Chrome sandboxed

Discussion in 'sandboxing & virtualization' started by Overkill, Jun 25, 2015.

  1. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,794
    No. You don't know what I meant. If you did, you would clearly understand that I am fine with the idea of using Sandboxie on browsers that have no sandbox yet. With Chrome though, I think it is redundant..and even if it's not, the benefits do not outweigh the risks (but I've explained that already.)

    Do you realize that most security advancement (and exploit development) stem from theories? To disregard theories is purely convenience. Following your logic, how many people (in the wild) get exploited via Chrome alone?
     
  2. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,794
    I guess the root of this debate lies in the fact that Chrome's sandbox is "invisible" to the common user. That security feeling isn't there when compared to using Sandboxie on top. Most people would rather choose "visible" security that makes them feel more secure. I get that.
     
  3. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Thank you.

    Years ago I stopped using firewalls and antivirus apps, really the only 3rd party apps I even have installed are MBAM and Sandboxie. I used to argue merits of this or that, or cook up obscure schemes or try to use OS mechanisms. You know, security (and computers in general) are all quite fascinating for INTP types like myself I guess.

    I built up a machine for use as a DAW. Put win7 on it, did my usual plethora of settings/tweaks/schemes. Been using it for almost 2 years I guess. I've done plenty of browsing with it, mostly for music related stuff though, or utility apps that I find I need for some reason or another, or just to demo software I am interested in. Point is, its benign stuff really.

    I don't even use Sandboxie much on that machine. Just chrome. I run as admin 24/7 and did not have an issue for quite some time. But then it so happened that I was looking for a plugin for a guitar effect or something of that nature. And what do you know, I get a pop up and next thing you know I've got some crapware or malware installed. I did nothing other than navigate to an infected site.

    I messed with MBAM a little, looked up what it was, found it was going to be a bit of work to remove manually, and decided I did not have time for that. So, I used macrium and restored my image, put a few apps/settings in place and moved on with life.

    The next time I veered from my normal "music type" sites on that machine, I started chrome in Sandboxie. And wouldn't you know it, a very similar situation happened again. There must be a lot of people looking for free vst plugins for that to happen twice, but none the less, it did. But this time, it took about 30 seconds to clean things up. Due to Sandboxie.

    I am at the point that I don't care what works. I only need to put up a wall against what I am likely to come up against and thats it. I am under no illusion that I will ever find great security because it is, in my opinion, fleeting at best. So, I have modified what I do and how I do it accordingly. I may take some rather extravagant steps to find what works for me (like a laptop devoted to one purpose only, my bank account, and a whole interface on a pfsense router/firewall devoted to that one laptop lol ), and you (or anyone) do your own thing. And if it works, great. And really, if it works and you don't like it because of a principle you have, great too. I get the whole principle thing, believe me.

    I do find it fascinating at how far I (or anyone) will go to try and have computer security. I think it could be classified as a disease ;)

    I admit I have missed this place, and have not missed this place. It sure can suck up my time :)
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,101
    Location:
    The Netherlands
    I was basically trying to say, that the chances of getting exploited via security tools is quite slim.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,101
    Location:
    The Netherlands
    I agree that if you want to protect Chrome against exploits, it doesn't need any help from a third party tool. But all of this "SBIE will make it easier to bypass Chrome" stuff doesn't fly with me. If you can bypass SBIE, you can do the same with Chrome, and vice versa.

    And I mentioned the other browsers, because that's the whole point of SBIE, to give the ability to sandbox or isolate just about any app, no matter if these apps (like Chrome and IE) have implemented their own sand-boxing capability.
     
  6. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    Sandboxieing Chrome is a good idea with any extensions. Either to get to learn how they work before installing them in real or get to know how to operate their settings.
    Regarding guitar playing, I like this tuning page and I assume it is safe. Needs to allow Flash plugin though in my uMatrix: http://www.tunerr.com/
     
  7. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,794
    You know what Sully. I am an I,N/S,T,P/J. I cross from one to another depending on circumstances.

    My first experience with malware was basically a rogue-ware. Nothing I did helped until a friend recommended me to use Spybot S&D. Since then, I went on a journey to finding the best security setup possible. Layers upon layers until I figured out that I was just going overboard. I took a drastic turn and seek for a minimal setup that I know is relatively secure and let me sleep at night.

    It is a disease alright which is why I don't visit this forum as often because it is very tempting.

    I am pretty sure reports have been discussed on Wilders forum where you would find that browsers and OSes nowadays are gradually getting better in terms of secure coding practices (not perfect but way better than it used to be). Updates are also reaching the end user at a faster rate.

    It's security tools that are still lagging behind and to make things worse, they often have full privileges. When security tools interact with attacker-controlled data, it is an alternative pathway for these attackers to breach the system. With a concept like sand-boxing, you want to minimize the privilege/access to the least possible. That is my entire point.
     
  8. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,220
    Location:
    Canada
    Thanks for this, summerheat. Does this mean Chrome's out-of process (PPAPPI) Flash plugin is vulnerable, or only Adobe's (NPAPPI) plugin is?

    First, welcome back, Sully, and also Hungryman as well! I consider you two as true security "heavyweights". I'm always intrigued by your commentaries in these forums :)

    I'm just wondering if using some sort of browser scripting control or at least blocking plugins by default would have helped here? I imagine it would. As for the double sandboxing debate, I tend to agree fully with Safeguy's recommendations of simply relying on Chrome's only. Honestly, though, it's not the potential attack surface Sandboxie might introduce that would concern me, but rather just additional unnecessary resource (albeit low in Sandboxie's case) and user-management overhead that Sandboxie introduces into the user's browsing experience.
     
  9. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    5,969
    Location:
    Nicaragua
    Nice real world example of Sandboxie doing its thing, Sully, nothing beats that.:cool:

    Bo
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,101
    Location:
    The Netherlands
    Yes but why aren't AV's and other tools being exploited? Perhaps because it's hard to write working exploits? Or perhaps it's easier to attack widely used apps like browsers, document readers and media players?

    And besides, if hackers can exploit the OS, they can get system privileges via both Chrome and Sandboxie. So at that point, it doesn't matter if some components of SBIE are running with full privileges or not.
     
  11. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Even if I don't use Sandboxie, it was a nice example that it can make a difference and save you some precious time, and welcome back Sully.
     
  12. wolfrun

    wolfrun Registered Member

    Joined:
    Jul 26, 2009
    Posts:
    686
    Location:
    Canada
    I don't use Chrome, FF and Palemoon are my browsers and both are Sandboxed with Sandboxie. But if I was using Chrome I would use it in Sandboxie. Now does that make me a Sandboxie fan boy? Sandboxie :thumb: number 1!!!!:argh: Welcome back Sully!
     
  13. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,303
  14. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,794
    There's plenty of low hanging fruits so attackers don't bother. Sandboxie may not be as widely used as other apps but that still does not negate the fact that it brings it's own complexities to a browser with it's own sandbox.

    If an attacker gains system privileges, sure...all bets are off. If that is your only point of contention, then why do you even bother trying to sandbox your browser? That kind of argument brings nothing to the table.

    Damn, this is leading nowhere...just going in circles. I have made my point. That's it.
     
  15. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,220
    Location:
    Canada
    Maybe think of this another way: Perhaps AV's and other security software with their potential propensity of broadening the attack surface make it easier for the exploits to be successful? So with this in mind, maybe there's no need to specifically target the security applications, but rather it's these security applications that help facilitate the exploits in attacking the user's system? There's no need to target the security software when the this very security software has aided the exploits in attacking the O/S.
     
    Last edited: Jul 11, 2015
  16. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    How does one find true security when there are new attack types or new vulnerabilities literally every day? The OS (at least windows) is patched on a schedule due to the new vulnerabilities. LOL, you visit a place like this where enthusiasts argue over what works best. 30 members online and 300 guests! What do you think those guests are doing? Looking at the Colasoft forum?

    Nope, its those here, those inquisitive souls, those who don't like being taken advantage of, those who are hardcore geeks, those who have fixed thier nephews computer for the last time, its those people who are on the bleeding edge. HA! Yep, the bleeding edge. Thats right, you Safeguy. You wat0114. Yes, you Azure Phoenix and Wolfrun and SweX (sorry, not going to list the whole membership ;) ). You are testing, prodding, watching. Are you an expert? Maybe not. But I can tell you this much, your testing and discussions and even arguments are a MAJOR resource for people who aren't that interested, but just want to stop getting thier system messed up.

    Sandboxie is likely found by hundreds every week because of threads like this that mention keywords. It probably demo'ed 25 times. Bought 5 times. Its not because you typed the name Sandboxie and Chome in the same sentence. Its because you had dialogue. I've been away for quite some time. I've basically accepted the state of pc security and have my own ideas on how to do things. But I have seen mention of Wilders sooo many places. And I have to believe that when a newbie is tired of problems, and they finally find a thread like this, they just might go away with some new ammuntion to try.

    So, will sandboxing chrome be a good thing or a bad thing? Right or wrong? Eh, if you know exactly what the exploits are and the strengths of Chrome and how it is using OS mechanisms, maybe not. If you just want something the "rollback" any mistakes, then whats it matter? If you have been getting hit by malware and friends for a long time, when who gives a rip about what a sandbox is as long as it stops the issues.

    @wat0114
    I don't know if a scripting restriction would have helped or not. I was in incognito mode with updated chrome, and saw the typical "you have a virus" window. Thats pretty much all it took, my machine was borked. Had I been UAC, it would have still hit my user profile. Thats where most of it seemed to live. I am quite sure that by being admin it got to hook in a little deeper. The problem as I see it is that I voluntarily clicked on that link, and by doing so basically allowed things to happen. I could have used a number of other mechanisms to have stopped that in its tracks, but to be honest after a few years of basically doing nothing but using chrome, thats the only issue I have had. If I am going looking for that sort of thing, I just fire up sandboxie now and forget about it. I simply have better things to do these days that spend the night farting around with some half-baked Sully Security Model like the old days :)

    @safeguy

    I,N/S,T,P/J -- I understand. I however am so INTP its crazy. Its like someone wrote my life story and I am only now understanding haha.
     
  17. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    That's not a point at all, the point of this article is the fact that if NSA and similar spying agencies and military want to spy on you, there is no security option that can protect you against them, no matter how well you are protected-so your points here are moot points/useless points.
     
    Last edited: Jul 12, 2015
  18. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    The problem is sandboxed Chrome or not, the attacker will gain system privileges without bothering bypassing Sandboxie and Chrome, so your arguments that sandboxing Chrome is a moot point, and rather hypothetical one-right now I don't use Chrome, but when I did use Chrome, it was always sandboxed.
    SBIE4 also uses the same integrity level as Chrome is, so it's moot point, they both use the least system privileges, so far there have been no worse security issues Sandboxie over Chrome at all these 5 years, while Chrome cannot protect you against social engineering-that's SBIE 1, Chrome 0, obviously sandboxed Chrome is slightly more secure if you count everything-social engineering random clicks and similar.
     
  19. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,871
    You're welcome, wat0114! I'm not sure about the details. According to the Adobe Security Bulletin the Linux versions are affected but both the NPAPI version 11.2 and the PPAPI version 18.0 for Chrome got a priority rating of 3:
    "historically not been a target for attackers" is a strange wording, IMO. Does that mean that Linux systems are vulnerable but attackers are simply not interested in them, or does it mean that those flash versions have those vulnerabilities on principle but they are not exploitable on Linux systems? :confused:

    FWIW, the documents of the Hacking Team revealed another two vulnerabilities. So we can expect another Flash Player update in the coming days.
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,101
    Location:
    The Netherlands
    Yes, this is going in circles, but it's because of you, not me, don't get it twisted. I already agreed with the fact that if you're worried about automated exploits, Chrome doesn't need the help from a third party sandbox. But we are disagreeing about whether users are more at risk, when Chrome is running sandboxed. Perhaps in theory it's true, but in practice it's neglectable.

    If you're so worried about exploits, why not run anti-exploit tools to protect Chrome? Oh, but wait a minute, tools like MBAE and HMPA both use user mode API hooking, combined with a kernel mode driver, that's way too much attack surface for me.
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,101
    Location:
    The Netherlands
    What point are you trying to make? I'm just saying that both SBIE and Chrome make use of the same sandboxing methods, the only difference is that SBIE can apply it system wide. The easiest way to bypass sandboxes is to use a OS kernel bug. Chrome is not immune to this, no matter if it's running under SBIE's supervision or not.
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,101
    Location:
    The Netherlands
  23. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,220
    Location:
    Canada
    Yeah I'm not sure what they mean by that. The Linux theory makes some sense because with so few people using it, the returns of attacking it would be so little compared to Windows. Thanks again.

    I think it's far more often the browser's plugins or extensions that are targeted rather than the browser itself. summerheat's link earlier is a good example of this. In my case I enable only a few plugins in Chromium and use four extensions, all with good reputations of not being common targets.
     
  24. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,794
    Look at who is twisting words right now. Did I say it is going in circles because of you? It is going in circles because peeps here seem to acknowledge my point that Chrome does not need Sandboxie's supervision but still continue putting forth arguments just for the sake of doing so.

    Worried about exploits? Let's see...the one running Sandboxie and/or anti-exploit tools over Chrome or the one who doesn't? Don't bother answering...I don't have a minute to wait.

    Duh. I've made the exact same entire point across all my posts so far and you are still asking me? You are telling me 1+1=2. I never denied that Sandboxie can be used system-wide (I get the feeling people here think I am hating on Sandboxie. Nope!!!).

    I am telling you now (as simple as I can possibly phrase it): Chrome does not need Sandboxie. Now, how else do I say it? Is there anything wrong with my usage of the English language so far?
     
    Last edited: Jul 12, 2015
  25. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,794
    Count me in on the same group. I am still on page 2...:p
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.