Sandboxie+ Isolation modes and Data protection

Discussion in 'Sandboxie (SBIE Open Source) Plus & Classic' started by DavidXanatos, Jul 26, 2021.

  1. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    1,099
    Location:
    Viena
    I need your Input on the topic of UI design.

    As you may remember I'm planning to create a new Privacy Enhanced Sandboxing mode https://github.com/sandboxie-plus/Sandboxie/issues/890
    In the Privacy Mode sandboxed processes will only be able to read C:\Windows\*, C:\Program Files\*, and parts of the HKLM registry; all other locations will need to be explicitly granted access to be readable and/or writable.

    As well as introducing Application Container modes, in which there is little to no security isolation, for people who want to use Sbie primarily for application containerization and deployment.


    Also as you know when creating a sandbox you can already choose between 3 presets
    1.) Hardened - Drop admin rights enabled
    2.) Default - well the new plus standard
    3.) Legacy - a bit lower isolation and more classic presets


    So to avoid confusion I was thinking it would be best to color code the boxes in the UI and also add a setting in the first tab of the general box options where this preset is displayed and enforced (i.e. other settings which would compromise the preset get disabled)


    The main issue is that we have not 1 but 2 aspects to the sandboxing
    1. Isolation: Hardened, Regular, Legacy, Lenient, App Container (NONE)
    2. Resource Access Mode a.k.a. Privacy Mode

    For the optimal customization these should be 2 independent settings, but I think this is not ideal and can't be represented with one color code.

    So I was thinking about defining presets which configure both aspects at once

    My current thoughts are as follows:

    Hardened Sandbox with Privacy Mode
    Hardened Sandbox
    Private Sandbox
    Regular Sandbox
    Custom Sandbox

    Legacy Sandbox
    Lenient Sandbox
    Application Container with Privacy
    Application Container

    So no idea what color to use for Custom and for Lenient; the only one left is Magenta. I mean sure I could introduce additional colors, but at some point it gets hard to distinguish them.

    Also I'm not sure what the Lenient mode should do; people requested it for games and/or video conferencing and desktop sharing. I mean it could be a mode which indicates full desktop access, "OpenWinClass=*" and "NoAddProcessToJob=y", and maybe a few more minor things like "OpenDevCMApi=y"

    We could make the Regular Sandbox and Custom Sandbox the same thing and drop the Legacy config altogether, as it's currently only "UnrestrictedSCM=y", "OpenPrintSpooler=y", "Template=OpenSmartCard", since all the other security enhancements are also enforced for the classical build.

    So maybe I should make it like this:
    1a.) Hardened Sandbox with Privacy Mode
    1b.) Hardened Sandbox
    2a.) Private Sandbox / Custom Sandbox
    2b.) Regular Sandbox / Custom Sandbox / Legacy Sandbox
    __.) Box configured without isolation, not denoted to be an App Container
    3a.) Application Container with Privacy
    3b.) Application Container

    I think this selection of 6+1 modes is reasonably comprehensive, we have 3 basic modes:
    1. Hardened
    2. Regular / Customizable
    3. App Container

    And 2 variations for each
    a. Privacy Mode
    b. Normal Mode

    as well as the non-configurable, display-only mode for when something is configured very insecurely without it being on purpose


    So the promotion from variant b. to a. is automatically done based on the future "UsePrivacyMode=y" option

    Promotion from mode 2. to 1. is governed by the "DropAdminRights=y" option

    And for the App Container / Lenient mode I would introduce a new setting "AppContainer=y", or should I be more explicit and call it "DisableSecurityIsolation=y"?

    So changing this preset in the drop-down would set these 3 options accordingly and fix other settings that are conflicting.



    When the user edits the ini section to enable a conflicting preset which lowers the security (increasing would be fine), the display would switch to the Magenta box display and the drop-down would indicate, idk, "Inconsistent box Preset" or something like this.



    Well enough rambling my lunch break is over....
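As an added illustration of the preset logic sketched in this post (not code from the Sandboxie-Plus project), the following Python derives the displayed preset from a box's ini options and flags the "inconsistent" case. The option names UsePrivacyMode, DropAdminRights and DisableSecurityIsolation are the ones proposed above and did not exist at the time of writing; which settings count as conflicting with a Hardened box is an assumption taken from the Lenient examples in the post.

```python
# Option names proposed in the thread (assumed; not implemented at the time of writing).
PRIVACY, DROP_ADMIN, NO_ISOLATION = "useprivacymode", "dropadminrights", "disablesecurityisolation"
# Isolation-lowering settings the thread lists for a Lenient box; treating exactly
# these as conflicting with a Hardened preset is an assumption of this example.
LOWERING = {"openwinclass": "*", "noaddprocesstojob": "y", "opendevcmapi": "y"}
# (normal name, privacy-mode name) per isolation mode, as named in the post.
NAMES = {"hardened": ("Hardened Sandbox", "Hardened Sandbox with Privacy Mode"),
         "regular": ("Regular Sandbox", "Private Sandbox"),
         "appcontainer": ("Application Container", "Application Container with Privacy")}

# Constructed Sandboxie.ini fragment used only for this demonstration.
SAMPLE_INI = """
[HardenedBox]
DropAdminRights=y
UsePrivacyMode=y
[GameBox]
DropAdminRights=y
OpenWinClass=*
NoAddProcessToJob=y
[AppBox]
DisableSecurityIsolation=y
"""

def parse_sbie_ini(text):
    """Parse into {section: [(key, value), ...]}; keys may repeat, so keep a list."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections

def classify_box(options):
    """Derive the preset a box would display from its (key, value) option list."""
    flags = {k: v.lower() for k, v in options}  # last occurrence wins for y/n switches
    mode = ("appcontainer" if flags.get(NO_ISOLATION) == "y"
            else "hardened" if flags.get(DROP_ADMIN) == "y" else "regular")
    privacy = flags.get(PRIVACY) == "y"
    conflicts = [f"{k}={v}" for k, v in options if LOWERING.get(k) == v.lower()]
    # A Hardened box carrying isolation-lowering settings is the case the post
    # wants shown in magenta as "Inconsistent box Preset".
    if mode == "hardened" and conflicts:
        return {"preset": "Inconsistent box Preset", "conflicts": conflicts}
    return {"preset": NAMES[mode][privacy], "conflicts": conflicts}
```

Running `classify_box` over each section of `parse_sbie_ini(SAMPLE_INI)` yields the preset name per box; a Regular box with lowering options is reported as consistent, matching the "Custom Sandbox" idea.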
     
  2. Quassar

    Quassar Registered Member

    Joined:
    Oct 19, 2011
    Posts:
    193
    Location:
    Poland
    Well done, will be helpful for my usage :)
     
  3. sevenstar

    sevenstar Registered Member

    Joined:
    Oct 19, 2010
    Posts:
    37
    Your brain works overtime!! :rolleyes:
     
  4. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,621
    Location:
    U.S.A. (South)
    Extremely interesting @DavidXanatos - Keep up the good work. Your innovative approach is drawing me near. And I'm one not easily impressed. That is until I see something like this.
     
  5. catspyjamas

    catspyjamas Registered Member

    Joined:
    Jul 1, 2011
    Posts:
    154
    Location:
    New Zealand
    "or should I be more explicit and call it "DisableSecurityIsolation=y""

    Yes this one - it just makes it more clear that enabling this option is security related and is going to lower an aspect of security.

    Excellent job btw. I probably need a few more coffees to properly take on board the upcoming changes you've detailed above. It would also be really helpful to let us know with the next edition, which settings are enabled by default (without having to try and comb through the ini to figure it out, especially for those with less tech knowledge), and which are opt-in. Thanks!
     
  6. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    1,099
    Location:
    Viena
    "DisableSecurityIsolation" sounds too long, but I guess "NoSecurityIsolation" is just as clear and short enough

    Also these plans are for build 0.9.5 or 1.0.0; there is quite a way until then, LOL

    But another thing... we could have most of the compatibility of an unisolated app container mode with quite some security, as we still can filter file system access and registry access using the driver, as well as access to other processes using ObCallback... so we could have a mode in between the hard core Sandboxie mode and the pure app container mode.

    Or, assuming the filtering won't break anything, I could make this the default app container mode with the option to disable it for a super insecure app container mode LOL

    So there would be another option "NoSecurityFiltering" LOL

    I mean, to bring it into perspective what levels of security we are talking about here, an App Container mode with filtering would be equivalent to the Comodo Sandbox,
    which is okay as long as no processes inside run with admin or higher privileges, which they can if the user clicks on a UAC prompt.
    So using such a container with drop admin rights + fake admin to be able to install things, as well as system-less MSI mode, would still be quite decent protection.
     
  7. superkryo

    superkryo Registered Member

    Joined:
    Jun 9, 2021
    Posts:
    27
    Location:
    Anywhere
    Sounds like a great plan, really looking forward to these
    What exactly does "Application Container" entail? Isolation of both registry and userdata? Is it possible to have an option for registry isolation only?
     
  8. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    1,099
    Location:
    Viena
    Application Container means that we virtualize the file system and registry, but we don't change the process token or apply other more limiting restrictions; hence a process could potentially escape the virtualization if it purposefully tried to. The upside is that in this mode the overall compatibility should be greatly improved.
     
  9. superkryo

    superkryo Registered Member

    Joined:
    Jun 9, 2021
    Posts:
    27
    Location:
    Anywhere
    Thanks, then would you consider an option for registry isolation only without virtualising/limiting the processes? The rationale is to keep a clean registry but much more reliable/secure than PortableApps or equivalent.
     
  10. Peter 123

    Peter 123 Registered Member

    Joined:
    Feb 1, 2009
    Posts:
    407
    Location:
    Austria
    Personally I am a great fan of different colors in software and often I miss them in user interfaces.

    But here we obviously have to do it with seven different colours, which will make it difficult for the users to see or to remember which color represents which mode.

    The following explanation gave me an idea for a possible alternative:

    What I see is that by chance each of these elements has a different initial letter: H - R (or C) - A (or AC) - P - N ;)

    So my idea is:
    Perhaps these 6 basic situations could be represented by the appropriate letters (instead of a color)?
    That means for example:
    H / P
    H / N
    R / P
    R / N
    A (or AC) / P
    A (or AC) / N

    I think that users will more easily remember that e.g. "H" means "Hardened" or "N" means "Normal" and so on - instead of having to combine every situation with a certain color. (If necessary, additional constellations could indeed be characterized by different colors).

    The problem is that I have no convincing idea where these letters should be placed so that they are easily readable. Perhaps within the icon? I only fear that then the dots won't be visible any longer clearly.
     
  11. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    3,977
    Very appreciated. Maybe one on each corner, no overlap.

    I would accept 3 or 4 colors, but not 12, that is overkill, even dark/light blue is too much.
     
  12. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    1,099
    Location:
    Viena
    Ok I see
    so how about
    1.) Hardened Sandbox
    2.) Regular Sandbox / Custom Sandbox / Legacy Sandbox
    3.) Application Container

    We avoid red and green and draw a rectangle around a box if it has privacy mode on,
    or a large + sign indicating it's a plus sandbox with privacy protection
     
  13. sevenstar

    sevenstar Registered Member

    Joined:
    Oct 19, 2010
    Posts:
    37
    Looks good!
     
  14. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,959
    Location:
    Mexico
    Create New Box

    Select restriction/isolation template:
    • Hardened
    • Default
    • Legacy Sandboxie Behavior
    Which one should I select for appcontainer?
     
  15. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    1,099
    Location:
    Viena
    appcontainer is not yet implemented, it's an upcoming feature around version 1.0.x
     
  16. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,959
    Location:
    Mexico
    Thanks.

    So, from those three current modes, which one is the least restrictive?
     
  17. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    1,099
    Location:
    Viena
    hardened is the most restrictive, the others are mostly the same with minor variations
     
  18. henryg1

    henryg1 Registered Member

    Joined:
    Jun 14, 2020
    Posts:
    179
    Location:
    uk
    Default v Legacy (general) differences?

    And how about different colours with a letter for the mode in it (H,D,L)? So long as the colours are sufficiently different, even if I can't initially remember the differences, it should be enough to prompt me that there is a difference to be aware of. The likely problem for me is going to be the empty/full recognition.
     
  19. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,959
    Location:
    Mexico
    My old geezer crappy slow third-world lappy lol, is struggling with Chrome + sbie 0.9.3 legacy mode, which I consider less restrictive. Struggles with Chrome in a way that it takes ages to fully open and load its GUI.
    By any chance do you have an alpha or the likes version to try an even less restrictive mode?
    Anything is better than browsing naked.

    @DavidXanatos
     
    Last edited: Aug 13, 2021
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,433
    Location:
    The Netherlands
    Interesting stuff, I remember months ago you were already thinking about this. So basically it's a bit of a less secure sandbox, but it will make more (trusted) apps run correctly inside the sandbox.
     
  21. Survivor

    Survivor Registered Member

    Joined:
    Jul 11, 2020
    Posts:
    128
    Location:
    Land of Oz
    Like the idea, how about just frame it, here is a new Pizza. Like container, legacy, with Firewall, hardened. (16x16x256)
     
  22. sdmod

    sdmod Shadow Defender Expert

    Joined:
    Oct 28, 2010
    Posts:
    1,081
    I think that drop shadow makes the text harder to read and it looks very small

     
  23. Survivor

    Survivor Registered Member

    Joined:
    Jul 11, 2020
    Posts:
    128
    Location:
    Land of Oz
    This is the smallest size we need, bigger is always easier, so I did the smallest 16px x 16px, which would be in list view. The text is the setting in my grabber and only as description here. :cool: Point was to demonstrate with 16x16 if that would work and I think it does. But that is only me. (I still like my Sandman too)
    @DavidXanatos if you want to make it really crazy, allow custom icons. However I think that would destroy the recognizability of the tool, which should be there. That's also why I think the old Pizza is quite important, also as homage to the original.
     
  24. henryg1

    henryg1 Registered Member

    Joined:
    Jun 14, 2020
    Posts:
    179
    Location:
    uk
    Bring back the pizza!
     
  25. sdmod

    sdmod Shadow Defender Expert

    Joined:
    Oct 28, 2010
    Posts:
    1,081
    +1
     