Windows built-in Sandbox

Discussion in 'sandboxing & virtualization' started by Windows_Security, Jun 6, 2016.

  1. Already posted, but for Windows users nice to know:

    Chrome sandbox: restricted user, job object, alternate desktop, untrusted integrity level; see the Chrome info. According to the authors of ReHIPS this is a C level 2 sandbox implementation according to the US Department of Defense.


    AppContainer
    Demystifying AppContainer: an explanation by the blog nextexpert (2013), and The Joy of (Windows) Sandbox Mitigations by James Forshaw (2016)
     
  2. Comment on James Forshaw's dreamed Sandbox features

    Protecting Medium Level processes
    A new option is protected processes, to protect medium level processes from being tampered with. Not a sandbox or a container, but a different protection mechanism (Windows has Access Control Lists, AppLocker, Software Restriction Policies, SmartScreen, Users, UAC*, Integrity levels, Protected Processes).

    See this tweak to add LSASS.exe to the protected processes (explanation by Alex Ionescu when playing with the Pass-the-Hash (PtH) option of LSASS); see the picture of LSASS running as Protected Process Light after the tweak.

    [attached screenshot: upload_2016-6-6_15-54-56.png]

    *Note: when UAC is set to deny elevation of unsigned binaries, it acts as a boundary.
     
    Last edited by a moderator: Jun 6, 2016
  3. WildByDesign (Registered Member; joined Sep 24, 2013; 2,587 posts; Toronto, Canada)

    I am familiar with this tweak since I have read about it a few times previously. However, I have not actually followed through with trying out this tweak because I was more worried about potential problems since LSASS.exe is quite an important process.

    Have you experienced any issues since implementing this tweak?

    That document by James Forshaw is quite nicely detailed along with helpful visuals. It is interesting how quite a number of users have been hating on Windows 8.x and Windows 10 in recent times, yet, clearly under-the-hood Microsoft has been making tremendous improvements to security by leaps and bounds with each release.
     
  4. No problems for at least a month (including Windows & Chrome updates). This tweak is also explained on Microsoft TechNet; that is why I tried it.
     
    Last edited by a moderator: Jun 6, 2016
  5. Mr.X (Registered Member; joined Aug 10, 2013; 4,805 posts)
  6. WildByDesign
    Excellent, thank you. I decided to go ahead and try this tweak out on Windows 10 64-bit and it's working great without any issues. I just had to remember to turn SecureBoot on since I typically have that disabled. Confirming the mitigation is nice and easy with Process Explorer and Process Hacker which is great. I will continue to use this tweak since I recall LSASS being targeted over the years, particularly with older versions of Windows.
     
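The LSA protection tweak from posts 2 and 6, as an added audit script that is not part of the thread: it reads the documented RunAsPPL registry value, reports the Secure Boot state (post 6 found it mattered on that machine), and looks for the Wininit "LSASS.exe was started as a protected process" event that Microsoft documents for confirming the setting after a reboot. The output shape and function names are my own.

```powershell
# Added example (not from the thread): audit the LSA protection (RunAsPPL) tweak.
# Registry key, value name and the Wininit event 12 are the ones Microsoft documents
# for "Additional LSA Protection"; the reporting layout is an assumption of this script.
function Get-LsaProtectionStatus {
    [CmdletBinding()]
    param()

    $lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $runAsPpl = (Get-ItemProperty -Path $lsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL

    # Confirm-SecureBootUEFI throws on legacy BIOS / non-UEFI systems, so report
    # "unknown" instead of failing the whole audit.
    try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = 'unknown' }

    # After a reboot with RunAsPPL=1, Wininit writes event ID 12 to the System log:
    # "LSASS.exe was started as a protected process with level: 4".
    # Other providers also use ID 12, so filter on provider and message as well.
    $started = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 12 } -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*Wininit*' -and $_.Message -match 'LSASS' } |
        Select-Object -First 1

    [pscustomobject]@{
        RunAsPPLConfigured = ($runAsPpl -eq 1)
        SecureBoot         = $secureBoot
        LsassStartedAsPPL  = [bool]$started
        LastPPLStartEvent  = if ($started) { $started.TimeCreated } else { $null }
    }
}

# Enables the setting; it only takes effect at the next reboot. Run from an elevated prompt.
function Enable-LsaProtection {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    if ($PSCmdlet.ShouldProcess($lsaKey, 'Set RunAsPPL = 1 (DWORD)')) {
        Set-ItemProperty -Path $lsaKey -Name RunAsPPL -Value 1 -Type DWord
    }
}

Get-LsaProtectionStatus | Format-List
```

Microsoft also documents an audit mode that logs, in the CodeIntegrity operational log, any LSA plug-in or driver that would be blocked under PPL; running that first is the usual way to catch third-party authentication packages before enforcing.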
  7. Minimalist (Registered Member; joined Jan 6, 2014; 14,883 posts; Slovenia, EU)

    Yes, I remember Sasser exploiting an LSASS vulnerability. The Windows firewall, turned on in Windows XP SP2, and a system update stopped it. Didn't hear about newer exploits though.
     
  8. guest (Guest)


    Another good catch, Kees :thumb:

    thanks
     
  9. WildByDesign
    I just wanted to note briefly that I've been running with this tweak now for daily use since Monday when Kees brought this topic to our attention and I have experienced zero issues. It's great to see Microsoft adding more and more under-the-hood mitigations.

    On that note, I've just recently read a fantastic article with regard to utilizing what the OS has to offer for computer security and discussion from Proactive security measures through Reactive security measures. It is an article written by Justin Schuh who works on the Chrome Security Team. I just was not sure where to post this article, but also realized that the folks who are interested in internal OS security measures would definitely appreciate this article. It's a fantastic read.

    Link: https://medium.com/@justin.schuh/stop-buying-bad-security-prescriptions-f18e4f61ba9e#.93bcx3wsb
     
  10. In the wishlist of James Forshaw's dreamed Sandbox features the side-by-side attack risk of Medium level processes is mentioned. I found the tweak to run LSASS.exe as a Protected Process Light, so medium level processes cannot infect this critical Windows process.

    Microsoft first made the protected processes for anti-malware processes (to prevent those processes from being attacked themselves). In Windows 8.1 and 10 the Protected Process Light version was introduced and a lot of critical system processes were protected from tampering by making them RunAsPPL (run as protected process light). This closed down the attack surface of side-by-side infection, where one Medium Integrity Level process infects or misuses (process hollowing) another Medium IL process.

    MemProtect offers granular control of Windows's PPL feature. Here is some English information on it: https://excubits.com/content/en/news.html. You can download it from Excubits. MemProtect is a mini driver plus service which is installed by right-clicking the inf file (see WildByDesign's post for how to install).

    So I decided to add some rules to protect the remaining system processes running with Medium Level Integrity. On my ASUS Transformer I run only Chrome, Office and Skype. I have disabled/uninstalled all other stuff (like IE, WMP, etc). So I have rules to contain those medium level processes and added some rules to protect the remaining medium IL system processes (explorer, taskhostex.exe and RuntimeBroker.exe).

    MemProtect ini
    Code:
    [LETHAL]
    [#LOGGING]
    [DEFAULTALLOW]
    [WHITELIST]
    !C:\Program Files\Google\Chrome\*>C:\Program Files\Google\Chrome\*
    !C:\Program Files\Office\*>C:\Program Files\Office\*
    !C:\Program Files\Skype\*>C:\Program Files\Skype\*
    !C:\Program Files\*>C:\Windows\splwow64.exe
    
    [BLACKLIST]
    C:\Program Files\Google\Chrome\*>*
    C:\Program Files\Office\*>*
    C:\Program Files\Skype\*>*
    
    C:\Users\*>*explorer.exe
    C:\Users\*>*dllhost.exe
    C:\Users\*>*taskhostex.exe
    C:\Users\*>*RuntimeBroker.exe
    
    D:\*>*
    
    [EOF]
    
    Bottom line
    Together with AppContainer, the PPL feature and MemProtect can already protect medium IL system processes from infection (ticking off one wish of James Forshaw's wishlist).

    I have added an Access Control List restriction to the Downloads folder and the Chrome AppData folder (set a deny execute/traverse folder ACL for Everyone on those folders) to enforce the Chrome Sandbox (all folders to which the medium IL Chrome broker process has write access).
     
    Last edited by a moderator: Jun 11, 2016
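The deny execute/traverse ACL from post 10, as an added PowerShell example that is not code from the thread or from Excubits. The two target paths (the profile's Downloads folder and Chrome's User Data directory under LOCALAPPDATA) and all function names are assumptions; Everyone is addressed by its well-known SID so the script is locale-independent.

```powershell
# Added example (not from the thread): put a Deny ExecuteFile/Traverse ACE for Everyone on
# folders a medium IL Chrome broker can write to, as post 10 describes. Paths are assumed.
$TargetFolders = @(
    (Join-Path $env:USERPROFILE 'Downloads'),
    (Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data')
)
$EveryoneSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')

function New-DenyExecuteRule {
    # ExecuteFile on a file means "run/load this"; the same bit on a directory is Traverse.
    # ContainerInherit + ObjectInherit make the ACE flow down to every subfolder and file.
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $EveryoneSid,
        [System.Security.AccessControl.FileSystemRights]::ExecuteFile,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny)
}

function Test-DenyExecuteAce([string]$Path) {
    # True when an explicit Deny ACE covering ExecuteFile for Everyone is already present.
    $acl = Get-Acl -LiteralPath $Path
    [bool]($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-1-0' -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ExecuteFile)
    })
}

function Add-DenyExecuteAce {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($folder in $Path) {
        if (-not (Test-Path -LiteralPath $folder -PathType Container)) {
            Write-Warning "Skipping missing folder: $folder"; continue
        }
        if (Test-DenyExecuteAce $folder) { Write-Verbose "Already restricted: $folder"; continue }
        $acl = Get-Acl -LiteralPath $folder
        $acl.AddAccessRule((New-DenyExecuteRule))
        if ($PSCmdlet.ShouldProcess($folder, 'Add Deny ExecuteFile/Traverse ACE for Everyone')) {
            Set-Acl -LiteralPath $folder -AclObject $acl
        }
    }
}

Add-DenyExecuteAce -Path $TargetFolders -WhatIf   # drop -WhatIf to apply
```

Because Everyone holds "Bypass traverse checking" (SeChangeNotifyPrivilege) by default, the traverse half of the deny changes nothing in practice; it is the ExecuteFile deny on the files that stops a downloaded binary or DLL from being run or loaded from those folders. Any code Chrome itself must load from its User Data directory would be blocked too, so verify Chrome's behaviour after applying it.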
  11. Minimalist
  12. Mr.X
    I wish I could help on that man. Problem is I dropped Excubits products weeks ago. My head aches when playing with ini lines :argh:
    So I decided to go for ReHIPS which seems an excellent product so far. Only time will tell...
     
  13. WildByDesign
    @Windows_Security I am intrigued and happy to test this MemProtect setup protecting certain system processes. Very well planned, I like it. So far no issues here but I will continue running this setup for the next few days or more.
     
  14. Sampei Nihira (Registered Member; joined Apr 7, 2013; 3,365 posts; Italy)

    :thumb:;)
    TH.
     
  15. Thx, Dave

    Windows has five integrity levels: system, high, medium, low and untrusted integrity level processes. Lower IL can't touch higher IL. High and System are protected by UAC and ACL when running as admin. Most internet-facing programs run in a Low IL sandbox, so medium IL processes are protected during internet sessions. The only worry is persistent data stored on the system and processed by Medium IL, and side-by-side attacks due to zero-day exploits.

    Microsoft was so nice to provide the protected processes feature to protect important system processes (even system/high IL can't touch them), reducing the attack surface substantially from Windows 8.1 and higher. With MemProtect we are able to use the Protected Process Light option to close down this Medium IL attack surface.

    The setup posted isolates internet facing and rich content programs from the rest of the system and protects the remaining Medium IL system processes from being infected from user folders (non UAC protected folders). It works without any problems.

    Regards Kees
     
    Last edited by a moderator: Jun 12, 2016
  16. WildByDesign
    @Windows_Security I appreciate and enjoy the way in which you are able to describe technical aspects. You always explain details in such a way that the information is easy to take in and understand.

    I recall initially when Florian was describing the MemProtect concept to me prior to release, he was suggesting that MemProtect on its own (if configured thoroughly and tactically) could prevent the majority of exploits from occurring and suggested that the user might not even need to use a traditional anti-executable. I think that with MemProtect (and potentially Pumpernickel as well), we have only really scratched the surface as to how much protection we can achieve. The difficult part, as many know, is having that initial creativity and imagination to create some wonderful rule sets.

    I applaud your boldness by opening up your mind with MemProtect and extending that to provide protection rules for critical system processes. So far this rule set is working great with zero issues. I imagine that this could be extended further as well but with care and caution as to not block any intended system activity.

    With MemProtect used for example as an analysis/forensics tool, someone who analyzes malware regularly could program MemProtect in such a way that it logs the malicious activity from initial exploit, to execution, to finish. Those types of detailed logs would be extremely useful for creating complex rules to stop exploits and malicious activity at the earliest stages. After all, MemProtect (PPL) is essentially a sandbox for protecting the memory of running processes as configured by the user.
     
  17. Thx, I would not have used them without your support.

    I don't understand why Florian does not create application-specific sandboxes for Firefox and Thunderbird, for example, using micro licences as usual on smartphones (a one-year license for a Firefox sandbox for 2 euro).
     
  18. Kid Shamrock (Registered Member; joined Apr 3, 2007; 229 posts)

    Kees, when you set the deny ACL on Chrome AppData folder, is Chrome still able to update itself? Or do you have to switch the ACL to allow mode for updates?
     
  19. Chrome (installed version) extracts the new version to the folder C:\Program Files\Google\Chrome\Application\[version]\Installer
    for example C:\Program Files\Google\Chrome\Application\51.0.2704.84\Installer

    [attached screenshot: upload_2016-6-13_8-22-37.png]

    Although the last time Chrome updated, it would not delete chrome.exe and rename new_chrome.exe to chrome.exe, and it would show the previous version number after the update and relaunch of Chrome.

    I will try to isolate this issue further and come back to you (it is probably because I don't allow Chrome to touch explorer with MemProtect).
     
    Last edited by a moderator: Jun 13, 2016
  20. Test with the HPMA test tool. Only the non-exploit test "launch and start calculator" is successful (to prove HPMA has access to the tested program) and the last two non-exploit tests (webcam test and keyboard logger test).

    [attached screenshot: upload_2016-6-13_9-26-4.png]
     
  21. WildByDesign
    Most likely, yes. Explorer.exe is responsible for a lot of I/O operations, therefore you are quite likely right that you may need to give explorer.exe access to Chrome during updates. But you'll have to try to do some logging and test to see if that is the issue. I am definitely curious to know.
    Excellent, good to see. Protected Processes Light in general seem to be quite solid and consistent. It is nice how even processes with higher privileges cannot access that protected memory.
     
  22. Chrome just updated to Version 51.0.2704.103 m on the Transformer and the Laptop, all with MemProtect blocking Chrome from touching Windows Explorer, with no problem.

    Found the cause on my Desktop. I had Pumpernickel also running with a very tight experimental Chrome file access restriction. The problem was that I thought I had it running to see what kind of issues I could get using this file access restriction, while the reverse was configured (lethal, no logging :gack: ). Chrome used to put old_chrome in the Application directory; now it uses a TEMP directory within Chrome's application folder. This change is new and was blocked by Pumpernickel. Correcting the Pumpernickel ini file did the trick. It now also installs correctly on my Desktop.
     
  23. After some more reading on the built-in mitigations of Windows

    Microsoft documentation: https://msdn.microsoft.com/en-us/library/windows/desktop/hh871470(v=vs.85).aspx

    Note: the ProcessSystemCallDisable policy is the WIN32_lockdown protection.

    This link explains the new mitigations to prevent processes being injected: http://www.sekoia.fr/blog/microsoft-edge-binary-injection-mitigation-overview/

    And the work of James Forshaw (post 1) on the sandbox analysis tool: https://github.com/google/sandbox-a...mmit/2c6010febf92a473ac84f3333bb9c28bbc69bc6a

    Assumption: when the Chrome Sandbox Analysis tool measures something, there is a fair chance this is implemented in the Chrome Sandbox itself (why would you analyse it if you would not use it?).

    Maybe some real security experts can tell something about this, but to an outsider and amateur it seems that Chrome also does something with these mitigation options (non-system fonts is probably about loading remote fonts):

    ProcessFontDisable
    The policy that turns off the ability of the process to load non-system fonts.

    ProcessImagePolicy
    The policy that turns off the ability of the process to load images from some locations, such as remote devices or files that have the low mandatory label.

    ProcessSignaturePolicy
    The policy of a process that can restrict image loading to those images that are either signed by Microsoft, by the Windows Store, or by Microsoft, the Windows Store and the Windows Hardware Quality Labs (WHQL).
     
    Last edited by a moderator: Jun 20, 2016
  24. Chrome sandbox

    Some experimental features called SITE ISOLATION (enabled with --site-per-process); here is a presentation on the --block-cross-site-documents switch, which is part of site isolation.

    Cross site protection for documents https://docs.google.com/presentatio...ViixZe4DRBs/edit?hl=en#slide=id.g296ad4674_00

    You can also use --site-per-process for testing on specific websites.
    [attached screenshot: upload_2016-6-17_15-35-43.png]

    Although this feature is designed to prevent site data leaking, I would not use it on HTTPS://*, since all internet commerce and banking is done via HTTPS://* and you don't want to break something when buying/paying for something on the internet (--isolates-sites-for-testing=HTTP://* seems to work okay on my PC).

    Video explaining the benefits of site isolation: https://www.chromium.org/developers...solation#TOC-2015-Site-Isolation-Summit-Talks
     
    Last edited by a moderator: Jun 17, 2016
  25. Another feature in chrome About://flags

    This is not a security feature. It encourages websites to move to asynchronous loading of (scripted) content to speed up webpage loading. About 10 to 15 percent of pages still use synchronous loading, so this setting would break compatibility (website functionality). The good thing is that (quote)

    So while this setting breaks website functionality it has a temporary side effect of blocking the stuff you probably don't want anyway (some ads and trackers).
     
    Last edited by a moderator: Jun 23, 2016