Possible to blast through the Sandbox?

Discussion in 'sandboxing & virtualization' started by ejr, Dec 10, 2006.

Thread Status:
Not open for further replies.
  1. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
    Hi, folks: Using DeepFreeze is like having a borrowed/disposable PC. During the Frozen State the whole partition/drive is virtualized. Any changes/alterations will stay there until rebooting. Therefore, it is safe to assume that file additions, registry modifications and so on cannot be saved. The one I am using is the standard edition, while the enterprise edition may have more options and flexibility. DF is indeed a very, very secure, safe application; as I mentioned many times before, each PC should have been equipped w/ this baby from day one. Just my wish.:)
     
  2. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,531
    Location:
    British Columbia
    As previously stated, DeepFreeze is a fine program for protecting 'static' systems and if this is your case, it will suit you well. For others, who are constantly trying different programs and setups, DeepFreeze would be somewhat of an inconvenience, especially for programs that require a reboot to complete the install. So as far as pros and cons go, it depends on your needs.
     
  3. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Given that we are currently in the sandbox/virtualization is "the cure to all our problems" craze, I think it behooves me to raise a caution. Here's an interesting article by Roger Grimes

    http://www.infoworld.com/article/06/11/03/45OPsecadvise_1.html

    Entitled "Seven shortcomings of virtual security: Don't be fooled into thinking virtual security technologies are a panacea for your malware woes"

    Some highlights

    No mention of our forum darlings Sandboxie or Defensewall (though he might have tried them too), but Bufferzone seems to be a good enough representative.

    I know he is supposed to be an expert instructor on hacking, but within an hour seems too easy... Or is he really that good?

    Not sure about this one. Have to test.

    Well that's hardly surprising. I'm sure we beta-testers can root these problems out and prevent buffer overflows :)


    Never seen this happen. But hey it could happen...

    Not sure about this one, it appears only in the electronic version but not in the print version copy, either he added it later to the electronic copy or he removed it from the print version. Not sure which one is more current..


    I know that the current dogma in this forum at this time is that sandbox+virtualization is the obvious, correct and only solution, so don't kill me..... just bringing an alternative opinion here from a fairly well known expert on security...
     
  4. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    There is no better computer security defense than having a known, good, safe data backup, right?...
     
  5. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Well it's more like your defense has already failed.
     
  6. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    I disagree.

    Different points:
    - I prefer having a defense that misses a few sometimes than one (antiviruses) that misses half all the time.
    - There is no proof of what is written. The specialist should show his tests so that we can judge by ourselves. Scientifically speaking, something is true when it can be reproduced. Concerning BZ, I know some of the limitations, and some bugs, but I tried to break through with usual (yet simple) methods, and it looks OK so far.
    - To finish, you have to be targeted. Who would specifically target me and my virtualization defense? Who would spend even 30 min. to do so?
     
  7. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    BTW, it looks like every existing and yet to come defense has already failed...
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,579
    Location:
    The Netherlands
    Nice analysis DA, that article was interesting to read, but I would sure like to see some proof that these sandboxes can easily be circumvented. :rolleyes:
     
  9. pilotart

    pilotart Registered Member

    Joined:
    Feb 14, 2006
    Posts:
    377
    Back on post #10 (11 Dec.) I had made the statement:
    and I have just run my BufferZone Protected Internet Explorer, for which Excite.com requires minimum security settings;
    this is the current "cookie" status.

    There are the cookies that I would expect (they are 1 or 2KB Text Documents) located within the BufferZone
    C:\Virtual\Untrusted\C_\Documents and Settings\a\cookies\a@adopt.euroclick[3].txt a 1 KB Text Document and inside the Red Border.


    The C:\Documents and Settings\a\Cookies also has a list of cookies modified by today's visit and they are all listed as:

    C:\Documents and Settings\a\Cookies\a@adopt.euroclick[3].txt.virtual a 3 KB Shortcut and all of these (and the folder) are also inside a Red Border.

    So I think I had misunderstood the Virtual Folder setup and the Red Border Protection which seems to have also been provided to the Cookie Folder that I assumed was not protected since it was not under 'Virtual\Untrusted' tree.:oops:

    BufferZone has given my IE Browsing complete isolation from the looks of that structure above and I regret doubting that fact before.:'(
     
    Last edited: Dec 21, 2006
  10. tayres

    tayres Guest

    One way described by Sandboxie's author:

     
  11. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,770
    Location:
    New Mexico, USA
    I don't really buy the writer's claim that he can defeat any sandboxing/virtualization software with 'minimal' effort. Talk is easy. Show me the proof. Ilya Rabinovich beat an older version of Bufferzone a while back and admitted, I think, that it wasn't easy, and he definitely knows what he's doing.

    I will agree that nothing is 100% safe these days, and as a security software gains in popularity there are those who will work night and day to find a way to beat it - and they eventually will. Hopefully, with constant upgrading, the security sandboxing/virtualization folks can keep a half step ahead of the malware writers.
     
  12. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    Let's face another fact:

    What DA said could be accepted as is if, and only if 80 or 90% of users had a sandbox or virtualisation security program. In this case, hackers would spend time to break through to eventually gain money.

    But the real world is different. Why spend time and energy on breaking sandboxing technologies, when you have millions and millions of computers which barely have a simple antivirus (updated) and no firewall?

    I think I have a Rolls Royce of security, not only because it is a very efficient way to keep malware out of my computer (as any other kind of HIPS actually), but also because the level of knowledge necessary to gain access to my computer is far beyond the possible monetary gain a hacker can expect by doing so. So I just make sure I will not be the target of anybody.
     
  13. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,770
    Location:
    New Mexico, USA
    Good point, BZJet. An ideal example of one of the millions is our next door neighbor. She recently bought a computer with the Norton trial. It wasn't installed, just the .exe sitting on the desktop. She thought she was protected since Norton was there!!o_O My wife ran the install and she's good for another month, then we'll have to explain to her why she needs to either buy Norton or remove it and install something else.

    But, it wasn't but a few years ago that I was just as dense and still am about some security things.
     
  14. yankinNcrankin

    yankinNcrankin Registered Member

    Joined:
    May 6, 2006
    Posts:
    406
    If someone knew how a program was coded (structured, built, designed, etc.), of course it is very possible to blast through a sandbox. Which is why a layered defense is necessary to try and stop whatever code or script tries to execute as a result of a discovered vulnerability in a program. Even if hackers were to find vulnerabilities in a sandbox-type program, if the user has a good layered defense, the hacker would still need to get past all the other stuff. I have yet to experience such a breach on my box. :)
     
  15. EASTER.2010

    EASTER.2010 Guest

    Absolutely! And try as they may, you can put up a very formidable gauntlet (Layered Shielding) that any series (version) of malware/rootkit will have a devil of a time just to reach the half-way point if it even can.

    I always have said and still say that until the day comes that they can master a hijack of the electrical current itself, they are going to continue to be limited in how far they can advance even their best efforts of malware/intrusion code into a PC fully equipped with the latest security shields (updated), and doubled up in some instances, like mine. :D

    That includes Shadowing/Sandboxes, AS, AV, HIPS in all forms, many as they may be now. It pays to not put all your eggs into a single basket when it comes to these matters.
     
  16. MICRO

    MICRO Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    1,020
  17. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Chill guys.

    The question was whether it is possible to "blast through" the sandbox, and the answer is yes obviously.

    Whether you have been hacked in the past or not has no bearing on the question of whether sandboxes can be defeated; as you said, probably no one has tried yet on your system, so pointing to that fact seems self-defeating.

    Neither is the question on whether the "gods" of layered defense can protect you.

    In other words no one is saying you are going to get hacked. The question is whether the sandbox can be defeated, and the answer is it can and was and will be in the future!

    Seriously, people here need to get a grip and stop this whole defensive, "I'm not going to get hacked no matter what cos I got a super invincible fortress setup" raving reaction whenever someone points out that nothing is 100% or something could possibly be beaten.

    No one is saying you are going to get hacked!!!!
     
  18. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
  19. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    One more point here. It is very important also to have many security vendors available and active: big, medium and small. In case malware writers find a hole within one vendor's product, it will always be possible to be protected with another vendor's. If there were one huge security vendor and no competition at all, one small security hole would lead to hundreds of millions of infections within a couple of days.
     
  20. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,770
    Location:
    New Mexico, USA
    Absolutely correct, Ilya. I can also add that having many vendors keeps each one working harder to make the best software. I wonder how many will drop by the wayside now that Windows Vista is out. I've heard and read that Microsoft won't give the needed info to some to be able to develop software for Vista, Blink being one because they exposed a security hole in Vista.
     
  21. EASTER.2010

    EASTER.2010 Guest

    ABSOLUTELY UNEQUIVOCALLY CORRECT!

    Thanks Ilya for making that perfectly clear, spoken/posted by a most revered & respected developer such as yourself. :thumb:
     