Application Sandboxes: A pen-tester’s perspective

Discussion in 'sandboxing & virtualization' started by BoerenkoolMetWorst, Jul 25, 2013.

Thread Status:
Not open for further replies.
  1. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Thanks anyway.
    The problem with kernel flaws is that when let's say AppGuard protect against a number of them, however it happens that exploit happens to open kernel level something that even AppGuard cannot protect against?

    Also, I'm very much surprised by this test it says that Google Chrome by far beats all other sandboxies even SBIE4-even if we talk about tightly configured SBIE4?
    WS (WS=Windows Security) explained why is that a case above to me.

    And yes I do use Firefox newest version with NoScript, AdBlock plus but I also do recommend Public Fox which blocks unwanted downloads from everywhere on the net, click * to block all downloads and also you can use password protection for this.
    This is what Google Chrome actually needs something similar.
     
  2. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,320
    Location:
    Canada
    Chrome does have native built-in scripting control already, and recently a pretty decent extension for this which utilizes the functionality:

    -https://chrome.google.com/webstore/detail/script-defender/celgmkbkgakmkfboolifhbllkfiepcae
     
  3. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Forget about Script Defender it's a naked version of ScriptSafe, ScriptSafe is much better than Script Defender, however it still does not block downloads.
     
  4. guest

    guest Guest

    The download link provided by Kees-sensei (Windows_Security) works fine. I can download it. o_O

    TBH, I found it works better than ScriptSafe if we're only talking about javascript/plugin blocking.
     
  5. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,320
    Location:
    Canada
    Agreed 100%

    *EDIT*

    Sure it does, if we're talking about compromised websites injected with malicious code. ScriptDefender will block the script-initiated download as long as the user doesn't allow it.
     
    Last edited: Nov 5, 2013
  6. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Sure but I'll rather have something that blocks downloads in the first place, something like in SBIE, Publicfox is the closest to this approach, Chrome needs something like this. Publicfox will also block all the downloads (including all the exploits, exploits need to be downloaded first) from Malware domain list and similar, because every single download requires password to allow to be downloaded.
     
  7. Keter

    Keter Registered Member

    Joined:
    Nov 5, 2013
    Posts:
    12
    Location:
    USA
    My opinion: no system can be 100% exploit proof. Sandboxes are one way to make a system less vulnerable to exploitation; they aren't a silver bullet, but they are useful.

    Chances are, you will not run across any NSA-developed kernel exploits in your journey through the web. 95% of what you run into will be far more mundane than that. Sandboxie will do well to protect against those.
     
  8. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,003
    Except for Windows itself... :)
     
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,735
    Location:
    U.S.A. (South)
    Finally got it, thanks.
     
  10. Keter

    Keter Registered Member

    Joined:
    Nov 5, 2013
    Posts:
    12
    Location:
    USA
    I see your point. It's impossible to know for sure whether Windows was rooted or not. However, I don't think it's likely. This kind of activity could easily be detected over Wireshark, and there are many eyes on Windows since it is the most used operating system family. If there was a Windows backdoor, presumably it would be discovered sooner or later and could very well put an end to Microsoft. Microsoft relies on its enterprise clients, and they would leave in droves if a Windows backdoor was discovered. It would be an absolute disaster for them. So, while I think Microsoft will give the NSA advanced warning about newly discovered exploits, I don't think that Windows is backdoored.
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Getting back to the original point of this thread, several people were aware I was going to ask the Blue Ridge (Appguard) folks about this.

    I have heard back and the answer was essentially the same as Tzuk's answer on the sandboxie forum. That is if there is a weakness in the kernel, or critical window API's then if they are exploited no security software can protect you. Their security expert even went on to say, if the OS Hyperviser has a flaw then it may even be possibe that virtual machines won't help either.

    What this tells me is 3 things.

    1. So far it is POC, hopefully it will stay that way.

    2. The best defense is to keep the OS patched.

    3. Good images of the system to recover.

    Pete
     
  12. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Thanks Peter for sharing this.
    So I guess no matter what security application (AppGuard, Sandboxie, DefenseWall, Chrome, SBIE or whatever) I use it's always a russian roulette to go to the internet.
    It doesn't matter if I know use Google Chrome or SBIE4 with configuration-it all depends how many vulnerablities my OS has.

    So I guess no matter what security application (AppGuard, Sandboxie, DefenseWall, Chrome, SBIE or whatever) I use it's always a russian roulette to go to the internet.
    It doesn't matter if I know use Google Chrome or SBIE4 with configuration-it all depends how many vulnerablities my OS has.

    So, I have a question how do those experts (http://labs.bromium.com/2013/07/23/a...s-perspective/) know that Google Chrome has far superior implementation or whatever, did they actually try to use tightly configured SBIE3 or SBIE4 against Google Chrome to see what the results are going to be?
    I'm not talking about kernel-exploits of any OS, but simply blocking ability of malware (including kernel-level malware, exploits) that is trying to install on your computer?
    How do they know SBIE3 or SBIE4 is not better than Chrome, if Chrome cannot block installation of anything, while SBIE4 can plus with that tight configuration how can Chrome match this?
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi CWS

    If you are asking me, I don't know.

    Pete
     
  14. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    It is fully answered and fully explained on SBIE forums for both online banking and kernel exploits:
    Here are the answers on SBIE forums:
    http://www.sandboxie.com/phpbb/viewtopic.php?p=88252

    And the following is for online banking:
    http://www.sandboxie.com/phpbb/viewt...er=asc&start=0

    This explains it all.
    This settles entire debate, let's see what Hungry Man and Windows Security have to say, if they agree/disagree.
    It proves my point: tight configuration of kernel is the key to solve kernel exploits problems.
     
  15. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    That's really not true. Have you ever asked yourself "Why Bromium guys didn't take DefenseWall into the research paper"? And the answer is very interesting- some sandboxing solutions are more resistant to unknown kernel-level vulnerabilities by default the others. Guess which one?
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Ilya, they might not have used defense wall, because it doesn't run on x64 or am I wrong now.

    Also the security reascher I got my info from said nothing would stop an exploit if there was a flaw in some parts of the kernel.
     
  17. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    My point here is; the way I see it here and on SBIE forums, I came to the conclusion; it all depends how much you can configure SBIE or Google Chrome-this is where the real power/efficiency/security lies; and SBIE in this category has huuuge advantage over Google Chrome.
     
    Last edited: Nov 8, 2013
  18. Jryder54

    Jryder54 Registered Member

    Joined:
    Sep 3, 2013
    Posts:
    214
    I am not saying you are right or wrong, I just find the logic of this statement is flawed. If you are saying because it is not included in the paper than it must be more secure, then any sandboxes not tested are would also be more secure. I don't see avast's or comodo's sandbox included, does that make it more resistant to kernel-level vulnerabilities ? Again I am not attacking defensewall as a product, or you as person, it is a great piece of software but unless I am reading it wrong that is how you are implying the strength of it. Seems like kind of a leap of logic when there are no facts supporting your statement.
     
    Last edited: Nov 8, 2013
  19. Here you go :D

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    "1806"=dword:00000003
     

    Attached Files:

    Last edited by a moderator: Nov 9, 2013
  20. Sorry Pete, but I have to point out that . . .

    . . . so maybe you (Pete) could advice the security researcher a career change?

    :D regards Kees
     
    Last edited by a moderator: Nov 9, 2013
  21. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288
    My thinking as a non-expert: what is more likely to emerge in the wild?

    - A exploit that affects Chrome, one of the most used browsers worldwide and so a desirable target?

    - A exploit that affects Chrome and also is able to bypass a well configured Sandboxie?

    I think that the first is more likely, and so it's still a better option to keep Sandboxie together with Chrome.
     
    Last edited: Nov 9, 2013
  22. guest

    guest Guest

    Then if everyone starts to use Sandboxie?

    Alternatively, put Chrome under EMET's protection.
     
  23. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,320
    Location:
    Canada
    Based on what I'm reading around the 'net, exploit kits "fingerprint" a potential victim navigating to a compromised site; the kit identifies the browser being used, plugins and the O/S. Based on its findings it launches all exploits possible against what it identifies, but it seems that the focus is more on the browser and plugins (applications running on the O/S, no different than Linux actually) than anything else, including the O/S.

    Imho, scripting control is extremely important and of course keeping the browser and plugins, along with the O/S, up to date.

    For Windows users, I know so many hate .NET, but you need it for EMET, the latter of which should also be used - considered mandatory even - to harden the Internet facing applications. This way memory heap allocation of malicious shellcode is greatly minimized if a malicious script is mistakenly allowed. Zero day exploits are less of a concern with this mitigation tool in place.
     
  24. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288
    Highly unlikely (and even more unlikely, would be everyone starting to use Sandboxie with a tighter configuration than the default one). Anyway that doesn't prove a point.

    Then if everyone starts to use Chrome under EMET's protection?

    Then if everyone starts to use __________? (fill with whatever you like).

    That's my opinion, so far.
     
  25. guest

    guest Guest

    It wouldn't matter much because EMET prevents known exploit techniques to be effective at all.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.