Combined security Sandboxie and VirtualBox in ram

Discussion in 'sandboxing & virtualization' started by Blakjer, Apr 29, 2014.

Thread Status:
Not open for further replies.
  1. Blakjer

    Blakjer Registered Member

    Joined:
    Nov 3, 2009
    Posts:
    6
    Hi, I have 32GB of Ram, so i'm able to create a large ramdisk. I copy a Virtualbox .vdi to the ramdisk and use this with Virtualbox running in a Sandboxie sandbox. My sandbox is in the ramdisk as well.

    I don't use a pagefile,the amount of ram appears to be sufficient and I don't use hybernation. So when i restart my machine everything I did in the virtual machine should be erased.

    However, is it possible that information from the virtual machine (running in ram) in a sandbox (in ram) leaks into the host OS? I don't care that "they" know that i'm running a sandbox and virtual machine. I only want to prevent information leaks to the host.

    Is my setup secure for this?
     
  2. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Malware on the host could spy on the virtual machines.
     
  3. Blakjer

    Blakjer Registered Member

    Joined:
    Nov 3, 2009
    Posts:
    6
    Thanks for the reply.

    I was afraid someone would say that ;-) I can't however find any information about malware capable of creating leaks from client to host.

    I know Crisis that is able to change VMware images. But that's different I guess.
     
  4. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    @Blakjer: you're welcome :).

    Are you concerned about
    a) malware on guest jumping to host
    b) malware already on host
    c) both of above
    ?
     
  5. Blakjer

    Blakjer Registered Member

    Joined:
    Nov 3, 2009
    Posts:
    6
    My main concern is to prevent that the host knows anything about the obscure things happening in the guest ;-)

    I guess malware on the guest is not a big concern since I always start with a fresh .vdi. So malware on the host is probably what I should watch out for.

    Are you aware of any malware running on the host capable of seeing things happening in the guest running in a sandbox?

    BTW, my original question was different. I wanted to know whether the guest leaves some residue in the host. For instance traces of the guest in the page and hybernation file of the host might create a problem I suppose. And there might be many others that I do not know of. So is my approach as outlined in my first post sufficient to make these kind of traces impossible?

    Malware is something I didn't realize, so you just raised a second question ;-)
     
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Do a web search for virtual machine introspection for info about software on host that inspects virtual machines. I don't know if there's any malware that does this type of thing.

    Concerning Sandboxie privacy, see http://www.sandboxie.com/index.php?PrivacyConcerns. I'm not sure if Sandboxie on ramdisk is sufficient for your needs.

    Have you considered using Tails instead?
     
  7. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,770
    Location:
    Nicaragua
    Blakjer, regarding Sandboxie. If you have malware, key logger, in your machine, it can see what you do inside the sandbox. After you delete the sandbox, forensic tools can find what you done in the sandbox. But if you have Sandboxies container in a Ram disk, all traces are gone after rebooting.

    I have no experience whatsoever with virtual machines but that's how it is regarding SBIE.

    Bo
     
  8. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Since Sandboxie doesn't redirect all disk writes made by the OS, I believe that's not accurate.
     
  9. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,770
    Location:
    Nicaragua
    I know something like Prefetch is not gone but anything that you do within the sandbox, it is gone. Windows is not running sandboxed.

    Bo
     
    Last edited: May 2, 2014
  10. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I agree with these statements.

    Since Windows itself is not being sandboxed, it could store information about the sandboxed programs that could possibly be of a sensitive nature.
     
  11. chris1341

    chris1341 Guest

    There are other things as well. The OP seems more worried about privacy for me and SBIE is not primarily a privacy tool.

    I run SBIE in a RAM disc (to cut down disc activity on an old box rather than privacy concerns) and all the traces of the browser session are gone on re-boot/un-mount of the RAM disc but I can still see traces of sites I've visited in the DNS cache for example. Log files, USN journal, MFT and the multitude of MUI caches etc can still record application activity. As you say SBIE is virtualising the sandboxed App only not the OS.

    If I'm doing anything sensitive I through Shadow Defender in RAM cache mode into the mix. That drops the logs, DNS etc on re-boot but, hey its Windows. It's like a sponge and who knows what it's storing where.

    Chris
     
  12. Blakjer

    Blakjer Registered Member

    Joined:
    Nov 3, 2009
    Posts:
    6
    Thanks guys for the comments. So, it seems rather hard to impossible to leave no traces even with a VM running in a sandbox in ram.

    Perhaps this question is easier. Is it possible that the contents of for instance files I download or documents I make in the VM are visible outside the sandbox/VM mix? I don't care that people know work has been done on files in the VM, but I don't want them to know which files and what. Connections to the internet are always encrypted (and that's always safe with OpenSSL ;) )

    And I will look into Tails and Shadow Defender.
     
  13. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    It's possible. Do a web search for virtual machine introspection for info about software on host that inspects virtual machines. I don't know if there's any malware that does this type of thing.
     
  14. Blakjer

    Blakjer Registered Member

    Joined:
    Nov 3, 2009
    Posts:
    6
    You mentioned virtual machine introspection in an earlier reply and you have the patience to do it again, that's nice :)

    I already looked into it and found some techincal papers that unfortunately went, most of the time, way over my head. However I think to understand that host or guest must be somehow compromised in order to make introspection possible. And most of the time it probably is a totally legit business strategy to do introspection.

    This is something I cannot prevent from happening I guess. My main concern is whether the host OS itself will register what I do in the guest. And AFAIK Windows even registers when I smile while handling my keyboard. I hoped I could somehow prevent that. Not the smiling but the logging of it :)

    I get the impression that forensics might reveal more then I like in my setup. So back to the drawing board :doubt:
     
  15. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You could try a program like LastActivityView to get an idea of what Windows records.
     
  16. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You could also use a program such as PrivaZer to clean Windows traces.
     
  17. Blakjer

    Blakjer Registered Member

    Joined:
    Nov 3, 2009
    Posts:
    6
    Thanks for the name of Privazer. Looks nice. I always wonder how the traces are removed. Erased or just deleted? I guess a lot are just deleted from the file/database they are in. Am i therefore wrong to assume forensic software will be able to recover them?

    Most annoying is that erasing flash memory (SSD/USB sticks) is not secure by design.

    I tried LastActivityView, it gives some very strange results though.
     
  18. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
Loading...
Thread Status:
Not open for further replies.