Chrome sandboxed

Discussion in 'sandboxing & virtualization' started by Overkill, Jun 25, 2015.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    13,401
    Location:
    The Netherlands
    Yes, and this is a lot of work and not really worth it.

    Correct, but the point that I was trying to make is that current security tools are good enough to protect systems, even when the OS kernel is not that secure.
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    13,401
    Location:
    The Netherlands
    I'm talking about a scenario where Chrome's sandbox gets bypassed, and malware like banking trojans or ransomware manage to start up with at least medium privileges. Without SBIE, the malware can now inject code into the browser (sniff data), and encrypt files. With SBIE, it's likely that it will block code injection and will block (or virtualize) file modification. Because normally, the malware will not be able to disable SBIE's protection driver.
     
  3. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Not the case unfortunately. If malware has blown through Chrome's sandbox, it will have already blown past SBIE. The sandboxes operate on the same CPU privilege level and therefore will be defeated by the same measures.

    (And unless I'm reading it wrong, CWS' post above doesn't conflict with this. CWS clicked on a malicious executable, which means the Chrome sandbox didn't enter into it. If you tell Chrome to launch something, it will do so - a sandbox can't protect you from your own rashness.)
     
  4. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    5,789
    Location:
    Nicaragua
    You doubt Sandboxie uses the driver for better isolation? read below.
    http://forums.sandboxie.com/phpBB3/viewtopic.php?f=5&t=19163#p103750

    Bo
     
  5. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    5,789
    Location:
    Nicaragua
    I run as an administrator, dont use HIPS, firewall, antiviruses and nothing but Sandboxie and NoScript when browsing. Whenever I turn off my XP or W7, its clean. This is so not because I am skilled or lucky but because just about anything that runs in my computers, runs untrusted under SBIE:cool:.

    Bo
     
  6. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,789
    Location:
    Mexico
    Runs isolated not untrusted under SBIE you meant to say, did you Bo?:p
     
  7. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    5,789
    Location:
    Nicaragua
    Sandboxed programs run untrusted. Thats what I meant. According to Curt, thats lower than low.

    Mr X, remember, "Trust no program" means: When you run a program in the sandbox, the program runs untrusted.:cool:

    Bo
     
  8. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    5,789
    Location:
    Nicaragua
    But isolated too. After all, thats what Sandboxie is all about. Isolation, separating sandboxed programs from the system, files, registry and other programs. Thats the beauty of SBIE.

    Bo
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Yes, the futex vuln that summerheat is the one I was referring to - futex was a whitelisted system call. Seccomp is great, but there's tons of attack surface exposed to any process that can do basically anything.


    Yeah, that's the one.

    Virtualization is enforced by Windows integrity, a drive is what enables the applications to selectively bypass the integrity levels based on the policy applied. The driver doesn't really need to be bypassed, it's what lets a process that needs to write to Medium integrity run as Low.

    What's required is bypassing the integrity controls.
     
  10. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,243
    One of the best posts that I have ever read here on Wilders.
     
  11. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Okay, right - I'm going to bow out of this discussion now. Not worth the inevitable argument.

    @Hungry Man

    Nice. futex is one of those things that sounds innocuous too. (Although maybe not in retrospect - I mean, a futex is a concurrency lock, and messing it up right might cause a race condition, which might cause all kinds of nasty...)
     
  12. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    5,789
    Location:
    Nicaragua
    Check this out, Mr X.:)
    http://forums.sandboxie.com/phpBB3/viewtopic.php?f=5&t=19642#p103719

    Bo
     
  13. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,789
    Location:
    Mexico
  14. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    13,847
    Location:
    Slovenia
    Here are some slides that show how different kind of sandboxes can be bypassed using kernel exploits [PDF]: https://media.blackhat.com/eu-13/briefings/Wojtczuk/bh-eu-13-thes-sandbox-wojtczuk-slides.pdf
     
    Last edited by a moderator: Jul 16, 2015
  15. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Not really true because the attacker will not expect that you have another sandbox above Chrome's sandbox-so it will make things more complicated for attacker, plus sometimes Sbie can help even here to block exploits which Chrome's sandbox does not.
     
  16. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    5,789
    Location:
    Nicaragua
    Gullible, if you are browsing protected by Sandboxie and all of the sudden, a webpage starts downloading malware or you click the wrong link and malware runs, it runs sandboxed. If it installs, it installs sandboxed. Sandboxie is a sandbox program, Chrome is only a browser with a sandbox. Comparing Chrome with Sandboxie is like comparing apples and oranges.

    Sandboxies role ends when you recover something out of the sandbox. Sandboxie wont do nothing for you if you recover malware and run it out of the sandbox. But anything you do in the sandbox, stays in the sandbox. Get that in your head.

    Bo
     
  17. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    13,847
    Location:
    Slovenia
    It might not stay in sandbox if kernel vulnerability is exploited using sandboxed program.
     
  18. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    5,789
    Location:
    Nicaragua
    No one is talking kernel. I am talking regular malware, the type non Sandboxie users like yourself are exposed to everyday.

    But, if you know of any malware that has bypassed Sandboxie via a kernel vulnerability during the past 10 years, please name it or....

    Bo
     
  19. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    13,847
    Location:
    Slovenia
    I think that it was malware using True Type font parsing vulnerability. Will try to find some reference.
     
  20. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    @Minimalist - you're probably talking about Stuxnet and/or Duqu, right?
     
  21. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    13,847
    Location:
    Slovenia
    OK, quick find using Google: https://threatpost.com/using-kernel-exploits-bypass-sandboxes-fun-and-profit-031813

     
  22. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    13,847
    Location:
    Slovenia
    Yes, you're right. Just found a link :)
     
  23. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    5,789
    Location:
    Nicaragua
    I can post it here if you want. But that was a POC, by the same people whose link you posted a couple of days ago. No real malware. And to break SBIE,......it used a vulnerability that had already being patched by Microsoft. Really nice.

    Bo
     
  24. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    13,847
    Location:
    Slovenia
    It might have been POC, don't remember if there were any actual ITW exploits. But it's good to know limitations of security software that is being used. Not knowing about them can be dangerous, also.
    At the end Microsoft had to patch the vulnerability. Neither Chrome's sandbox nor SBIE could protect users against it.
     
  25. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    5,789
    Location:
    Nicaragua
    It was a POC. Thats not a maybe. But i agree, we ought to be aware that we are exposed to that kind of vulnerability even if you use Chrome and or Sandboxie. But its also a good thing to know that this type of malware is so rare that at no time since Sandboxies creation there has been one that has bypassed Sandboxies sandbox.

    Bo
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.