Sandboxie Technologies (SBIE Open source)

Discussion in 'Sandboxie (SBIE Open Source) Plus & Classic' started by bo elam, Apr 22, 2020.

  1. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,069
    Location:
    .
    Sorry, no idea. Never used ..box --no-sandbox.. before 86.x.
    FWIW ~ @zmechys
     
    Last edited: Oct 9, 2020
  2. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    1,179
    Location:
    Viena
    IIRC the order of the arguments does not mater unless thy have a paramater following them
     
  3. AnonyMiss Returned

    AnonyMiss Returned Registered Member

    Joined:
    Jun 20, 2020
    Posts:
    3
    Location:
    UK
    :) Me too, thanks everybody. Brave was unusable before I changed the target entry.
     
  4. zmechys

    zmechys Registered Member

    Joined:
    Dec 29, 2012
    Posts:
    964
    Location:
    usa
    You were able to go around that "annoying" Sandboxie glitch.
    Does it mean - You are a Sandboxie pro?
    Does it mean - You know why it happened after the Chrome update?
    Another one.
    Usually, I try to open my browsers not in Sandboxie in order to update extentions/add-ons, but...
    After following your instructions on "fixing" a glitch of Sandboxed Chrome, I could not open Chrome without Sandboxie.
    Any ways to go around it?
     
  5. zmechys

    zmechys Registered Member

    Joined:
    Dec 29, 2012
    Posts:
    964
    Location:
    usa
    David,

    Somehow it happened, that, currently, you are one of very few Sandboxie developers.
    I wonder if after providing all that Sandboxie coding to the whole world, Sandboxie could become vulnerable?
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,825
    Location:
    The Netherlands
    Interesting, earlier in this thread I also mentioned to try to disable Vivaldi's internal sandbox, but can you only do it via this command? Isn't it possible to simply add the "no sandbox" prefix to the Vivaldi shortcut? Of course Vivaldi should be forced to run sandboxed.

    https://www.wilderssecurity.com/thr...-sbie-open-source.428156/page-18#post-2953366

    Aren't you a Win 8.1 user? Then perhaps you can test if Vivaldi 3.4 works correctly on your system WITHOUT having to disable Vivaldi's sandbox. If so, you don't need this workaround.

    OK I see, I thought you still had an older machine with Win 8.1. I will soon buy a new laptop with Win 10, but I will also keep using my desktop with Win 8.1 installed.

    Perhaps you can also test it on Win 8.1, because I'm not having these problems. So Chromium 86 combined with Sandboxie seems to behave differently on Win 10.
     
  7. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    1,179
    Location:
    Viena
    There is no real security through obscurity.
     
  8. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,069
    Location:
    .
    Regarding "annoying" Sandboxie glitch > Thanks @g17 > #505
    Regarding "could not open Chrome without Sandboxie" > I have shortcuts for browsers w/wo --no-sandbox.
    For example:
    png_7848.png
    Target: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    Target: "C:\Program Files\Sandboxie\Start.exe" /box:Edge msedge.exe --no-sandbox --test-type"

    @zmechys
    I run discrete browser sandboxes.
    Since 86.x. I created shortcuts for each browser.
    Note: Shortcuts may not be your preference.
    Prior to 86.x. I used Forced n' Disable Forced for browsers.
    I'd prefer to go back to Forced n' Disable Forced for browsers.
    Just saying.
     
    Last edited: Oct 10, 2020
  9. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    1,179
    Location:
    Viena
  10. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,069
    Location:
    .
    Regarding latest Plus build > #581
     
    Last edited: Oct 11, 2020
  11. diversenok

    diversenok Registered Member

    Joined:
    Oct 7, 2018
    Posts:
    18
    Location:
    Russia / Netherlands
    You are insane people. Using --no-sandbox flag is a terrible idea that weakens your security tremendously. Vulnerabilities that allow sandbox escaping from Chrome's renderers are extremely rare. I cannot say the same about Sandboxie, especially about Tom's branch.

    Don't get me wrong: Sandboxie is still a great piece of software, but it is a general-purpose sandbox. All Chromium-based browsers have their special-purpose sandbox that is significantly more restrictive than Sandboxie can ever be. They have complete control over the code that runs in the sandbox and, therefore, can apply the Least Privileges Security to the fullest. Sandboxie, on the other hand, must maintain compatibility with tons of third-party programs that break when you put them into a too restricted environment.

    I encourage everyone to use David's fork since it is more secure and doesn't have an incompatibility with most web-browsers. I know that it has an inconvenience with the signing certificate and, therefore, false-positives, but if you can't configure your antivirus to make an exception - find another one that does not fool you by ignoring your preferences.

    Tom, Bo, you should really do something to keep up. I will need to publish the details about the CVEs I requested more than a year ago eventually. David has the security fixes for you; all you need is to release them.
     
  12. plat1098

    plat1098 Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    1,227
    Location:
    Brooklyn, NY
    You put this so well and succinctly. :thumb: I'm just a casual user and upon reading about the "workaround," it was clear: a workaround for a security program with no official remediation in sight (yet), hmmm, not for me. Sandboxie needs to be whole for me. Again, I have to reference stapp who said:
    So, watching and waiting for the Plus fork to mature.
     
  13. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,031
    Location:
    Mexico
    Don't you say, really?
    Tomorrow first thing in the morning: application for the mental asylum.
    Reason? Someone said I'm insane for disabling chromes built-in sandbox.
     
  14. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    1,179
    Location:
    Viena
    The plus fork for the time being also provides a legacy installer for the classical sandboxie, no fancy new UI, just all the bug fixes and new features if you use edit the the ini by hand. Nothing but a proper certificate to wait for.
     
  15. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    It's all in Tom's hands. There is nothing Bo can do except tell people Tom has not replied to his mails for months.

    Bo started this thread writing: "I think this is the right time to create this thread". Sadly he should start thinking when it's the right time to close it if Tom doesn't show up soon.
     
  16. Peter 123

    Peter 123 Registered Member

    Joined:
    Feb 1, 2009
    Posts:
    452
    Location:
    Austria
    I don't know if David will be willing to deal with the classical Sandboxie in the future too. But at least at the moment - if I judge the situation correctly - users with a preference for the classical version (like me) do not depend on Tom's return and his further development of (classical) Sandboxie, as David has done this work - and still does it at least for the time being (as he writes himself). (Many thanks, David. :thumb:)

    In other words: At the moment David obviously offers us two models of Sandboxie which are up-to-date: the one designed by himself and the classical one in the way it was announced by Tom. The only problem with David's continuation of the classical Sandboxie is indeed the inconvenience caused by the missing certificate.
     
    Last edited: Oct 10, 2020
  17. zmechys

    zmechys Registered Member

    Joined:
    Dec 29, 2012
    Posts:
    964
    Location:
    usa
  18. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    5,995
    Location:
    Nicaragua
    I don't know what you are talking about. Sandboxie is as restrictive as it can be. If it was more restrictive, most programs wouldn't be able to run sandboxed. And that's not what we want. We want balance between usability and security and to be able to run sandboxed most programs that are popular and widely used. Thats what we always gotten with SBIE.

    This, whats better, Chrome's sandbox or Sandboxie has been discussed many times before here. Personally, that discussion bores me. So, I wont get into it. But for what its worth, I wouldn't trade Sandboxie for anything. And, in the case of the Firefox sandbox, I have been disabling it forever. Never had compatibility issues with Sandboxie's sandbox but I been doing it because I think it is likely Sandboxie works better that way. So, disabling the Chrome sandbox doesn't make me blink at all. In fact, doing it is probably better for the proper functioning of Sandboxie.

    Bo
     
  19. zmechys

    zmechys Registered Member

    Joined:
    Dec 29, 2012
    Posts:
    964
    Location:
    usa
    I trust Bo.
    I remember, many years ago, Bo told me about Sandboxie, while we were discussing various Antivirus/Malware products.
    And Bo was right.
     
  20. diversenok

    diversenok Registered Member

    Joined:
    Oct 7, 2018
    Posts:
    18
    Location:
    Russia / Netherlands
    Except... It is a bad idea.

    Do you want me to publicly disclose a complete chain of exploits that allows a sandboxed program started by a user without administrative privileges to escape the sandbox all the way up to NT AUTHORITY\SYSTEM (which is more powerful than administrators)? I would love to. David already fixed them, so everyone can stay safe using his fork.

    Bo, you don't need to take my word for it. I sent you two proof-of-concept programs that do precisely what I mentioned. Have fun.
     
    Last edited: Oct 10, 2020
  21. zmechys

    zmechys Registered Member

    Joined:
    Dec 29, 2012
    Posts:
    964
    Location:
    usa
    Thank you. As a trial, I've added my Sandbox folder to the BitDefender exception list.
    Somehow, I've downloaded that "fancy, new UI" David's Sandboxie.
    After rebooting, I could not find ANYWHERE that Sandbox Plus. I was looking and looking for that "fancy" new Sandboxie Plus to no avail.
    LOL.
    I know it's me just getting old/older.
    After my tremendous failure to find that Sandbox Plus, I've downloaded David's Classic version, and easily installed it.
    Just a question.
    In order to accelerate David's Sandbox installation, I've added the whole Sandbox folder to my BitDefender exception list.
    I think I need to add just one file from it.
     
  22. g17

    g17 Registered Member

    Joined:
    Sep 30, 2017
    Posts:
    58
    Location:
    MI
    I'm a little confused but I think I understand your concern.

    Prior to V86 in Chrome, there were no issues. Does this mean the sandbox in Chrome was not functional until v86? Sandboxie certainly has not changed, we know that.

    If that's the case, how can disabling it in V86 be any less safe than it was in V85?

    I'm not sure anyone knows precisely why the update broke it, I could be wrong.
     
  23. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,781
    Location:
    U.S.A. (South)
    Absolutely on Windows 8.1 and staying until Microsoft gets a new brain and develops a Windows 11 if they even have the courage to do it.

    I will try the version mentioned and see if some improvements come thru or not.
     
  24. diversenok

    diversenok Registered Member

    Joined:
    Oct 7, 2018
    Posts:
    18
    Location:
    Russia / Netherlands
    As we know from David's fix, a new flag they started using in version 86 to tighten job-based restrictions broke process creation because it is incompatible with Sandboxie (that uses jobs as well).

    I don't think there are any significant architectural differences between 85 and 86 since the code already runs with virtually zero permissions. I suppose these are just cosmetic changes to address potential attack vectors.

    You made me realize that I should write a post that explains Sandboxie's architecture. It is an interesting topic that should clarify a lot. Chrome's sandbox already has similar documentation, for example. Sandboxie effectively uses the same security context as they do (because it is as secure as you can get). However, to run third-party programs, Sandboxie includes a huge compatibility layer that introduces more attack surface (since it contains privileged components — a driver and a service). Therefore, Sandboxie cannot provide the same level of security guarantees as Chrome sandbox. We are still talking about a highly isolated environment, so it is a reasonable trade-off for more functionality. That's why you should not use --no-sandbox flag. But Bo is correct; we should not say that one of these sandboxes is better than the other; they have different applications.
     
  25. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    1,179
    Location:
    Viena
    Since V86 chrome started to try to add the started worker processes to a job object while creation,
    that is what broke the call to CreateProcessAsUserW -> ... -> NtCreateProcess the fix for that was to override an kernel32 api function an just don't do it.
    Earlier chrome builds did that step separately and as far as I can tell that just silently failed,
    as sandboxie in normal operation makes all processes run within job processes already.


    I will continue providing the classical version forever if Tom doesn't return, it is really no afford doing that.
    When Tom announced to continue the classical version I just thought no need in providing essentially the same files twice so I said I'll make the Plus only.
    But now I'll make booth, no problems there.

    That may be remedied in the months to come. I'm looking into options to get that cert through a friends company, that might just work, so stay positive ;)

    David X.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.