Can we rely on virtualization software?

Discussion in 'sandboxing & virtualization' started by COMPYPY, Oct 19, 2011.

Thread Status:
Not open for further replies.
  1. wat0114

    wat0114 Guest

    I’ve no clue on how SB is programmed.

    Your points:

    1. Denying file access to the real system should mitigate this threat.
    2. Social engineering might prove successful here. If one denies all downloaded files execution this should help miitigate the threat.
    3. Deny Internet access for anything but trusted should work.

    Write access carries some danger but denying execution is even more important. I guess we might eventually see if exploiting SB proves to be routinely successful, especially if it becomes as popular as using antivirus.
    It's been quite a few years already since it's release and there's been only a small handful of proven ways to exploit it, all patched in a timely manner by tzuk, of course :)
     
  2. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    I agree because most average family pc users never even heard of sandboxie.Still its got to be a lot harder to create a malware to break out of a box and still function properly to infect the host.
     
    Last edited: Oct 22, 2011
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I don't think anyone has any clue how it's programmed. It's just kinda interesting that I see a lot of people make the comment that Sandboxie is programmed very well.

    1) Yup, it certainly would. But sometimes you need to or at the very least it makes things easy. Denying execution absolutely does make sense. If I allow Chrome access to my downloads folder but don't allow execution there I have no real problem. My only point was that it's access to the real file system and these are where holes start to form. Suddenly you aren't relying purely on sandboxie but you also have to default-deny that folder.

    2) It would certainly help but, again, social engineering.

    3) If it's socially engineered the user will bypass default deny to internet or any other thing. Default deny is a "yes or no" situation whereas sandboxie is a restricting situation. Once the user believes a file to be legitimate default deny starts to break down (not entirely though.) If a file only needs to run a single exe in your downloads folder at any integrity even sandboxed and all it requires is internet access your user is in danger. This is something sandboxie deos not protect a user against and imo it shoudln't even bother trying to.

    That's a situation to leave to other methods.

    Basically, sandboxie protects against malware that requires file system access or any privileges amazingly well. It's simple and effective.

    It isn't made to protect against social engineering malware (nor should it be imo) and we have no clue how exploitable the program is.
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    It depends. I'm sure there are program vulnerabilities with Sandboxie. There's going to be a fair bit of attack surface if you're running, say, a browser sandbox.

    You could potentially hijack the webbrowser, send it to some OpenGL site taht you have set up, and then potentially have access. This is of course a ridiculously vague example and probably wouldn't work but my point is that exploits will certainly exist.
     
  5. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Nah, smart super paranoids won't rely on scanners. They'll overwrite the entire drive, and maybe flash the BIOS.
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I wouldn't call being super paranoid smart >_>
     
  7. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    When I lived by myself I relied solely on virtualization software for quite a long time with no issues and no infections or anything. Now that i have other people flatting with me and sharing my network i've had to add a few more security layers in.
     
  8. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Hungry Man, not picking on you here, I just fail to understand a few things.

    1. why does it matter if you have the code or not? The majority of programs are closed source, at most exposing some public functions in the libraries. I would just as soon it stay closed source so that a cracker doesn't have easy access. Let them work at figuring it out IMO.

    2. Why would any program need what you call V&V? Do you really think it is unbiased always? Maybe some are, maybe some are not. It should not come as a surprise to anyone that you can most likely buy your way to a good score on a test. I am not saying to completely disregard some lab who tests things, but I am saying real world is as pertinent as the lab, and real world testers can easily know as much or more as the lab, and may even test more/better than some lab. Passing some labs test, if it is 100% unbiased, would be a good start, but also real world use and how it fares is equally important, at least in my experience. Norton scores tops in nearly every test, but IMO it has been nothing but vomit for a long time, although lately real world results seem to be more favorable.

    3. Exploitless to those using it is still exploitless, no matter if you think otherwise. The reason is simple enough. Every tool/program is exploitless until a hole is found. To say that it can never be exploited is not realistic, as all code can eventually be broken and a work around found. I think what those who say this about sandboxie mean is that they have not found an exploit yet that causes them to lose faith in it. The few stories we have heard of flaws have been fixed or are just limits to the program, to be dealt with. It is easy then to say it is near perfect because thus far it has been, although it may not always be.

    4. Well programmed. What does that mean exactly? Again, I don't think anyone needs the code to see if it is well programmed. Instead, judge the tree by the fruit it bears. It is lightweight. It is not buggy. It works, all the time, as expected, for most everyone. It installs and uninstalls. It just doesn't seem to fail. Sure, there will always be a version that is not up to snuff for some, but it is developed so rapidly that is not usually a concern. And there will always be a certian % of people who have issues, due to the vast amount of hardware and software configurations available. But, overall, almost all feedback I have ever seen on Sandboxie points to a very good fruit with very little rot. I would say that is good programming, even though I have not seen the code.

    I have tried lots of software over the years, as most of us have. We have all seen our share of crap-ware. Some products just choke. Sometimes it is because of our hardware or software or settings. Comodo is that for me, I simply don't like how my system feels with it on. ZoneAlarm is another. We can each most likely think many products we have tried that really sucked it up, either from being a hog or just not doing what it was supposed to do, or other things as well. We don't usually see the code, or if we did, how much we might even comprehend. I don't think Sandboxie is the only tool to use. I don't think Sandboxie is without flaw today nor will it be tommorrow. But I do think Sandboxie is doing what it claims very very well. And whether that is because of good code or bad, whether it has been approved by some lab, and whether or not massive exploits are found in the future, none of that matters. What matters is that right now it does something so well that many other tools pale in comparison.

    Sul.
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Security through obfuscation (closed source) is shown time and time again to not work. In cases like an Operating System like Windows you have entire teams dedicated to patch management/incident response. That is how they get away with it. Hackers will ALWAYS find exploits in any product of significant complexity. Sandboxie is significantly complex.

    As a security program it needs to be... well... secure. I do not care that the program CoreTemp is closed source - it's not a critical component to my system. Sandboxie is - especially if the topic is about relying on it - and therefor if it's exploitable I'm vulnerable.

    It's not what I call V&V it's what the industry calls V&V. It's not some catch phrase I pulled out... it's a very very well established method.

    No, it's not bias. All it does is show that the program does what it says it does and that it's written responsibly. This isn't a matter of "Scoring" there is no company out there performing V&V, it's a community matter. Anyone can score it themselves and anyone can make the conclusions. IT is incredibly important to have V&V if your product doesn't have proper incidence response.

    Again, it's not a lab. This isn't some matousec project or AV-Comapritives type thing. This is programmers looking over the code and saying

    There are multiple levels to this process.

    http://books.google.com/books?id=1g...&resnum=5&ved=0CDcQ6AEwBA#v=onepage&q&f=false

    I obviously can not show you the entire book lol

    Yes, of course. It's exploitless because no one's looking. That's fair. Security throguh obscurity while a bit silly is still technically security. The problem is the second anyone looks at it they might find some gaping holes.

    No, saying that we haven't found exploits does not mean that the program is near flawless. At all.

    That's what V&V is for. Exploit history or lack there of is not necessarily an indication of strong programming.

    It may very well be near perfect. It may very well not be. Looking at the fact that no one's found too many exploits does not mean in any way that exploits won't be found.

    I know that may not sound quite right but that's just how it is. It's why V&V exists. IT has to exist because these things have been proven time and time again.

    Aren't you a programmer? You know there are a million and one ways to accomplish any simple task. Imagine how many different approaches there are to creating a program like Sandboxie. There is no way to look at the end result and try to imagine every way it was coded. IF we could do that any close source project could be easily reverse engineered.

    Yes, you can find API calls etc and I bet you could recreate Sandboxie to an extent but I bet if you took one single programmer and told him to look at sandboxie and recreate every line of code (excluding comments! lol) they wouldn't get anywhere near it.

    Looking at the post-compiled product to guess at the pre-compiled code isn't a great way to look at it.

    I would say it's a good program too. I've seen some of the things Tzuk has said and I legitimately believe that he's very competent - I'd bet he knows way more than I do about anything I've said in this post.

    That doesn't really change anything. Closed source + no incidence response would not mix well with a large userbase. In the hypothetical situation I posed I do not believe that Sandboxie could do well.
     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I agree that Sandboxie does what it claims very well.

    I personally will rely entirely on it when I can.

    I also agree that the future doesn't matter. I doubt Sandboxie will be holding serious market share anytime in the near future and so I don't mind relying on it.

    My only point is that if it were to hold significant market share the fact that it's closed source and has no serious incidence response team and that's a bad recipe when you mix it with a lot of users.


    EDIT: It would be pretty cool if Tzuk chimed in actually =p

    Just to be clear (and to say once again) I love Sandboxie. I think Tzuk is intelligent. I think the product has the best approach to security - far beyond anything else on the Windows market.
     
    Last edited: Oct 22, 2011
  11. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    So, security through obscurity would be a closed source program? I admit, you have me scratching my head vigorously with that. Or do you mean something else with obfuscation? To me obfuscation and obfuscated mean hiding, as when you obfuscate your code so that if it is REd it is, well, gibberish that takes a lot of effort to decode. I assume you mean security through obscurity, where sandboxie, being little known, aka obscure, would do well because it is beneath the radar so to speak. Regardless, I had never looked at closed source (the majority of software AFAIK) as making something obscure.


    Hmm. I have never seen this V&V before. Never heard of it actually. A quick look at it makes me think of iso9001 products, which have a super low failure/defective rate, like for medical equipment. A quick google turns nothing up for searches like "security software that passes Validation & Verification". Actually, I cannot even recall seeing this on any product. Surely it would be advertised, much like the iso9001 is. Is this just something used in other arenas that the prim and proper think should be used in software? I get the purpose, I just don't see it being used, at least not plastered on product advertising anyway, which I would think it would be.

    So, I assume you really do mean obscurity. Why do you comment though at first about obbuscation and closed source in the same manner? Just curious.

    Again, not refuting that V&V can determine some level of consistency or even validity to claims, but what do you call any application that does not currently have known exploits? Mind you, not exploits that have been fixed, as they no longer exist (or should not), and not things the program does not cover (like the clipboard part of sandboxie). If no exploit is known, would you say there are no exploits? You have to look at that from the viewpoint though that EVERY program has exploits, so technically NONE of them are ever exploit free, more like currently exploit-less. And that is what sandboxie seems to me right now. Flawless in the current state, the same as many other programs are for now, until one day a cracker figures out where a hole exists. I can certainly agree that sandboxie does have an exploit(s), just that here have been precious few and they have been fixed AFAIK.

    I would be very interested to see just how many programs (or operating systems) pass some type of V&V. You would think you could find that easily, but mr. google sure didn't want to reveal anything to me anyway ;)

    Yes, I program as my hobby. Yes, there are usually more than one way to write code to perform the application task, although there is not always more than one way to perform specific functions.

    There are only so many functions and methods at your disposal. And only so many of those deal with specific areas, like token manipulation or even disk read/write activities. To say there are many ways to do things is only partially true. There are actually a limited number of ways you might approach things within the world of windows, because there are only so many methods exposed. So, while my end result might not look like Tzuks, I would imagine that many of my functions would be using the same code he did, because there are only so many ways. In no way would it be like Tzuks, because in writing the application the variables are large, only the specific functions would be similar, and some identical if there was only one exposed method to acheive the task.

    I can see your point in certain cases though, because while there may be limited methods to achieve a task, some of the methods could be older, and not as robust in terms of security. It would all depend on the task. In that case, validating that sandboxie used the best method available would give you an idea of whether it would stand up against exploits known to be available against older/other methods.



    lol, maybe I am a slow learner here, but just how do you plan on looking at your executables and dependencies? I have never looked at the code before deciding if a program is good or not. I have before compiling code or before executing scripts. Do you ever get to look at software you did not write pre-compile time? I don't know anyone who has.

    You have mentioned many times about large scale use. I don't know how that really fits into your views on things, but it isn't something I have been including into any of my thoughts on sandboxie. I know it isn't large scale. While I have bought a few copies, and I really wish Tzuk would become very compensated for his briliant creation, also don't really want to see it go mainstream. I know there is a cracker sitting somewhere who will find a hole, as they do in everything. I don't worry that it could not be patched, but I worry more that mainstream would kill the way it is now, in the sense that it would become more than a one man show, or Tzuk would sell it to the Symantec Regime, or that he would just call it quits. It is such a behaved and obedient tool that I hate to think of it becoming a "suite" like so many other great programs have.

    Very interesting stuff Hungry Man.

    Sul.
     
  12. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Security through obscurity: A not often used program
    Linux uses security through obscurity

    Security through obfuscation: Closed source
    Linux does not use security through obfuscation.

    I'll respond to the rest of your post in a sec.
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    How many security softwares do you know that are open source? Other than clam AV?

    And the idea of V&V isn't "Ok we'll get together and write up a document showing the issues." It's the fact that a community can go through the code and

    See that little IEEE-STD-610? That's because it's a standard. It's a known methodology.

    It's a type of quality control. It's not a requirement for software to undergo it, of course.

    Come on man lol

    http://encyclopedia2.thefreedictionary.com/Security through obfuscation
    http://en.wikipedia.org/wiki/Security_through_obscurity

    I think technically obfuscated code falls under obscurity but I prefer to make a distinction for clarity's sake.

    If literally the only thing I knew about an OS/application was that someone said "It has no known exploits" and I HAD to say whether or not I considered it secure or insecure I'd say it was secure. The fact is that that is not nearly enough information for me to actually say whether something is secure.

    As for operating systems passing V&V
    http://www.crazytrain.com/monkeyboy/SmartLinuxIVV.pdf
    http://ojs.academypublisher.com/index.php/jnw/article/viewFile/0409819836/1382

    V&V is just a methodology for verifying a program is up to snuff. It does not have to be published. It does not have to be done by a group (though I believe there are dedicated groups.)

    I'd be very interested to see how many programs pass a public V&V as well. The fact that most programs are closed source means that if any V&V is going on it's on the dev side and IMO that's not nearly as useful.


    Yes, we agree here. There are of course limitations for certain actions. But my point is that for something more complex there are often many ways to go about it and your code will likely have different bugs/exploits. On the user end they might look the same and they might function very much the same but they'll also probably have different bugs/exploits.

    Oh, you misunderstood. I don't' mean you get to look at the software. I mean you can monitor the software and see what it's doing and then try to guess at how it's coded based on that.

    And I entirely agree. This is purely in my hypothetical world where Sandboxie is magically on the majority of PC's and malware creators have no choice but to look at it.
     
  14. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Umm, don't follow you here. I was saying the same, that most softwares are closed source. At least that is what I was intending.

    I understand a bit better what you mean by V&V now, as a production tool not so much as an qualification meant to give your product a better rating, as like iso ratings do.


    Interesting, you are using obfuscate and obscure like that. By the definitions below:

    Obfuscate
    Render obscure, unclear, or unintelligible.
    Bewilder (someone).

    Obscure
    The state of being unknown, inconspicuous, or unimportant

    I have always used obscure as the unknown, and obfuscate to make something obscure.

    Your use like this
    had me wondering what you meant. You know, like did you mean closed source would imply security through obscurity, or did you mean to use obfuscation, like if something was closed source, it made it obscure. Just didn't make sense to me.

    Yeah, this seems to make sense. I could see the use for that, just never knew they did that.

    Well, I guess I learned my new thing for the day - V&V. Don't know what good it is to the end user unless they actually give some data on it. I mean, it could be V&V super duper, or V&V crapola, and it would not make any difference to us if they don't publish it. How would it make any difference to you if you cannot even find out if it has gone through such a thing? And would you really make your decisions based on it if it still worked but was deemed immature in V&V?

    Sul.
     
  15. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Right, now you get me.

    Obfuscated = you can't see the code or part of the code.
    Obscure = IT isn't used often. It's a rarely seen program/ technique.

    That's what I mean. I think you get that now though. I should have been clearer on that point because I think most people actually consider them a lot more similar and I'm possibly wrong. But that's what I mean.

    If V&V happens and it's found that the program doesn't do what it says it does it's basically malware at that point or a failed project. Either way, the end user doesn't really need to see the end results.

    If V&V happens and it's found that the program does work then there's not much to say.

    I've only just touched on myself V&V and I personally don't know enough about it to go into detail.

    If Sandboxie were open sourced and failed a community based vetting via some type of V&V methodology I would consider the program unfit. It either fails to do what it says it does (I don't think we need to source code to agree on this much), does something more than it says it does (I don't believe it does), or it is written in a way that just isn't up to snuff.

    A program like a browser or sandboxie would have different requirements than say some application that does a simple function, doesn't connect to the internet, etc.

    I wouldn't want to say more on V&V because I'm still learning. It is fairly well known though and it is a standardized method.
     
  16. wat0114

    wat0114 Guest

    Regarding V&V, I'm hard pressed to find anything security-related in my brief Google search on it.

    In wikipedia the main points are:

    • Validation checks that the product design satisfies or fits the intended usage (high-level checking) — i.e., you built the right product. This is done through dynamic testing and other forms of review.
    • In other words, validation ensures that the product actually meets the user's needs, and that the specifications were correct in the first place, while verification is ensuring that the product has been built according to the requirements and design specifications. Validation ensures that ‘you built the right thing’. Verification ensures that ‘you built it right’. Validation confirms that the product, as provided, will fulfill its intended use.

    Then there is Software Verification and Validation: An Overview

    This goes into a lot more detail but, again, I'm hard pressed to find anything that places anything of importance on the secure nature of a product against possible attempted exploits.

    We can quite safely assume (I hate to use that word :ouch: ) that Microsoft has a sort of V&V in place that puts their products, especially the O/S, through rigorous testing to ensure it does everything it's supposed to do without breaking (yeah, we know it still does sometimes) and, let's face it, we're talking about an incredibly complex product, far more so than even the inimitable Sandboxie ;) that has to function on myriad hardware configurations, no small feat to be sure, yet exploits are uncovered and patched on pretty much a monthly basis.

    So even if Sandboxie or any other security-related software were to pass a rigorous V&V test with flying colours, I seriously doubt that ensures an in-exploitable product; it just means the product is built according to design specifications and requirements and will perform its functions exactly as intended.
     
  17. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yes, we can assume that about Microsoft. Absolutely.

    No, definitely not in-exploitable. But it at least means that it was built according to some standards.

    Thanks for the links.

    And yes, there's definitely a security nature to V&V when you're talking about a security product.
     
  18. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    To be clearer you can have V&V on any product. It just works better or is at least easier/more common for an open source product.

    You can V&V Sandboxie but without the source code it's not the same story.

    I'll talk more about V&V tomorrow maybe.

    It wasn't really the main point I was trying to make about sandboxie lol the main point I was trying to make is that Closed Source software (which doesn't lend itself nearly as much to V&V) gives literally no hint as to whether or not it's secure. People often say "Oh sandboxie is programmed well and it's very secure" but we have literally no way to tell without seeing the code.

    Interesting that the V&V bit is what kept getting brought up lol
     
    Last edited: Oct 23, 2011
  19. wat0114

    wat0114 Guest

    I would add, however, that a thorough V&V on a product would likely reduce to some extent the possibility of it being exploited, since a well coded product is not going to contain the bugs, or at least it will have fewer bugs, that could otherwise potentially fascillitate the chance of malware exploiting it.

    It's the security buzz acronym of the day :D
     
  20. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I'm going to have to read more and get back to this.

    I don't think it's as simple as bugs = exploits and that thereby falling under quality assurance.

    I'm thinking either quality assurance has to have some kind of security standard, though I'm not really thinking this is likely... or...

    that this has to do with patch management/ incidence response...

    or something else that I'm also not sure about.

    Like I said I'll have to read up aka ask my security researcher friend who hopefully won't read this since it'll just be embarrassing how little I know >_>
     
  21. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Yes. Me too. What I found said this...
     
  22. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Like I said, I'll get into the security aspects tomorrow when I hopefully understand them better.

    There is definitely a relationship between security and V&V.
     
  23. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I'm actually a lot more interested in this topic than V&V though. I'd rather make a separate topic about it when I get the chance and we can keep this one about virtualization specifically and not just Sandboxie as a program in general.
     
  24. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,614
    Location:
    Milan and Seoul
    I completely agree with this statement. Since joining Wilders back in 2005 I have used ShadowUser, DeepFreeze, Shadow Defender, and Sandboxie. They have never ever been breached by anything, and even though I don't test malware, in my job I have encountered hundreds of infected USB flash drives without ever affecting my machines. I only hope they don't become too popular, malware writers might start writing code to break them.
     
  25. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    There are such people, in fact they're smarter than the average person (although too suspecting of others).
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.