DEP, ASLR and Integrity Levels

Didier Stevens
Posts: 8
Joined: Sat Oct 09, 2010 5:44 pm

DEP, ASLR and Integrity Levels

Post by Didier Stevens » Sat Oct 09, 2010 5:50 pm

When an application is sandboxed, I would like to be able to configure the sandbox to force the application to use ASLR and DEP (like EMET allows this to force applications which are not enabled for ASLR or DEP). I know I can force this by setting the appropriate flags in the dllcharacteristics parameter (PE file format), but I would like to be able to do this with Sandboxie.

And I would also like to configure a sandbox to run applications with a low integrity level. I know this can be set with a special ACE entry in the DACL of the executable, but again, I would like to be able to do this via Sandboxie.

Didier

ssj100
Posts: 945
Joined: Thu Apr 23, 2009 1:21 am

Post by ssj100 » Sat Oct 09, 2010 8:24 pm

Hi Didier Stevens! Nice to see you on the Sandboxie forums. I follow your blog fairly closely (as you probably know). Good to see that you are taking an interest in Sandboxie.
Sandboxie + SUA + DEP
Windows Firewall + NAT Router
Drive SnapShot (on-demand)

Didier Stevens
Posts: 8
Joined: Sat Oct 09, 2010 5:44 pm

Post by Didier Stevens » Sun Oct 10, 2010 3:47 am

Hi ssj100, nice to meet you here.

I have been using Sandboxie for a couple of years, and bought a license more than a year ago.

soccerfan
Posts: 440
Joined: Tue Sep 25, 2007 2:59 pm

Post by soccerfan » Sun Oct 10, 2010 10:11 am

Welcome to the forums Didier Stevens.
OT: Thanks for your 'ariad' tool. I've been using it as a fix for autorun as well as
the .lnk vulnerability that M$ deliberately did not fix for XP SP2 users like me :wink:
soccerfan

Didier Stevens
Posts: 8
Joined: Sat Oct 09, 2010 5:44 pm

Post by Didier Stevens » Sun Oct 10, 2010 11:55 am

Thanks soccerfan!

Didier Stevens
Posts: 8
Joined: Sat Oct 09, 2010 5:44 pm

Job Objects

Post by Didier Stevens » Sun Oct 10, 2010 12:07 pm

I would find it useful to be able to create & associate a job object with a sandbox, and force all processes running in the sandbox to run inside the job object.

Job objects have existed since Windows 2000, but I've never found a decent tool to manage them.
I believe job objects & Sandboxie are made for each other. I would also like Sandboxie to provide a settings dialog that permits me to set the limits of a job object.

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Sun Oct 10, 2010 5:49 pm

Didier Stevens, I don't really see what controlling ASLR and DEP has to do with Sandboxie. This is some low-level esoteric stuff, and you do have some low-level esoteric utilities in Windows to control this stuff, and that's the way it should remain, at least in my opinion.

As for job objects, I actually used them in Sandboxie at one time, but a process can only belong to one job object at a time. And when Vista came along and started using job objects for its UAC, I had to change Sandboxie to stop using job objects.
tzuk

Didier Stevens
Posts: 8
Joined: Sat Oct 09, 2010 5:44 pm

Post by Didier Stevens » Mon Oct 11, 2010 5:04 am

tzuk, I beg to differ.

In the Sandbox Settings dialog box, you have a Restrictions node. These settings allow you to apply several restrictions on the programs running inside the sandbox. For example, there is the Drop Rights setting, which Steve Gibson advised you on his podcast to put in.
In this context, DEP is a restriction: you forbid processes to execute code from pages that are not meant to be executed from.
With a bit of a stretch, I can make the same argument for ASLR: it restricts static shellcode with hardcoded WIN32 API addresses from operating.

But ultimately, it's your call.

And what about Integrity Levels, you didn't address them in your reply?

Cheers,

Didier

ssj100
Posts: 945
Joined: Thu Apr 23, 2009 1:21 am

Post by ssj100 » Mon Oct 11, 2010 5:16 am

Interesting points. I'm sure tzuk will respond appropriately with his own opinions, but I've got a few questions in the meantime.

Firstly, what DEP are you talking about? The way I'm interpreting it, you're talking about Microsoft Windows' own DEP, which comes in the form of Software or Hardware DEP. Presumably you are talking about Software DEP?

Also, if Hardware DEP is applied to all programs and services (OptOut), wouldn't it also be applied to processes within the sandbox? And if so, what would be the point of having a Software DEP configuration within the sandbox?

Thanks.

EDIT: also Didier, since you've brought up this issue of DEP, I'm wondering what your thoughts are on "Ret2Libc" attacks. From my testing, Hardware DEP fails against it:
http://ssj100.fullsubject.com/security- ... 47.htm#216
http://ssj100.fullsubject.com/security- ... 97.htm#590
Sandboxie + SUA + DEP
Windows Firewall + NAT Router
Drive SnapShot (on-demand)

Didier Stevens
Posts: 8
Joined: Sat Oct 09, 2010 5:44 pm

Post by Didier Stevens » Mon Oct 11, 2010 6:40 am

Microsoft DEP uses hardware DEP when the processor supports it.

OptIn is the default:
On systems with processors that are capable of hardware-enforced DEP, DEP is automatically enabled only for operating system components. This is the default setting for client versions of Windows. DEP can be explicitly enabled for selected applications or the current process.

An application opts in to DEP by having its DLLCHARACTERISTICS flag NO_EXECUTE set, or by calling SetProcessDEPPolicy with the proper parameters.
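The PE-level opt-in mentioned in the first post and in the post above can be audited directly from the image headers. The following is an added example (not code from this thread or from Sandboxie) that walks the DOS header to the optional header and reports whether the NX_COMPAT (DEP) and DYNAMIC_BASE (ASLR) bits of DllCharacteristics are set; the sample image it builds is a constructed minimal header, not a real executable, and the flag values are the documented PE constants.

```python
import struct

# Documented PE DllCharacteristics bits for the two mitigations discussed.
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # DEP opt-in
OPTIONAL_MAGIC_PE32 = 0x10B
OPTIONAL_MAGIC_PE32PLUS = 0x20B


def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field of a PE32 or PE32+ image."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20          # skip PE signature and 20-byte file header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (OPTIONAL_MAGIC_PE32, OPTIONAL_MAGIC_PE32PLUS):
        raise ValueError("unknown optional header magic 0x%X" % magic)
    # DllCharacteristics is at offset 70 in both PE32 and PE32+ optional headers.
    (flags,) = struct.unpack_from("<H", image, opt + 70)
    return flags


def mitigation_status(image: bytes) -> dict:
    """Report whether the image opts in to DEP and ASLR via its header."""
    flags = dll_characteristics(image)
    return {
        "dep_opt_in": bool(flags & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "aslr_opt_in": bool(flags & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
    }


def build_sample(flags: int) -> bytes:
    """Constructed minimal PE32 header: DOS stub, PE signature, file header, optional header."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew points right after the DOS header
    # Machine=i386, 1 section, no timestamp/symbols, SizeOfOptionalHeader=0xE0, Characteristics
    file_header = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    optional = bytearray(0xE0)
    struct.pack_into("<H", optional, 0, OPTIONAL_MAGIC_PE32)
    struct.pack_into("<H", optional, 70, flags)
    return bytes(dos) + b"PE\0\0" + file_header + bytes(optional)


if __name__ == "__main__":
    for name, f in (("both", 0x0140), ("dep only", 0x0100), ("neither", 0)):
        print(name, mitigation_status(build_sample(f)))
```

Pointing `dll_characteristics` at the bytes of a real on-disk executable gives the same check for the DEP/ASLR header bits that EMET-style tools inspect.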

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Mon Oct 11, 2010 7:04 am

Didier Stevens wrote: With a bit of a stretch
It's all a stretch. Now look here. You come to me and argue with me that I should spend time to implement those esoteric feature requests that you had on a whim. That's not very nice is it?

If you offered to do it yourself and contribute the code, that would be one thing. But to insist that I must do it?

* * *

And by the way, ASLR is a global system setting.
tzuk

Didier Stevens
Posts: 8
Joined: Sat Oct 09, 2010 5:44 pm

Post by Didier Stevens » Mon Oct 11, 2010 7:32 am

tzuk wrote:
Now look here. You come to me and argue with me that I should spend time to implement those esoteric feature requests that you had on a whim. That's not very nice is it?
Assuming I had these requests on a whim is condescending. That's not very nice to your customer, is it?
tzuk wrote: If you offered to do it yourself and contribute the code, that would be one thing. But to insist that I must do it?
As Sandboxie is closed source, you leave me no other option than to ask for these features, as I'm sure your EULA prohibits RE.
I've contributed to open source projects before when I wanted some new features.

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Mon Oct 11, 2010 7:46 am

Alright. There's no sense in keeping this going and turning it into something ugly.

My opinion, as I expressed it before, is that these requests are not directly related to Sandboxie. They are more appropriate as a standalone utility. There is DropMyRights which launches an executable, so you probably want a RandomizeMyDlls or EnableMyDep.

Now please don't argue with me how these things are just like DropMyRights and that I should implement them. The answer is no. Please respect that. End of story.
tzuk

Edreck

Post by Edreck » Mon Oct 11, 2010 12:15 pm

tzuk wrote:It's all a stretch. Now look here. You come to me and argue with me that I should spend time to implement those esoteric feature requests that you had on a whim.
Ouch, that sounds a little harsh. He was only asking you nicely. If you hate the idea of people suggesting ideas, just close down the feature request section :lol: Keep your shirt on brotha

Didier, your idea sounds very good. If you are interested in making this for the contributed utilities section feel free to use some of the info in the last post about sandboxie and its structure to make this addon a reality. http://www.sandboxie.com/phpbb/viewtopic.php?t=9116 -- best of luck

Shalom

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Mon Oct 11, 2010 12:42 pm

Yeah, it was a little harsh. I'm sorry about that and I apologize. I still don't intend to implement this feature. Back then the Drop Rights feature was requested repeatedly, and this, on the other hand, is something that I feel very few people would care about. But anyway, clearly I could have handled my response better. Sorry Didier Stevens. :oops:
tzuk