Sandboxie technical tests and other technical topics discussion thread

Discussion in 'sandboxing & virtualization' started by MrBrian, Oct 17, 2014.

  1. 142395

    142395 Guest

    Really thank you, nothing would make me happier than praise from such an English expert!
    I'm learning English to study abroad, but my TOEFL score is currently far from my goal... :'(
     
  2. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Hi, Yuki, first of all thanks for your answers, nerves, patience and time above all, and I think I finally understand what you meant, but I have one quick and short question: can I use any anti-exploit (HitmanPro.Alert, Malwarebytes Anti-Exploit or EMET, etc.) with Google Chrome?
    IE and Mozilla Firefox are never the problem, but the reasons why I ask about Google Chrome are the following:
    I read one post from FleischmannTV where he said that using an anti-exploit with Google Chrome will only decrease Google Chrome's security and protection level.
    Is this true? Is this more of an attack surface thing or something else? Because I'd be happy to use an anti-exploit with Google Chrome, but if it's true that an additional program (in this case the anti-exploit I want to use) will only decrease Google Chrome's protection, then no thank you, then I will use them only for Mozilla Firefox and Internet Explorer.

    Hopefully, you and also FleischmannTV will both see this post and give me some insights and recommendation what choice to choose in the end.
     
  3. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Guys, keep in mind this is a thread about SBIE, and not Chromium. It's starting to lose focus. Please keep it a bit more on topic.
     
  5. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,093
    Location:
    Germany
    @CoolWebSearch

    I know what you meant, but at the time I wrote this, I had just read on the Chromium wiki that third-party content injecting into Chromium or other components like web scanners are the biggest security risk for the sandbox on Windows, aside from fundamental operating system vulnerabilities. Since I am no security expert - and I apologize, should I have ever given that impression to anyone - I cannot say whether third-party tools are beneficial or not.

    The stuff I am most sceptical about is web AV components. Tools like MBAE, HMP.Alert or EMET are probably beneficial, but all this is just a guess.

     
  6. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,807
    Location:
    .
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Don't know. If SBIE could do it, don't know why Defense Wall couldn't.
     
  8. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,807
    Location:
    .
    Speaking about DW, I can just say what Ilya told me when I asked for an x64 version of it: that due to PatchGuard restrictions he could never make it unless he was willing to sacrifice security/robustness, but as we saw, he wasn't.
     
  9. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    (Curt@invincea)

    http://forums.sandboxie.com/phpBB3/viewtopic.php?f=5&t=19163&sid=eba4b41c50a277f48de88fe003c13750


    Anup Ghosh, founder and chief scientist, Invincea Inc.

    http://searchsecurity.techtarget.co...re-security-but-it-has-weaknesses-expert-says


    Anup Ghosh, CEO of virtualized containerization vendor Invincea.

    As for the vulnerabilities discovered by Bromium, Ghosh doesn't deny the imperfection of the
    sandboxing approach. Vulnerabilities are part of any security architecture, he says.


    http://www.darkreading.com/risk/is-...xt-endpoint-security-must-have/d/d-id/1139739


    I would still, though, run a browser with no "SANDBOXING TECHNOLOGY" under Sandboxie.
    (change default settings)
    Harden the OS you're using and update it and all apps for security fixes. Have image backups in place.
    Sandboxie is not perfect, but I'll continue to use it along with other security measures to be as protected as possible.
     
  10. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    As there has been some discussion of kernel exploits in this thread, I'd like to note that Metasploit has some kernel exploits, such as this very recent one.

    Is anyone interested in tests of using Metasploit to try to break out of Sandboxie containment?
     
  11. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Hi, FleischmannTV, I finally found what I was looking for; this is strictly/directly from Chromium projects website:
    http://www.chromium.org/Home/chromi...t-Chrome-against-attack-on-Microsoft-Windows-

    There are known compatibility problems between Microsoft's EMET anti-exploit toolkit and some versions of Chrome. These can prevent Chrome from running in some configurations. Moreover, the Chrome security team does not recommend the use of EMET with Chrome because its most important security benefits are redundant with or superseded by built-in attack mitigations within the browser. For users, the very marginal security benefit is not usually a good trade-off for the compatibility issues and performance degradation the toolkit can cause.

    So your first post was actually right, EMET and all other anti-exploit security software do actually decrease Google Chrome's protection. So this means that Malwarebytes Anti-Exploit and HitmanPro.Alert 2 and 3 with anti-exploit protection also decrease/weaken Google Chrome's protection level. However, this also means that using Google Chrome under Sandboxie's supervision/protection also weakens/decreases Google Chrome's protection level as well.
     
  12. SLE

    SLE Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    361
    @CoolWebSearch

    Maybe a language issue. But this bold sentence...
    only speaks about redundancy and a potential marginal benefit.

    So a conclusion like that
    is completely wrong. Besides that: MBAE and HMP.A differ from each other and differ from EMET... sometimes more, sometimes less. So you can't conclude from one tool to another. Chrome/Chromium itself has implemented many of the mitigations those tools offer (ASLR and so on...)
     
  13. 142395

    142395 Guest

    Of course I reply to you if it is not about that discussion.
    However, in this case it's off topic as Pete says.
    And actually I already mentioned it in #214.
    While MBAE can increase attack surface, it adds something Chrome doesn't have.
    It's quite hard to correctly evaluate their advantages & disadvantages, but those AE tools have less duplication than SBIE.
    Also note, such attack surface matters only in an APT scenario.

    I believe someday we'll finally see a Chrome bypass in the real world, probably in a targeted attack scenario.
    I don't know whether at that time EMET or MBAE can make sense (if it is an APT, probably not, or at most a little. But not all targeted attacks are as sophisticated as that.)
    Anyway, I don't put 100% trust in any program, including Chrome.

    Since there's less duplication, it's more a matter of preference.
    So far, either (protected or not protected by AE) will be fine in practice.
    But I suppose we have to keep on topic.
     
  14. 142395

    142395 Guest

    I know and had interest once, but gave up because I have to learn how to use Metasploit and BeEF, and also because it's been quite a while since I gave a friend my sub-computer and also dropped all Ubuntu (both dual-boot & VM).

    Now I only have my main Windows computer, so I firstly have to install a VM and put Linux on it, update packages, then install Metasploit and Apache, launch the server, then confirm I can access it from the Windows host (IIRC, it took some time for me to find the way), and then run exploits with Metasploit after I learn it... too much trouble for me.

    I leave it to more techy people or anyone who has the time & interest.
     
  15. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Could I add some more perspectives to this interesting discussion?

    It seems to me that application-based sandboxing (as in Chrome, Adobe etc) is an act of desperation acknowledging that their code is too big, bloated and unverified. The proper solution is to make the code far smaller and preferably verifiable; but this is expensive and doesn't give immediate gratification. In addition, it should be the operating system that gives a profile for application-to-operating-system requirements (and limiting that), again, the existence of Sandboxie and other virtualising technologies is a damning indictment of the operating system. On top of that, browser extensions make this much worse.

    When we talk about attack surfaces, the code size and focus for (say) Sandboxie and MBAE etc. is far smaller, and the risks are way smaller in my opinion than the benefits.

    Can I reiterate a huge benefit of Sandboxie which goes way beyond malware containment, which is that it is able to restrict access to my important data in a granular way from inside the sandbox, which would otherwise be available to exploits which hadn't even managed to escalate or even be persistent. Ultimately, I care much more about the integrity and confidentiality of my data than I do about my system.
     
  16. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    I wonder if Sandboxie's code is smaller than Chrome's, so let's see which one has smaller attack surface.
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Good grief, this is getting about as silly as wondering if the length of a fly's legs matters when using a fly swatter.
     
  18. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,332
    Location:
    US
    Agreed. The fact is most folks being hit by the bad guys are folks only depending upon an AV and FW to protect them. Most of the folks in this thread are using some combination of VMs, Sandboxes, lite vms such as ShadowDefender, etc., HIPs programs ... come on, in order for YOU folks to be hit you really have to do something stupid. :p

    Acadia
     
    Last edited: Nov 11, 2014
  19. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    What I'm wondering is why people bother with Drop Rights if they don't have UAC fully disabled or non-existent, other than forcing admin programs to run with limited rights. And I'm curious as to if/how it breaks programs that work fine with UAC, unless they normally prompt for admin privileges.

    Personally, I don't mind running admin programs (malware included) in SBIE, I trust my setup regardless. Just seems rather inconvenient hearing about compatibility issues plenty of times. The security benefits can be discussed of course.
     
  20. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    J L, I think Drop Rights is an important setting. 99% of the times that I read about a POC or lab test bypassing Sandboxie, or about a vulnerability that can be taken advantage of to bypass Sandboxie, if Drop Rights is enabled, the vulnerability cannot be taken advantage of or the POC won't work. I think using the setting whenever it's possible is wise.

    In some cases, using Drop Rights can cause compatibility issues but it is rare. Right now there is an issue with Chrome and Drop Rights but for most programs we should be able to run them in a sandbox with Drop Rights and without issue. That is my experience. I run all programs in my XP and W7 sandboxed, only in the case of Word in XP, there is a huge difference in what I gain in usability by not enabling Drop Rights.

    Bo
     
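    As an added example (not from this thread and not Sandboxie's own code), a small Python audit that reads a Sandboxie.ini and lists the sandboxes where Drop Rights (the DropAdminRights=y setting) is not enabled; the ini content below is constructed, and treating every section other than GlobalSettings, UserSettings_* and Template_* as a sandbox is an assumption.

```python
# Added example: audit a Sandboxie.ini for boxes without Drop Rights.
# Assumes the Sandboxie.ini convention of one [BoxName] section per sandbox
# with Key=Value lines, where DropAdminRights=y means "Drop Rights" is on.
import configparser
from io import StringIO

# Constructed sample: two boxes, only DefaultBox has Drop Rights enabled.
SAMPLE_INI = """\
[GlobalSettings]
FileRootPath=C:\\Sandbox\\%USER%\\%SANDBOX%

[DefaultBox]
Enabled=y
DropAdminRights=y
ConfigLevel=7

[Browser]
Enabled=y
ConfigLevel=7
"""


def is_box_section(name):
    """Assumption: anything not global/user/template settings is a sandbox."""
    return not (name == "GlobalSettings"
                or name.startswith("UserSettings")
                or name.startswith("Template"))


def parse_sandboxie_ini(text):
    """Return {box_name: {key: value}} for every sandbox section."""
    # interpolation=None keeps %USER% literal; strict=False tolerates the
    # repeated keys (e.g. several OpenFilePath= lines) a real ini contains.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case; Sandboxie keys are CamelCase
    cp.read_file(StringIO(text))
    return {s: dict(cp.items(s)) for s in cp.sections() if is_box_section(s)}


def boxes_without_drop_rights(text):
    """Names of sandboxes where DropAdminRights is absent or not 'y'."""
    return sorted(name for name, keys in parse_sandboxie_ini(text).items()
                  if keys.get("DropAdminRights", "n").lower() != "y")


if __name__ == "__main__":
    # For a real install, read the file with encoding="utf-16" (Sandboxie.ini
    # is stored as UTF-16) and pass its contents instead of SAMPLE_INI.
    for box in boxes_without_drop_rights(SAMPLE_INI):
        print(f"{box}: Drop Rights not enabled")
```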
  21. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    True, but I wonder about the redundancy with UAC enabled.

    That's what I find strange, Chrome doesn't require admin privileges unless you're updating it, yet Drop Rights somehow breaks it?
     
  22. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    It has been found that Chrome crashes with Drop Rights in this particular situation.
    http://forums.sandboxie.com/phpBB3/viewtopic.php?f=49&t=19837&start=15#p104610

    Bo
     
  23. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Well, I thought that Chrome has at least some kind of protection against memory-based exploits; even Sandboxie has protection against the memory-based Angler exploit kit and other exploits. However, what's the point if it steals your passwords, etc.?
     
    Last edited: Nov 12, 2014
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    To clarify, to me it's not a "must have" feature, because in a way you can already do it by combining SBIE with HIPS and anti-exploit. But it's just that those "attack reports" are so darned cool. :D

    http://www.invincea.com/2014/03/a-dfir-analysis-of-a-word-document-spear-phish-attack/

    I've found another pic (see link), now with other type of kernel hooks being mentioned, so I guess I will have to do some more reading. But it basically means that security tools still have plenty of options when it comes to kernel hooking on Windows 64 bit, so would be cool to know which ones SBIE is using.

    http://postimg.org/image/54b89slvt/
     
  25. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    I guess these available hooks or APIs or whatever they're called must be external to Patchguard? I'm still puzzled as to how they do it, as well as how they compare to what software developers can achieve on 32 bit systems.
     