Discussion in 'sandboxing & virtualization' started by Overkill, Jun 25, 2015.
I share the same frustration. It's very silly.
For a browser that strives upon limiting privileges, attack surface is a big deal. For other security apps that add attack surface, you would have to evaluate it out for yourself if it's a good idea. I am not here to tell you that. Even if I did, you wouldn't agree with me anyway so there's nothing to be gained from my side.
Also, I removed my initial comment in reply to your sarcastic and personal remarks because I am trying to keep it civil. If you still want to go through with it, PM. Let's not tarnish this thread.
I agree! I appreciate all the replies so far, but I think it will take a Chrome developer to really answer the question. I will continue to run ALL my vulnerable programs in sbie simply for peace of mind. Thanks to Sully for his "real world" situation of sbie saving the day.
Just for the fun of it, I created a thread @ chrome's forums.
My opinion has no qualifications, but I think Hungryman's explanation is pretty much spot on. Use Chrome alone or immerse it in Sandboxie probably makes no difference to anyone who knows how to attack the kernel.
Then why do you run any security option on computer? Get rid of them because of attack surface?
Sully's case proves that it's more beneficial to have Sandboxie on top of Chrome, than and this happens even to techies-and Sully is not alone, I had the same experience exactly 2 months, so no matter what you say about any sandbox in my case and in Sully's case, and I think even Peter's case (he mentioned something about that he had experienced similar situations), Sandboxie protected against what Chrome could not protect against-and this is not just some hypothesis of attack surface or anything like this, it's a real world practical experience-which is far more than any hypothesis.
Just because Sandboxie adds attack surface it doesn't mean this is bad, it's pure speculation. It could actually fill the holes in Chrome's sandbox-against things that Chrome does not protect against.
It could also mean that Sandboxie can protect against exploits if they have bypassed Chrome-yes it could.
None really counts on double sandboxing in the first place.
Actually it does play a role, I explained above.
Also, increasing attack surface sometimes can be beneficial as well, heck if you want protection when you surf 24.7 like I do, you need more than just one simple security solution.
Obviously, it's not that secure if you can bypass it in the way Sully described, Chrome is the most secure web-browser sandbox-so in this category, but there are some limitations in Chrome's sandbox protection like the ones Sully, me and Peter experienced while surfing the net, but it's not tougher than Sandboxie, since Sandboxie covers and contains and protects much wider range of the system, Chrome protects only web-browsing and that's about it, but even then; as shown and proven by Sully and some other posters here; Chrome does fail when not additionally sandboxed/protected/run under Sandboxie.
If you talk about exploits, then it's a tie/50:50 for both Chrome's sandbox and Sandboxie, since, everything that Chrome blocks, so does Sandboxie, but there are situations like the ones Sully described where Sandboxie does actually protect you while Chrome alone does not, and this is why Sandboxie on top of Chrome is more useful/more secure than not.
Obviously attack surface does not mean anything-actually I see it as an advantage, rather than disadvantage; the larger/bigger and the more complex attack surface is, it's harder to exploit it because of the fact it is so large and complex-everybody sees this as a disadvantage, but forget that large and complex codes can only be/are more complex to exploit in the first place, this is why I don't have anything at all against someone running Sandboxie on top of Chrome's sandbox-it will only be more beneficial, unless you experience compatibility issues, which is exactly the real problem here, and not the attack surface thing.
Whether you sandbox Chrome or not, this fresh thread at the Sandboxie forum might be of interest to you.
Re: the all it takes statement ..... a typical case of key cutters anomaly IMHO
Key cutter's: People who are able to replicate exploits through published exploit kits think they are able to create exploits themselves
Anomaly: So why are so few people exploiting Chrome on Pwn2Own? JungHoon Lee earned $ 225.000 in just two days.
The keycutter's anomaly (because he/she can replicate keys he/she imagines him/herself to be a great burglar also)
I was trying to make a point. You make it sound that because of SBIE, there is a big chance that it will be easier to bypass Chrome, I don't believe that's the case. Like I said, SBIE might in theory interfere with Chrome's sandbox, but normally speaking it's not the other way around.
So whatever happens, SBIE will still protect you, and on top of that it can even protect against malware that's installed manually via the browser. And I just read what Bo posted, but I wouldn't be surprised that in certain cases it's possible to escape Chrome's sandbox, while still getting stuck in SBIE's virtual container.
Well, it was a rhetorical question, I already know your answer, since I know your point of view. But I would never blindly trust in a browser's own sandbox, I always think it's a good idea to cover all bases and restrict it even more, with for example anti-exploit, isolation and HIPS.
Are you kidding me, you're taking it way too seriously. I don't even run Chrome, and couldn't care less if people use it together with SBIE or not. I just wanted to give my opinion about all this "added attack surface" talk, and I must admit it annoyed me a bit when in my eyes you were flipping the script, acting like it was others who want to continue this "discussion", while there's really nothing more to be said.
c.f. safeguy's comment about keeping it civil...
I think your seeing this as a case of arrogance is a mistake. safeguy is not claiming that he can easily develop a kernel exploit. I certainly couldn't, and don't claim (or desire) the capability. The problem is that there are people who are very good at developing kernel exploits, and unfortunately a lot of them seem to be blackhats (or as good as). In this case, there are just a lot of burglars who are very good at what they do.
As for Chrome/Sandboxie/etc. it's starting IMO to become a question of why a burglar should even bother picking the lock, if he can just force his way through with a crowbar. Windows does so much stuff in kernel space, IMO, that something nasty is just bound to come up - kind of like the situation with Xorg running as root on Linux.
That's why we should all use Bromium, it protects against OS kernel exploits.
EDIT: On the other hand, it might increase the attack surface.
1. Virtual Container
I have addressed the points regarding Sandboxie as a virtual container (read my posts again if anyone missed it). I mentioned that despite it having a possibility of saving a Chrome user, I still find it a poor trade-off.
If you disagree, I am fine with it.
2. Attack surface
If you still see it as benign, then we shall disagree. There's no way we can meet eye to eye on this.
3. Blindly trusting browser sandbox
To the contrary, I am aware of Chrome's sandbox limitations. Where some users choose to "restrict" it further, I choose not to mess with it. Read about Chromium's sandbox architecture and you'll find out why I don't want Sandboxie interfering with Chrome's sandbox. Read up on people who have penetrated sandboxes and yet mentioned that it was not as easy a task and praised Google for their effort.
4. Me flipping the script?
Can we just stop making this about me or you, Rasheed?
My objective was to point out that Sandboxie hurts Chrome's built-in sandbox - as per the original question posed by OP. I knew I was going to fail in convincing a few members here but I was not expecting such a strong opposition.
I've said "do whatever you want", "that's it". Yet, each and every single time, my post gets quoted and rebutted with points that I have acknowledged. It is quickly getting tiring.
Thanks a lot for understanding. I cannot replicate or develop exploits. That's beyond me.
I do agree with you GJ that a burglar can just force his way through with a crowbar. If a lock is going to keep most of the burglars out, I am still going to keep the lock.
I think what WS is saying though is that kernel vulns are not as common as other vulns and perhaps even blown out of proportion when you factor in the no. of skilled people who may develop such exploits.
I don't see how it's a poor trade off. Let's say hackers manage to bypass Chrome's sandbox, and manage to run a malicious app, and now try to encrypt files (ransomware). If you're running SBIE, the attack will fail because of virtualization. Of course, this is all theory.
Do you think it's easier to bypass SBIE than to bypass Chrome? This is a serious question.
I don't see how this has become tiring to you, since you're the one instigating stuff. But perhaps I'm wrong about this, fair enough.
That's the whole thing, you don't have to convince anyone, because we all have our own point of view. End conclusion: most people don't care about the "added attack surface".
A poor trade-off does not mean I discredit scenarios where Sandboxie can help. Yes, given your theory, the attack will encrypt the files but because it is "virtualized", the original files are unaffected. It is definitely a plus point for Sandboxie.
A poor trade-off means I consider the possibility of Sandboxie helping as a marginal benefit compared to the complexities that Sandboxie brings in when used over Chrome. Yes, that includes the attack surface thing that you dismiss.
This is going to be another controversial POV.
Yes, I do think so, if a skilled attacker is interested enough. SBIE's sandbox, while based on Windows security model just like Chrome, is more generic, allowing more direct access to achieve compatibility and its supervisor has higher privileges. The virtualization aspect would be trivial to such an attacker to escape from.
... I fail to see what you guys are even arguing about.
My feeling, at this point, is that Windows is so badly behind when it comes to security that layers like Sandboxie, Chrome's sandbox, and all that are much less effective than they were of old. The "party at ring 0" has become a popular rave club. "Attack surface" doesn't even enter into it. The point isn't "trust Chrome's sandbox more" or "trust Sandboxie more," the point is "don't trust anything that runs north of the kernel."
Missed that one...
As a matter of fact: yes. By a large measure. SBIE is designed to accommodate lots of different applications without breaking them, whereas Chrome's sandbox is designed for Chrome, to much much finer tolerances. There have been studies on this. Custom application sandboxes can restrict things more and are generally harder to break.
(Mind you, whether I trust Chrome itself is another matter. I have very little trust in Google as a company at this point, so...)
I know I don't have to which is why I continued posting regardless. Let's be honest. Every time a group of people have a discussion, there's bound to be a consensus and a disagreement. That does not deny the right for me to post; popular POV be damned. This is not about majority wins.
Let me change the conclusion for you: I don't care about what most people care. Most people don't care about what others care.
Yes, that does make sense. On the other hand, how many hackers out there are actively trying to bypass anti-exploit tools, sandboxes and HIPS. And then I'm talking about the hackers who try to infect home users with stuff like ransomware and banking trojans. And I'm not so sure if it's easy to escape the virtualization part.
Who is talking about denying the right to post? I was just trying to say that your point was quite clear, and most of us even agreed with your main point, yet you were acting like nobody understands you, and everyone else is wrong.
Why are you trying to make this about you? The end conclusion of this thread, is that most people don't think it's risky to protect Chrome with Sandboxie. They think the benefits outweigh the risk. With you it's vice versa.
I don't agree with this, there will always be OS kernel flaws that will be exploitable. And security tools will always need to interact with the kernel. I also think that KPP has made Windows a lot safer. Security tools (and malware) can't mess around with the kernel anymore, which is mostly a good thing. I say mostly, because some feel like security tools should have been allowed to modify the kernel. Of course, this is an old discussion and off topic over here.
Your reply hits the mark in the sweet spot. That is exactly what I intended to say. Also we agree on more than might seem from this thread. As an example I agree with most of your remarks in regard to Chrome, only I have used an OS-container around Chrome, so it would be hypocritical for me to tell SBIE users to stop adding a virtualisation layer around Chrome.
Let me make clear that I did not want to make it personal or offend people (my remark was more a reply to Hungry Man's post)