How secure is Chrome's sandbox?

Discussion in 'other anti-malware software' started by moontan, Apr 3, 2011.

Thread Status:
Not open for further replies.
  1. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    i was reading this review of Chrome 10 on PCMag and i got particularly interested in the security section where they talk about the sandbox:

    here's the linkie to the review:
    -http://www.pcmag.com/article2/0,2817,2373860,00.asp-

    there does not seem to be much info out here about Chrome's effectiveness against malwares.

    has there been any tests to see if malwares can get out of Chrome's sandbox?
    i am especially interested to hear how it does against drive-by malwares.
     
  2. Matthijs5nl

    Matthijs5nl Guest

    Chrome's sandbox is indeed a strong security solution (especially with --safe-plugins), but not against all types of threats. You can't compare it to Sandboxie for example.
    Chrome's sandboxing is very strong against exploits and drive-by downloads, but not against ordinary malware (trojans etc.) and phishing threats. Microsoft's SmartScreen filter is unmatched in that area.

    That is why I have always hoped that Internet Explorer 9 would feature the same sandboxing techniques as Chrome does, however IE9 only partially sandboxes. Since the combination of Chrome's sandboxing and Microsoft's SmartScreen filter would be unbeatable. Combine that perfect browser with built-in security measures (Windows Firewall, operating system hardening with assistance from EMET), backup and a system image and an on-demand scanner (Hitman Pro is the perfect candidate) and you have bulletproof protection.
     
    Last edited by a moderator: Apr 3, 2011
  3. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    It totally isolates the code you are running in your browser using the OS internal mechanism: simply brilliant

    Only coding errors (exploits) in the underlying Windows OS or the components Chrome itself uses could cause intrusions, it is that strong.

    It is a theoretical near 100% (practical 100% is impossible, because every man made software or product could have errors)
     
  5. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    tnx kees!
    that is information that will not go to waste. :)

    it's quite surprising that you hear a lot about Chrome speed but rarely about its security performances.

    many tnx to matt and doktor as well for their help. :)
     
    Last edited: Apr 3, 2011
  6. Pandorian

    Pandorian Registered Member

    Joined:
    Sep 25, 2009
    Posts:
    11
    I have always liked this Charlie Miller quote on Chrome security:

    http://tech.blorge.com/Structure:%20/2010/04/01/google-chrome-survives-pwn2own-intact/
     
  7. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yep and when you disable installer detection, UAC will only elevate from safe places, meaning not the C:\Users\etc. So Chrome will always run in a LUA container.
     
  8. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
  9. Kyle1420

    Kyle1420 Registered Member

    Joined:
    May 27, 2008
    Posts:
    479
    Thanks andyman!
    Guess I'm extra secure running chrome in sandboxie :D
     
  10. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    I'm always intrigued by the concept of running a sandbox within a sandbox, alas it hurts my head to think about it too much. o_O
     
  11. Cvette

    Cvette Registered Member

    Joined:
    Apr 16, 2010
    Posts:
    373
    Location:
    South Carolina, USA
  12. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
  13. Cvette

    Cvette Registered Member

    Joined:
    Apr 16, 2010
    Posts:
    373
    Location:
    South Carolina, USA
    Starting to sound like it.

    Heck, I wonder what would happen if Google made an antivirus?
     
  14. carat

    carat Guest

    Every Google AV would get a unique AV ID ... :rolleyes:
     
  15. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Isn't the unique ID thing a bit old now? On topic, a Google AV might actually work. We could argue about whatever privacy issues would come up, but I bet they could pull it off.
     
  16. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,854
    Google has been blocking malicious URLs/phishing sites for ages, Firefox uses its list too. Not sure why it's being advertised as a "new feature". I believe the deal here is that SmartScreen is simply doing the best job at it, hence why it's being incorporated into hotmail, messenger, IE, etc.
     
  17. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    791
    Location:
    India
    sorry if the question looks stupid...

    how to disable installer detection? what are safe placed locations?

    Is there a way to configure chrome to achieve the below functionality like firefox's one -
    1) delete selected set of browsing history (like cache,cookies,download history, form and search history) when browser closes. (tips are welcome for ie9 even)
    2) backup list of java-script allowed sites.
     
  18. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Safe locations are C:\Program Files and C:\Windows.

    The easiest way to disable installer detection would be to copy the following to a Notepad file and save it with the extension *.reg, by properly naming it like Disable_UAC_Installer_Detection.reg
    Then, if you're using a standard user account, open cmd.exe with administrator rights; then pressing the SHIFT key on your keyboard, right-click the file Disable_UAC_Installer_Detection.reg and choose "Copy as path"; then go back to cmd line and click the cmd line icon - Edit - Paste. Press enter. You should get a confirmation to apply the registry change.

    Otherwise, temporarily enter your administrator account, and copy the *.reg file over there and execute it.

    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    "EnableInstallerDetection"=dword:00000000
    

    Just press CTRL+SHIFT+DEL and then clean what you wish to clean.

    Chrome's preferences are kept in a file called Preferences, placed in Chrome's profile folder. Look in there.

    I know you didn't ask me... but... well... I felt like I could be of some assistance. :argh:
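
An added example, not part of the post above or of any participant's reply: a PowerShell equivalent of the .reg import that first reports the current value of `EnableInstallerDetection`, so it can be restored, and writes `0` only when asked. The `-Apply` switch and the function names are hypothetical, chosen for this example.

```powershell
# Audit, and optionally set, the UAC installer-detection policy value that the
# .reg file in the post changes. Reading works from a standard user account;
# writing under HKLM needs an elevated prompt.
param(
    [switch]$Apply   # hypothetical switch name: without it the script only reports
)

$key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$name = 'EnableInstallerDetection'

function Get-InstallerDetection {
    # Returns the DWORD as an int, or $null when the value is not present.
    $props = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return [int]$props.$name
}

function Test-IsElevated {
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

$before = Get-InstallerDetection
if ($null -eq $before) {
    Write-Output "$name is not set under $key"
} else {
    Write-Output "$name is currently $before (note this value to restore it later)"
}

if ($Apply) {
    if (-not (Test-IsElevated)) {
        throw 'Writing under HKLM requires an elevated PowerShell prompt.'
    }
    # Same change as the .reg file: "EnableInstallerDetection"=dword:00000000
    Set-ItemProperty -Path $key -Name $name -Value 0 -Type DWord

    $after = Get-InstallerDetection
    if ($after -ne 0) { throw "Verification failed: $name reads back as $after" }
    Write-Output "$name set to 0 and verified"
}
```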
     
  19. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    791
    Location:
    India
    first of all a big thanks for answering all my questions patiently :)

    This does definitely help me. But i wanted, this one particular feature at least to be borrowed from firefox. it's really a set&forget setting and u never need to bother about cleaning traces...
     
  20. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    You could try and see if there's any Google Chrome extension that does it. There's one called Click&Clean, but I don't know whether or not it automatically cleans cookies, etc.
     
  21. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Hmmm, well if you are wiping all this stuff all the time, you might as well use incognito mode instead and be done with it. Just add --incognito to the shortcut.
     
  22. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Incognito isn't that much of an incognito... Same from IE Private Browsing... etc... They leak... like leaky diapers.... :argh: At least, it has always been my experience.

    Not to mention that under certain conditions, when doing something in Chrome, like clicking the link for Adobe Flash Player settings, Chrome will break out of the incognito mode... which is ... stupid. :D If I'm forcing something to run incognito, then I'd expect it to always run incognito...
     
  23. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,854
    What exactly does it leak? The main purpose is that it doesn't remember your internet activities, which it (Chrome/IE) seems to do fine at when using my bank service?
     
  24. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    CCleaner always seems to have stuff to clean for IE, which is always run in Private Browsing and forced to delete temporary internet files. I wonder what it fails best at. :D

    Chrome's incognito mode... well... it leaks... when the conditions I mentioned happen.
     
  25. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,115
    After all, there are incompatibilities between the Chrome Sandbox with Sandboxie?
     