"Sandboxieing" Google Chrome, is it recommended?

Discussion in 'sandboxing & virtualization' started by fsr, Jul 31, 2010.

Thread Status:
Not open for further replies.
  1. fsr

    fsr Registered Member

    Joined:
    Jul 26, 2010
    Posts:
    190
    Or is it redundant? In other words, is the built-in sandbox in Google Chrome good enough?

    Thanks.
     
  2. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    Sandboxie is quite light-weight. While Chrome by itself has not been hacked as yet to my knowledge, I see no harm in the double protection. Sandboxie also is not a disruptive aspect.

    I'm running Chrome portable 5.0.375.125 in Sandboxie 3.46.

    While I'm not using any extension other than WOT, I don't understand how or whether extensions are controlled by Chrome's sandbox. Case in point is IETab (Davetotski?).
     
  3. fsr

    fsr Registered Member

    Joined:
    Jul 26, 2010
    Posts:
    190
  4. chris45

    chris45 Registered Member

    Joined:
    Mar 13, 2010
    Posts:
    94
    i never understood chromes sandboxie. Dont you need to move files in and out of the sandbox? where is chromes sandbox that i can move files in and out of
     
  5. fsr

    fsr Registered Member

    Joined:
    Jul 26, 2010
    Posts:
    190
    i'm no chrome expert but that's what you do, when you acept a download, plugin installation, etc., you actually give a file permission to run outside sandbox
     
  6. chris45

    chris45 Registered Member

    Joined:
    Mar 13, 2010
    Posts:
    94
    thanks for the input. Its just sandboxie, bufferzone, returnil use their sandbox differently so i thought there actually was a sandbox area you would know about like those products have. So if you get malware through surfing the net its contained into the sandbox and you just have to close and reopen the web browser to remove the malware?
     
  7. fsr

    fsr Registered Member

    Joined:
    Jul 26, 2010
    Posts:
    190
    Except for zero-day malwares yes, i think so. Read this:

     
    Last edited: Jul 31, 2010
  8. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    Hi to all,
    I would like to stress that sandboxie does not merely utilize OS security to fully protect a pc, but it goes way above and beyond that to ensure that malware doesn't infect the host. in a way, one can say sandboxie almost 'hacks' the kernel in order to gurantee true isolation and monitoring of sandboxed parent and child processes.

    with chrome's sandbox, one priveledge escalation exploit in the OS and you're done - it would do little to protect from zero day. meanwhile sandboxie would ensure that even if there was an ie bufferoverflow or priveldege escalation under a system running LUA, you'd still be covered.

    installing the two is by no means an overlap as sandboxie simply operates in another league:cool:

    sandboxie also has other options that make it watertight when compared with chrome's minimal approach. extra settings include start/run restrictions that block unknown droppers from loading crap unto your system and also a basic robust firewall that prevents unknown software(hence viruses) from calling home.

    do yourself a favor and try sandboxie, you will be addicted :argh: :D
     
  9. fsr

    fsr Registered Member

    Joined:
    Jul 26, 2010
    Posts:
    190
    @Serapis
    Did you actually read anything i have written/quoted? Cheers.
     
  10. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    I guess not well enough :D
     
  11. chris45

    chris45 Registered Member

    Joined:
    Mar 13, 2010
    Posts:
    94
    does sandboxie slow down your pc?
     
  12. Boost

    Boost Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    1,293
    No,you hardly even notice its there,give it a try!
     
  13. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
  14. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    Don't mean to argue but is the link with reference to Win 7 alone? What about Win XP3?

    And what exactly is the status of extensions? Are they also kept in Chrome's sandbox?
     
  15. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    The link is regarding ACL this also works on XP. When you are a happy Sandboxie user on XP, I would stay using SBIE to guard your browser of choice. Due to UAC limitations on objects and processes I would only consider Iron/Chrome plus 'some lazy admin precautions' a substitute for Sandboxie.

    When you move something out of a Sandbox you are unprotected. The major streght of SBIE was that it offered a strong safety net behind your browser for what happened in your browser.

    Most people don’t realise that nearly every time they load a Web page, they’re are inviting code (JavaScript), written by an unknown party to execute on their computer. Since it would be very annoying to have to confirm your wish to run JavaScript each time you loaded a new Web page, the browser implements a security policy designed to reduce the risk such code poses to you.

    I think IE8's protected mode was a good step. Chrome's sandbox was the first real security border. Chrome was not Owned in the pawn2own browser contests for two years in a row. Set up decent policy management behind it (f.i. what is included in your OS) and you are fine.

    When you are playing with malware, there is off course no greater fun playing in the sandbox with Sandboxie and Buster-Sandbox-Analyser (add A VM to and your are fine). My guess is that more than half of Wilders folks enjoy throwing stones at their window to see whether it holds.
     
    Last edited: Aug 1, 2010
  16. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    You're right

     
  17. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    Hi Kees 1958 (or anybody out there),

    Please could you answer this (which I've asked before):
    While I'm not using any extension other than WOT, I don't understand how or whether extensions are controlled by Chrome's sandbox. Case in point is IETab.


    You can be rude if you wish! But please do answer!

    Lack of clarity on this issue is keeping me off extensions in Chrome and there are some that seem really, really nice!
     
  18. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Here you go for explanation on extention security http://www.youtube.com/watch?v=DO-nzPqhdXw

    Next you have the problem of installing extentions from a known/trusted source only.
    a) Only implement extentions from Google, no other source unless it is from a trusted source
    b) Extentions I have tried and were safe at that time: McFee SiteAdvisor for Chrome, Wot, New Tab Behaviour, Adsweep, Simple Print (a print button) and Click & Clean.
    c) I start chrome using --safe-plugins switch
    d) I disable the third party default plug-in from the options > Privacy content > Plug-ins > Manage plugins seperately

    Regards Kees
     
  19. Kid Shamrock

    Kid Shamrock Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    207
    I found something when using the --safe-plugins switch. If Chrome is in Sandboxie when using this switch it prevents the viewing of PDF files within the browser. When you click on the PDF, error messages from both Adobe Reader and SBIE pop-up and Adobe crashes. If you remove the safe-plugins switch, everything works fine. I'm not sure if I should call this a bug or a feature, maybe Adobe Reader is trying to do something the switch is programmed to stop. I haven't tried any other PDF readers yet to see if the issue continues. o_O
     
  20. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    Thanks Kees. I did notice that the commentary dealt with privileges and how the developer chooses to use them. There was also a clear warning against malicious extensions. (But no mention that any mischief is restricted to the Chrome Sandbox, which is my original doubt.)

    So your point a is very important. I just have WOT currently.

    Could you clarify point d? Is this seen in chrome://plug-ins/? If yes, are you referring to
    Default Plug-in - Version: 1
    Description: Provides functionality for installing third-party plug-ins
    Location: default_plugin


    Just to confirm, is this, the default plug-in, to be disabled?
     
  21. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yes, I can not find it any more, but I had read somewhere that thi sone was needed for 3rd party plug-ins to install properly http://www.scriptol.com/chrome/about-plugins.php
     
  22. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    I removed it. Now the only one I have enabled is Java JRE which I need for viewing some charts on-line.
     
  23. chris45

    chris45 Registered Member

    Joined:
    Mar 13, 2010
    Posts:
    94
    but i still dont really get the chrome sandbox. If you get malware through surfing the net does closing the browser remove the malware? how does it remove malware when you get it
     
  24. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    Chris, I can't answer your question. I just take satisfaction in the reports that Chrome hasn't been pwned as yet in competition with other browsers that went down in minutes.

    Despite that, since Sandboxie runs light, I have no problem in keeping a double safety net, one of Chrome and one of Sandboxie.
     
Loading...
Thread Status:
Not open for further replies.