What's the point of sandboxes?

Discussion in 'sandboxing & virtualization' started by Someone, May 23, 2009.

Thread Status:
Not open for further replies.
  1. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Apps such as Sandboxie, GesWall and DefenseWall are very popular here. But what's the use of them? Does it really provide any extra level of protection if you use alternate software and keep them updated? Such as Firefox instead of IE and Foxit instead of Adobe.
     
  2. ThunderZ

    ThunderZ Registered Member

    Joined:
    May 1, 2006
    Posts:
    2,459
    Location:
    North central Ohio, U.S.A.
    Layer, layer, layer.

    I run FF with NoScript. But if visiting a questionable part of the web I will Sandboxie it for the added protection. My normal full time security apps. fall into a back up roll instead of the primary.

    The SbieSvc. exe only uses 2,132K mem. Peak usage is the same running in the background not in use. A very small price to pay for the add`d on-demand security IMO.
     
  3. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    I agree with what ThunderZ said. For me Sandboxie provides that 'warm and fuzzy' feeling when running online apps. I also think all of the sandbox apps give extra protection for those of us that run as admin.
     
  4. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    The whole point is creating an area as it were, that is segregated from your real files and OS. The notion of a Sandbox is that you play in it, build castles and moats, then rake it over fresh and flat to start again.

    I relations to a computer, it is an area that you may play in, that is help seperate from the real stuff. The castles you build could become infected with spiders (malware, virii, etc) which might then migrate to your bedroom :( . The moats you make (changes in critical files) could threaten the whole yard with soggy flooding and mud. You don't want your Sandbox where you play to threaten your real world, your house or yard. So you place a 10-foot thick cement wall around it and padlock it. Now you can play in your Sandbox, no matter the threat. You can play today building a castle. Go to bed and come back tommorrow and continue. No rain or wind will destroy it because you have walls and roof around it. Nothing can escape it either. When you tire of it, or the spiders scare you too badly, or you are too wet from your moats, you can simply rake it out flat (delete contents of Sandbox). You may start over. You can play and play, without the risks of what you do in there effecting anything you care about.

    It is a great concept. One of the truly innovative ideas in the last number of years. Not just for protecting you from some nefarious website, but also for trying different things out you may not otherwise try on your real system.

    vmWare is the ultimate sandbox, because it acts exactly like a real computer and you can do some things in it you cannot in a sandbox, like install an OS or put on heavier applications like firewalls.

    The point is, they give you a method to keep things seperated, and that is a very very good point.

    Sul.
     
  5. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Yes, I've used Sandboxie for more than a year and GesWall for several months.
     
  6. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    If one only uses Sandboxie only for their web browser and not for trying new programs, wouldn't the only protection Sandboxie offers is against ulnerabilities and drive-by downloads?
     
  7. nomarjr3

    nomarjr3 Registered Member

    Joined:
    Jul 31, 2007
    Posts:
    502
    As I see it, sandboxes are a good way of -- how shall I say it -- "deceiving" malware of their true purposes.

    It makes it think that it has damaged the system, when all it did was damage the 'virtual system', to put it loosely.

    Sandboxes, as a branch of system virtualization, is a good layer of protection.
    Some others even believe it to be the BEST form of protection against all online threats.
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Leaving aside "trying new programs," comments in this and other threads on sandbox seem to assume that it's inevitable that malware will sneak in, therefore, a sandbox is necessary to contain it.

    To me, admitting that scenario, is admitting defeat and giving in to the malware scene. It's more fun to outwit the malware writers and prevent any intrusion of malware whatsoever.

    I've never seen a web-based malware attack (drive-by download) that gets by Opera when properly configured. (From what I've observed in other forums, I suspect this would hold true of other browsers, but I've not tested except with Firefox and the PDF exploits: they fail.)

    Considering the final barrier against malware intrusion, I'm reminded of fcukdat's challenge to provide a link to a web-based malware attack that gets by ProcessGuard.

    Combine PG (or a similar solution) with a properly configured browser, whence the need for a sandbox, except for "that 'warm and fuzzy' feeling?"

    ----
    rich
     
  9. IBadget

    IBadget Registered Member

    Joined:
    Jan 14, 2009
    Posts:
    59
    Location:
    Waipahu, HI
    I personally don't need any of the sandboxing programs to protect me because I use CIS on Proactive Security. If I were to download something and try to execute, CIS will alert me that the executable could not be recognized and I have a chance to block the executable from running. When CIS is on Proactive Security, it acts as an anti-executable. So, I have no need for Sandboxie, GeSWall, or DefenseWall. If I were rich and interested in payware, I would have bought AntiExecutable from Faronics. While sandboxes and other features of HIPS, e.g., blocking reg changes, file changes, device driver installations, etc., can protect against known attack vectors, an anti-executable can protect against unknown attack vectors because the malware can't even run.
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    That's a useful feature. I forgot about that - it was discussed in another thread, where I was looking for something to replace Faronics Anti-Executable v.2 which will not run on Vista.

    My requirement for family computers is that there be nothing to configure, as in the case of AE2 which automatically creates its own White List, meaning that no other executable process can run w/o permission in any part of the system - USB for example.

    ----
    rich
     
  11. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    That's exactly my point! From what I can see if you switch to alternate applications and keep them updated what's the point of Sandboxie/GesWall/DefenseWall?
     
  12. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Someone,

    This is the Achilles heel of your assumption ". . . and keep them updated". So let's look at the life cycle of a patch release

    1. some where in time everything is sunny and malware does not known an exploit

    2. Mhh an exploit is discovered by malware writers

    3. An exploit is actually used by an malware writer

    4. After some time this gets noticed in the wild by the security world

    5. The exploit will get an error severity code and resources will be allocated to create a solution for this vulnability.

    6. Resources are available and a code change will be written and tested

    7. Next the update will be released

    Yes the patch works as intended


    So I would agree with your statement when you were running Win3.1 Win95 or any other old operating system with software tested to the ultimate bounderies of their coding, so the chances of finding another exploit and a malware writer considering it beneficial to write an exploit is minimal.

    In all other situations I would say, what about being protected from phase 3 and 7.

    The picture below illustrates the impact of using SBIE/GW/DW/SafeSpace on your risk contingency. Draw your own conclusion.
     

    Attached Files:

    Last edited: May 24, 2009
  13. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    Another thing I like about Sandboxie is that whatever exploit code you may stumble upon is in the virtual space and easily deleted when finished surfing. I like to keep my distance from anything bad so that's a plus for me. I don't have to run ccleaner as often as I used to.

    With the policy based sandboxes or at least DefenseWall would treat any new downloads as untrusted from what I read. This could limit the damage if you happened to download something bad a execute it.

    P.S. Sandboxie has a lot of little tricks that can be configured which I haven't taken advantage of. You can force a program and/or a folder to run sandboxed so anything you may download to that folder would run sandboxed if you would like to check it out. The limited executables and internet access in the sandbox has been mentioned. It can also block access to specified areas from anything running in the sandbox. In otherwords, Firefox or whatever doesn't need to be looking in my D: partition or my tax file on C: so I block the files, folders or partitions I want.
     
  14. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    I agree if no malware can get in in the first place then what is there for Sandboxie to contain and isolate??

    Rmus have you tried malware defenders file and folder rules? I have set it up so as my Browser is Blocked from creating new files. All New Files are Blocked from being Created, so as a result all incoming files from the internet are Blocked. I can't see how its possible for malware to get passed this strategy.
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    In my view, a security setup should protect without the need for a patch.

    Take the PDF exploits as an example. At least two went for several weeks before Adobe released a patch. It got so bad that at least one vendor threw in the towel and gave up:

    F-Secure says stop using Adobe Acrobat Reader
    http://news.cnet.com/8301-1009_3-10224449-83.html
    Yet those who understood that these exploits are triggered by javascript code in the web page knew that configuring scripting per site in the browser nullified the exploit right from the start.

    Also, those with the final barrier I mentioned earlier were also protected from the malware executable from running, should the expoit get that far.

    I've not seen any drive-by attacks that require a patch if proper protection against such attacks is in place. This is not to say "don't patch." Rather, that fear and uncertainty need not occur just because a new exploit surfaces in the wild.

    Unfortunately, the mainstream media don't talk about this, where the usual recommendations are to keep patches up to date, and keep AV up to date - the two least reliable solutions against the drive-by download attacks.

    ----
    rich
     
  16. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I don't want anything where the average home users have to configure rules.

    As long as WinXP is around, I can keep things simple. When it's no longer viable, I'll probably retire from home-use help, unless something as simple as AE2 comes along.

    ----
    rich
     
  17. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Whats the use then? If we take a look at SB, we see it can be set up nicely. For example, I cofigure it to work something like this:

    2 boxes:

    1 Browsers -- Rules:
    forced folders -- meaning my list of browsers are always forced into SB
    only allow items on list outbound network access -- browsers are on the list only.
    do not allow virtual writes to virtual registry autostart/autorun locations
    poke hole in SB to have access to special 'my downloads' folder -- don't need to recover as files are written directly.
    * all browsers no longer ask where to save to, they just save to special 'my downloads' folder

    2 Downloads -- Rules:
    forced folders -- only allow and force the special folder 'my downloads'
    no outbound network access to anything
    no virtual registry writes to autorun/autostart

    Method of use:
    special folder 'my downloads' is in SRP rule to start as limited user only (any executable), so anything that might start is first line of defense limited to Basic User

    as now this 'my downloads' executables start as Basic User, also SB forces anything there into a sandbox with no access to the internet. Since SRP rule says executable is Basic User, installing something like adobe flash would normally fail, as a Basic User has no rights to modify/create in program files directory. However, since sandbox is virtually in c:\Sandbox\box\.. the limitations to program files do not apply to the thread started by sandboxie. Benefeit === IF anything in that 'my downloads' directory started and actually escaped sandboxie to make it to the real file system, it would then be restricted by the Basic User settings of SRP

    any browser or program I use online essentially is forced to start in SB, including media player etc. I open holes for favorites as well in browser sandbox, so I can save files to 'my downloads' folder and create favorites/bookmarks, and both are written directly to the real file system, with no need to recover etc.

    I agree with Rmus very much. But I do like that 'warm fuzzy ' feeling in the way I am implementing it. I think it is more of an extra backup than a front line for anything. Besides I primarily use SB to test new apps and settings in rather than worrying about what the browsing might be doing.

    Sul.
     
  18. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
  19. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Rich,

    See the picture in my post, I do not think we basically disagree, disabling script is a deny, so it stops as early as possible in the flow.

    Only the quote below has a high degree of what we call in Dutch "circle reasoning".

    Those who understood = what % of Internet users is your guess?

    configuring scripting per site = means you have to know know per site (I am not clear sighted). I think you intended a default deny and whitelisted allow.

    Regards Kees
     
  20. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    FF No Script.
     
  21. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Very impressive! Much too complicated for me, however.

    Very logical question. I have no idea as to the answer, but that is irrelevant to the fact that the information is out there for those who wish to understand. For those who do understand and are in a position to inform/help others, well, that means more people who will not become victims in botnets.

    Wilders requires Javascript if you want to use the HTML in posts. So, I enable scripting:

    wilders-sitepref.gif

    This is easy to do for regularly used sites. Is this what you are referring to?

    ----
    rich
     
  22. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    No, I haven't found that necessary. With AE2, the parents control the installation of all programs/software. No executables can download/install without their permission.

    ----
    rich
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,048
    Hi Rich

    In general I'd agree with you about keeping malware out in the first place. But sometimes that isn't practical. I have two people who work for me, and use my computers, and they are very careful, but we use Outlook for Email and a host of other things it can do.

    Another email client isn't viable at this point, but aside from that when we occasionally have emails from clients with attachments we almost have to open them to see what they are. Also voicemails come as email attachments. So attachments are an issue. This way the folks can open them see what's going on, and if it's really bad, the just close outlook and the sandbox is automatically emptied. THen they can restart and delete the offending email. Tested, works, and we don't have to worry.

    Pete
     
  24. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Ad 1

    I had not realised that this is complicted, left most protective and restrictive is a default deny through OS or a ProGram (like Trust-No-Exe or Anti Executable2).

    AE2 is what you are using and applying. Picture illustrates that when you apply a deny, there is little added value using SBIE or DW. When you run as Admin though, moving to the left on the horizontal line (e.g. with DW or SBIE) has clear advantages.


    Ad 2

    Yes a default Deny and whitelist/allow for trusted sites :)
     
  25. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hi Pete,

    Yes, you mentioned this in another thread, and I agree that yours is a good solution since you indicated that it is not practical to lock down the system.

    ----
    rich
     
    Last edited: May 24, 2009
Loading...
Thread Status:
Not open for further replies.