Application Sandboxes: A pen-tester’s perspective

That's the mindset of most, but what's being pointed out that's rarely ever discussed because few ever give it any consideration is the fact the kernel itself is structurally full of weaknesses, many of which have been discovered and patched, but it's anyone's guess as to how many more undiscovered there are now and in the future. The setup you refer to is better than so many others because it is not potentially impacted negatively by 3rd party applications. However, it is still structured around a questionably designed, security-wise, kernel.

I agree. Perhaps the O/S' kernel can be designed better to expose a reduced target landscape for attackers. BTW, it's because of a filter built in to linux' kernel that affords a more robust Chrome sandbox.

 

Hi Fleischmann, Why drop Sandboxie for something that doesn't exist in the real world? The thing (I refuse to call it a study) as of October 16th only works in theory. In my opinion, if we see people at the Sandboxie forum reporting real infections day after day and suddenly we see a rush of users complaining that they are getting infected, that would be the time to replace or drop SBIE. But doing so because of an unreliable test doesn't make sense.

I call the test unreliable because it was done by a guy that has his own product that he wants to sell. This is the same situation as when antivirus A sponsors a comparison test and they come up on top. Some of the guys here pounding on SBIE would call that test bogus. Why they don't do it here is beyond me.

Hungry man saids that real infections of this type doesn't exist because its too expensive, not many people use Sandboxie, its only a matter of time.....but eventually its going to happen. Ha, I being hearing the same story, same words during the five years that I used Sandboxie and guess what? Sandboxie is stronger now that it was five years ago when I started using the program and I can prove it. Its simple: Where are the people getting infected with this BS? He couldn't even name ONE real infection based on the video or the PDF writeup. Myself, I am no expert on nothing that has to do with computers. And despite that and only using Sandboxie and NoScript for security, I don't get infected. Thats reality, the real world, something that can be touched, not fantasy as the PDF or video.

Some people seem to think that in a few years, Sandboxie will get killed easily, right? I say, dont underestimate Sandboxie or Tzuk. When the malware guys get to kill SBIE V4, Sandboxie will be in V6 or doing its thing differently. Real malware cant catch up with Sandboxie as SBIE is always gonna be years ahead. Whether thas because of SBIE itself or because its too expensive to create malware that takes advantage of the "operating system's kernel weaknesses" it doesn't make a difference.

Bo

 

@wat0114

I did not say that Windows_Security's setup provides any protection against kernel vulnerabilites. I just wrote that setup as an example of how secure Windows can get with its own mechanisms. Many security suites can't do better than that and can be bypassed with the same measures that would bypass a restricted Windows configuration. I wanted to point out that kernel vulnerabilites are not the reason people use security software.

@bo elam

I think you have misunderstood me because I am not considering replacing Sandboxie at the moment. I am only worried that somebody reads the Bromium article and says: "Ok, so I am vulnerable against this kernel type exploit stuff, so I want exploit protection. Oh look, there is a program called anti-exploit and this internet security offers exploit protection, so I'm gonna ditch Sandboxie in favor of that."

I on the other hand think that on Windows, a combination of Sandboxie, AppGuard and EMET 4.0 is as good as you can get.

 

It's good to know the limitations of an application and adjust your approach accordingly. Every application has some vulnerability that can be exploited. If we adopted a philosophy of abandoning software every-time a vulnerability was discovered then what would be the point of utilizing a computer? I've had a good history with Sandboxie, as have many, and potential risk is not enough reason for me to jump ship at this time.

 

Of course and I agree with you.

Again, agreed Most people don't think of the kernel when they plan their security strategy. For the most part they are going to choose the O/S that suits their needs best, and that, of course, is usually Windows. They accept it for what it is and secure it the way they see fit.

 

I'm just going to say this without reading, but I realize that people are feeling the need to jump from Sandboxie to something else. You probably don't want to do that.

Instead, what I suggest is actually taking the time to secure your Sandboxie as best you can. That means restricting the sandbox file access beyond default. You make post exploitation information gathering much harder.

Kernel exploitation is still an issue but it is simply out of your hands on Windows. I suggest using EMET to make userland exploitation harder.

 

Lots of comments and I'm going to try to answer as many questions as possible here in the next couple of minutes I've got. I'm going to end up being busy all day today, and likely not be on much after the next two hours.

@Peter,

I doubt they told Tzuk about it but it changes nothing in terms of whether what they demonstrated is legitimate or not. What can Tzuk do? This is not an attack on Sandboxie, this is an attack on the sandboxing model, with Sandboxie used to demonstrate.

@Wat,

The whole 'It's the operating system's fault' thing extends far beyond this, but this is one good example of how the security model has to be built with the OS in mind.

Yeah, the one thing I miss from my Firefox days (oh how long ago) is NoScript. Great extensions, anyone in here running Firefox I highly recommend to use NoScript as well.

I've settled with a TLD whitelist, courtesy of Moonblood.

Unfortunately Linux suffers from the same issues Windows does, just not when done properly. On Windows there's basically no decent system call hooking interface without getting deeply complex (running programs in specifically compiler-for virtual machines as bytecode or minfree drivers that can only hook some etc + tons of undocumented calls). On Linux you have LSM but, more importantly, you have Seccomp. Seccomp prevents kernel exploits incredibly well - the only partial attack on ChromeOS didn't attack the kernel (despite it being fair game) it attempted to go through the broker.

To really achieve kernel-up security you have to harden the kernel directly, but seccomp lessens that need drastically.

@Bo,

How is a video of them exploiting it 'theory' - while it may not be in the wild that is certainly much more than theory. They didn't say "Our hypothesis is that we can do this" they said "We did this".

I think it might be best to try to stay *ahead* of attackers, rather than play the cat and mouse game.

This isn't a test, nor is it an attack on Sandboxie, nor did they really push Bromium at all in the talk (I was absolutely surprised at this). What this is is a demonstration of the inability for generic sandboxes to work on Windows against what could be considered an advanced attack. I say advanced beacuse it's only advanced for the current threat landscape, the reality is that kernel exploits are not new.

No, not too expensive. Simply a waste of money. Sandboxie users are few and far between, and Java users are everywhere.

Now now, no need to call it BS.

I can definitely name people being infected by kernel based exploits! Just not ones targeted to Sandboxie users.

http://www.livehacking.com/2013/07/...ability-which-is-being-exploited-in-the-wild/

There's one from July this year. This would have bypassed Sandboxie entirely, any TTF attack would (they're also not that hard to exploit due to the nature of TTF vm).

Not expensive at all. TTF attacks are cheap. I think they sell for a mere 25k on the blackmarket, but I'm not up to date on pricing. They aren't used because attackers don't care - I have literally talked to botnet operators and they just don't care to do it right now. They know about it, they are fully capable of it, btu they're pulling in anywhere between 200 and 800k a year doing what they're doing. IF everyone used a sandbox they'd care. That isn't the case.

Sandboxie is definitely not ahead. I'm not going to try to attack Sandboxie, because the discussion should really be on *sandboxes* on Windows, not Sandboxie. But Sandboxie is not ahead.

Hope that covers any misconceptions or questions.

The tl;dr version is that you should probably not just jump **** on SandboxIE, even if it definitely doesn't address these issues - nothing on Windows does a good job of addressing them. Instead, lock down your sandboxes as best you can.

 

Bo it's usually the ones who told me I was gonna be infected using no antivirus,guess what no infection!~

Then there are those who say,keep using XP OS you'll get infected,again no infection!

I'm using Sandboxie now with nothing else,guess what again,no infection,also using XP

 

Yes, XP is fun, because sandboxes become even more limited in their ability to protect the user.

As with virtually all conversations I have on wilders, in the end it really comes down to a disparity about what we want to call secure.

 

I am sorry Boost but I don't understand what you are saying. If you meant to say that I said that using Sandboxie all the time without an antivirus can get the job done. Then yes, I could have said that. I have used SBIE for almost 5 years, stopped using real time scanners 3 years ago. Then, 2 years ago, I stopped using on demand scanners as well. Using or not using an AV along SBIE has not made any difference for me regarding getting infected. My last infection was a few days before I installed SBIE for the first time in late 2008.

Bo

 

Hey Pete, before Sandboxie, I was like your friend. I used to get infected once or twice a year every year, for some strange reason (SBIE), that came to an end when I started using the program.

Bo

 

o

This!

It's disappointing to see whenever presented with facts, instead of trying to grasp the message or read the report, users go on defensive mode and reject it outright.y.o make it worse, declaring their systems state being infection-free as proof. First and foremost, infection rate has nothing to do with the topic and details discussed. It is possible to be infection-free even without Sandboxie. The mere fact one employ Sandboxie in a sea of crowd that uses systems that are far less secure already gives the person an advantage so it should come off as no surprise.

Instead of placing blind faith, it's important to realize and accept the limitations of the security tools and policies one use. When Ronen Tzur himself acknowledges the fact, it's silly for Sandboxie users to say otherwise. Sandboxie is a great tool on Windows because it provides a sandboxing mechanism for programs but it's a generic sandbox that is designed for compatibility with as many programs. That itself lends a wider scope or avenue for abuse compared to Chrome which need to sandbox itself, flash and pdf reader. This is no fault o. Sandboxie. Tzuk is a talented developer and for a
one-man project, Sandboxie is impressive. No one's saying it's time to ditch Sandboxie. It's one of the best security tool.on Windows. Just be aware of it's shortcomings.

Now for those who claim their XP is secure thanks to 3rd-party apps, you need to know that all of those security apps are dependent on the OS and the interfaces/APIs provided by MS to work. When the underlying OS itself is weakno amount of 3rd-party can make up for it. At best, they extend the OS and your system is 'safer' by virtue of being different enough to thwart the current threats ITW. By no means it can be called secure by design.

 

@safeguy,

very well said

 

Thanks Pete. I'll take a deeper look into EAM's settings and have a look at appguard.

 

An informative thread for many reasons, not the least for letting me know how much advanced attackers pull per year! How do I become one?

Now for a serious note.

Seems to be such a balanced view, thanks.

Thanks for arguing your point throughout. Would you care to be more specific in your recommendations on how to best lock up on SB?

 

Quote:
Originally Posted by newbino Would you care to be more specific in your recommendations on how to best lock up on SB?
[DefaultBox]

ConfigLevel=7
AutoRecover=y
Template=BlockPorts
Template=LingerPrograms
Template=Firefox_Phishing_DirectAccess
Template=AutoRecoverIgnore
RecoverFolder=%Personal%
RecoverFolder=%Favorites%
RecoverFolder=%Desktop%
BorderColor=#00FF00
Enabled=y
BoxNameTitle=n
NotifyInternetAccessDenied=y
NotifyStartRunAccessDenied=y
NeverDelete=n
AutoDelete=y
DropAdminRights=y
ProcessGroup=<StartRunAccess>,firefox.exe(whatever browser you use)
ProcessGroup=<InternetAccess>,firefox.exe(whatever browser you use)
ClosedFilePath=%Personal%\My Downloads\(block your personal info from malware)
ClosedFilePath=%Personal%\My Music\
ClosedFilePath=%Personal%\My Pictures\
ClosedFilePath=%My Video%\
ClosedFilePath=\Device\Mup\
ClosedFilePath=C:\WINDOWS\system\
ClosedFilePath=C:\WINDOWS\system32\kernel32.dll(It could say kernel64.dll instead of kernel32.dll)
ClosedFilePath=C:\WINDOWS\system32\t2embed.dll
ClosedFilePath=C:\WINDOWS\system32\win32k.sys
ClosedFilePath=!<InternetAccess>,InternetAccessDevices
ClosedIpcPath=!<StartRunAccess>,*

If you need anymore info just ask.

 

Reference Sandboxie and XP. My wife frequents graphics arts sites and is constantly downloading stuff. She runs XP and has been hit with malware monthly, sometimes weekly because she panics and clicks run or something when a box appears.

I finally got her to install the free Sandboxie a long time ago and I made just a couple of permissions changes. It's an earlier version 3.45 or maybe earlier. Now, I'm trying to get her to upgrade to at least a newer version.

Anyway, since installing it and explaining that she just has to click the Sandbox icon on the desktop and empty it occasionally, and making sure she does it, her computer has not been infected a single time. Sandboxie does work, at least in her case.

 

No one's arguing against Sandboxie's effectiveness against the "mainstream" or "off the shelf" malware. It works superbly against it. It's about how it might struggle against advanced attacks ultimately targeting a weakness in the kernel, which of course these days are rare, but they could become commonplace someday.

 

@Newbino,

It's easier than you might think. Rudimentary programming experience and understanding of common protocols is 90% of it. The difficult part is breaking into the hacker scene, it always involves knowing someone. Then you need startup to buy your exploits (unless you can develop them yourself) and a few other things.

Disable every capability you can for the program you confine. Remove as much file access as possible. That's really all you can do on Sandboxie, and it's enough to make certain types of post-exploitation attacks more annoying.

@Chuck/Wat,

To be more clear, when we talk about Sandboxie, it's purely because it is an example of a per-application sandbox on Windows. These are not issues with Sandboxie though, these are issues with the capabilities Windows has exposed to developers, preventing them from creating powerful sandboxes. It's something I've talked to MS about and they are fully aware of it.

This isn't an "uninstall sandboxie" thread, it's purely a demonstration and a look at the weaknesses of all sandboxing products on Windows.

 

And no one is arguing that the weakness in the kernel doesn't exist. But it bothers me when I see someone in a video portraying Sandboxie users as having their head inside the ground. Or when I see a fellow member on this thread saying that we live in an "invincible sandbox fantasy" or when HM says that "sandboxing on Windows is, for the most part, a joke". And since I know that Sandboxie is not a joke and I seen what Sandboxie has done for me and others, I had to say something.

It is not fair to expect Sandboxie users to just sit quietly and say nothing about what you guys that don't use Sandboxie are saying about the program in a thread in which the name Sandboxie/SBIE was mentioned 90 times in the first two pages of this thread.

Bo

 

@bo elam

OBJECTION!

I didn't specifically mention about Sandboxie. You know that there are a few people out there who think that just because they are using a sandbox they will never get infected no matter what and advocating to throw away all those bloated AVs because a sandbox is all you will ever need. Also, HM didn't specifically mention about Sandboxie. And I believe you are aware that some sandboxes are too half-faced to be able to give a real protection. Thus, the invincible sandbox fantasy. Not invincible Sandboxie fantasy.

You interpret us wrong, ze.

 

@ bo elam

I think HM said that the weaknesses of the OS are compromising the whole sandboxing principle on Windows and no application sandbox can get around that. Further he said "sandboxing on Windows" and not "Sandboxie". The reason Sandboxie is mentioned so often in this thread is because it's THE sandbox app we all know, or do you use Dell Protected Workspace?

But I concur that some of the Bromium guys attempt at humor were insulting.

 

Agreed and this makes sense on all points.

I use Sandboxiue on a home machine with XP dual-boot with another O/S, and I have complete faith in its abilities to shield my activites or those of family members from malware threats, even if XP is practically begging to get hacked If threats do someday advance far beyond their current mainstream level, then maybe things change, maybe they don't. Probably by then I will have removed XP anyway. It's just that the hardware is 10 yrs old so it can only run this MS O/S adequately. The kids don't like "the other" O/S too much

True, and if anyone can advance their design, I'd say Ronan is the most capable of doing so