Window Zones-- a new sandbox?

Discussion in 'other anti-malware software' started by aigle, Dec 31, 2006.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
  2. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,301
    Location:
    South Wales, UK
    Looks interesting. But how does it compare with all those other 'sandbox' type applications out there? Does appear to be very simple to use. Has apparently had a beta phase but I have not heard of it until now.

    Anyone out there have any more detailed knowledge?:)
     
    Last edited: Jan 1, 2007
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Yes I would like to get some feedback about this app, positive things are that it does not use that many resources, interface is also quite simple. My virtual machine did crash twice upon exit though, might be a conflict with SSM Pro.

    But of course the question is how powerful is this tool? I have noticed that you can sandbox/unsandbox applications "on the fly" but does this basically mean that it strips admin privileges from processes, or is it a real sandbox? :rolleyes:
     
  4. Kenjin

    Kenjin Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    63
    Gave it a very quick test. It's real kernel based sandbox. A simple one that uses no virtualization, just imposes restrictions on the process that runs inside sandbox like blocking driver installs, blocking process modification (buggy btw), denying write access to Program Files folder, etc. Can be compared closest to DefenseWall, i.e. not that impressive IMHO.
     
  5. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,301
    Location:
    South Wales, UK
    Hi Kenjin

    Thanks for the update. Can you provide some more detail as to why you think that it is not impressive? That would be very useful for someone who is not really into this sort of app, but is interested in using them in the future.:D
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Tried it very briefly. Light weight. No slow downs at all and uses little resources.
    It,s somewhat like GesWall and DefenceWall( with a bit of mixture of two). I threw some malware on it that were effectively blocked.
     
  7. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,497
    Location:
    British Columbia
    Still playing aigle?.
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    No, it,s gone alredy. Sorry
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Anyone else with an opinion? Is this a truely powerful sandbox or is it all hype? I´m especially interested to hear about their patented technology that can move processes into and out of the sandbox "on the fly". ;)
     
  10. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    I've installed it under VMWare, but it doesn't works propertly for me. Can not move anything into the "Safe Zone". But, according their driver's size and structure I don't think it is 100% driver level defense (but it, naturally, need to be checked on propertly working WZ).

    As about "patented technology"- half of it (move processes into "untrusted" zone on the fly) have been implemented with DW in 2005. Other half is highly dangerous staff- 100% insecured.
     
  11. davepl

    davepl Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    5
    I work for the company that produced it, so I'll give you a little more info on exactly how it works. I'm biased, of course, but hopefully the info will be helpful! If you have other feedback, please post it to this thread and I'll make sure it gets heard for the next version!

    What WindowZones does is create a sandbox zone called the "SafeZone". In the safezone any process that is launched within it (for example, by creating a rule to run IE in the safezone) is hooked -before- it can execute any instructions at the kernel level.

    The token for the process is then inspected, and a new token is created for it. This new token will be a clone of the original except that any and all administrative rights will be stripped. This of course gives you the benefit of running the process as a guest, except you retain your original SID identity so that your favorites, links, etc all still work.

    The original token is cached, so that if you want to revert the process, just drag it back to the Admin zone. Of course once a process has -ever- been in the admin zone you can't fully trust it (it could create new threads or tokens for later malicious use, but you presume a known app like IE won't intentionally do this).

    One of the patent-pending features (by the way, its the lawyers that patent things and the marketers that mention it, as programmers we just thought it was a cool idea) is the ability to swap out tokens on the fly. This means you can move an app in and out of the sandbox without a restart, and the only change to the process is whether it will hold administrative rights... nothing else changes from the process's point of view. This is useful because you can keep IE in the safezone until you need, temporarily, to be in the admin zone so that you can install something like Acrobat reader. Do the install, then move it back to the safezone with no restart of the process.

    We spent a ton of time on app compat, not in terms of hacks, but in terms of the underlying token management to ensure that apps just work. As you're likely aware, if you try to run Outlook with a restricted token (as created by the CreateRestrictedToken api) it doesn't work at all. With WindowZones, as far as we know, all apps work perfectly (except those that actually need admin rights, for example).

    There is -no- process overhead, so no slowdown. It doesn't do any virtualization, because it relies on the NT kernel to do any security enforcement. Another nice aspect of this approach is that we couldn't "miss" anything. Whereas a virtualization approach has to hook all the important APIs, and you could forget one, we delegate all enforcement to the kernel itself, so in so far as the kernel does security correctly (and we assume it does), then WindowZones enforcement is reliable.

    For the casual user, we recommend running just your internet-facing apps (Outlook, IE, Messenger, Napster, etc) in the safezone. You could run the explorer and Word and so forth in the safezone for more thorough protection, but personally I don't. To each their own!

    Another, even more secure, way to use WindowZones is to actually make your account a guest account and run as guest (or limited user). Then at those times you actually need admin rights, promote an app. You then have to supply an account with admin credentials. This is more akin to the Unix approach of using SU, but it goes a step further because you can do it to a live process rather than only at launch, and move it back later. The once scenario we know this approach doesn't work is when your admin account does not have a password (such as under XP Home defaults), but we doubt that applies to many people here!

    Hope this helps... again, I'm not the marketing guy, but I'll do my best to answer any questions or offer any help I can!

    Thanks,
    Dave
     
  12. davepl

    davepl Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    5
    It does not work under a VM. That's a limitation of the license activation code, not WindowZones itself... my debug version works fine in a VM, for what that's worth :)

    Note sure what you mean by "highly dangerous stuff, 100% insecured". But if you can expound on that, I'll try to address it.

    Thanks,
    Dave
     
  13. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    :D
    The approach is very nice and shares similarities with GeSWall and DefenseWall.
     
  14. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,301
    Location:
    South Wales, UK
    Hi Dave

    Thank you for the explanation. All very interesting. I understand what you mean by "For the casual user, we recommend running just your internet-facing apps (Outlook, IE, Messenger, Napster, etc) in the safezone. You could run the explorer and Word and so forth in the safezone for more thorough protection, ..." but it would be cool if there was some way of (i) identifying types or groups of applications that should be run in the safezone or, more importantly, being able to tell Window Zones to run ALL application in the safezone, ie, a panic option that you could hit if you felt there was an issue, were not sure what app was the cause and just want to make sure that everything is bolted down. Whether you could do this automatically for programs already running outside the safezone is an interesting question...but it would be cool and very useful.:rolleyes:
     
  15. lu_chin

    lu_chin Registered Member

    Joined:
    Oct 27, 2005
    Posts:
    294
    What are the differences between WZ and programs like DropMyRights and RunSafe that make programs run with limited system access rights?

    Thanks.
    Lu Chin
     
  16. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    :thumb:
     
  17. lu_chin

    lu_chin Registered Member

    Joined:
    Oct 27, 2005
    Posts:
    294
    I see. So WZ is basically like DropMyRights and RunSafe except the applicaton's security token can be changed on the fly rather than at program launch time. Protection wise it does not seem to offer a lot more than DMR or RS. Or maybe I am missing something.

     
  18. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Although it´s not mentioned, I guess WZ may have the ability to track objects created by sandboxed processes and the ability to protect critical/trusted processes from hijacking/tampering.
    So, it´s basically DropMyRights without lost functionality.
     
  19. davepl

    davepl Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    5
    As an example, I was never able to get Outlook to even run (when using exchange server) using any of the solutions out there that are based on the CreateRestrictedToken API. We spent months ensuring appcompat was very high. In terms of technical differences, other than those enumerated by others, I'm not really the person to speak to alternatives.
     
    Last edited: Jan 14, 2007
  20. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    How will this work with Vista? Cause this is a very nice program, easy to use and it is filling the gaps 'on the fly' ... like advertised ....

    but like I said .. how about vista?

    Thanx in advance,
     
  21. davepl

    davepl Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    5
    We released before Vista, so it was untested. With Vista making some sweeping changes to the security infrastructure, I imagine there will be issues that we can address in a future release if there's demand for it on Vista.

    Vista of course contains similar functionality, but I found myself always clicking "ok" to their security prompts to the point where they probably didn't do much good once I'd learned the reflex. As I said, I'm biased, but I find the WZ model a lot easier, so it may indeed be that people still want it on Vista. That's something the market will have to decide though!
     
  22. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    DefenseWall doesn't rely on Windows Managment and security tokens.

    This means that if compromised process with low provilegse will be granted wiht high ones on the fly, this may case big problems.
     
  23. davepl

    davepl Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    5
    WindowZones introduces no vector that didn't already exist if you were running as admin without WindowZones... WindowZones only ever -LOWERS- rights, and never increases them.

    Now, just like SU on Unix, if you were running as guest and promoted an app to admin, you could intentionally create a bad scenario. But you're never any worse off than running as admin in the first place. Unless you specifically promoted a process, which you would have to intentionally do, and supply your username and password, that can't happen.
     
  24. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Thanks for the correction :) but I was talking about user-friendly "sandboxes" which aren´t too restrictive.
     
  25. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    well, it seems to be impossible to use SSM and WZ together, however I think using them together would be perfect for my needs.

    but everytime when I install SSM and reboot, it says Driver not found...

    too bad, have been trying to contact them but probably have to wait.
     
Loading...
Thread Status:
Not open for further replies.