Possible to blast through the Sandbox?

The more I think I think about it, the more I like the concept of virtualization. I like the idea of freely surfing without worrying too much because all the nasties will simply be trapped in the sandbox. So applications like sandboxie and greenborder have a lot of appeal.

But could malware break out of the sanbox is the question? Could the sandbox get full? How about somethiong at the kernel level, could that break the sandbox? Just really thinking out loud here and would appreciate feedback from the technical people that really know.

 

Re: Possible to blast through the Sanbbox?

I don't really know a lot of this but... a malware on kernel level cant be executed inside sandboxie, ask at sandboxie forums for more info: http://sandboxie.com/phpbb/

 

I read several technical articles that speak of new strains of malware that are able to recognize when they are in a sandbox, then are able to penetrate your defenses and get to your system. I don't have a link or reference as it was several weeks ago that I read the articles. Every one of the articles said that a more secure methods was running as limited account. A couple suggested using "DropMyRights" to run browser and email in limited mode. After reading those articles I downloaded DropMyRights and began following their advice. I know the two methods (sandboxing and limited account) are similar as far as not allowing malware system priviledges, but there are still a lot of differences, which I'm not technical enough myself to explain. If I can find the journal articles again I'll provide the links, as they are very interesting reading.

 

I think the question is whether you're going to run everything you download in the sandbox. If not, then that's one way malware could still potentially infect your system.

 

I wouldn't do that at all. Just call me skeptical. I finds it hard to believe that a siftware can create a truly isolated place on my hard drive that no malware can escape from.

I actually really love the concept because you aren't relying on your antispyware vendor keeping up with signatures and trying to stay ahead of the bad guys.

 

Re: Possible to blast through the Sanbbox?

I think that, in principle, a real virtualisation sandbox, designed to isolate (and not to guess) and running at kernel level is the safest tool available nowadays.

Some of the limitations are as follows:
- the quality of the code. A poor code can of course let holes behind or bugs leading to a misbehaviour of the sandbox.
- the balance between usability and safety. In this case, chocices are made by conceptors to let potential threats in order to keep an easy use of the product.
- the potential weaker protection of trusted processes accessing internet through vulnerabilities...

A good product well designed is almost imunising the system against all common threats (due partly to poor coding of nowadays malwares focusing on money earning).
But of course, vulerabilities can be found in sandboxes and therefore can be as well targeted by hackers.

 

Re: Possible to blast through the Sanbbox?

Some programs may need to write directly to the disk, for example it is not desirable to download the e-mails to a sandbox and delete them on the server. For Sandboxie that can be configured in Configuration -> Sandbox Settings -> Set File Copy Options, or manually (Edit Configuration) using OpenFilePath and OpenKeyPath.

 

Re: Possible to blast through the Sanbbox?

Hi, folks: I am using DeepFreeze home edition. Is it a sandbox/virtualization app? I am under impression that it might be one of the safest apps of its catagory(correct me if needed). During DF's frozen state, it freeze the whole drive C, creating an insulation wall w/ nearly zero permeablity(permeating nothing). Therefore any damadges created within sandbox is surely and safely contained. I like to have some DF users to concur my findings or some experts to rebuke my statements(sort of). Thanks.

 

Re: Possible to blast through the Sanbbox?

A bad code, yes i think that would be one weakness, aside from something that no sandbox could prevent, inherently.
For this i would like the opinion of some knowlegeble Wilders dudes and dudettes.

But for the trustes processes, there is no protection, remember, they are trusted. Defined by you or the program's default.

Thanks ejr, i was thinking of starting a thread like this if none would.

 

Re: Possible to blast through the Sanbbox?

On my WinXPpro System, with Sandboxie, it had no problems with Firefox, but with Internet Explorer (6) it would lock-up after a few pages opened and the last time, it closed the AntiVir Umbrella (Guard, Active Protection).

BufferZone (version 1.90-11 free single app.) seems to work fine, but I did notice that one Tracking Cookie (Excite.com) got outside the "Virtual" Folder and on the un-boxed Cookie list.

 

Re: Possible to blast through the Sanbbox?

This is not true. For DF, GB, Geswall, BZ, an untrusted process can not contaminate a trusted process. So trusted process are very well protected from the untrusted world. That is even the aim of this protection! For example, keyloggers often can listen other untrusted processes but have no access to trusted ones.

But in the same time, trusted programs are not protected from buffer overflows. Of course, the system legitimately thinks the trusted process performs an usual operation.

 

Re: Possible to blast through the Sanbbox?

"the potential weaker protection of trusted processes accessing internet through vulnerabilities..."

I probably didn't understand you right. But you said trusted processes accessing the internet, so they're not isolated from the system. I didn't say they weren't protected from untrusted ones.

 

Re: Possible to blast through the Sanbbox?

I found this to be an interesting read from the makers of 'Bufferzone'.

http://www.securityfocus.com/columnists/410/1

 

Re: Possible to blast through the Sanbbox?

Hi, folks: nice link,tabacco, thanks. According to BZ's creator, BZ is an application-level virtualization app. Does this imply that some of sandbox/virturalization apps may be something else? such as kernel-level ? Has anyone been able to identify most(if not all) of these apps as application-level or kernel-level? If most or all of these are indeed application-level, then I may have a legitimate concern. W/ Vista comes into stream early next year, the word"kernel" has been mentioned many times. Most security software firms are very much concerned w/ this "K" word. My primary concern is that if malwares' point of entry into our machine is at kernel level, which is lower than application, then BZ and its alike just looks alike a piece of junk, defenseless to say the least. I think we need exerts to explain all this to us. Please.

 

Re: Possible to blast through the Sanbbox?

Quote taken from article - "Could you describe the architecture you designed in more detail?

Eyal Dotan: Virtualization is done through a kernel module. A Windows Service instructs the kernel module on what policies to implement. In the corporate version, policy rules come from a BZ Server. In standalone versions, these policies come from the GUI Administration interface which the user can use to alter the pre-configured settings in the limited number of scenarios where that might be necessary".

Sounds to me that 'Bufferzone' operates at the 'Kernal Level' doesn't it?.

 

Re: Possible to blast through the Sanbbox?

you're right. But untrusted and trusted processes can communicate. In the framework of a buffer overflow, a simple command can "force" an application to perform unwanted actions, and it is seen on behalf of the trusted application itself. That's why trusted applications are susceptible to buffer overflow. This is a limitation of such virtualization hips.

On th other hand these same trusted processes are not sensitive to injection, classical attacks, deletion, keylogging... They are not isolated from the system but still from the outside.

From what I understand, kernel level application are simply denied the right to execute inside sandbox, or whatever you call it.

The point is that BZ and its alike have first hand. They primarily decide what other applications have the right to do. Installing a driver being forbidden by default for untrusted processes (from within sandbox), it will be impossible... except if the sandbox has itself a vulnerability and if the untrusted application "knows" of it, i.e., uses it to go out of sandbox to install the driver. Of course, if the application runs outside the sandbox (therefore trusted), and if this application is a malware, sandbox becomes useless, but this shouldn't happen, except with complicity of user himself.

 

Re: Possible to blast through the Sanbbox?

Now i understand fully what you mean.

On a side note: reading my first reply to you, note that i wasn't saying you're not knowledgeable, or otherwise. I'm just trying to lure others to join and give their thoughts on the vulnerabilities of sandboxes alike. You didn't even mention this, but i like to settle my statements. If i think i'm not being correct, i stand corrected .

 

Re: Possible to blast through the Sanbbox?

Fully ring0, as DW!

 

Hi, folks: hi, BZJet, thank you for the info. On post#16, you mentioned that kernel level application are simply denied the right to excute inside sandbox. Does this mean that malwares(kernel-level) do get chances to be planted outside sandbox, such as system files etc,if sandbox app doesnot sandbox these files? How about those kernel-level HIPS or antispyware real-time scanner(also kernel-level), do they get green light to stay active within sandbox? Any info will be appreciated.

 

Hi Perman,

First, to make things clear, I am only a simple user, and don't have deep technical knowledge, so I must confess that I reach the limits of my understanding of such tools.

By kernel level appication, I meant program trying to install a driver.

I should have said: an untrusted application can only run inside sandbox. So an untrusted application, so running inside sandbox, is simply denied the right to execute (install driver).
Furthermore it can not install or create program outside the sandbox.

No.

What for would you install and / or run security tool inside sandbox? It is trusted. I have Antivir, installed and running outside sandbox. Maybe you ask to know if you can use it for testing purposes. Well, you can but it won't be as powerful and complete as a real virtual machine.
I will test and come back to you about installation of such programs inside BZ sandbox

 

I downloaded Norton and tried to install it. Impossible because microsoft windows installer (necessary for norton install - it is a msi file) was not found by the setup program.

Then I tried to install defensewall inside BZ (I am sure at least that DW installs a pure driver) and guess what, DW install showed up a window saying that setuo couldn't install driver.

Hope I gave correct and useful info.

 

Hi,BZJet, thanks a million!

 

Re: Possible to blast through the Sanbbox?

By "application level virtualization" he means Bufferzone virtualizes applications.

He is distinguishing his product (as well as defensewall, sandboxie etc) from Vmware, Virtual PC etc which virtualizes whole machines up to and including the Operating system.

 

Re: Possible to blast through the Sanbbox?

Hi, folks: Thanks for the further clearification. So I can assume DeepFreeze is a drive-level virtualization app ? Because it virtualizes(freezes) the whole drive C; Is there any pros and cons in comparision with these two types of apps. I notice that member who posts #10, did get a tracking cookie outside the BZ sandbox, and how could this happen? Can you educate us? Thanks.

 

I guess Deepfreeze is good if you don't download software often. If the computer is relatively static, it's perfect. Everything stays the same after reboot.
I still don't understand if you can save files. Probably yes, it would be silly if you couldn't. But i don't have Deepfreeze, so i'm not sure. This is what i understood so far.