Windows build-in Sandbox

Discussion in 'sandboxing & virtualization' started by Windows_Security, Jun 6, 2016.

  1. Has anyone tried the DESKTOP-TO-APPCONTAINER converter? LINK I am not on 64 bits, so can't use the tool?

    Let's keep this thread about Windows internal mechanisms and software which allow us to use them.
     
  2. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,965
    Location:
    Toronto, Canada
    I followed through with the process successfully. The resulting applications did end up within AppContainer protection as hoped. However, the overall procedure was rather cumbersome and also involved quite a bit of additional disk space which was problematic within virtual machines for me.

    I had more hope with a developer (Andrea Allievi) who had created a simple win32 to AppContainer portable program and had promised to release it shortly thereafter. However, I assume that he ended up having problems with his company and was not able to release it to the public. See here (http://www.andrea-allievi.com/blog/first-week-of-june/) and further juicy kernel-mode details here (https://news.saferbytes.it/analisi/2013/07/securing-microsoft-windows-8-appcontainers/). Some promising stuff which fizzled out.

    On a side note, I've been speaking to Florian in recent days regarding creating a simple kernel-mode driver with simple configuration that can convert processes within the kernel into AppContainer which would be fantastic, although it is more complicated than it might seem. He is interested and researching it further, though. There are those methods contained in the link above, but also there is the sneaky method in which Chrome Security Team developers have figured out to allow chrome.exe processes to be contained within AppContainer. You know those brilliant minded, ridiculously high-paid Google developers, they seem to be able to make magic happen with code. So I am looking further into the Chromium source code over the past few days to see what kind of tricks they have done. Chromium devs don't seem to use the official/appropriate registry method mentioned in the above blog with kernel details. So they have done something different to achieve AppContainer sandbox for chrome.exe and quite likely a unique method. Anyway, I will let you know as I find out anything more interesting or hear back from Florian regarding modifying AppContainer process permissions within the kernel specifically.
     
  3. Okay this is my promise: I will send you a six-pack amber blond (=amber blond) Dutch Beer (3 ringen a small brewery from Amersfoort), rogge brood (pumpernickel in Dutch, literally rye bread) and Old Amsterdam (Yes that is old cheese from Amsterdam in old Dutch, in modern Dutch we now pronounce old as oud) when Florian is picking up this challenge.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,123
    Location:
    The Netherlands
    That was already clear, this is a little side discussion. But I'm trying to figure out why Windows_Security thinks that the "protected process" feature can be used to block exploits from running. He pointed me to this thread, but when I ask him to figure things out, he refuses.

    No it's not. Or are you saying that the "protected process" feature offered by MemProtect will automatically block exploited processes from spawning child processes? Then perhaps you guys are on to something. Because AFAIK, MemProtect comes into play when malware is already running. While AE tools try to stop malware from running at all.
     
  5. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,776
    @Rasheed187

    I agree that this needs to be put to rest so I am going to post this once while hoping that this thread sticks to its original purpose.

    1. Malware delivered through exploits need not necessarily come in the form of a portable executable format.

    2. While most exploits still do so, there are exploits that do not require spawning a new process.

    3. AE (while effective against most ITW malware delivered through exploits) are actually pretty late in the exploitation chain process. They only stop the final stage but attackers do not need to enter that stage to get what they want (e.g. steal info)...they just do it because it's convenient and has a higher rate of persistence.

    4. MemProtect comes earlier into the picture as it aims to prevent an exploit from successfully manipulating the memory of the "protected processes". This may thwart an exploit altogether or at the minimum contain it to the exploited process.

    Now, let's get back to topic.

    P.s. WS...hope you don't mind.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,123
    Location:
    The Netherlands
    Interesting reply, thanks. The debate is basically about point 4. And perhaps you're right, but I have a different view.

    The way I understand it, is that a "protected process" is protected from OTHER processes that may try to read from or write to process memory. But when such a "protected process" is attacked from the inside, it will still get exploited, with that I mean, the payload will be able to run, no matter if it's in-memory or file-based. MemProtect can't protect against this.

    Of course, when this payload (keylogger, ransomware or trojan) tries to inject code into other processes, this will be stopped by MemProtect or other HIPS, if configured correctly. But the goal of anti-exe and anti-exploit is to block this payload from running in the first place. If the AE is successful there is no need to "contain" any malicious behavior.
     
  7. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,776
    @Rasheed

    It all depends on the exploit itself.

    If an exploit chain requires access to the memory of another process before it reaches its final stage, MemProtect may be able to break the chain.

    If an exploit manages to reach the final stage (run a payload), MemProtect may help to prevent access to critical system files, prevent access to processes with higher privileges (and gain EOP) or prevent access to explorer (to steal info).

    Exploit mitigation consists of multiple techniques. Memory protection is one of them.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,123
    Location:
    The Netherlands
    I don't believe you need access to the memory of another process to get the payload running. And the focus should always be on blocking the payload from running at all, this is something that MemProtect is not designed for, you need AE for this.

    So if you want to recommend an alternative to HMPA, it makes more sense to name tools like MBAE, Bouncer, VS and ERP. That's the part that I'm trying to explain, MemProtect can be used as a companion to these tools, not as a replacement.

    It's these kinds of posts made by member Windows_Security that make me believe that he doesn't understand the purpose of MemProtect and also doesn't understand how tools like HMPA and MBAE exactly work:

    https://www.wilderssecurity.com/threads/windows-build-in-sandbox.386322/#post-2594544

     
  9. @Rasheed187

    Code:
    [BLACKLIST]
    C:\Program Files\Google\Chrome\*>*
    
    When a chrome bug causes a memory exception in chrome, Chrome does not have access to other processes' memory, so the bug can't be exploited. Please respond in the Bouncer thread, because WildByDesign confirmed my test.

    If it makes you happy: I don't understand anything and know nothing about exploits, so no need to parrot that anymore and, more importantly, stop polluting this thread.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,123
    Location:
    The Netherlands
    Actually, you may be on to something, so perhaps I'm totally wrong about certain things. But you can't blame me for thinking that you got it wrong, because MemProtect does in fact not have "similar protection" as HMPA. But perhaps with "similar" you meant that it will also do the job. But I will continue this technical discussion in the Bouncer thread. :D
     
  11. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,965
    Location:
    Toronto, Canada
    @Windows_Security I apologize if this is the incorrect thread to share this, but I figured that you would be interested.

    (attachment: cfg-chrome.png)

    Landed in Canary builds today (https://codereview.chromium.org/2412983006) and confirmed working. They are only enabling CFG on chrome.exe & chrome_elf.dll so far to keep an eye on performance implications and will expand upon it later.
     
  12. @WildByDesign
    Thx, also works for 8.1
     
  13. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,965
    Location:
    Toronto, Canada
    @Windows_Security Some fantastic per-process mitigation details you may be interested in:
    Link: https://raw.githubusercontent.com/TheRyuu/theryuu.github.io/master/ifeo-mitigationoptions.txt

    This seems to be the way in which Edge enforces its process mitigations.

    Particularly the sections for Windows 8+, Windows 10+, and Windows 10 TH2+ are quite interesting. I believe that Chromium uses those Windows 10 TH2+ mitigations. It would be great to see a developer create a program similar to EMET to easily set these per-process mitigations.
     
  14. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    3,638
    Location:
    Europe then Asia
  15. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,965
    Location:
    Toronto, Canada
    Yes, I ended up trying some of the ones which are specific to 64-bit systems on latest Windows 10. I did not use any complicated programs though, just some rather simple/portable executables such as speedyfox.exe and then using Process Hacker to verify that these mitigations were applied to the process. So many nice process mitigations on latest Windows 10. This ended up being productive and positive testing.

    I also tried testing some additional process mitigations via PowerShell in the latest Creators Update (Windows 10 Build 15042) build, in which the remainder of EMET process mitigations (including ASR) are supposedly a part of now:

    Source: https://twitter.com/dwizzzleMSFT/status/819226684163432448
    Source: https://twitter.com/dwizzzleMSFT/status/823005481245540352

    But unfortunately I had zero success with applying process mitigations via PowerShell in a virtual machine. I also looked thoroughly through the registry to find any new locations for these mitigations but no luck. With RTM for Creators Update getting close, hopefully someone will detail these mitigations via PowerShell better in the coming months.
     
  16. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    3,638
    Location:
    Europe then Asia
    That is nice, with those kind of tweaks, we can tighten the OS a bit more and somehow ditch some apps doing the same.
     
  17. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,965
    Location:
    Toronto, Canada
    Some interesting testing following the per-process mitigations:
    • Explorer++ previously modified to run as Low IL
    • Explorer++ 64-bit specifically (some process mitigations ignored on 32-bit process)
    • Processes launched from Explorer++ carry forward the following mitigations to child processes:
    • Images restricted (remote images, low mandatory images)
      • Remotely located images cannot be loaded into the process.
      • Images with a Low mandatory label cannot be loaded into the process.

    (attachments: process-mitigations-01.png, process-mitigations-02.png, process-mitigations-03.png)

    MitigationOptions Value Data 111100101111111 (this was Windows 10 for testing)

    Or regkey:
    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Explorer++.exe]
    "MitigationOptions"=hex(b):11,11,11,01,01,10,11,01
    "DisableExceptionChainValidation"=dword:00000000
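
As an added example (not code from the thread or from any of the posters), the following Python converts between the MitigationOptions value quoted above and the little-endian hex(b) byte list a .reg file needs, and decodes the 4-bit policy slots; the slot names and shifts are assumed from the PROCESS_CREATION_MITIGATION_POLICY_* constants in winbase.h, and the low byte is reported raw as legacy bit flags.

```python
# Added example: encode/decode an IFEO "MitigationOptions" REG_QWORD.
# Slot positions assumed from winbase.h PROCESS_CREATION_MITIGATION_POLICY_*
# shifts; bits 0-7 are legacy single-bit flags (e.g. DEP = 0x1) and are
# reported as a raw byte rather than interpreted.
SLOTS = {
    8: "FORCE_RELOCATE_IMAGES", 12: "HEAP_TERMINATE",
    16: "BOTTOM_UP_ASLR", 20: "HIGH_ENTROPY_ASLR",
    24: "STRICT_HANDLE_CHECKS", 28: "WIN32K_SYSTEM_CALL_DISABLE",
    32: "EXTENSION_POINT_DISABLE", 36: "PROHIBIT_DYNAMIC_CODE",
    40: "CONTROL_FLOW_GUARD", 44: "BLOCK_NON_MICROSOFT_BINARIES",
    48: "FONT_DISABLE", 52: "IMAGE_LOAD_NO_REMOTE",
    56: "IMAGE_LOAD_NO_LOW_LABEL", 60: "IMAGE_LOAD_PREFER_SYSTEM32",
}
# Per-slot nibble values: 1 = always on, 2 = always off, 0 = leave default.
STATE = {0: "default", 1: "always on", 2: "always off"}


def to_reg_hexb(value_hex: str) -> str:
    """Hex digits as typed in the post -> the .reg 'hex(b):' little-endian list."""
    qword = int(value_hex, 16)
    if qword >> 64:
        raise ValueError("MitigationOptions is a 64-bit REG_QWORD")
    return "hex(b):" + ",".join(f"{b:02x}" for b in qword.to_bytes(8, "little"))


def from_reg_hexb(hexb: str) -> int:
    """Parse 'hex(b):11,11,...' (little-endian bytes) back into the integer value."""
    body = hexb.split(":", 1)[1]
    return int.from_bytes(bytes(int(b, 16) for b in body.split(",")), "little")


def decode(qword: int) -> dict:
    """Map each 4-bit policy slot to its state; legacy flags byte kept raw."""
    out = {"legacy_flags": f"0x{qword & 0xFF:02x}"}
    for shift, name in SLOTS.items():
        nibble = (qword >> shift) & 0xF
        out[name] = STATE.get(nibble, f"value {nibble}")
    return out


if __name__ == "__main__":
    # Value data from the Explorer++ test above (constructed input for this demo).
    reg_line = to_reg_hexb("111100101111111")
    print('"MitigationOptions"=' + reg_line)
    for name, state in decode(from_reg_hexb(reg_line)).items():
        print(f"{name:30} {state}")
```

Running it reproduces the exact hex(b) line in the .reg snippet and shows that the two image-load restrictions the post observed (no remote images, no low-label images) are the slots set to "always on" in bits 52 and 56.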
    
    
     
  18. Gapliin

    Gapliin Registered Member

    Joined:
    Feb 12, 2012
    Posts:
    69
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,123
    Location:
    The Netherlands
    Interesting, browsers will become really hard to exploit, you can already see this with Edge and Chrome, there have been almost no successful attacks reported in the last few years.
     
  20. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    3,638
    Location:
    Europe then Asia
    Indeed, in the near future browser-sandboxing apps won't be necessary except for some specific situations, the vendors should start focusing their attention on isolating the unsafe areas of the OS.
     
  21. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    1,823
    Location:
    Cape Town, South Africa
    Including ReHIPS?
     
  22. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    3,638
    Location:
    Europe then Asia
    Why would you sandbox a browser already tightly sandboxed (chrome) or even virtualized (future Edge)? It would make no sense except for FF (which has no sandboxing option), but don't worry, we are not there yet. :D
     
  23. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,140
    :thumb:
    Chrome has already enough own protection. AppContainer, an "own sandbox", further isolation-features, etc.
     
  24. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    3,638
    Location:
    Europe then Asia
    The advantage of ReHIPS is that it uses Windows mechanisms to sandbox, which is also what Chrome does; so the compatibility between them is optimal. It is why I have no issues isolating Chrome with ReHIPS.
     
  25. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    1,823
    Location:
    Cape Town, South Africa
    I seem to have 'Aw, Snap!' issues with Chrome / Chromium, and have always preferred Firefox. But it does seem to be 'behind the curve' on security, though probably not privacy.
    But with upcoming changes that will break many add-ons etc., I guess I may well be heading the Chrome route anyway :doubt:.
     