Sandbox to OS interaction

Please post your problem description here

Moderator: Barb@Invincea

Post Reply
Andyb777
Posts: 4
Joined: Tue Aug 04, 2009 5:13 pm

Sandbox to OS interaction

Post by Andyb777 » Wed Aug 05, 2009 9:57 am

I am in the process of analyzing SandboxIE as an additional method to securing corporate desktops.

My initial research regarding the functionality and effectiveness of this sandbox tool is very promising. :D

I wonder how the use of SandboxIE differs from other tools used to 'bubble' applications such as Microsoft AppV - in terms of isolating an application and protecting the underlying OS.

Specifically I have a question about security vulnerabilities that may or may not exist with regard to giving a sandboxed application access to outside EXE's. For example, I have IE sandboxed and I want this boxed browser to access applications outside the sandbox (in the trusted OS zone), such as a media player or PDF reader or any other web enhancing application. Does allowing access to these out of the sandbox applications also expose the native vulnerabilities associated with each opened application? If so, doesn't this scenario present the possibility of malware from inside the sandbox exploiting vulnerabilities on trusted zone applications made accessible from inside the sandbox?


Thanks,
Andy

Peter2150
Posts: 879
Joined: Tue Mar 27, 2007 9:46 pm
Location: Washington DC

Post by Peter2150 » Wed Aug 05, 2009 11:38 am

Hi Andy

I do just what you are talking about. I have a Sandbox for each browser I use and also one for Outlook. In each browser the only app allowed to access the internet is the primary application which is the browser or outlook. I also use the start run restrictions, so say in my Firefox sandbox, I allow Foxit PDF reader to run, WIndows Media Player to run, and Microsoft Word to Run, but they also run sandboxed, and are not allowed to access the internet.

For Outlook, I allow Word,Audicity(which I use for Voicemail messages and IE to run, but only Outlook and IE can access the internet. Again all these things run Sandboxed. The benefit of this is when a email with an attachment is downloaded(either good or bad) when outlook is closed it's contained in the pst file. When Outlook is running, if the attachment is run, it runs sandboxed and can't hurt the system. Close Outlook, and the sandbox is deleted.

This has worked well for me, as I have to girls who work for me, using my computers. If an email comes in from a client, with an attachment, they almost have to open it, but the system is protected, and I don't have to worry about what may happen.

Pete

bs1
Posts: 566
Joined: Fri May 16, 2008 12:32 pm

Re: Sandbox to OS interaction

Post by bs1 » Wed Aug 05, 2009 12:54 pm

Andyb777 wrote: For example, I have IE sandboxed and I want this boxed browser to access applications outside the sandbox (in the trusted OS zone), such as a media player or PDF reader or any other web enhancing application. Does allowing access to these out of the sandbox applications also expose the native vulnerabilities associated with each opened application? If so, doesn't this scenario present the possibility of malware from inside the sandbox exploiting vulnerabilities on trusted zone applications made accessible from inside the sandbox?Thanks, Andy
Hi Andy. I can't tell from your above comment/questions if you understand that if a sandboxed browser calls upon another web-enhancing application to be started, then that application is automatically sandboxed as well. So (while sandboxed) if I'm browsing something that wants to run Windows Media Player, then WMP opens up sandboxed as well. Likewise with your pdf reader, etc.

Andyb777
Posts: 4
Joined: Tue Aug 04, 2009 5:13 pm

Sandbox to OS interaction

Post by Andyb777 » Wed Aug 05, 2009 1:20 pm

Wow, that's slick.

I didn't realize - outside the sandbox applications (i.e. PDF reader), when made accessible to the sandboxed application (i.e. Internet Explorer/Firefox), are automatically executed within the sandbox environment when fired up from the sandboxed application. That is awesome.

I'm trying to think if there are any accessibility or functionality shortfalls with this process, compared to traditional methods of using a browser and peripheral applications without isolation techniques. Apart from the need to import safe files from the sandbox which is a minor inconvenience.

bs1
Posts: 566
Joined: Fri May 16, 2008 12:32 pm

Re: Sandbox to OS interaction

Post by bs1 » Wed Aug 05, 2009 5:26 pm

Andyb777 wrote: Wow, that's slick.
I didn't realize - outside the sandbox applications (i.e. PDF reader), when made accessible to the sandboxed application (i.e. Internet Explorer/Firefox), are automatically executed within the sandbox environment when fired up from the sandboxed application. That is awesome.
You're right; it is slick and awesome. :D
Andyb777 wrote: I'm trying to think if there are any accessibility or functionality shortfalls with this process, compared to traditional methods of using a browser and peripheral applications without isolation techniques. Apart from the need to import safe files from the sandbox which is a minor inconvenience.
As explained here http://www.sandboxie.com/index.php?Prog ... ngs#linger, sometimes a lingering (sandboxed) program requires manual termination. My own experience has been this happens very infrequently and is not a deterrent. In addition, as noted on that linked page, you can change a setting to mitigate reoccurrences.

Peter2150
Posts: 879
Joined: Tue Mar 27, 2007 9:46 pm
Location: Washington DC

Re: Sandbox to OS interaction

Post by Peter2150 » Wed Aug 05, 2009 10:07 pm

Andyb777 wrote:Wow, that's slick.

I didn't realize - outside the sandbox applications (i.e. PDF reader), when made accessible to the sandboxed application (i.e. Internet Explorer/Firefox), are automatically executed within the sandbox environment when fired up from the sandboxed application. That is awesome.

I'm trying to think if there are any accessibility or functionality shortfalls with this process, compared to traditional methods of using a browser and peripheral applications without isolation techniques. Apart from the need to import safe files from the sandbox which is a minor inconvenience.
The other thing I didn't mention is you can set your sandboxes so that nothing in the sandbox, can access your data. I block the whole My Documents area, and my d: drive. Only inconvenience to this is if I want to attach a file to send, I have to move it to the desktop first.

Sandboxie is truly first rate protection.

Pete

Andyb777
Posts: 4
Joined: Tue Aug 04, 2009 5:13 pm

Sandbox to OS interaction

Post by Andyb777 » Fri Aug 07, 2009 9:32 am

Thanks for your inputs - much appreciated.

Post Reply

Who is online

Users browsing this forum: Majestic-12 [Bot] and 15 guests