Sandbox by Zone + Restricted Read access + Banish sensitive data from the sandbox!

Discussion in 'sandboxing & virtualization' started by dabruro, Jan 3, 2008.

Thread Status:
Not open for further replies.
  1. dabruro

    dabruro Registered Member

    Joined:
    Aug 23, 2006
    Posts:
    15
    Location:
    New York, US
    What do you think about this 3-point approach? Is there any way to do this with existing products (or combination thereof)?!?

    1) SANDBOX BY ZONE:

    We need the ability to surf the web and have each site come up in a sandboxed or non-sandboxed browser according to whether we've designated it as a trusted/critical site (e.g. your bank).

    (There's no point in using a sandbox if you do your online banking within the sandbox, unless you always clear the sandbox just before you visit bank, which can get tiresome and lose information that you wanted to keep*.)

    This is similar to the Security Zones in IE, especially in Vista where it operates in a Protected mode "sandbox" (though I don't know that it can be *cleared* like other sandboxes) except when visiting Trusted sites. Can any of the sandboxing-type products talked about in this forum do this, e.g. block the sandboxed processes from accessing certain designated critical sites?

    2) RESTRICTED READ ACCESS:

    But Vista in the default configuration won't prevent the sandboxed process from *reading* your private data (has anyone experimented with changing this policy configuration?) -- I *believe* the same applies to Sandboxie but not to SafeSpace which has a data privacy feature.

    If you could prevent the sandboxed process from reading your sensitive data (like your banking password that you are storing or sending to your bank in the Trusted Zone outside of the Sandbox), that would be a big benefit.

    3) BANISH SENSITIVE DATA FROM THE SANDBOX:

    But then the problem is, you very well might *not* have added your bank to the Trusted Zone, or you might mistakenly enter sensitive information while visiting a non-Trusted site. Since we have to assume that the sandbox may be completely compromised on your machine, this means that you may be throwing your sensitive data (like banking authentication and the transactions themselves) to the wolves, defeating an important benefit of the sandboxing.

    So I think we need to combine zone/site-sensitive, read-restricted sandboxing with something that will stop you when it notices you trying to enter sensitive information (e.g. account numbers and passwords that you have previously designated) within the Sandbox. (And of course it must be impossible for a process *within* the sandbox to defeat this filtering.)

    Is there any way to do this with existing products (or combination thereof)?!?

    --------------
    (*) See my earlier post https://www.wilderssecurity.com/showpost.php?p=824135&postcount=12
    where I also talked about the more ambitious idea of automatically surfing each site in its own separate sandbox.
     
    Last edited: Jan 4, 2008
  2. dabruro

    dabruro Registered Member

    Joined:
    Aug 23, 2006
    Posts:
    15
    Location:
    New York, US
    Vista native sandboxing (Integrity Level --> IE Protected Mode)

    I've read more about Vista's Integrity Level feature, and it sounds more promising than I'd thought as far as limiting what a non-trusted party can do, even if they get you to run an arbitrary executable in the default protected mode IE:

    "...you can just do this:

    chml.exe c:\secrets -i:m -nr -nx

    This should prevent all the low IL processes, like e.g. Protected Mode IE, from reading the contents of your secret directory."
    http://theinvisiblethings.blogspot.com/2007/03/handy-tool-to-play-with-windows.html
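    As an added example (not the thread's own code and not part of chml.exe), the same kind of mandatory label can be applied from an elevated PowerShell with built-in Windows APIs and then read back with icacls; it additionally sets NW (no-write-up), which the quoted command does not spell out. C:\secrets is a constructed sample path and Set-MandatoryLabel is a helper name chosen here.

```powershell
# Assumption: Windows Vista or later, run as an elevated (High IL) user.
Add-Type -Namespace Win32 -Name Label -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool ConvertStringSecurityDescriptorToSecurityDescriptor(
    string sddl, uint revision, out IntPtr sd, out uint size);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetSecurityDescriptorSacl(
    IntPtr sd, out bool present, out IntPtr sacl, out bool defaulted);
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint SetNamedSecurityInfo(
    string name, uint objectType, uint securityInfo,
    IntPtr owner, IntPtr group, IntPtr dacl, IntPtr sacl);
[DllImport("kernel32.dll")]
public static extern IntPtr LocalFree(IntPtr mem);
'@

function Set-MandatoryLabel {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # ML = mandatory label ACE, OICI = inherit to files and subfolders,
        # NR/NW/NX = no read/write/execute from a lower integrity level, ME = Medium.
        [string] $Sddl = 'S:(ML;OICI;NRNWNX;;;ME)'
    )
    $sd = [IntPtr]::Zero; $size = [uint32]0
    if (-not [Win32.Label]::ConvertStringSecurityDescriptorToSecurityDescriptor($Sddl, 1, [ref]$sd, [ref]$size)) {
        throw "Bad SDDL '$Sddl': Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        $present = $false; $defaulted = $false; $sacl = [IntPtr]::Zero
        [void][Win32.Label]::GetSecurityDescriptorSacl($sd, [ref]$present, [ref]$sacl, [ref]$defaulted)
        # SE_FILE_OBJECT = 1, LABEL_SECURITY_INFORMATION = 0x10: only the label is replaced;
        # the directory's owner, group and DACL are left untouched.
        $rc = [Win32.Label]::SetNamedSecurityInfo($Path, 1, 0x10, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero, $sacl)
        if ($rc -ne 0) { throw "SetNamedSecurityInfo failed with Win32 error $rc" }
    } finally {
        [void][Win32.Label]::LocalFree($sd)
    }
}

$target = 'C:\secrets'   # constructed sample directory
New-Item -ItemType Directory -Path $target -Force | Out-Null
Set-MandatoryLabel -Path $target
# Show the directory's "Mandatory Label" line so the policy flags can be checked.
icacls $target | Select-String 'Mandatory Label'
```

A Low IL process such as Protected Mode IE is then denied read and execute access to the directory by the integrity check, before the DACL is even consulted.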
     