Securing Browsers Through Isolation Versus Mitigation

Discussion in 'other security issues & news' started by WildByDesign, Feb 24, 2017.

  1. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Securing Browsers Through Isolation Versus Mitigation
    The big difference between the Chrome and Edge approach security
    By Justin Schuh (Chromium security dev)

    Link: https://medium.com/@justin.schuh/securing-browsers-through-isolation-versus-mitigation-15f0baced2c2


    Excellent read on modern browser security and also highlights some differences between Chromium and Edge security design. :thumb:
     
  2. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    Nice read, thnx for sharing :thumb:
     
  3. I always wondered what happened with Nozzle and Zozzle studies of Microsoft (sanitizing JavaScript); it seems it has found its way into the JIT compiler.

    Thx @WildByDesign
     
  4. WildByDesign

    WildByDesign Registered Member

    You're welcome. Yeah, I always find it quite interesting to see the different mindsets of some of these brilliant developers and what makes them come up with certain designs. Within that active Twitter feed, several of those browser security heavyweights came to the conclusion that they will likely all end up with similar security mechanisms in a few years but with different development roadmaps to get to that point.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    This is cool and all, but what about improving usability, like a better bookmark manager and the ability to put tabs on bottom, have those geniuses ever thought about that? But yes, both Chrome, Edge and in the coming year probably also Firefox will become very hard to hack, especially when combined with AE. Perhaps Sophos/Invincea can make less restrictive versions of SBIE, that will be focused mostly on virtualization and leave the isolation to the browser itself.
     
  6. guest

    guest Guest

    Indeed better for them and the users; it becomes too resource/time consuming for them to keep up with the browsers. Each major update's code broke the sandbox software, and during the time they fix it, you are vulnerable.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Yes, or perhaps browser developers can implement a way to disable the sandbox, but that is much less likely. On the other hand, Chrome 40 is running blazingly fast controlled by SBIE. And Vivaldi is also running smoothly, so apparently it's possible to run a sandbox on top.
     
  8. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,788
    Location:
    .
    As a SBIE user I can't agree more with this. Quite interesting your comments guys. Do you think this is actually technically possible?
     
  9. Rasheed187

    Rasheed187 Registered Member

    It's possible, but how much time would they be willing to spend on it? On the other hand, I can imagine it's also annoying for them to keep making sure the SBIE sandbox doesn't break the browser or cause performance problems. And we shouldn't forget that SBIE is also used for testing software. So virtualization is not enough, it should also isolate, but sometimes I believe it's too restrictive.
     
  10. Mr.X

    Mr.X Registered Member

    Well, I thought this was the main reason for separating the browser's own isolation mechanism from Sandboxie's one. Breakages and low performance are the current and eternal struggle for SBIE developers, ask Curt if I'm wrong.
     
  11. Rasheed187

    Rasheed187 Registered Member

    The funny thing is, I wouldn't know about all of these problems, because I almost never immediately update browsers. It only annoys me sometimes when certain apps can't be correctly installed inside the sandbox.

    But yes, perhaps SBIE could disable certain isolation features as soon as certain browsers are loaded, would be cool if this is possible. Of course I would still like to use the data protection and virtualization feature. Perhaps we should ask about this on the SBIE forum.
     
  12. guest

    guest Guest

    Personally I use ReHIPS to isolate Chrome 56, which runs with AppContainer enabled. I'm very, very happy with it. I have never faced any crashes since, as I had with SBIE.
     
  13. Mr.X

    Mr.X Registered Member

    I sent a PM to Curt yesterday when you both posted your comments, looking forward to his opinion on this matter. No response so far and he already read my PM.
     
  14. Rasheed187

    Rasheed187 Registered Member

    Is it already available? But I don't see myself switching to it, I will always prefer virtualization. And hjlbx (not active anymore?) already gave me some inside info about ReHIPS, it would probably get on my nerves. It's really hard to beat SBIE, I remember BufferZone, SafeSpace and GreenBorder all tried it, but they were all too bloated. I do believe the GreenBorder team worked on Chrome.

    Perhaps it's better to start a topic. I wonder what they think about the future of SBIE now that almost all browsers use their own and more restrictive isolation method. But keep us posted.
     
  15. Minimalist

    Minimalist Registered Member

    Is there an ETA for the 2.2.0 version? The last announcement is almost 1 year old.
     
  16. guest

    guest Guest

    We are approaching the end of the closed beta, I think; most of the stuff solved recently is user-friendliness based; public beta demos are available. Stable should come very soon.
     
  17. Minimalist

    Minimalist Registered Member

    Great, thnx for feedback :thumb:
     
  18. guest

    guest Guest

    @about hjlbx, he changed his username, and is very active here :p

    I think you won't like the virtual desktop model; about the application control feature, it is not more annoying than any HIPS.
    I liked the concept of GeSWall and waited for a "replacement"; ReHIPS seems to fit the position. Isolation + Application Control.

    I can see the shift from browser isolation to apps isolation.
     
  19. Mr.X

    Mr.X Registered Member

    I like virtualization like SBIE's too. I like the way it works and how it can delete everything as soon as I close a browsing session.

    @hjlbx is now @Lockdown , fyi.
     
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
  21. guest

    guest Guest

    Seems so, or maybe "deny publicly" and "work hard on it internally" :D

    keeping a good look is important in business ^^
     
  22. Rasheed187

    Rasheed187 Registered Member

    What the hell, didn't even know this, and apparently he is now an AG developer? Pretty cool. And BTW, I hated GeSWall even though it was quite effective according to certain malware tests that were done.
     
  23. guest

    guest Guest

    More an internal tester (Quality Control & Assurance); his job is to find vulnerabilities/incompatibilities and report them (if any) to the devs to fix them.

    everybody is different ;)
     
  24. guest

    guest Guest

    Isolation in Google Chrome - (experimental) command-line flag: --site-per-process
    After enabling --site-per-process (which is mentioned here: #1035)
    and visiting the test page,
    the iframe is rendered in a different process, which can be seen in the task-manager of Chrome:
    Chrome_--site-per-process_enabled.png
    After removing --site-per-process and disabling Site Isolation, they are now rendered into the same process. They are not isolated anymore from each other:
    Chrome.png

    Edit: images
     
    Last edited by a moderator: Mar 6, 2017
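
A defender-side check for the flag discussed in the post above, as an added example that is not part of the original thread: it reads a `ps`-style process listing, finds each Chrome browser process, reports whether `--site-per-process` is on its command line, and counts the renderer processes that descend from it. The process listing is constructed sample data, and the listing format and executable names are assumptions.

```python
import shlex

FLAG = "--site-per-process"           # the flag named in the post above
CHROME_NAMES = ("chrome", "chromium")  # assumed executable names

# Constructed sample in "PID PPID COMMAND" form (e.g. `ps -eo pid,ppid,args`).
SAMPLE_PS = """\
100 1 /opt/chrome/chrome --user-data-dir=/tmp/a --site-per-process
101 100 /opt/chrome/chrome --type=zygote
102 101 /opt/chrome/chrome --type=renderer
103 101 /opt/chrome/chrome --type=renderer
200 1 /opt/chrome/chrome --user-data-dir=/tmp/b
201 200 /opt/chrome/chrome --type=zygote
202 201 /opt/chrome/chrome --type=renderer
300 1 /usr/bin/sshd -D
"""

def parse_ps(text):
    """Return {pid: (ppid, argv)}, skipping headers and malformed lines."""
    procs = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0].isdigit() and parts[1].isdigit():
            procs[int(parts[0])] = (int(parts[1]), shlex.split(parts[2]))
    return procs

def proc_type(argv):
    """Chrome child processes carry --type=...; the browser process has none."""
    for arg in argv[1:]:
        if arg.startswith("--type="):
            return arg.split("=", 1)[1]
    return "browser"

def audit(text):
    """Per browser pid: is the flag set, and how many renderers belong to it."""
    chrome = {pid: v for pid, v in parse_ps(text).items()
              if v[1] and v[1][0].rsplit("/", 1)[-1] in CHROME_NAMES}
    report = {pid: {"site_per_process": FLAG in argv[1:], "renderers": 0}
              for pid, (_, argv) in chrome.items() if proc_type(argv) == "browser"}
    for pid, (ppid, argv) in chrome.items():
        if proc_type(argv) != "renderer":
            continue
        seen, cur = set(), ppid
        # Walk up through intermediate parents (e.g. the zygote) to the browser.
        while cur in chrome and cur not in report and cur not in seen:
            seen.add(cur)
            cur = chrome[cur][0]
        if cur in report:
            report[cur]["renderers"] += 1
    return report

if __name__ == "__main__":
    for pid, info in audit(SAMPLE_PS).items():
        print(pid, info)
```

A renderer count is only a hint; which frame lives in which process is what Chrome's own task manager shows, as the post describes.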
  25. Mr.X

    Mr.X Registered Member
