will become easier to target: YOU.

Acadia

 

Sometimes it's not easy to accept the facts. I know because I've been there, but the evidence is indisputable that a compromised kerenel vulnerability is really tough to defend against, even with one's beloved security software arsenal in place.

Now to play "Devil's advocate" a bit, those in this forum continuing to forge ahead with XP and other's who are as security conscious, could probably remain infection free into the foreseeable future on the kernel and otherwise if they properly administer the right security approach. I'm not promoting this approach but if that's what they want to do, they could likely do so with no serious repercussions if they play their cards right.

 

I don't see the results as fact, I see them as a scientific fact. The line between the two is gray but is still there. Thats why this thing doesn't do nothing to me.

Bo

 

Impossible, for some. Not worth the time demonstrating things, there will always be a "but" or "if" for some people. Not worth going down that rabbit hole.

 

Properly administering the right security approach and playing one's cards right... a great analogy. And a situation I am wrestling with now.
One of my computers runs XP, the other two run W7.
For some reason (nostalgia, convenience?) I have felt compelled to keep the XP box as a daily user for other family members.
How in the heck do I know if I am implementing the proper security approach, while playing the cards I have essentially dealt to myself?

Question becomes, why not deal myself a better hand?
Why stick with XP and continuously hope to draw to an inside straight?
I need to phase that XP box out and bring the 7x64 to the forefront.
It will take some time to get it the way I want it, but I believe it is time to fold my XP hand... before someone calls my bluff.

 

Understood. I tend to question a lot of things, especially when harboring some doubts or misunderstandings about what's being presented. From my pov I'm still not clear on some things but I suppose I understand enough to accept the dangers of kernel vulns. Actually with your security approach which I feel is among the very best of anyone's in this forum, you are not likely to suffer a compromise. You understand what the real dangers are and you've taken solid steps to addressing them.

 

I realize Kernel vulnerabilities are real, they are not a fantasy or a myth but this particular case (Bromium) has not affected anyone using SBIE. Why should I worry about it as if it was the end of the wold? Worrying about something that we can do very little about (Kernel vulns) doesn't make any sense, IMO. I enjoy life, computers are part of our modern life and I am not gonna spend the next five years of my life worrying about something that I can do very little about or that might never happen. In essence, that's how I deal with this kind of things (things in general that the chances of ever taking place are slimmer than slim).

Bo

 

Sorry, I think I wasn't really right. They mentioned about "isolation" and "containment". Sound like what a sandbox do.

Okay, sorry for the disturbance. Back on topic.

 

Indeed, I feel the same about using Chrome/IE11 and Sandboxie separately.

 

I know you do J L. Would I sandbox Chrome if I used Chrome? Since I have never installed Chrome, I don't know if I would sandbox it or not.

I know I prefer not to use anything along Sandboxie, reason being, because I like to avoid the chance of watering down Sandboxies protection. For the same reason, you prefer to run Chrome separately. I understand that.

Bo

 

And my practical experience with windows xp-which was 100% flawless; beats every single argument you have said-because experience in a real world always beats theory/hypothesis.
There is no need for me to move to windows 7 or 8 at all.
And if they use on most of the jobs in my country, than that even proves and fortifies my stand/opinion about windows xp OS.
It's not that I'm not thinking to move to windows 7 or 8, but right now I still don't need it at all.

 

One thing are facts the other thing are mere hypotheses, none argues that kernel vulnerabilities exist and will always exist, but Brohmium labs only created a hypothesis and how many hypotheses actually become reality-a very small number, let's be honest with this.
Than there is also my huuuge experience with windows xp as well.
When I actually see SBIE being bypassed in a real world, not by some hypothetical POC, than we can talk about a real world breach-everything else is an hyper-over-hyped hypothesis with no its backgorund in a real world, and it's not worth of any kind of discussion at all.
Also, if it can be configured to create any hole/vulnerability than it can be configured to block access to any hole/vulnerability-and that includes kernel as well.

 

This is not a matter of accepting or not-it is a matter of POC being real, or hypothetical-if it's hypothetical I'm not interested, I could claim and create POC that beats every system in the world-but it means nothing until it's actually done-words and hypothetical POCs are mothers of all mistakes-what you need is an real-world bypass and that's it.

But why bother with a hypothetical POC, I'm very down to earth person, and I need evidence from the real life events and breaches not some hypothetical POCs, how many of the POCs actually become real-very few of them.
Also, if it can be configured to create any hole/vulnerbaility than it can be configured to block access to any hole/vulnerability-and that includes kernel as well.
That's all and thank you for your time and patience.

 

Let it be noted I agree with CoolWebSearch to disagree with Pete.

It can take centuries for a PoC or hypothesis to become reality. Take Copernicus hypothesis for example. After all these years I still see a flat earth, even when I use an airplane I see with my very own eyes a flat earth. Pete everything you might tell about the earth being a globe is just hearsay from other people. Pete have you been to the moon and taken pictures of the earth being a globe to proof my wrong? So I ask you, please keep you feet on the earth, like me.

 

~ Removed Off Topic Remarks ~ I just wish I could get my computer back in its virgin state without any crackers getting orgasm on my account.
Period.

Security is for helping people and some forget it on the way.
Sadly!

 

It is real, it's a Proof of Concept, nothing hypothetical about it. Though I agree it may not be something to worry about because it is not used in the wild(though you could also remark that this is not strictly true, what IS true is that it is not used in the wild AND also discovered.)

 

CoolWebSearch

I read on the Sandboxie forum website that V4 still applies API hooks on XP for V4, so you are wright to question my earlier statement of better using V3 (on XP), I was wrong

Regards Kees

 

I don't care about the difference between "proof" and "theories", and neither should anyone else. The reality of computer security is that theory is important. If I understand how a system works I don't need to create a program to break it, I already know how I would write it, and taking the time is a waste of time that only leads to a rabbit hole of nonsense.

You think every good piece of research comes with a POC? It doesn't. The vast majority of research, of great great research, foundational research that changes how we approach security, doesn't have a POC attached to it.

Stop worrying about if something is a "theory". Try to understand the system. That's the only worthwhile approach.

 

hi,
I do not remember exactly what we are talking about on this thread...
I am convinced since years that sandbox based HIPS are the most effective HIPS for the last generations threats.
If we take the pentest angle, then it is not necessary to break or excape the sandbox, as many things can be done inside the sandbox via the client side shared language intereaction.
And web applications attacks appears as the most interesting to exploit.
Sometimes a closer look at shared sections guives interesting attack opportunities.

The security community have not waiting for the ex-XEN-neo Bromium guys to point out the potential issues of protection by isolation.
I can point out for instance the Vupen like research of the MWR labs for instance

https://labs.mwrinfosecurity.com/blog/2013/04/19/mwr-labs-pwn2own-2013-write-up---webkit-exploit/

https://labs.mwrinfosecurity.com/blog/2013/09/06/mwr-labs-pwn2own-2013-write-up---kernel-exploit/

As business is business, Bromium team follows its promotion campain even in the Illya town at the Russia Defecon, with their latest paper
“Endpoint security via application sandboxing and virtualization — past, present, future”
http://2013.zeronights.org/materials

All sandbox/VM HIPS or OS suffer from issues...except VSentry...of course...
I guess that that a Bromium challenge (like the Google or MST one) with a prize money would be more serious than a powerpoint paper...

Regarding PoC, this is just a demonstration tool of a research or vulnerability, interesting if you're looking for a career at Google, but not if the goal is only to get Money from any channel (underground, Vuln. assessement campanies, security agencies for the most part).

rgds

 

It is not used in a wild, because it's only hypothetical, this is like saying in physics everything that is hypothetical is true-you need irrefutable evidence for such claims, the same principle works for any other disicipline including computer science/technology.
Proof of Concept is hypothesis.that's what it POC means, if this was a real-world cyber threat, it would not be called POC at all anymore.

 

Understanding the system also belongs to hypothesis until it's 100% proven in reality.
You and everyone else should ESPECIALLY care about the difference between real world cyber threats and only hypothetical POC threats.

You're correct here:
If I understand how a system works I don't need to create a program to break it, I already know how I would write it, and taking the time is a waste of time that only leads to a rabbit hole of nonsense.

But there is one catch-one thing is to create a real program which realistically beats a real system's defenses, the other thing is to create POC which beats hypothetical system which both do not exist in a real world.
In a hypothetical POC world there are infinite possibilities to break the system, in a real world these chances are very much limited, like it or not.

That's why we need a clear 100% evidence that POC is not just a POC, but a real computer security threat-there is a HUUGE difference between 2 terms.
You and similar need to realize this, before explaining to others what holes computer system has and what is real and what is a fiction/hypothesis without any real-world evidence to back up your statements/experiments whatsoever.