Application Sandboxes: A pen-tester’s perspective

Discussion in 'sandboxing & virtualization' started by BoerenkoolMetWorst, Jul 25, 2013.

Thread Status:
Not open for further replies.
  1. guest

    guest Guest

    The problem is not about what Chrome can't do. The problem is if AppGuard will interrupt Chrome to be fully functional in making use of its own security mechanism. See the links about RunSafer here:

     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Appguard and Run Safer are nothing alike. Run Safer uses windows privileges to accomplislh what it does. Appguard doesn't.

    Pete
     
  3. Jryder54

    Jryder54 Registered Member

    Joined:
    Sep 3, 2013
    Posts:
    214
    I am confused are we talking about Appguard or OA. Runsafer=Online Armor. Like Peter2150 said they are different things.
     
  4. guest

    guest Guest

    Aaaarrgh... is my grammar so broken which makes people keep misunderstanding what I'm saying? :ouch:

    I'm not comparing AppGuard with RunSafer. I just pointed out that RunSafer could break some programs from making use of their built-in security mechanism properly. Thus, I wonder if AppGuard will break Chrome or other software as well. The reason why I included links about RunSafer is because they're the most valid examples I could find. The key is if the security products will break Chrome or IE or Adobe Reader or whatever from doing their jobs to protect the users' computers.

    EDIT: Anyway, this is getting OT. I'll just try to get myself some info about AppGuard so I can decide if it will be redundant when used in conjunction with Chrome's sandbox and just weakens it instead.
     
    Last edited by a moderator: Nov 10, 2013
  5. Jryder54

    Jryder54 Registered Member

    Joined:
    Sep 3, 2013
    Posts:
    214
    O I see now. You could ask on the appguard 4 forum here. I don't know the answer. I don't think it does IMO.
     
  6. Jryder54

    Jryder54 Registered Member

    Joined:
    Sep 3, 2013
    Posts:
    214
    Last edited: Nov 10, 2013
  7. Can an additional security software layer stop kernel exploits of the OS which the security software itself is also using as foundation. Answer is simple no, that is impossible!

    Can security software reduce the exploitability of an kernel bug (meaning the bug can be used in a predictable manner): Yes putting extra locks and bolts on the chain/flow of event of the average intrusion and reducing attack surface complicates the predictability of a kernel bug used by malware.

    So the answer this statement
    To stop kernel exploits: NO
    To stop java exploits: YES
    To reduce the chance of predictable outcome (exploitability of a kernel bug): Possibly yes, with a downfall. Adding code also adds complexity and increases the chance of two security mechanisms reducing each others effectiveness.

    The pen-tester's perspective claim that an out of the box configuration of Dell, BufferZone and Sandboxie indicate that the latter is the case (reducing Chrome's sandbox effectiveness when it comes down to kernel exploits).

    No one of us can proof that a well configured' "security program A" is able to stop kernel exploits as well no one can proof with a "real life exploit" that using two sandboxes reduces security. As said earlier: when it feels better to use software A on top of a build-in sandbox, feel free nobody has proven your wrong with real life exploits yet.

    But please don't claim that "a properly configured bla bla" can stop kernel exploits: this is simply impossible for any software running on the same OS instance of which the kernel is exploited.
     
    Last edited by a moderator: Nov 10, 2013
  8. guest

    guest Guest

    This makes me think: securing Windows is really not sensible at all. All we can do is creating barriers on the user space level. But once the core of Windows itself has been compromised by a direct attack, all your plans are failed in an instant. It's like wearing a suite of thick armor while leaving your head exposed.
     
  9. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Which is why you have to keep updating the kernel. :)

    In all seriousness though, the situation is IMO not that bad on modern, supported OSes. I was doing some penetration testing on an up to date Windows 7 VM earlier, and damned if I could get any exploits to work at all. Even on the XP VM I posted about, I was mostly relying on exploits in out of date userspace applications. If I'd updated the VM I might not have gotten anywhere.

    Updates are not the be all and end all of kernel security. (If you need proof of that, look up the number of exploits found per year in Linux vs. FreeBSD.) But they are really, really important.
     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Remember that, while you can't really do much *yourself* for Windows kernel vulnerabilities, there are people at Microsoft doing a lot of work to make the Windows kernel more secure. That's why it's important to move from a system like XP where *no one* is doing work to make the kernel secure.
     
  11. Good explanation, no security is 100%, but when attacked with arrows I prefer to have an armor suite over adam's costume, I could allways roll in a curl (head down) to minimise the attack surface :argh:

    In another thread I could 'proof' with a calculation that by allowing only javascript from NL and COM domains, using Chrome's safe browsing and a third pary URL/reputation filter (e.g. Avast or Bitdefender), the chances of getting infected were lower than dying within a year (I am 55) using Dutch mortality tables. Same with driving a car, taking an airplane. Risks are part of our life.
     

  12. This. If your running XP then upgrade to at least 7 which is still being working on and getting security patches.
     
  13. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    I'm using a Windows XP from the very first day, and I have never ever seen my computer being hijacked by any kernel exploit just for the note.
    What I think is that you and WS are making an hyper-over-hype; no offense, but after such great experience with windows xp in my hands there is no way anyone would ever convince me to move towards to windows 7 or 8, exactly because of the above mentioned reasons.
    And all that time I've been using SBIE (and many times even without SBIE) and my router firewall tweaked on maximum level plus windows xp firewall tweaked on maximum level, sure I was infected a several times-but that was when I was a rookie, after gaining some experience there is no way anyone could be making a fun of me and my computer.
    I even visited websites that are considered dangerous for visiting, and yet nothing happened-if you know what to do and what NOT to do.

    I've been using Chrome on windows xp as well-nothing was ever breached-again where are the real-world evidences of the hyper-over-hype statements?
    Sorry, there are no evidences in my backyard-I'm a windows xp veteran, so I know exactly what I'm talking about.
    Also, most people inside their homes and on their jobs (almost every single one of them) in my country still use windows xp on their jobs and inside their homes-and why should they mitigate to windows 7 or windows 8?
     
    Last edited: Nov 11, 2013
  14. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    But every time new exploit/vulnerability comes out, it can't be configured to block access to that vulnerability, hacker would again have to look for the new loophole in Windows.
    And also it has to be mentioned these are POCs, how many of them each year become real in the real-world scenario?
    None, a very few...?
    Question what url filter uses BitDefender?
     
  15. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Actually, I remember several times when something wanted to download on my computer without me even knowing it, since you have to use Public fox with a password it asked me password to download it, since I have never seen what exactly was trying to download itself, I clicked cancel and than the download was blocked-so Public Fox is a very useful extension.
     
  16. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    What part of the statement is incorrect, exactly?
    The one where I mention that with enough tight configuration you can protect yourself from every hole/vulnerability, if you vlock access to all those operation system holes/vulnerabilities?

    And those API vulnerabilities; couldn't they just be configured to block access to all API who are vulnerable and where the holes are?

    Of all the 3 security software-AppGuard, Sandboxie, DefenseWall, AppGuard seems to be the most effective and the most universal and the strongest of everything I've seen so far.
    And this is my answer why I don't consider worth mitigating into windows 7 or 8:
    https://www.wilderssecurity.com/showpost.php?p=2304344&postcount=213
     
    Last edited: Nov 11, 2013
  17. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Than what is the issue between Google Chrome and AppGuard?
    And how exactly strong is AppGuard according to your experience and knowledge?
    To me it seems to be the strongest and the most effective, the most detailed and the most universal application on the market today.
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Easy one first. I don't know if there is any issue between Appguard and Chrome, I've never tested Chrome, nor will I. Reason is simple, there are some companies whose software will never see my machine.

    How strong is appguard. Simple, I've tested it's protection and it does what it says.

    Pete
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Yes, that is what is incorrect. You have blocked access to the kernel files in Sandboxie. Won't help, access isn't needed. Appguard blocks memory read write. Also won't help, memory read write isn't needed.

    Simple answer is no. How are they supposed to know who to block? For example the API the checks for a partition table, which every imaging software needs to use. How would it know which is good or bad?

    I would say Appguard, and Sanboxie are equally strong, just do things differently. Defensewall needs to got on board with x64 to be considered at this point.

    I would have said the same thing until hardware failure gave me no choice. I had a choice of OS on my new machine and went with Win 7x64. Now I wish there was an easy way to bring my other systems to Win 7. I am loving it.

    Pete
     
  20. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    What exactly is AppGuard? If it's what I think (i.e. executable whitelisting) then no, it's not nearly as strong as Sandboxie. Or any properly configured HIPS for that matter.

    Edit: N/M, Appguard is a sandbox of some sort. Oh. Must test.
     
  21. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    I wonder if the reason are their politics?
    Bad experience with Google Chrome?
     
  22. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    But how do you know that's the case, and the key problem is this is all POC-it's merely hypothetical. This is like abstract mathematics which I study. There is barely (less than 1%) in abstract mathematics that can be used in a real world and in experiments.

    How it's not possible to enable all of this you mentioned you still need configuration to enable all this with API, and if you can configure to do all this, than you can configure it to block access or to close the hole as well-if you know what to configure.
     
    Last edited: Nov 11, 2013
  23. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,391
    Location:
    Canada
    :thumb:

    Why so few mention the virtues of scripting control astounds me.
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Sigh. I give up. Let me restate it very simply.

    In terms of the attack type in this POC, It is game over, perioid end of discussion.

    Pete
     
  25. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Like I said the POC exists only in hypothesis/theory, it is not real, that did not answer my question.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.