Add option to evaluate sandbox rules in file order
Posted: Thu Oct 20, 2011 11:02 am
After researching Windows security for 11 years, I have relied for the last year on Sandboxie for my primary security. Really great software!
There is something I have been wishing for over the last year. Other security software (HIPS I used to use, firewall I still use) achieves surgical precision and simplicity by evaluating rules in the order they appear in file. According to tzuk (see http://www.sandboxie.com/phpbb/viewtopic.php?t=9427), Sandboxie evaluates all ClosedFilePath rules, then all ReadFilePath rules and then all OpenFilePath rules. If none of these *FilePath rules apply to a file I/O, then a read is allowed and a write is sandboxed. Thus, the order of these rules doesn't matter.
I would like a new Sandboxie.ini setting that tells Sandboxie to evaluate these rules in the order they appear in file. Without the new setting, Sandboxie would work as today for backwards compatibility. I propose that this new evaluation mode would speed up execution because 1) only one pass through is needed for the three *FilePath rules compared to three passes today, and 2) I can reduce the number of rules to achieve the same effect. More importantly, the new setting provides more surgical precision in achieving security. Here is a good example: http://www.sandboxie.com/phpbb/viewtopic.php?t=11714
I further propose adding a new rule/setting, maybe called NormalFilePath, that specifies that file I/O matching the path is allowed to read, but writes are sandboxed. Today, this behavior applies if file I/O doesn't match any *FilePath rules. This new setting, which would only apply when rules are evaluated in file order, could be inserted between *FilePath rules to provide more flexibility in file I/O rules. I suggest that NormalFilePath behavior would still apply if no *FilePath rules match a given file I/O.
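The two evaluation modes discussed in the post, side by side, as an added sketch that is not part of the original post and is not Sandboxie code. The rule list, the paths and the directory-prefix matching are constructed assumptions; NormalFilePath and file-order evaluation exist only as the poster's proposal.

```python
# Added illustration: a simplified model, not Sandboxie's implementation.
# Constructed rule list, in the order it would appear in Sandboxie.ini.
RULES = [
    ("OpenFilePath",   r"C:\Users\me\Documents\Shared"),
    ("NormalFilePath", r"C:\Users\me\Documents\Drafts"),  # proposed setting
    ("ClosedFilePath", r"C:\Users\me\Documents"),
    ("ReadFilePath",   r"C:\Users\me"),
]

# (read, write) outcome for each rule kind.
EFFECT = {
    "ClosedFilePath": ("denied", "denied"),
    "ReadFilePath":   ("allowed", "denied"),
    "OpenFilePath":   ("allowed", "direct"),
    "NormalFilePath": ("allowed", "sandboxed"),
}
DEFAULT = "NormalFilePath"  # no rule matched: read allowed, write sandboxed

def matches(prefix, path):
    # Assumption: case-insensitive directory-prefix match, no wildcards.
    p, q = prefix.lower().rstrip("\\"), path.lower()
    return q == p or q.startswith(p + "\\")

def by_category(rules, path):
    """Behaviour described in the post: all Closed, then Read, then Open."""
    for kind in ("ClosedFilePath", "ReadFilePath", "OpenFilePath"):
        if any(k == kind and matches(p, path) for k, p in rules):
            return kind
    return DEFAULT  # NormalFilePath lines are ignored in this mode

def by_file_order(rules, path):
    """Proposed mode: the first matching rule in file order decides."""
    for kind, prefix in rules:
        if matches(prefix, path):
            return kind
    return DEFAULT

def compare(rules, path):
    return by_category(rules, path), by_file_order(rules, path)

if __name__ == "__main__":
    for path in (r"C:\Users\me\Documents\Shared\a.txt",
                 r"C:\Users\me\Documents\Drafts\b.doc",
                 r"C:\Users\me\Documents\tax.pdf",
                 r"C:\Windows\x.dll"):
        cat, order = compare(RULES, path)
        print(path, "| category:", EFFECT[cat], "| file order:", EFFECT[order])
```

With category-first evaluation the broad ClosedFilePath rule always wins, so the Shared and Drafts exceptions can only be expressed by narrowing the Closed rule itself; with file-order evaluation the same four lines carve them out.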