Vulnerability
Hi there,
I was just reading this article:
http://handlers.sans.org/tliston/Thwart ... koudis.pdf
and I wondered how vulnerable Sandboxie is to these attacks and detection methods.
Maybe we can learn from it and make Sandboxie even stronger.
I think these detection techniques are not a problem for Sandboxie because they are focused on virtual machines.
Detecting Sandboxie is much easier! => But if the number of Sandboxie users is small, nobody will write an extra detection for it.
In the end Sandboxie works similarly to a rootkit. => That way it is already detected by tools like Rootkit Unhooker as a possible rootkit. (Randomly changing the process names (sandboxiedcom, ...) would already add a lot of protection.)
To break out of Sandboxie in a planned way, detection is the first step.
I'm not going to use Sandboxie for the hard stuff => VMware is definitely much more secure. Sandboxie is one additional security layer that is available on my PC. Before Sandboxie I used limited user accounts for more security. Sandboxie is just much more comfortable and also works for applications that want to have administrative rights, but of course it has some security leaks. I personally think it is not very difficult to get around Sandboxie if you know that it is Sandboxie you want to get around.
This thread seems to imply that the strength of Sandboxie is in its relative obscurity, and that if only the malware could detect Sandboxie, then that malware could circumvent Sandboxie.
I strongly disagree.
By comparison, suppose a program has detected that it is running under a limited user account rather than an administrator account. Does this insight allow the program to elevate itself to administrator privileges? Of course not.
tzuk
Perfect security?
@tzuk: You are right. It will not be easy to get around Sandboxie. For average virus programmers it will be impossible.
A lot of file services like NtClose, NtCreateFile, NtDeleteFile, NtQueryXxx, the driver services like NtLoadDriver, and also inter-process communication and some other services are hooked by Sandboxie. But to be honest, there are a lot of other ways to get to the system level! Without going into too much detail, because I don't want to write sample code just to show it is possible, I think Sandboxie of course has, like any software, some limitations. I think that is fine because the security you get by using Sandboxie is very good.
However, everybody has to keep in mind that every security solution has limitations:
No virus scanner really protects you from a virus. No trojan scanner will protect you from being infected by a trojan. No personal firewall will really protect you from unwanted traffic. ... The same is true for Sandboxie.
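Two posts above talk about Sandboxie hooking the Nt* services (NtClose, NtCreateFile, NtDeleteFile, NtQueryXxx, NtLoadDriver) and about hook-detection tools such as Rootkit Unhooker flagging it as a possible rootkit. The following is an added example, not Sandboxie's code and not Rootkit Unhooker's, of the prologue check such a tool performs: it looks at the first bytes of an ntdll stub and decides whether they are still a clean syscall stub or have been overwritten by a detour. The clean-stub byte patterns assumed here are the classic x86 (XP-era, `mov eax,N ; mov edx,7FFE0300h`) and x64 (`mov r10,rcx ; mov eax,N`) forms; the sample byte arrays are constructed for this example and the syscall numbers in them (0x25, 0x55) are illustrative, not taken from any particular ntdll build. Compiled on Windows it additionally reads the live prologues of the exports named in the post; elsewhere it only classifies the constructed samples.

```c
/* Added example: inline-hook detection on Nt* stub prologues.
 * Not Sandboxie's or Rootkit Unhooker's code; patterns and samples are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { PROLOGUE_CLEAN = 0, PROLOGUE_HOOKED = 1, PROLOGUE_UNKNOWN = 2 } prologue_state;

/* Classify the first n readable bytes of a stub at p. */
prologue_state classify_prologue(const uint8_t *p, size_t n)
{
    if (n < 5)
        return PROLOGUE_UNKNOWN;
    /* Trampolines that hook engines plant at the entry point. */
    if (p[0] == 0xE9 || p[0] == 0xEB)                       /* jmp rel32 / jmp rel8 */
        return PROLOGUE_HOOKED;
    if (p[0] == 0xFF && p[1] == 0x25)                       /* jmp [disp32] */
        return PROLOGUE_HOOKED;
    if (p[0] == 0x68 && n >= 6 && p[5] == 0xC3)             /* push imm32 ; ret */
        return PROLOGUE_HOOKED;
    if (p[0] == 0xB8 && n >= 7 && p[5] == 0xFF && p[6] == 0xE0)   /* mov eax,imm32 ; jmp eax */
        return PROLOGUE_HOOKED;
    if (p[0] == 0x48 && p[1] == 0xB8 && n >= 12 && p[10] == 0xFF && p[11] == 0xE0) /* mov rax,imm64 ; jmp rax */
        return PROLOGUE_HOOKED;
    if (p[0] == 0xCC)                                       /* int3 breakpoint */
        return PROLOGUE_HOOKED;
    /* Clean stubs (assumed forms): x86 "mov eax,N ; mov edx,7FFE0300h ; call [edx]"
     * and x64 "mov r10,rcx ; mov eax,N ; ...". Only the intact leading bytes are checked. */
    if (p[0] == 0xB8 && n >= 10 && p[5] == 0xBA && p[6] == 0x00 && p[7] == 0x03 && p[8] == 0xFE && p[9] == 0x7F)
        return PROLOGUE_CLEAN;
    if (n >= 8 && p[0] == 0x4C && p[1] == 0x8B && p[2] == 0xD1 && p[3] == 0xB8)
        return PROLOGUE_CLEAN;
    return PROLOGUE_UNKNOWN;
}

/* Syscall number encoded in a clean stub, or -1 if the stub is not clean. */
int32_t syscall_number(const uint8_t *p, size_t n)
{
    if (classify_prologue(p, n) != PROLOGUE_CLEAN)
        return -1;
    size_t off = (p[0] == 0xB8) ? 1 : 4;   /* imm32 operand of the mov eax */
    return (int32_t)((uint32_t)p[off] | ((uint32_t)p[off + 1] << 8) |
                     ((uint32_t)p[off + 2] << 16) | ((uint32_t)p[off + 3] << 24));
}

/* Constructed samples; syscall numbers 0x25 / 0x55 are illustrative only. */
const uint8_t SAMPLE_CLEAN_X86[] = { 0xB8,0x25,0x00,0x00,0x00, 0xBA,0x00,0x03,0xFE,0x7F, 0xFF,0x12, 0xC2,0x2C,0x00 };
const uint8_t SAMPLE_CLEAN_X64[] = { 0x4C,0x8B,0xD1, 0xB8,0x55,0x00,0x00,0x00, 0x0F,0x05, 0xC3 };
const uint8_t SAMPLE_JMP_HOOK[]  = { 0xE9,0x10,0x20,0x30,0x40, 0xBA,0x00,0x03,0xFE,0x7F, 0xFF,0x12 }; /* first 5 bytes replaced by a jmp */
const uint8_t SAMPLE_PUSHRET[]   = { 0x68,0x78,0x56,0x34,0x12, 0xC3, 0x90,0x90 };
const uint8_t SAMPLE_MOVJMP64[]  = { 0x48,0xB8, 0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x00, 0xFF,0xE0 };
const uint8_t SAMPLE_GARBAGE[]   = { 0x55,0x8B,0xEC, 0x83,0xEC,0x10 };   /* push ebp ; mov ebp,esp: an ordinary function, not a stub */

static const char *state_name(prologue_state s)
{
    return s == PROLOGUE_CLEAN ? "clean" : s == PROLOGUE_HOOKED ? "HOOKED" : "unknown";
}

#ifdef _WIN32
#include <windows.h>
/* Read the live prologue of an ntdll export and classify it (Windows only). */
prologue_state classify_live_export(const char *name)
{
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    const uint8_t *fn = ntdll ? (const uint8_t *)GetProcAddress(ntdll, name) : NULL;
    return fn ? classify_prologue(fn, 16) : PROLOGUE_UNKNOWN;
}
#endif

int main(void)
{
    printf("clean x86 sample : %s (syscall %d)\n", state_name(classify_prologue(SAMPLE_CLEAN_X86, sizeof SAMPLE_CLEAN_X86)), syscall_number(SAMPLE_CLEAN_X86, sizeof SAMPLE_CLEAN_X86));
    printf("clean x64 sample : %s (syscall %d)\n", state_name(classify_prologue(SAMPLE_CLEAN_X64, sizeof SAMPLE_CLEAN_X64)), syscall_number(SAMPLE_CLEAN_X64, sizeof SAMPLE_CLEAN_X64));
    printf("jmp hook sample  : %s\n", state_name(classify_prologue(SAMPLE_JMP_HOOK, sizeof SAMPLE_JMP_HOOK)));
    printf("push/ret sample  : %s\n", state_name(classify_prologue(SAMPLE_PUSHRET, sizeof SAMPLE_PUSHRET)));
    printf("mov/jmp64 sample : %s\n", state_name(classify_prologue(SAMPLE_MOVJMP64, sizeof SAMPLE_MOVJMP64)));
    printf("plain function   : %s\n", state_name(classify_prologue(SAMPLE_GARBAGE, sizeof SAMPLE_GARBAGE)));
#ifdef _WIN32
    const char *names[] = { "NtClose", "NtCreateFile", "NtDeleteFile", "NtQueryDirectoryFile", "NtLoadDriver" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-22s: %s\n", names[i], state_name(classify_live_export(names[i])));
#endif
    return 0;
}
```

Two caveats when reading the live results: "unknown" is not evidence of a hook, since newer ntdll builds use stub sequences other than the two assumed here (the WOW64 `call fs:[0C0h]` form, or the x64 stub with a `test` before `syscall`), and a signature check like this only finds detours written at the entry point; the tool-grade approach compares the in-memory stub against the on-disk ntdll image byte for byte.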
@tzuk
My post was in no way meant to imply Sandboxie doesn't do what it's supposed to do; as far as my experience with it goes it's very secure (as you can read in other posts of mine).
I just posted it as a note; maybe we can find weaknesses and make it even stronger.
I've done some emailing with Roger from InfoWorld.
He told me it was peanuts to break out of any sandbox or VM environment.
I asked for specific methods or weaknesses on how he thought Sandboxie could be 'hacked'. Funny enough, he couldn't tell... he didn't try it with Sandboxie, but was strongly convinced it was a piece of cake too.
So that made me wonder, and so I put up this topic.
Just for the benefit of security, I like - LOVE Sandboxie!
Thank you for the praise. I didn't mean to say I was taking offence at what you said or anything like that. Not at all. I'm just surprised at some people jumping to conclusions. For instance:
... there are a lot of other ways to get to the system level! Without going into too much detail ...
Oh, I wish you would go into that detail. Otherwise you're just saying "there are other attack vectors ... I think! ... But anyway I'm not telling", which is just . . . puzzling.
tzuk
@tzuk
I think I found at least one weakness...
When I broadcast WM_CLOSE (HWND_BROADCAST) from a program running in Sandboxie, practically my whole system shuts down...
Can't be good, I think?
Also, I was able to inject code into processes outside the sandbox (of course again from an application running inside).
Do you mean http://programmerstools.org/node/348 ?
To inject code, have you also used this app?
street011 wrote: He told me it was peanuts to break out of any sandbox or VM environment.
Escaping a sandbox can indeed be possible when a weak point is found, sure,
but I have strong doubts that it is possible to escape from a virtual machine (like VMware).
I would really like to know how this can be achieved.
Owen