Discussion in 'sandboxing & virtualization' started by Overkill, Jun 25, 2015.
There are Chrome-only exploits
Only exploits with a release date the same as the new Chrome version's, most of them published by Chrome as well, so non-existent in the wild.
From what I've read, you don't have to use a kernel exploit to bypass Chrome's sandbox. So this means that if Chrome is hacked by a browser-specific exploit, you would still be safe when running SBIE on top, because it will contain the payload. Of course, most of the time, hackers will use a browser + kernel exploit, because it's way easier to bypass the sandbox this way, including SBIE.
On the other hand, even when malware is launched via a kernel exploit, it will probably still have to target SBIE to get full control. So it will have to disable its driver and remove the user-mode hook. This is not difficult with system privileges, but not all payloads will try to disable security tools. So there is a chance that SBIE will still interfere with the actions of certain payloads.
A bit off-topic, but does AppContainer benefit Chrome in any way? As in the "Windows 8 Mode" (which for some reason I don't see).
You certainly know more about this stuff than most of us. However, let's not forget that it's the target process which is sandboxed. The broker process is not. In your article about Chrome's Linux sandbox you wrote:
If you're suggesting AppArmor to restrict the broker process (an alternative would be Firejail, I guess) - wouldn't this also apply to Windows by using Sandboxie? The sandbox FAQ says:
So it's easier to write and analyze a correct IPC mechanism - but does that mean that IPC is invulnerable? I don't know if there have been such vulnerabilities in the past, though.
Somewhat, yes. The differences are:
1) AppArmor doesn't interact at all with the application it sandboxes, so there's no increase in attack surface from within a sandboxed process.
2) AppArmor and Chrome's sandbox work through different mechanisms, contrary to Windows, where Sandboxie and Chrome's sandboxes work in mostly the same way.
That said, the easiest attack is still the kernel, which will still bypass both, which is why focusing on areas other than sandboxing is a good idea when looking to secure Chrome.
No, it's not invulnerable, and I believe at least one Linux-specific vulnerability abused the IPC mechanism.
So what about AppContainer?
I see. Thanks for answering my questions!
AppContainer on the broker could be interesting, but for renderer processes it would likely be useless, unless it provides anything over an untrusted process, which, as far as I know, it does not. I'm not entirely sure on that, though; I've never put time into figuring out the internals of AppContainer.
Again, explain what increased attack surface means. Please explain: if I have AppGuard, Avira Antivirus Free, HMPA, HitmanPro, Malwarebytes Anti-Malware or Emsisoft Internet Security on my computer, you would say that each and every one of these security options simply increases attack surface?
I'm sorry, but that's total rubbish. Name the one computer which can survive long without being infected just because it uses none of those security options, since each and every one of them increases attack surface. That's the stupidest and most naive reason I have come across so far, not to mention that increased attack surface is merely a hypothesis, and obviously a completely wrong hypothesis.
According to you, Hungry Man, no one should have anything on the computer to protect themselves, just to have a decreased attack surface. The same thing goes with the Chrome and Sandboxie issue: yes, the only reason why they shouldn't be allowed to run (Sandboxie on top of Chrome) is because we are talking about two sandboxes. It's simply wrong to run a sandbox inside a sandbox; it's much like having an antivirus inside another antivirus, and you know damn well what happens when you run two antiviruses on the same computer.
Yes, if there is a browser exploit, it will bypass the browser itself; however, it will be protected by Chrome's sandbox. However, if this same browser exploit also breaks Chrome's own sandbox and you run Sandboxie on top of Chrome, that browser exploit will still be contained and protected by Sandboxie, which is running on top of Chrome's sandbox. That is the truth.
Yes, indeed. There have been numerous examples in the past.
The one computer? Must be mine. Ah, no - the computers of several friends of mine, too. Just by applying basic security strategies like implementing SRP. No AV, anti-malware - and no infections ...
HM explained why. Because they are both using the same mechanisms. Thus, if malware breaks one sandbox it most probably also breaks the other.
And as a general remark: Before you think that HM is talking nonsense you should really read the many posts in his blog. After doing this you will probably realize that it's a bit adventurous to think that he knows less about security than you do.
I agree with that. Using OS built-in security features with patching and safe computing habits should prevent most ordinary security incidents. Reducing attack surface is IMO a good security strategy, and using no 3rd-party real-time security apps will surely reduce this.
Summerheat, malware doesn't have to break the Chrome sandbox for the user to get infected.
Sandboxie also protects the user when landing on webpages that automatically download malware without the user clicking anywhere.
Sandboxie and Chrome do not use the same mechanism.
This is a matter of course. If you download an executable and start it, we're no longer talking about Chrome but about that executable. Thus, this argument is irrelevant here.
I was actually only quoting what Hungry Man said. I'm not a system programmer so someone else has to go into the details.
It is relevant. That kind of situation is the reason why using Sandboxie on top of Chrome is beneficial. And what about users landing on webpages that are compromised and download malware automatically? Chrome won't do anything about that. But Sandboxie will protect by containing the infection (if it gets to run).
But how do you protect yourself then? You cannot protect yourself with just this; for example, how do you protect against USB infections on different Windows systems (from Windows XP to Windows 10)?
What is your security setup anyway, if it's not forbidden to know? I'm very curious.
Oh, summerheat, please give me a break. I've been in some really risky situations where fake AVs were about to install on my computer system; Chrome does not stop this, Sandboxie does. Plus you are forgetting the fact that even the experts and the most experienced users do actually get infected like this, because they want to download and actually run something that seems to be benevolent and yet is malicious. Everything can be run inside Sandboxie and you will be protected; against this, Chrome cannot protect at all.
Thanks for being the only one who responded so far... I might try putting it in "Windows 8 Mode" later.
As for SBIE protecting Chrome... I already listed pretty much all the possibilities.
Not double-clicking and running EXEs manually in SBIE and/or uploading to VirusTotal should be common sense.
SRP and similar stuff is simply not enough; you have to have a basic antivirus, for example. You have to protect yourself as much as you can. SRP and similar stuff can only protect you in a limited way, and this is why you need more complete security options. And that example you posted of a security researcher is again a hypothesis, not the real thing. If everything you have on your computer is increased attack surface, the best thing is to disconnect from the internet. It's the stupidest excuse by a light year, since it has no basis in reality: if this was really the issue, all the people that have security options on their computers would be attacked so many times, and their security and protection would be bypassed so many times. So "increased attack surface" is pretty much another word for rubbish to scare people: don't use this, don't use that, don't even try to run anything. Totally impractical in every possible way, and it doesn't make you more vulnerable. This is something that Hungry Man and Safeguy, no matter how knowledgeable they are, fail to recognize/detect.
Not even VirusTotal can protect you from everything, since it cannot recognize everything. Been there, tried it already. I run it inside Sandboxie; if there was no Sandboxie, there would be some really nasty infection on my computer. And yes, at that time (1 month ago) I was using Chrome (sandboxed Chrome); with unsandboxed Chrome my security would have been compromised.
Any evidence of such? I already stated that running SBIE manually outside of Chrome itself is more than enough.
I'm talking about my experience, not some testing lab thing; my colleague actually gave me a virus that was unrecognizable by all AV vendors on virustotal.com.
Yes, even VirusTotal can fail you; don't put 100% trust in it, that's my advice.
I'd rather give it to AV vendors to try the sample and analyze it manually/personally, but this can take days to analyze, and I don't have days to decide if I want to run the sample or not. Luckily I knew already that this was some really nasty malware, because the colleague told me to be careful, so I tried it with Sandboxie on the default level, and everything was just fine, no infections at all.
And have you read my second sentence? You download the malware with SBIE-less Chrome, run it under SBIE, and get infected? Please.