Create your own Sandbox (e.g. under x64)

Discussion in 'other security issues & news' started by Kees1958, Jan 5, 2010.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    For the do-it-yourself daredevils on Vista x64 and Windows 7 weeping about missing Sandboxie or DefenseWall


    1. Create a LUA user (I call it BEPERKT = LIMITED in Dutch)

    2. Remove write access with an ACL (right-click a FOLDER and click the Properties tab) for this extra-constrained user (BEPERKT in my case). Simply navigate to the USERS folder. Right-click the folder of the newly created user (for me BEPERKT) in Explorer, select the Security tab, and now DENY the rights for Execute and Write

    3. Do the same using REGEDIT.exe for the HKCU part of the registry (disallowing create value, create subkey, write and delete for my special limited user called BEPERKT)

    4. Switch back to your normal user again
    a) Go to Sysinternals (http://technet.microsoft.com/en-us/sysinternals/bb795533.aspx) and download Process Monitor and PsExec

    5. Open Task Manager and choose to display the Image Path as well. Write down the image path of your favourite browser (in my case Iron, because it is already sandboxed on its own = fewer interfaces/references to files/registry keys)

    6. Unzip Process Monitor and create a filter for your favourite browser;
    see the picture, using the Image Path as main filter (second pic). Read through this list; you only need write/delete/create access to files and registry keys in the user space.

    Start Process Monitor, activate the filter, start Iron, do some browsing, save a favourite, remove a favourite (or go into porn mode = InPrivate or Incognito). Use the output to grant access to your browser (in my case Iron) for registry entries in HKCU which need create/write/delete access, as explained below.

    Now use Jump To to allow access to certain registry keys, as illustrated by the second picture, in the registry. Read the comments: when it says ALL or create, write, delete, allow access through REGEDIT (registry) or EXPLORER (folder).

    7. Unzip PsExec and create a shortcut which already includes user and password and starts your browser (best is Iron for this purpose). Google it; there is enough explanation and there are enough examples about PsExec on the internet.


    8. Important

    a) Always use a different LUA user

    NEVER do this on your normal accounts! Good thing: when you mess up, it is in the specially created user, so it does not hurt. When in panic, just delete this special user.

    b) File cleaning
    Write down the folders for which you allow write access.
    Use the handy CCleaner to delete all traces afterwards from the folders allowed write access (beware: exclude your download folder).

    c) Registry cleaning
    Use CCleaner, ERUNT or Comodo Backup (registry only) to back up your registry. After doing dodgy browsing, simply restore this saved registry again.

    You're done; after cleaning/restoring it is game, set and match over for malware.


    Cheers Kees
     

    Attached Files:

    Last edited: Jan 5, 2010
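    Added example, not code from the original post: the Process Monitor step (5 and 6 above) as a PowerShell script instead of reading the event list by hand. With -Record it captures a trace of the browser run as your normal user, exports it to CSV, and reduces the successful write/create/delete operations in user space to the HKCU keys and profile folders that need an allow entry; without -Record it runs on a constructed sample so it can be tried offline. Assumptions not in the post: Procmon.exe on PATH, Procmon's default CSV export columns, and the wording of the Detail column matched below.

```powershell
# Added example (not from the original post): derive the write allow-list for a
# browser from a Process Monitor trace. Assumptions: Procmon.exe on PATH, default
# CSV export columns, Detail-column wording as matched below.
param(
    [string]$ProcessName = 'iron.exe',
    [string]$ProfileRoot = $env:USERPROFILE,   # profile of the user the trace was taken as
    [string]$Trace       = "$env:TEMP\browser.pml",
    [switch]$Record                            # capture a fresh trace; otherwise use the embedded sample
)

# Operations that change state. CreateFile counts only when write-type access was requested.
$writeOps    = 'RegSetValue', 'RegCreateKey', 'RegDeleteValue', 'RegDeleteKey',
               'WriteFile', 'SetDispositionInformationFile', 'SetRenameInformationFile'
$writeAccess = 'Generic Write|Generic All|Write Data|Append Data|Delete'

function ConvertTo-Allowlist {
    param([object[]]$Rows, [string]$ProcessName, [string]$ProfileRoot)
    $root = [regex]::Escape($ProfileRoot)
    $hits = foreach ($r in $Rows) {
        if ($r.'Process Name' -ne $ProcessName -or $r.Result -ne 'SUCCESS') { continue }
        $isWrite = ($writeOps -contains $r.Operation) -or
                   ($r.Operation -eq 'CreateFile' -and $r.Detail -match $writeAccess)
        if (-not $isWrite) { continue }
        $p = $r.Path
        if ($p -match '^(HKCU|HKU\\S-1-5-21-[\d-]+)\\') {
            # Permissions are granted per key, so drop the value name from value operations.
            $key = if ($r.Operation -in 'RegSetValue', 'RegDeleteValue') { Split-Path $p -Parent } else { $p }
            [pscustomobject]@{ Kind = 'Registry'; Target = ($key -replace '^HKU\\S-1-5-21-[\d-]+', 'HKCU') }
        } elseif ($p -match "^$root\\") {
            # Folder ACLs are what get granted; Procmon marks directory opens with "Options: Directory".
            $dir = if ($r.Operation -eq 'CreateFile' -and $r.Detail -match 'Options: Directory') { $p } else { Split-Path $p -Parent }
            [pscustomobject]@{ Kind = 'File'; Target = ($dir -replace "^$root", '%USERPROFILE%') }
        }
        # Writes outside HKCU and the profile are not user space; review those by hand.
    }
    $hits | Sort-Object Kind, Target -Unique
}

if ($Record) {
    # Headless capture: run the browser as yourself, do what the post lists, then stop and export.
    Start-Process procmon.exe -ArgumentList '/AcceptEula', '/Quiet', '/Minimized', "/BackingFile `"$Trace`""
    Read-Host 'Browse, save and remove a favourite, try incognito mode, then press Enter'
    Start-Process procmon.exe -ArgumentList '/Terminate' -Wait
    $csv = [IO.Path]::ChangeExtension($Trace, 'csv')
    Start-Process procmon.exe -ArgumentList "/OpenLog `"$Trace`"", "/SaveAs `"$csv`"" -Wait
    $rows = Import-Csv $csv
} else {
    # Constructed sample rows in Procmon's CSV layout (not a real capture) so the
    # script runs offline; the profile path in them matches the override below.
    $ProfileRoot = 'C:\Users\Kees'
    $sample = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"1:00:00.0000000 PM","iron.exe","4120","RegSetValue","HKCU\Software\Chromium\PreferenceMACs\Default\extensions.settings","SUCCESS","Type: REG_SZ, Length: 66"
"1:00:00.0000001 PM","iron.exe","4120","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
"1:00:00.0000002 PM","iron.exe","4120","CreateFile","C:\Users\Kees\AppData\Local\Chromium\User Data\Default\Bookmarks","SUCCESS","Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf, Options: Non-Directory File"
"1:00:00.0000003 PM","iron.exe","4120","WriteFile","C:\Users\Kees\AppData\Local\Chromium\User Data\Default\Bookmarks","SUCCESS","Offset: 0, Length: 1,024"
"1:00:00.0000004 PM","iron.exe","4120","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Options: Non-Directory File"
"1:00:00.0000005 PM","iron.exe","4120","SetDispositionInformationFile","C:\Users\Kees\AppData\Local\Temp\scoped_dir4120_1\CRX_INSTALL","SUCCESS","Delete: True"
"1:00:00.0000006 PM","explorer.exe","1588","WriteFile","C:\Users\Kees\Desktop\notes.txt","SUCCESS","Offset: 0, Length: 12"
'@
    $rows = $sample | ConvertFrom-Csv
}
ConvertTo-Allowlist -Rows $rows -ProcessName $ProcessName -ProfileRoot $ProfileRoot | Format-Table -AutoSize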
  2. optigrab

    optigrab Registered Member

    Joined:
    Nov 6, 2002
    Posts:
    624
    Location:
    Brooklyn/NYC USA
    I have been monitoring this thread to see the reaction to your post, Kees. I am stunned there have been no replies until now. You obviously put a lot of work into the approach you've outlined, as well as composing the instructions in your post, and your effort deserves to be acknowledged.

    Nice work! :D

    Now I must say, it does appear to be a somewhat convoluted approach to sandboxing x64, especially with Sandboxie x64 beta offering a dead-simple approach. But at the very least your approach seems very interesting to a tinkerer like myself (and it's free!). If I had the time, I'd give it a go. Unfortunately it is still above my head; I wish the instructions were more explicit! :eek:
     
  3. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    OK, I have just seen this thread; there are not many replies because Kees1958 didn't explain it in enough detail, and some of it is over my head as well.

    Kees1958, in a nutshell can you explain to us what things the browser is isolated from in the OS? For example, I can see that with your method you have denied write access to the registry and files; what else? Does your method also include anti-executable for all file types?

    With Sandboxie, Sandboxie limits the communication and interaction with programs outside of the sandbox, although not as well as before due to PatchGuard, but it still can to a degree; can your method do this?

    With Sandboxie, Sandboxie can prevent certain programs running in the sandbox
    that connect to the internet from READING certain sensitive files and folders outside of the sandbox; can your method do this?
     
    Last edited: Jan 6, 2010
  4. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    arran: outbound protection :) within Sandboxie, very simple but effective
     
  5. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    If you mean outbound connections to the internet, a firewall does the same thing. You still need a firewall anyway to control outbound connections of programs running outside of the sandbox.
     
  6. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    I know, but what if you sandbox all the programs that use the net to connect out?
     
  7. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    System services like explorer.exe can make outgoing connections, and you can't sandbox system services, can you?
     
  8. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Ah, I see ;) so it would be a good idea to have Sandboxie and a conventional firewall?
     
  9. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    Correct; system services and processes do tend to make outgoing connections when there is no need for them to do so.
     
  10. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    What firewall would you recommend? I always have a hard time deciding what to choose :)
     
  11. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    There are many outbound firewalls to choose from: Comodo with HIPS disabled, Kerio, etc. Go read/participate in the firewall forums; we have gone a bit off topic here now, best we stop.
     
  12. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Thanks, I will check it out ;)
     
  13. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Arran, Optigrab, Jmonge,

    Let me try to explain.

    PSEXEC or RUN AS

    With PsExec/Run As you can launch a program with the credentials of another user. Why would you run under another user? Here is a quote from Mark Russinovich
    Remember this was when XP ruled, so on Vista and Windows 7, running as ADMIN with UAC, you should at least be notified when a program requests elevation. But the obvious solution is to run as a different LIMITED user. This will run in a different user profile, hence the boundaries are guaranteed by the OS.

    For ease of use Mark added the switches -u (specify user) and -p (specify the password of this user). The -d switch tells PsExec not to wait but to proceed (close the window and exit after launching the specified program). In my case it looks like:

    PSEXEC -d -u BEPERKT -p PASS1234 "c:\program files\Chrome\iron.exe"


    ANTI EXECUTABLE implementation of the user account BEPERKT

    I normally take away the "Write" and "Browse and Execute" rights on C:\Users\BEPERKT. You can also choose to only take away Write rights and use Pretty Good Security to add a deny-Execute Software Restriction Policy (the latter is an easier solution, because one can still navigate through the folders; you can also add both = ACL + SRP deny execute, which is as paranoid as wearing trousers with a belt and braces).

    IRON
    Iron is a Chrome clone without the privacy issues. Because Chrome uses an internal sandbox, it has very few connections to the outside world. Therefore I give it access to some of its own HKCU registry keys and AppData folders, plus the TEMP folder and the DOWNLOAD folder specified in Iron.


    Challenge to malware authors
    a) first they have to break the internal sandbox of IRON
    b) next they have to break the ACL (plus the SRP limitations of PGS)
    c) then they mess around in a profile which is not used for serious PC usage and will be cleaned by CCleaner and/or recovered (e.g. use Comodo Backup for the user environment of the BEPERKT user only) from time to time, which sets them back to point zero

    Ultimately it gives you higher than LUA-level security while running as Admin (with UAC)


    Sandboxie x64
    :D How could I know that Tzuk changed his mind. Sandboxie x64 :thumb:


    Note:
    You should not worry about the password of that extra limited user, since it can do less than a GUEST account. This is also the reason for using PsExec instead of Run As (it is less used by home PC users)
     
    Last edited: Jan 7, 2010
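    Added example, not code from the original thread: the BEPERKT lockdown described in the post above (deny write via ACL, the ACL variant of the anti-executable, the HKCU restriction, the PsExec launcher) as one PowerShell script, run from an elevated PowerShell as your normal admin user. It also makes two checks the post does not mention: the profile's owner is moved to Administrators first, because an object's owner keeps implicit WRITE_DAC and could otherwise remove the deny entries, and at the end it confirms that a write outside the allow-list fails while one inside succeeds. Assumptions not in the thread: the user name, password and Iron path as in the post's command line, PsExec on PATH, and the allow-lists, which are placeholders to be replaced with the result of a Procmon trace as in the first post. The SRP route via Pretty Good Security is not covered here.

```powershell
# Added example (not from the original thread): the BEPERKT lockdown as a script.
# Run elevated. Assumptions: user/password/Iron path as in the post, PsExec on
# PATH, placeholder allow-lists below.
$User      = 'BEPERKT'
$Password  = 'PASS1234'
$Browser   = 'C:\Program Files\Chrome\iron.exe'
$UserHome  = "C:\Users\$User"
$AllowDirs = 'AppData\Local\Chromium', 'AppData\Local\Temp', 'Downloads'   # relative to the profile (placeholders)
$AllowKeys = 'Software\Chromium'                                            # relative to HKCU (placeholder)
$Write     = '(WD,AD,WEA,WA,DE,DC)'   # icacls rights: write/append data, write EA/attributes, delete, delete child

# 1. Limited user (lands in the local Users group by default).
net user $User *> $null
if ($LASTEXITCODE -ne 0) { net user $User $Password /add /passwordchg:no | Out-Null }
# The profile folder and NTUSER.DAT exist only after a first logon; a throw-away
# PsExec run that loads the profile (no -e) creates them.
if (-not (Test-Path "$UserHome\NTUSER.DAT")) { psexec -accepteula -u $User -p $Password cmd.exe /c exit *> $null }

# 2. Files. Owner first: the owner of an object always has implicit WRITE_DAC, so a
#    profile still owned by BEPERKT could have its deny entries removed by BEPERKT.
icacls $UserHome /setowner Administrators /T /C *> $null
icacls $UserHome /deny "${User}:(OI)(CI)$Write" *> $null     # no write/delete anywhere in the profile
icacls $UserHome /deny "${User}:(OI)(IO)(X)" *> $null        # no execute on files; folders stay traversable
foreach ($d in $AllowDirs) {
    $path = Join-Path $UserHome $d
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    # An explicit allow on the nearer folder is evaluated before the deny inherited
    # from the profile root, so only these trees become writable.
    icacls $path /grant "${User}:(OI)(CI)$Write" *> $null
}

# 3. Registry: load the hive (only possible while BEPERKT is not logged on) and deny
#    create/write/delete on its HKCU, except under the allowed keys.
reg load "HKU\$User" "$UserHome\NTUSER.DAT" *> $null
$rights  = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete'
$inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$noProp  = [System.Security.AccessControl.PropagationFlags]::None
$root = [Microsoft.Win32.Registry]::Users.OpenSubKey($User,
            [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
            [System.Security.AccessControl.RegistryRights]::FullControl)
$acl = $root.GetAccessControl()
$acl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')   # same owner caveat as for files
$acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule($User, $rights, $inherit, $noProp, 'Deny')))
$root.SetAccessControl($acl)
foreach ($k in $AllowKeys) {
    $key  = $root.CreateSubKey($k)       # opened writable, created if the browser has not made it yet
    $kacl = $key.GetAccessControl()
    $kacl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule($User, $rights, $inherit, $noProp, 'Allow')))
    $key.SetAccessControl($kacl)
    $key.Close()
}
$root.Close()
[GC]::Collect()                          # drop handles, or reg unload fails with "access denied"
reg unload "HKU\$User" *> $null

# 4. Launcher, equivalent to the post's shortcut: -d returns at once, -u/-p select the user.
$launcher = "$env:USERPROFILE\Desktop\Iron-$User.cmd"
Set-Content $launcher "psexec -accepteula -d -u $User -p $Password `"$Browser`""

# 5. Check: a write outside the allow-list must fail, one inside must succeed.
psexec -accepteula -u $User -p $Password cmd.exe /c "echo x > $UserHome\Desktop\deny.txt" *> $null
psexec -accepteula -u $User -p $Password cmd.exe /c "echo x > $UserHome\Downloads\allow.txt" *> $null
"Desktop write blocked:   $(-not (Test-Path "$UserHome\Desktop\deny.txt"))"
"Downloads write allowed: $(Test-Path "$UserHome\Downloads\allow.txt")"
"Start the browser with $launcher"
```

    Two things to keep in mind when running it: the hive can only be loaded while no process runs as BEPERKT, which is why the check in step 5 comes after the unload, and the execute deny uses (OI)(IO) so it lands on files only; a deny of X on the folders themselves would also remove traverse, which is what the post describes as losing the ability to navigate.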
  14. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    For those who think it is too difficult

    Let's hope some very knowledgeable members provide some scripts for us (sorry, my knowledge is lacking in that area, as is the time to learn it).

    Here is a nice read on Access Control Lists: http://msdn.microsoft.com/en-us/magazine/cc982153.aspx

    Regards Kees
     
    Last edited: Jan 7, 2010
  15. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I should have commented on this earlier.

    In a nutshell, this 'sandbox' Kees refers to is the %userprofile% of a 'more restricted than usual' user account.

    While SBIE might use drivers/services to strip communications of ProgramX with the real file system (or whatever), this method Kees presents is simply using what is available in the OS (user accounts/rights/permissions/restrictions) in a bit of a different fashion, but the same effect can be achieved in general.

    There is no doubt SBIE has more features, but I think one can be quite surprised by just what you can do with your OS that you are not aware of.

    Nice job Kees, interesting as always!

    Sul.
     
  16. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    well done kees:thumb: :thumb:
     
  17. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    This will work well as long as you don't run any system-owned apps that are exposed to the network. If a vulnerable system-owned process is exploited, the exploit will allow the attacker access to everything the owner has access to (in this case the admin, which means everything). Basically, if a system-owned app is successfully exploited, it will give the attacker system-level access even if the user running the app was in a LUA sandbox. This is an inherent weakness of the DAC model (which Unix and Windows both use). To overcome this, one needs a MAC security model (like SELinux or Trusted Solaris, or whatever third-party MACs Windows has).

    But, assuming this limited user has no way to change the files and directories he has write and execute access to, then, yes, this sandbox will work just fine (assuming no system-owned apps are being run from within the sandbox). I also like the idea of using SWIron since it has its own built-in sandbox (a fact many people seem to forget about for some reason).

    If one is just going to use this account for nothing but using Chromium/Iron then I think it will be pretty darn secure. An attacker would have to crack the Chromium sandbox -- and if he did that, he would only have access to the very few files and folders that the sandboxed browser user had access to (this is barring any privilege escalation exploits, which are possible but unlikely. This is also assuming Chromium only runs with the privileges of the user, which I think it does).

    I have been using a set-up similar to this on my Linux box for years, except I also have a MAC system in place to control the freedom an application exploit will allow an attacker.
     
  18. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Since Vista, higher-rights objects are protected from lower-rights objects when UAC is on. So how would a lowest-rights browser in a LUA environment infect any system-owned apps then?

    Regards Kees
     