Application Sandboxes: A pen-tester’s perspective

Discussion in 'sandboxing & virtualization' started by BoerenkoolMetWorst, Jul 25, 2013.

Thread Status:
Not open for further replies.
  1. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Thanks anyway.
    The problem with kernel flaws is that, let's say, AppGuard protects against a number of them; however, what happens if an exploit happens to open something at kernel level that even AppGuard cannot protect against?

    Also, I'm very much surprised by this test; it says that Google Chrome by far beats all other sandboxes, even SBIE4, even if we talk about a tightly configured SBIE4?
    WS (WS = Windows Security) explained to me above why that is the case.

    And yes, I do use the newest version of Firefox with NoScript and AdBlock Plus, but I also recommend Public Fox, which blocks unwanted downloads from everywhere on the net; click * to block all downloads, and you can also use password protection for this.
    This is what Google Chrome actually needs: something similar.
     
  2. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Chrome does have native built-in scripting control already, and recently a pretty decent extension for this which utilizes the functionality:

    -https://chrome.google.com/webstore/detail/script-defender/celgmkbkgakmkfboolifhbllkfiepcae
     
  3. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Forget about Script Defender; it's a naked version of ScriptSafe. ScriptSafe is much better than Script Defender; however, it still does not block downloads.
     
  4. guest

    guest Guest

    The download link provided by Kees-sensei (Windows_Security) works fine. I can download it. o_O

    TBH, I found it works better than ScriptSafe if we're only talking about javascript/plugin blocking.
     
  5. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Agreed 100%

    *EDIT*

    Sure it does, if we're talking about compromised websites injected with malicious code. ScriptDefender will block the script-initiated download as long as the user doesn't allow it.
     
    Last edited: Nov 5, 2013
  6. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Sure, but I'd rather have something that blocks downloads in the first place, something like in SBIE. Publicfox is the closest to this approach; Chrome needs something like this. Publicfox will also block all the downloads (including all the exploits; exploits need to be downloaded first) from Malware Domain List and similar, because every single download requires a password to be allowed.
     
  7. Keter

    Keter Registered Member

    Joined:
    Nov 5, 2013
    Posts:
    12
    Location:
    USA
    My opinion: no system can be 100% exploit proof. Sandboxes are one way to make a system less vulnerable to exploitation; they aren't a silver bullet, but they are useful.

    Chances are, you will not run across any NSA-developed kernel exploits in your journey through the web. 95% of what you run into will be far more mundane than that. Sandboxie will do well to protect against those.
     
  8. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Except for Windows itself... :)
     
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Finally got it, thanks.
     
  10. Keter

    Keter Registered Member

    Joined:
    Nov 5, 2013
    Posts:
    12
    Location:
    USA
    I see your point. It's impossible to know for sure whether Windows was rooted or not. However, I don't think it's likely. This kind of activity could easily be detected over Wireshark, and there are many eyes on Windows since it is the most used operating system family. If there was a Windows backdoor, presumably it would be discovered sooner or later and could very well put an end to Microsoft. Microsoft relies on its enterprise clients, and they would leave in droves if a Windows backdoor was discovered. It would be an absolute disaster for them. So, while I think Microsoft will give the NSA advance warning about newly discovered exploits, I don't think that Windows is backdoored.
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Getting back to the original point of this thread, several people were aware I was going to ask the Blue Ridge (Appguard) folks about this.

    I have heard back, and the answer was essentially the same as Tzuk's answer on the Sandboxie forum. That is, if there is a weakness in the kernel or critical Windows APIs, then if they are exploited no security software can protect you. Their security expert even went on to say that if the OS hypervisor has a flaw, it may even be possible that virtual machines won't help either.

    What this tells me is three things.

    1. So far it is POC, hopefully it will stay that way.

    2. The best defense is to keep the OS patched.

    3. Good images of the system to recover.

    Pete
     
  12. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Thanks Peter for sharing this.
    So I guess no matter what security application (AppGuard, Sandboxie, DefenseWall, Chrome, SBIE or whatever) I use, it's always Russian roulette to go on the internet.
    It doesn't matter if I now use Google Chrome or SBIE4 with configuration; it all depends on how many vulnerabilities my OS has.

    So, I have a question: how do those experts (http://labs.bromium.com/2013/07/23/a...s-perspective/) know that Google Chrome has a far superior implementation or whatever? Did they actually try to use a tightly configured SBIE3 or SBIE4 against Google Chrome to see what the results are going to be?
    I'm not talking about kernel exploits of any OS, but simply the ability to block malware (including kernel-level malware and exploits) that is trying to install on your computer.
    How do they know SBIE3 or SBIE4 is not better than Chrome, if Chrome cannot block installation of anything, while SBIE4 can? Plus, with that tight configuration, how can Chrome match this?
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi CWS

    If you are asking me, I don't know.

    Pete
     
  14. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    It is fully answered and fully explained on SBIE forums for both online banking and kernel exploits:
    Here are the answers on SBIE forums:
    http://www.sandboxie.com/phpbb/viewtopic.php?p=88252

    And the following is for online banking:
    http://www.sandboxie.com/phpbb/viewt...er=asc&start=0

    This explains it all.
    This settles the entire debate; let's see what Hungry Man and Windows Security have to say, whether they agree or disagree.
    It proves my point: tight configuration of the kernel is the key to solving kernel exploit problems.
     
  15. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    That's really not true. Have you ever asked yourself "Why didn't the Bromium guys take DefenseWall into the research paper?" And the answer is very interesting: some sandboxing solutions are more resistant to unknown kernel-level vulnerabilities by default than others. Guess which one?
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Ilya, they might not have used DefenseWall because it doesn't run on x64, or am I wrong now?

    Also, the security researcher I got my info from said nothing would stop an exploit if there was a flaw in some parts of the kernel.
     
  17. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    My point here is, the way I see it here and on the SBIE forums, I came to the conclusion that it all depends on how much you can configure SBIE or Google Chrome; this is where the real power/efficiency/security lies, and SBIE in this category has a huuuge advantage over Google Chrome.
     
    Last edited: Nov 8, 2013
  18. Jryder54

    Jryder54 Registered Member

    Joined:
    Sep 3, 2013
    Posts:
    212
    I am not saying you are right or wrong, I just find the logic of this statement flawed. If you are saying that because it is not included in the paper it must be more secure, then any sandboxes not tested would also be more secure. I don't see avast's or comodo's sandbox included; does that make them more resistant to kernel-level vulnerabilities? Again, I am not attacking DefenseWall as a product, or you as a person; it is a great piece of software, but unless I am reading it wrong, that is how you are implying the strength of it. Seems like kind of a leap of logic when there are no facts supporting your statement.
     
    Last edited: Nov 8, 2013
  19. Here you go :D

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    "1806"=dword:00000003
     
    Last edited by a moderator: Nov 9, 2013
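    As an added example (not code from the thread or from Kees), a PowerShell check that reads URL action 1806 for zone 3 from the policy key set by the .reg above and decodes the DWORD; the two HKCU paths are assumed to be the standard user-policy and per-user zone keys.

```powershell
# Added example, not code from the thread. Audits URL action 1806 ("Launching
# applications and unsafe files") for zone 3 (Internet) in the machine policy key
# set by the .reg above, plus the user policy and per-user keys (assumed standard paths).
$valueName = '1806'
# Meaning of the REG_DWORD for this URL action (3 is what the .reg above sets).
$meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$paths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
)
foreach ($p in $paths) {
    # Missing key or value just means "not set" here, not an error.
    $item = Get-ItemProperty -Path $p -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        "{0}`n    value {1} not set" -f $p, $valueName
        continue
    }
    $v = [int]$item.$valueName
    $label = if ($meaning.ContainsKey($v)) { $meaning[$v] } else { "unknown ($v)" }
    "{0}`n    value {1} = {2} ({3})" -f $p, $valueName, $v, $label
}
```

    The policy key (HKLM ... \Policies\...) wins over the per-user key when both are present, so a "Disable" there applies regardless of what the user's own zone settings say.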
  20. Sorry Pete, but I have to point out that . . .

    . . . so maybe you (Pete) could advise the security researcher on a career change?

    :D regards Kees
     
    Last edited by a moderator: Nov 9, 2013
  21. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288
    My thinking as a non-expert: what is more likely to emerge in the wild?

    - An exploit that affects Chrome, one of the most used browsers worldwide and so a desirable target?

    - An exploit that affects Chrome and also is able to bypass a well-configured Sandboxie?

    I think that the first is more likely, and so it's still a better option to keep Sandboxie together with Chrome.
     
    Last edited: Nov 9, 2013
  22. guest

    guest Guest

    Then if everyone starts to use Sandboxie?

    Alternatively, put Chrome under EMET's protection.
     
  23. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Based on what I'm reading around the 'net, exploit kits "fingerprint" a potential victim navigating to a compromised site; the kit identifies the browser being used, plugins and the O/S. Based on its findings it launches all exploits possible against what it identifies, but it seems that the focus is more on the browser and plugins (applications running on the O/S, no different than Linux actually) than anything else, including the O/S.

    Imho, scripting control is extremely important and of course keeping the browser and plugins, along with the O/S, up to date.

    For Windows users, I know so many hate .NET, but you need it for EMET, the latter of which should also be used - considered mandatory even - to harden the Internet-facing applications. This way, memory heap allocation of malicious shellcode is greatly minimized if a malicious script is mistakenly allowed. Zero-day exploits are less of a concern with this mitigation tool in place.
     
  24. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288
    Highly unlikely (and even more unlikely, would be everyone starting to use Sandboxie with a tighter configuration than the default one). Anyway that doesn't prove a point.

    Then if everyone starts to use Chrome under EMET's protection?

    Then if everyone starts to use __________? (fill with whatever you like).

    That's my opinion, so far.
     
  25. guest

    guest Guest

    It wouldn't matter much, because EMET prevents known exploit techniques from being effective at all.
     