Application Sandboxes: A pen-tester’s perspective

Discussion in 'sandboxing & virtualization' started by BoerenkoolMetWorst, Jul 25, 2013.

Thread Status:
Not open for further replies.
  1. @J_L

    Don't let CWS trick you in reversing the discussion. Let him answer a few questions first.

    CWS may have seen a curvature when he saw James May flying at high altitude in a television program, but that is only a part of a globe. A curvature is at best a PoC of Copernicus' theory. By no means has CWS proven that the earth is round. Also, how do you know whether what you see on television is fact or fiction? Has James May really been in the outer layers of the earth, or was it a nicely crafted PoC of an airplane flying before a blue screen? CWS has not proven that it was not fiction, so how can I be certain it is a fact? How can you distinguish real life from virtual life in the digital world? Maybe CWS is a nickname of James May promoting his TV broadcasts. Can CWS prove he is not James May, I ask you.

    Regards Kees
     
    Last edited by a moderator: Nov 15, 2013
  2. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    No, it's not a POC, because it's real: it's not hypothetical, it's not theoretical, it's not experimental, it's real and it never changes, because it is a 100% proven fact.
    You seem to live in the dark ages (no offense) if you still believe that Earth is flat and ignore the facts. All you have to do is take a journey around the entire Earth; you will come back to the same place you started from if Earth is curved, and you will. This is not a POC, it's a fact.

    Until I see all these POC methods used in the wild, it's a matter of hypothesis.
     
  3. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    CWS, you should not have any compatibility issues sandboxing Chrome. That is, unless you are using some other form of program control etc. Then all odds are wild that some issues might come up.

    They may come from SBIE and that other program having issues, and also then from their interaction with Chrome. So in that sense I accept perfectly J_L's decision not to sandbox it and his blind trust in Chrome. His mission is making me a bit angry though.

    I have not even cared to look at the Bromium tests deeper than the first page results. And I agree with you, CWS, that the tests should be done with the restrictions in SBIE put into action in that test sandbox.

    Sandboxie assumes your system is "clean". So outside, some code can do whatever damage to your system. I bet these tests would not succeed much if their code were not even allowed to run inside the test sandbox. :)
     
  4. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Trust me, I don't have any problems now, but when I first tried Google Chrome with SBIE it was painful. I used it now and it all seems OK, but I don't want to risk another trip like I had before.
    You said this:
    "I have not even cared to look at the bromium tests deeper except the first page results. And agree with you CWS that the tests should be done with restrictions in SBIE put to action in that test sandbox.
    Sandboxie assumes your system is "clean". So outside some code can do whatever damage to your system. I bet these tests would not much succeed if their code would not be even allowed to start/run inside the test sandbox."

    And these are my key points in such debates all the time, and everyone is ignoring them.
     
    James (if a may), have you seen a round earth in the wild, or just digital data from second-hand information sources? What is the difference between these two POCs? Are you familiar with string theory? This puts a different perspective on 100% proven facts and "things which never change".

    When you read the biography of James May on Wikipedia, you will notice he does not have a background in engineering, but has studied music (so he is probably aware of string theory). He has also been fired as a journalist because he published a prank. How do you know the TV broadcast you saw was not a prank also? With so many facts, I see no reason to troll this thread any further: I rest my case.

    Regards Kees
     
    Last edited by a moderator: Nov 15, 2013
  6. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Funny that your argument itself is a hypothesis at best. There's more than enough evidence for the weakness of all sandboxes under Windows throughout the 11+ pages of this thread. You're free to continue denying, but the hypocritical insults about paranoia frankly irk me. Why only tightened Sandboxie instead of the other sandboxes, except for taking its side?

    Sure, what is the difference when the average person experiences neither the Bromium results nor Chrome's bounty-hunting exploits? An extra layer for what purpose? (other than what I've already mentioned early on)
     
  7. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Blind trust? Says the one who didn't bother reading into it? I wonder how much of this entire thread you've understood.
     
  8. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Let's go:
    If that's the case I'll just use the Copenhagen school of quantum physics: you don't exist because I can't see/observe you, I can't detect you, I can't smell you, I can't measure you, I can't create mathematical calculations about you, since you don't exist. The same thing you can say about me; according to you we're both POCs to each other, and you know damn well this is absolutely wrong, we're both real, not some POCs.

    According to the Copenhagen school only the computer that I'm writing on is real; only the computer and that's it. You don't exist, and the same you can claim for me/my existence; you could say that my existence is only a POC to you as much as your existence is only a POC for me. You and everyone else know damn well this is all false.

    You're implying and talking about nonsense here, and you know this damn well, and you are comparing apples and oranges. If you know anyone who can use these POCs to break through SBIE, go ahead; everyday practice and experiments matter and NOT hypotheses/theories.
    If you can give me any evidence that these hypothetical POCs can be used to bypass the sandboxes that are mentioned, I'll be happy to realize my mistake and admit I was wrong.

    The more precise example is the discovery of the Higgs-like boson: everybody thinks that it is a Higgs boson, but it doesn't have to be. Yes, it has its properties and all that, but nobody is yet 100% sure if that truly is a Higgs boson; you need a lot more experiments and data from CERN in the next 10 years to finally prove or finally disprove the Higgs boson's existence. The same principle works for the POCs in computers: until these POCs/exploits are used by malware every single day, practically in a lot of computers, there is no way of knowing if this is going to work at all.

    If you show me examples where POCs and malware were used to exploit these in a real deal, I'd be happy to admit that I was wrong, because it would be 100% irrefutable evidence that POCs are used in the wild, which means they are real threats.

    Plus, like Jarmo said:
    "I bet these tests would not much succeed if their code would not be even allowed to start/run inside the test sandbox."
    Cheers.
     
    Last edited: Nov 15, 2013
  9. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    The main problem is you don't give any real-world examples; you're just repeating yourself with these hypothetical POCs.
    Plus like Jarmo said:
    "I bet these tests would not much succeed if their code would not be even allowed to start/run inside the test sandbox."
    Cheers.
     
  10. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Nice try at shifting one's attention, but you haven't given any real world examples of why running Chrome under Sandboxie would be necessary. Once again, social engineering isn't a factor. Nor did you prove Jarmo's bet.
     
  11. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    It's up to testers to prove/disprove, but they always ignore Sandboxie's tight configuration and start/run restrictions!
    I gave up on Google Chrome, not because I think it's not secure but because of incompatibility issues, even though right now both Chrome and SBIE work excellently together.
    But previous experience taught me: don't mess with the incompatibility devil, especially if you have 2 sandboxes combined together.
     
  12. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Why would they test non-default settings in the first place? And once again, why only hardened Sandboxie? It's not unique in that feature. For example, the other most discussed sandbox.
     
  13. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    Sandboxie conflicts with most other software firewalls I have used, if you allow the HIPS on them with all the "protection".
    ZA is an exception, but perhaps not the brightest "star".

    So of course we SBIE users want those Bromium tests done with program run/internet access restrictions applied. Also the DropMyRights option if you are an admin user. I am not.
    All of my internet apps are running with those restrictions. And it is no bother at all. It is using the SBIE HIPS as you would use your other HIPS too.

    This is a security forum, not some basic user forum. I am sure the default settings are just good for most users, but if tests like that are published, much bad advertisement is done by Linux etc. users.
     
  14. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    The problem with testing hardened SBIE is even more than just special treatment. How would they configure it with so many different options and user preferences?

    It won't even satisfy all the experienced users; somebody else will complain about the settings being "wrong". That's why the defaults are the fairest and most efficient way to test programs.
     
  15. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    5,985
    Location:
    Nicaragua
    I don't care how they test Sandboxie. To me those tests mean nothing; they are like a pre-season game. I only care what happens when the games count, and it is at that time that Sandboxie always comes out on top. You and the other guys who keep banging on SBIE and underestimating SBIE, keep it up if that gives you a high, but I think you should pay attention to what Tzuk said in this post (numeral #2), referring to SBIE and malware that's able to take advantage of a kernel-mode vulnerability:

    "2. As for questions about how some specific malware would act when it gets those kernel privileges. I can't answer such questions, I don't know how the specific malware behaves. It's possible that Sandboxie would interfere with correct operation of the malware, and it is equally possible that the virus would be able to break out of the sandbox".

    http://www.sandboxie.com/phpbb/viewtopic.php?p=75473&sid=a9cf26ce8082451b1a9a94d7f1dece80

    Kees, you keep posting the above link and emphasize what Tzuk said in numeral #1 and completely ignore what he says in numeral #2. Not fair. And it's pretty clear what he means; please don't ask me to explain it to you.

    Bo
     
  16. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    When did I underestimate SBIE? It's more like SBIE fans are underestimating Chrome and overestimating their own sandbox. Tzuk doesn't know, yet some people treat any test against Sandboxie as unimportant due to real-world insignificance, and then they sandbox Chrome while ignoring that very reason.

    When the games count, sandboxing a sandbox isn't going to make a difference in the security of a clean system. Using them separately is more than enough.
     
  17. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288
    Is Sandboxie invulnerable?
    No.

    Will using Sandboxie with Chrome do more harm than good?
    It's possible but pretty unlikely. On the other hand, it's much more likely that Sandboxie can effectively prevent an infection.

    Because against the odds of a targeted attack against Sandboxie, or an attack against Chrome that succeeds because Sandboxie is installed, are the odds of attacks against Chrome, Java, and other plugins, against which Sandboxie can and normally does protect.

    What is more common to find in the wild? Even considering the existence of kernel exploits that apparently will blow through anything no matter what, what is more probable to continue to appear in the wild? Malware that succeeds because of the use of Sandboxie, or malware that fails because of the use of Sandboxie?

    I'm not saying that it is impossible for malware to exist that will succeed because Sandboxie is installed, or that it is impossible for malware to exist that breaks out of Sandboxie, or anything else. I'm just saying that Sandboxie is and will be effective in the enormous majority of all other cases, and so clearly (to me) it's still the better option to use it.
     
  18. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    5,985
    Location:
    Nicaragua
    JL, I am the biggest SBIE fan that you know and I never talk about Chrome. I never used Chrome so I can't talk about it. Of all the posts that I have written here at Wilders or at the other forum where you and I know each other from, I only mentioned Chrome in one post. I wrote that post for you, but you'll never read me writing derogatory remarks about Chrome or any other program. I don't do that in forums or in life.

    I don't know if sandboxing Chrome is a good idea or not, but I can tell that if I used Chrome and did not run it under Sandboxie, I would not feel as relaxed as I do now surfing sandboxed using Firefox or IE. Those are my true feelings and I can't lie to myself. Anyway, sandboxing or not sandboxing Chrome doesn't concern me at all, as installing it has never crossed my mind.

    You say SBIE users treat tests "as non-important". Perhaps the reason some SBIE users, myself included, don't have much regard for the Bromium test is because, 1) they are a commercial company. That right there makes things suspicious, and even more so when this thread was going for more than two months and no one (HM, you, OP, Kees, etc.) ever mentioned it. I knew about it ever since the thread was created and I don't believe you guys did not know about it. After I mentioned this little "fact", HM admitted that he knew about it. Why didn't he say something earlier?, 2) in the five years that I have known Sandboxie, I have seen a few POCs succeed but they never became a real threat. After a while, you won't believe them unless they actually affect anyone. That's normal JL, that's human nature. We keep hearing people like HM saying "watch out, malware attacking sandboxes is coming, it's just a matter of time, they don't do it now because they make more money doing something else". I heard that in 2008, the same words in 2013, and I have a strong feeling that we'll be hearing the same kind of remarks in 2018.

    Cheers

    Bo
     
  19. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    @AlexC: Missed the point, and underestimated Chrome again. It's not about harm, but instead necessity. Plugins (except sandboxed Flash/PDF) are optional components that the user chooses to install and execute. Admittedly, Sandboxie makes it easier to protect those when they run, but it's still not a necessity.

    @bo elam: My message was a continuation of the replies to user before you as well. In the real world, all sandboxes are overkill.
     
  20. tomazyk

    tomazyk Guest

    I've been using Chrome with Sandboxie for the past few years and have really got used to it. FF and IE are run under SBIE also.

    The things that I like about SBIE are:
    - I can control which processes can run and have internet access
    - I can prevent programs from accessing my personal/sensitive data
    - I can redirect all disk write activity to my RamDisk
    - when I close browser I know ALL data created during browsing session is deleted

    IMO all those benefits outweigh any danger that SBIE COULD cause to my system.

    Right now I can't imagine using a browser without SBIE supervision. If a browser became incompatible with SBIE, that browser would have to go.
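    The restrictions that Jarmo P and tomazyk describe above (program start/run and internet access limited to a named group, personal folders closed to the sandbox, contents deleted on close, admin rights dropped) live in Sandboxie.ini, and the thread's recurring complaint is that tests are run against a box where none of them are set. The script below is an added example, not code from the thread or from the Sandboxie project: it parses a Sandboxie.ini (which, unlike standard INI, repeats keys such as ClosedFilePath many times per box) and reports which box sections lack those restrictions. The sample configuration is constructed, and the setting names it checks (ProcessGroup with the <InternetAccess> and <StartRunAccess> group tokens, ClosedFilePath=!<InternetAccess>,InternetAccessDevices, ClosedIpcPath=!<StartRunAccess>,*, DropAdminRights, AutoDelete) are assumptions based on how Sandboxie 3.x/4.x wrote its restriction settings; check them against your own installed version before trusting the audit.

```python
"""Audit Sandboxie.ini box sections for the restrictions discussed in the thread.

Added example, not from the original thread or from the Sandboxie project.
Assumption: the setting names below (ProcessGroup, the <InternetAccess> and
<StartRunAccess> group tokens, ClosedFilePath/ClosedIpcPath, DropAdminRights,
AutoDelete) are as Sandboxie 3.x/4.x wrote them; verify against your version.
"""
from collections import defaultdict

# Constructed sample configuration, not a real user's file.
# [DefaultBox] is a stock box; [Browser] carries the restrictions from the thread.
SAMPLE_INI = """\
[GlobalSettings]
FileRootPath=\\??\\%SystemDrive%\\Sandbox\\%USER%\\%SANDBOX%

[DefaultBox]
Enabled=y
ConfigLevel=7

[Browser]
Enabled=y
ConfigLevel=7
AutoDelete=y
DropAdminRights=y
ProcessGroup=<InternetAccess>,firefox.exe,chrome.exe
ClosedFilePath=!<InternetAccess>,InternetAccessDevices
ProcessGroup=<StartRunAccess>,firefox.exe,chrome.exe
ClosedIpcPath=!<StartRunAccess>,*
ClosedFilePath=%Personal%
ClosedFilePath=%Desktop%
"""


def parse_sandboxie_ini(text):
    """Parse Sandboxie.ini into {section: {key: [value, value, ...]}}.

    configparser is deliberately not used: Sandboxie lists keys such as
    ClosedFilePath many times per box, and every occurrence must be kept.
    """
    sections = defaultdict(lambda: defaultdict(list))
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()].append(value.strip())
    return sections


def group_members(box, group_name):
    """Return the lower-cased program names listed for one ProcessGroup token."""
    members = set()
    for entry in box.get("ProcessGroup", []):
        name, _, progs = entry.partition(",")
        if name.strip() == group_name:
            members.update(p.strip().lower() for p in progs.split(",") if p.strip())
    return members


def audit_box(box):
    """Return findings for one box; an empty list means every check passed."""
    findings = []
    # Last occurrence wins, mirroring how a later line overrides an earlier one.
    if box.get("DropAdminRights", ["n"])[-1].lower() != "y":
        findings.append("DropAdminRights is not enabled")
    if box.get("AutoDelete", ["n"])[-1].lower() != "y":
        findings.append("AutoDelete is not enabled: box contents persist between sessions")
    # Internet access: a group must exist AND the network devices must be closed to non-members.
    net_closed = any(v.startswith("!<InternetAccess>,") and v.endswith("InternetAccessDevices")
                     for v in box.get("ClosedFilePath", []))
    if not (group_members(box, "<InternetAccess>") and net_closed):
        findings.append("no internet access restriction: any sandboxed program may reach the network")
    # Start/run: same shape, enforced through a closed IPC path for non-members.
    run_closed = any(v.startswith("!<StartRunAccess>,") for v in box.get("ClosedIpcPath", []))
    if not (group_members(box, "<StartRunAccess>") and run_closed):
        findings.append("no start/run restriction: a dropped executable may start inside the box")
    if not any(v.startswith("%Personal%") for v in box.get("ClosedFilePath", [])):
        findings.append("%Personal% (Documents) is readable from inside the box")
    return findings


def audit(text):
    """Audit every box section; GlobalSettings is not a box and is skipped."""
    return {name: audit_box(box)
            for name, box in parse_sandboxie_ini(text).items()
            if name != "GlobalSettings"}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INI).items():
        print(f"[{name}]", "OK" if not findings else "")
        for finding in findings:
            print("   -", finding)
```

    Run against the constructed sample, [DefaultBox] produces five findings and [Browser] none, which is exactly the gap between a default-settings test and the hardened box the SBIE users in this thread want tested. Point `audit()` at the contents of a real Sandboxie.ini to see which of your own boxes are still at defaults.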
     
  21. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Funny how many times I have to repeat myself. I've already stated those benefits in the first few pages. It's more for subjective control/privacy than real-world security on a clean machine, yet some claimed otherwise.
     
  22. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288
    About your claim about Sandboxie and Chrome being redundant:

    - That means that all code able to bypass Chrome's security is also effective even with Sandboxie installed and configured. Is that true?

    - Chrome is a fairly desirable target because it's a browser used by many people. So it's very plausible that malware able to bypass Chrome's security already exists and that more will exist in the future. Don't you find it likely that some of that malware designed to bypass Chrome can and will be stopped by Sandboxie, and that people using only Chrome will be infected by that malware (unless some other layer stops it)?

    - Are these things redundant?
     
    Last edited: Nov 15, 2013
  23. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    - Does that really matter in real-world scenarios? Nobody tested how much of a difference sandboxing a sandbox would make in the first place, but this test shows common weaknesses of all sandboxes under Windows.

    - Tell me the last time someone actually got infected by drive-by installs on unsandboxed Chrome. No, it's not likely for it to successfully exploit only Chrome and not the kernel or other sandboxes (shared implementation like integrity levels). I prefer more unique layers effective at mitigating Chrome's weaknesses.

    - Already answered a long time ago. Depends on the user, but unnecessary for most unless infected. Redundant with HIPS, default-deny policies, incognito mode, etc.
     
  24. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    5,985
    Location:
    Nicaragua
    J L, I don't use anything but SBIE and Firefox with NoScript; sandboxing most programs and files is how I keep my computers clean. It's obvious that using the sandbox is not overkill.

    Bo
     
  25. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    I meant overkill as in they're virtually 100% protection, yet some people are doing fine without them. They're more than needed, but that's not always a bad thing; otherwise future-proofing wouldn't be a positive concept.
     