Thanks, Curt, but I have to ask you would you say that using Google Chrome under Sandboxie's protection is not so good, because people use to say that Sandboxie increases attack surface of Chrome and makes it more vulnerable, meaning it weakens Chrome's protection, but it also weakens Sandboxie's protection-any opinions?Curt@invincea wrote:Yes to both questions.Lumberjack wrote:
Curt, 2 very quick questions, first question: Does Sandboxie (3x and 4x versions) use a kernel mode driver combined with user-mode hooks on both 32-bit and 64-bit versions?
Second very quick question: Does Sandboxie (3x and 4x versions) use the Windows kernel to ensure that system changes are made only inside the sandbox on both 32-bit and 64-bit versions?
Big thanks in advance.
Also, how big or small is Sandboxie's attack surface comapred to Google Chrome, does Sandboxie have greater or smaller attack surface than Google Chrome, big thanks in advance for this.
Also, an poster said the following:
"I know 2 Chrome bypassing, the former is performed in Pwn2Own, which is done by determined and dedicated researcher and he had almost 1 year to prepare penetration to Chrome, and he also needed help of OS exploit to make real damage.
Honestly, I doubt that SBIE can stand for such a thorough analysis by highly skilled researcher, especially when SBIE seems to be build by C or C++ which is one of the most vulnerable language (I think Chrome also).
The latter is found recently, again it is quite advanced and tricky, also requires help of extension and sync. Common criminals will never find such complicated exploit by themselves.
Increased attack surface may be theoretical one though hypothesis that SBIE can stop exploit which bypassed Chrome is also just theoretical one, but not mystical because it's based on widely acknowledged facts that, more code means more attack surface and the best way to secure your code is make your code reviewed by as many 3rd party experts as possible (Chrome fulfill this but SBIE doesn't). And kernel exploit is not simply harder than common exploit. Kernel exploit requires different knowledge than common one, and while yes there're fewer people who can write kernel exploit, that is no relevant when we're talking sophisticated APT.
Chrome is more thorougly analyzed by lots of people, not only experts but even DIY programmer. I know some actual cases that DIY programmer found serious vulnerability which even experts missed, the one case is relatively recently and it was about Android browser.
So it is more likely SBIE has more vulnerability currently unknown, but even so, attacker still have to reverse-engineer or fuzz SBIE and hove to find vulnerability. And I believe Invincea already have such audit process, so it must be also difficult for attcker. However, whatever effort Invincea made, it can't reach Chromium's degree. Also you know, Google have a big bug bounty program this is one more factor."
What do you think about all of this?
Also:
"You also misinterpreted what Curt said, he just spoke about user-mode hooks generally. The difference btwn user-mode hook and kernel-mode for bypassing is the former needs to take all measures to block bypass one by one, while the latter won't be bypassed unless attacker get admin privilege. Chrome takes all counter-measures so bypassing Chrome is very hard, and it have been well proven. But while Adobe Reader uses basically the same sandbox with Chrome, it's implementation is much weaker than Chrome so there was real escape for it."
So in the end what is the truth in all these posts, what is harder to bypass Sandboxie or Chrome, user-mode hooks or kernel-level driver, dll, bat, sys?
They also say it's not a good idea to use sandbox inside sandbox, it's like using antivirus with antivirus-it weakens protection of both!
Also another key question is if Chrome cannot protect against an exploit, if exploit breaks through Chrome's protection mechanisms, would Sandboxie be able to protect against this exploit (that breaks out of Chrome's sandbox).
Chrome, as far as I know, has mitigations against many exploits, but does Sandboxie also have mitigations against exploits as well (comapred to Google Chrome)?
Big thanks in advance, again.
