Do Chrome/Chromium-based browsers benefit from additional sandboxing?

Discussion in 'sandboxing & virtualization' started by Fox Mulder, Jun 10, 2012.

Thread Status:
Not open for further replies.
  1. Fox Mulder

    Fox Mulder Registered Member

    Joined:
    Jun 2, 2011
    Posts:
    203
    I'm aware that Chromium-based browsers have their own sandbox. Is there an appreciable security benefit to sandboxing these browsers with SandboxIE? My intuition tells me that there would be, just in case something breaches the Chrome sandbox, but I'm wondering what people think.

    I currently have all internet-facing programs except for my browser (Comodo Dragon) and video games sandboxed by SandboxIE but I don't know if I should take a further step and sandbox the browser.
     
  2. chris1341

    chris1341 Guest

    Chrome's sandbox 'is a C++ library that allows the creation of sandboxed processes — processes that execute within a very restrictive environment. The only resources sandboxed processes can freely use are CPU cycles and memory. For example, sandboxes processes cannot write to disk or display their own windows.'

    Sandboxie is different in that it provides a virtual environment where processes are replicated and restricted away from the 'real' system.

    One restricts, the other virtualises and restricts (and can be set to restrict further on a very granular basis). IMO they are not exclusive and can be used well together. I use Iron and SBIE with no issues.

    Do you need it? Up to you but even just for virtualisation I would. YMMV.
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    There is one significant benefit to Sandboxie'ing Chrome - if you run Java or Silverlight or some other plugin (not flash) Chrome doesn't sandbox it. So running Java in that sandbox would help.
     
  4. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,248
    Location:
    Chaotic Land
    And also forcing Java in EMET as well.
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Yes, definitely. I wouldn't run Java on Windows without EMET.
     
  6. Function

    Function Registered Member

    Joined:
    Feb 5, 2012
    Posts:
    76
    Location:
    UK
    I have EMET. How does one force Java into EMET?

    EMET is hard to understand >< I get so confused with trying to configure it. I finally understand a lot about sandboxie though :D
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
  8. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,248
    Location:
    Chaotic Land
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Yeah, Vista as well. I'll add a note, thanks.
     
  10. Function

    Function Registered Member

    Joined:
    Feb 5, 2012
    Posts:
    76
    Location:
    UK
    So I should put SEHOP as "opt in" correct? Seeing as I am using Windows 7.
     
  11. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,248
    Location:
    Chaotic Land
    No problem.

    SEHOP should be "Opt-Out" for maximum security.
     
  12. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Opt-In = Programs must explicitly opt into protection
    Opt-Out = Programs must explicitly opt out of protection

    Opt-Out is the more secure option.
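
As an added example (not code from the thread), the PowerShell below reads the two registry locations Microsoft documents for SEHOP (KB 956607) to report whether the system is in the opt-in or opt-out mode that EMET's SEHOP setting controls, and whether a given image such as java.exe carries its own per-image override. The function names are this example's own.

```powershell
# Added example, not from the thread. Registry paths and the
# DisableExceptionChainValidation value are the ones Microsoft documents
# for SEHOP (KB 956607); function names are this example's own.

function Get-SehopSystemMode {
    # System-wide SEHOP policy: 0 = on for every process unless an image
    # opts out (EMET "Opt-Out"), 1 = off unless an image opts in ("Opt-In").
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
    $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $val  = $item.DisableExceptionChainValidation
    if ($null -eq $val) {
        # Value absent: Windows client editions (Vista/7) default to opt-in,
        # so SEHOP is off unless a program enables it for itself.
        return 'Opt-In (default, value not set)'
    }
    switch ($val) {
        0       { 'Opt-Out (SEHOP on for all processes unless an image opts out)' }
        1       { 'Opt-In (SEHOP off unless an image opts in)' }
        default { "Unknown value $val" }
    }
}

function Get-SehopImageOverride {
    # Per-image override under Image File Execution Options; an entry here
    # takes precedence over the system-wide mode for that executable.
    param([Parameter(Mandatory)][string]$ImageName)
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    $item = Get-ItemProperty -Path (Join-Path $ifeo $ImageName) -ErrorAction SilentlyContinue
    $val  = $item.DisableExceptionChainValidation
    if ($null -eq $val) { return "$ImageName : no per-image setting (follows system mode)" }
    if ($val -eq 0)     { return "$ImageName : SEHOP explicitly enabled for this image" }
    return "$ImageName : SEHOP explicitly disabled (image opted out)"
}

# Report the effective policy for the system and for the two images the
# thread discusses: the Java plugin host and the browser itself.
"System SEHOP mode : $(Get-SehopSystemMode)"
Get-SehopImageOverride -ImageName 'java.exe'
Get-SehopImageOverride -ImageName 'chrome.exe'
```

Run it from an elevated PowerShell prompt; reading these keys needs no special rights, but writing them (which this script does not do) does.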
     
  13. Melf

    Melf Registered Member

    Joined:
    Sep 7, 2010
    Posts:
    105
    Other than Java, there's no practical benefit imo. It comes down to undiscovered future vulnerabilities.

    You have to weigh your "paranoia threshold" vs your "this is slightly less convenient" threshold.
     