Sandboxie and/or SRP

Discussion in 'sandboxing & virtualization' started by moontan, May 16, 2011.

Thread Status:
Not open for further replies.
  1. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    well,

    after 2 months testing browsers i finally decided yesterday on using Firefox over Chrome permanently.

    the only thing is that i don't feel as protected using Firefox as Chrome.
    yes, Firefox runs from Program Files but it runs in only 1 process for all tabs at Medium integrity level.
    Chrome has of course its own sandbox with tabs that run at Low integrity level.
    or at least they should... ;)

    am i "fully" protected using Firefox with UAC at maximum + SRP + a Standard User account?

    or should i add Sandboxie?
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    You're never fully protected... but that's plenty. I personally wouldn't run firefox without sandboxie but, then again, I'd never run firefox if I were concerned about security.

    So while you're very much protected right now I'll still suggest sandboxie.
     
  3. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Integrity Levels

    A process started at a Low Integrity Level may "typically" access objects and containers (that's files and folders) at a higher Integrity Level, but may not modify. This is the default action.

    Thus, if you use icacls or chml to set firefox.exe to a Low IL, that firefox process is constrained/restricted to only modifying in areas that are ALSO Low IL. This means that almost all of your system will be off limits to creating/modifying/deleting by firefox when run at Low IL.

    Indeed, in order for firefox to work properly, there are a couple of directories you must also set to Low IL, as shown here
    https://www.wilderssecurity.com/showpost.php?p=1759315&postcount=1

    If this is all you do, then firefox run at Low IL will not be able to download anything except to those directories you set Low IL to. If you need to download files, create a directory for downloads, and set that directory to Low IL as well. This gives you a place to download to because firefox at Low IL can write to a directory with Low IL, but to no other location.

    If you are still fearful, you can also apply a no-execute to the download directory using icacls. It might be enough that the downloads directory is Low IL, so anything you do execute (or is executed without your knowledge) starts also with Low IL, and thus even though it executed, the rest of the system is off limits.

    Now, considering that you run as UAC/LUA, the shell (explorer) is running at Medium IL. If you browse to the downloads directory using windows explorer, and you execute a file you downloaded, a correctly set Low IL will be set to all objects placed within that downloads directory - this is inheritance - the objects you place within it are "inheriting" the Low IL. So, even though your Medium IL explorer is executing a file, the Low IL is forced upon it.

    A convenient way to remove the Low IL is to COPY the file out of the downloads directory and paste it somewhere else. The IL does not follow a copy/paste. However, if you were to MOVE the file, the IL would follow it.

    Just some food for thought ;)

    Sul.
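    The icacls steps Sully outlines (label firefox.exe and its writable directories Low, give downloads their own Low folder, optionally deny execute there, and rely on the fact that a copy loses the label while a move keeps it), as an added PowerShell example that is not part of this thread or of any poster's instructions. It assumes a 32-bit Firefox under Program Files (x86) and the usual Mozilla profile locations under APPDATA and LOCALAPPDATA; adjust the paths for your install. Run it from an elevated prompt, since relabeling a file under Program Files needs admin rights, and note that the "Low Mandatory Level" string it looks for is the English icacls output.

```powershell
# Added example, not from the thread: apply and verify Low integrity for Firefox
# and a dedicated Low-IL download folder. Paths are assumptions; adjust them.
param(
    [string]$FirefoxExe   = 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe',
    [string]$DownloadsLow = "$env:USERPROFILE\Downloads-Low",
    [switch]$DenyExecute   # also add a deny-execute ACE to the download folder
)

function Get-IntegrityLabel {
    param([string]$Path)
    # icacls only prints a "Mandatory Label\..." line when the object carries an
    # explicit label; no line means the default, Medium.
    $out  = & icacls $Path 2>&1
    $line = $out | Where-Object { $_ -match 'Mandatory Label' }
    if ($line -match 'Low Mandatory Level')    { return 'Low' }
    if ($line -match 'High Mandatory Level')   { return 'High' }
    if ($line -match 'System Mandatory Level') { return 'System' }
    return 'Medium'
}

function Set-LowIntegrity {
    param([string]$Path)
    if (Test-Path -PathType Container $Path) {
        # (OI)(CI) makes every new file and subfolder inherit the Low label,
        # which is what makes a downloaded file start Low even from Medium explorer.
        & icacls $Path /setintegritylevel '(OI)(CI)L' | Out-Null
    } else {
        & icacls $Path /setintegritylevel L | Out-Null
    }
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $Path" }
}

# 1. firefox.exe itself: a process inherits the label of its image when lower.
Set-LowIntegrity $FirefoxExe

# 2. Directories Firefox must be able to write to (assumed profile locations).
foreach ($d in "$env:APPDATA\Mozilla\Firefox", "$env:LOCALAPPDATA\Mozilla\Firefox") {
    if (Test-Path $d) { Set-LowIntegrity $d }
}

# 3. A Low-IL download folder, the only other place a Low firefox can write.
New-Item -ItemType Directory -Force -Path $DownloadsLow | Out-Null
Set-LowIntegrity $DownloadsLow

if ($DenyExecute) {
    # Deny execute/traverse (X) to Everyone (well-known SID S-1-1-0), inherited by
    # everything below. Normal users keep SeChangeNotifyPrivilege, so traversing
    # into the folder to read files still works.
    & icacls $DownloadsLow /deny '*S-1-1-0:(OI)(CI)(X)' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "deny-execute ACE failed on $DownloadsLow" }
}

# 4. Verify: a file created in the folder inherits Low; a COPY taken out of it
#    gets the destination's default label (Medium) again.
$probe = Join-Path $DownloadsLow 'probe.txt'
'test' | Set-Content $probe
$copy  = Join-Path $env:TEMP 'probe-copy.txt'
Copy-Item $probe $copy -Force

New-Object PSObject -Property @{
    FirefoxExe   = Get-IntegrityLabel $FirefoxExe
    DownloadsDir = Get-IntegrityLabel $DownloadsLow
    NewFile      = Get-IntegrityLabel $probe
    CopiedOut    = Get-IntegrityLabel $copy
}
Remove-Item $probe, $copy -ErrorAction SilentlyContinue
```

    To confirm the running browser actually picked up the label, start Firefox and run "whoami /groups" from a command prompt launched by it, or check the Integrity column in Process Explorer: the process should show "Mandatory Label\Low Mandatory Level". If a Low firefox cannot save its session or cookies, a profile directory is missing from step 2.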
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Isn't the reason that Chrome installs to AppData because it's LowIL? I'm not sure. I remember there being security reasons for it but it may have been because it wants to avoid UAC.
     
  5. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    tnx a lot folks! :)

    i'm going to look at setting Low Integrity for Firefox.

    it seems a little technical but i think i could figure it out.
    if not, i'll use SBie. :)

    couple of questions:
    -where do i get icacls
    -any tutorials for it?
     
    Last edited: May 16, 2011
  6. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I am not "exactly" sure, but I can hazard an assumption.

    I think Chrome installs to AppData because it is in user space, which allows it complete flexibility in what it does, because the user has full rights there. The Chrome "broker" or parent process runs at High or Medium IL (depending on whether you are admin or user) and each thread it creates should run at Low IL (although I think there is a bug which causes it not to sometimes). It is the broker that has control over the AppData directory, which I don't believe is at Low IL by default (although I haven't checked, as I use Chromium and copy/paste it where I want).

    There should be no reason then for UAC at all, as if Chrome updates itself, the broker does it with Medium IL, and has all rights needed to modify what it needs to in AppData. If Chrome were installed to Program Files (but not the profile obviously), the broker process would then need the High IL of an Admin to update the objects.

    I personally think it is for ease of use in a user environment.

    One thing I find interesting about Chrome/Chromium is how the broker works. You can save files wherever you desire (well, within your rights) from a Low IL process because it is the broker at Medium/High IL which is doing the actual writing. I would think if there was a hole in Chrome, that is where it would be.

    Sul.
     
  7. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    from command prompt, type this in
    icacls /? > c:\users\<your user name>\desktop\icacls_help.txt

    This will dump a text file with the output of icacls /? - which shows the syntax for icacls

    If you look at the many threads Kees or myself have been involved in, you will find many examples by us or m00nbl00d. I think MrBrian also posts a lot of those type commands too (sorry if I forgot anyone, not trying to :) )

    Sul.
     
  8. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    tnx sully, :)

    i'll look into it.
    ---------------
    edit:
    way too complicated for me.
    i'll just re-install SBie.

    tnx folks! :)
     
    Last edited: May 16, 2011
  9. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    I've had a lot of luck using applocker with Sandboxie. I'm pretty sure that is as close to perfect protection as you can get... There are almost no usability constraints, and nothing can launch.

    Applocker can put a restriction rule on the Sandbox folder (SRP can't do this because it's run in user mode, and sandboxie fools it). If you deny everything in the Sandbox folder, nothing can execute. Sandboxie can keep things contained pretty well by itself, but there was always a gaping hole in the form of read access. Now, we don't really have to worry about this, because any exploit of the browser will create files in the Sandbox, and none of them will be able to create a new process.

    I permit everything else with applocker because I don't really want to be bothered dealing with the restrictions, especially since I see no need for it.

    Being that I sandbox just about everything I run, I don't see much need for running a more restrictive environment.
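    The AppLocker setup hpmnick describes (permit executables everywhere, deny anything under the Sandboxie container folder, so a file dropped by an exploited browser cannot start a process), as an added PowerShell example that is not part of this thread or of any poster's configuration. It assumes the default container root C:\Sandbox (check Sandbox Settings in Sandboxie Control for the real one), a Windows edition that includes AppLocker, and the Application Identity service running. The rules are evaluated with Test-AppLockerPolicy against a probe copy of cmd.exe before anything is applied; nothing is enforced unless you pass -Apply.

```powershell
# Added example, not from the thread: AppLocker Exe rules that allow everything
# except the Sandboxie container folder. $SandboxRoot is an assumption.
param(
    [string]$SandboxRoot = 'C:\Sandbox',
    [switch]$Apply        # merge the rules into the local policy and start AppIDSvc
)
Import-Module AppLocker

# AppLocker evaluates Deny rules before Allow rules, so the path deny wins even
# though the second rule allows "*". S-1-1-0 is the well-known SID for Everyone.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny execution from the Sandboxie container"
                  Description="Files written by a sandboxed process cannot start a process"
                  UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="$SandboxRoot\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow all other executables"
                  Description="Permit everything else, as in the thread"
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyFile = Join-Path $env:TEMP 'sandboxie-applocker.xml'
Set-Content -Path $policyFile -Value $policyXml -Encoding UTF8

# Dry run: Test-AppLockerPolicy needs real files, so drop a probe copy of cmd.exe
# inside the container root and compare it with the original outside it.
$probeDir = Join-Path $SandboxRoot 'probe'
New-Item -ItemType Directory -Force -Path $probeDir | Out-Null
$inside  = Join-Path $probeDir 'cmd-probe.exe'
$outside = "$env:SystemRoot\System32\cmd.exe"
Copy-Item $outside $inside -Force

Test-AppLockerPolicy -XmlPolicy $policyFile -Path $inside, $outside |
    Select-Object FilePath, PolicyDecision, MatchingRule
# Expected: the file under $SandboxRoot is Denied, the System32 one is Allowed.

Remove-Item $probeDir -Recurse -Force -ErrorAction SilentlyContinue

if ($Apply) {
    # Enforcement only happens while the Application Identity service is running.
    Set-Service AppIDSvc -StartupType Automatic
    Start-Service AppIDSvc
    Set-AppLockerPolicy -XmlPolicy $policyFile -Merge
    Write-Host "Rules merged. Blocked launches appear in the AppLocker EXE and DLL event log (event 8004)."
}
```

    Two caveats from the way this is set up: the Allow "*" rule is the thread's "permit everything else" choice, and the alternative is to generate AppLocker's default rules instead and keep the deny on top; and a path rule is only as good as the path, so if the container root is ever moved (Sandboxie lets you change it) the deny has to follow it.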
     
  10. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    tnx m8!

    the only things that have Internet and Start/Run access in SBie are firefox.exe and plugin-container.exe

    i also have Drop Rights enabled.

    with SRP, UAC at max and SUA + SBie that ought to be enough.
     
  11. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
    No need to have Chrome install to AppData. Just install Chrome using Google Pack and it installs the application and updater in Program Files.
     
  12. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    Yeah, I don't see any conceivable way anything will break through that.. If anyone manages to, I'm sure the apocalypse is around the corner..
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    There are problems that go along with this. If you use program folders it can update you at weird times.
     
  14. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    I don't like installing it into appdata for the simple reason that it's writable for a regular user. If you keep programs in program files, you need Administrator rights to alter the executable. If it's left in appdata, anything executed in userland could easily pack a dropper onto the chrome executable and use it to maintain access.

    Typically it's a good idea to separate commonly used applications from user write space.
     
  15. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Firefox has 2 processes by the way. The other one is plugin-container.exe, which obviously isolates plugins. It isn't sandboxed though.
     
  16. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    UAC at Max.
    make firefox and its default directory run at low integrity via icacls.
    add firefox in "HKCU/Software/Windows NT/AppCompatFlags/Layers" in regedit to enable UAC Virtualization (find Kees1958 tutorial)

    IMO SRP is not needed, but it will definitely add as a security layer.
    Standard User Account not needed but you can also go for it.


    you're pretty safe without Sandboxie with that but if you want to clean all traces after browsing for privacy adding either Sandboxie, Geswall or Returnil won't hurt :)
     
  17. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    tnx but this stuff is too complicated for me. :doubt:
    i'll just stick with what's in my sig for the time being.
    --------------------------------------------------
    edit:
    uninstalled Sandboxie as well.
    it cripples my internet experience and i find i get irritated using it.

    i've re-installed an old "friend"; Geswall Pro.
    i'll see how the latest version fares...
     
    Last edited: May 16, 2011
  18. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    If you are having trouble with Sandboxie, it can be customized to behave however you want it to behave.. Personally, I only have drop my rights on as the only real restriction. I also give "direct access" to a few folders so I can save stuff without a recover prompt.

    Typically, when I use Sandboxie, the only difference is that I have hash marks in the title bar of the window.
     
  19. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    to behave like i want i'd have to give it access to the whole Profile folder.
    and Drop Rights does not really matter if you run from a Limited/Standard account, which i do.

    hopefully, those bugs i experienced with Geswall over a year ago have been fixed since then.
    i enjoyed Geswall back then.
    it's totally "transparent" in my daily usage.
    out of sight, out of mind; the way i like my security app. ;)
    i'll see how it goes...
     
  20. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,768
    Location:
    Nicaragua
    That's pretty much how I feel. The only difference using or not using SBIE is the hash marks and occasionally I can not view a video that I can unsandboxed. Everything else works the same.

    @moontan, check your settings in SBIE. If you try SBIE again, start out with a default sandbox and change settings at a slow pace, not all at once.

    Bo
     
  21. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I would say SBIE adds a second or two to the browser load times, and on some sites it might add an extra second to page render, but overall hardly noticeable.

    For me the only time SBIE was sluggish and caused what I would call a slower experience was on one specific version, maybe between versions 3.28 to 3.38 or somewhere in that area. Since that version, I don't notice any difference in any aspect with my current configs, which I have been using for quite some time now, maybe 2-3 years.

    Sul.
     
  22. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    Well, to each his own.. but you can actually give access to the firefox profile folder if you want to. Typically, I just allow history and cookies to be saved. If I want to add an extension or something, I will start unsandboxed.. then just reload the browser in sandboxed mode..
     
  23. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    tnx m8! :)

    ideally, i'd like to learn about this icacls stuff.
    i like the idea of having tweaks like that because it does not need an extra piece of software like SBie or Geswall.

    So far, Geswall works really good but i'd like to get rid of it if i can ;)
    edit: just got BSOD'd so Geswall is gone permanently.

    i'll spend this afternoon playing with this icacls stuff see if i can figure it out.
     
    Last edited: May 17, 2011
  24. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    I've seen this slowness effect on some computers, but mostly on slower/older computers... I think its a disk access problem though, possibly due to increased I/O from Sandboxie. My wife's computer is where I've seen it the most, and her drive is almost full. I cleared some space on it a few times and defragged, and this usually has helped a bit... and this is what led me to believe its a disk speed related problem.
     
  25. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    [brag]It's very easy... it took me less than 1 minute to type the commands. [/brag] :D


    ^ this I did not know. thanks.
     
    Last edited: May 17, 2011