chrome and sbie

If it's not about a problem in the program
Gator
Posts: 180
Joined: Thu Jan 19, 2012 5:20 pm

chrome and sbie

Post by Gator » Sun Jul 13, 2014 12:36 pm

Since chrome is sandboxed already, is it ok to run in sbie without any issues?

Someone posted this on Wilders, which is partially why I ask...
It is noticeable because my computer is very fast and Chrome is blazingly fast when nothing tampers with it. However dll injection becomes noticeable every time I open a new website. This is because Chrome closes the old tab process and launches a new one. I have also witnessed it happens with Sandboxie, as this program massively tampers with Chrome's own policy in order to make it work in its own context. This shows when opening a new webpage as well because Sandboxie has to manipulate this new process the same way (I wouldn't use Chrome in Sandboxie anyway, just tested it to measure the performance impact).
http://www.wilderssecurity.com/threads/ ... st-2390732

bo.elam
Sandboxie Guru
Posts: 2876
Joined: Wed Apr 22, 2009 9:17 pm

Re: chrome and sbie

Post by bo.elam » Sun Jul 13, 2014 8:02 pm


Gator
Posts: 180
Joined: Thu Jan 19, 2012 5:20 pm

Re: chrome and sbie

Post by Gator » Sun Jul 13, 2014 11:35 pm

Thanks, so it is a good layer...I have mine set to block any program other than chrome so nothing can run and invade my privacy even though it is sandboxed.

Der Moloch
Posts: 82
Joined: Sun Jun 23, 2013 11:22 am

Re: chrome and sbie

Post by Der Moloch » Mon Jul 14, 2014 7:47 am

There is no useful information in that linked thread. The link to the CVEs there regarding Chrome does not mean that these are sandbox escapes. These could all be remote code execution vulnerabilities which are contained by Chrome's own sandbox. But since it's a vulnerability, there is a CVE for it, regardless of whether it's contained or not. If you have a working kernel exploit handy, remote code execution in a sandbox is all you need to compromise the system. Hence these are still dangerous, even if they are contained in most cases because the attack lacks sophistication.

Of course if you ask Invincea, they will tell you that you need Sandboxie for Chrome. If you go to the Google forums, they will tell you it's not necessary and it possibly only breaks things. The only real research in that regard comes from Bromium. Of course they sell their own product, but they don't sell Chromium, so you can take their word about Chromium's security seriously. At least Bromium shows proof of concept on how they can bypass everything whereas Invincea's demonstration videos only include insecure browsers and intentional attempts of self infection (lol), which are then contained by Sandboxie. They couldn't show you how they bypass Chrome and how this attempt would be contained by Sandboxie. All they can show you is how they download a file and execute it in the sandbox...
One hour of FleischmannTV saves one square kilometre of precious peble wasteland.

Der Moloch
Posts: 82
Joined: Sun Jun 23, 2013 11:22 am

Re: chrome and sbie

Post by Der Moloch » Mon Jul 14, 2014 9:27 am

Here is an example of how Sandboxie tampers with Chromium's own policies.

These are the defaults:

[Two images, not preserved]

This is how Chromium looks in Sandboxie:

[Two images, not preserved]

The differences are 12 job objects in default as opposed to 5 in Sandboxie. On top of that processes under Sandboxie's control run with nt-authority\anonymous as opposed to Logon SID and NULL SID.
Gator wrote:I have mine set to block any program other than chrome so nothing can run and invade my privacy even though it is sandboxed.
As you can see Chromium tabs run with the job object "Active Processes = 1" by default, which means they cannot create any child processes anyway. Yet if you run it in Sandboxie, this job object does not exist and now Chromium processes can create child processes unless you apply start/run restrictions and once you have applied these restrictions you get the same as you would have gotten before without Sandboxie.

Awesome, isn't it? This is just one example of how Sandboxie disables Chromium's security features and you have to make manual adjustments only to get something back which had already been there by default.

If you want to read up on how the Chromium sandbox works, I suggest this link:

http://www.chromium.org/developers/desi ... ts/sandbox
One hour of FleischmannTV saves one square kilometre of precious peble wasteland.

bo.elam
Sandboxie Guru
Posts: 2876
Joined: Wed Apr 22, 2009 9:17 pm

Re: chrome and sbie

Post by bo.elam » Mon Jul 14, 2014 2:59 pm

Gator wrote:Thanks, so it is a good layer...
Hi Gator. I never used Chrome but if for some reason I had to, I wouldn't ponder about whether I should or should not run it under SBIE. I would definitively run Chrome under Sandboxie. Gator, I trust Sandboxie and Invincea while I don't trust Chrome. If something in Chrome has to be disabled in order for Chrome to work under SBIE, so what. For me, that's the end of that and it's OK. Besides, Sandboxie has nothing to prove to me; in over five years of using it, its record is outstanding as I have never seen anything to make me doubt or wonder if the program is doing what it's supposed to.

To me, that's worth plenty more than the POC that Fleishman/Der Moloch keeps bringing up over and over. For some reason, he never wastes any opportunity to post about it when he can. That thing came out a year ago and nothing out of it has become real. Five years from now, we still gonna have Fleishman talking about it but the end result still gonna be the same. Nothing.

Bo

Der Moloch
Posts: 82
Joined: Sun Jun 23, 2013 11:22 am

Re: chrome and sbie

Post by Der Moloch » Mon Jul 14, 2014 5:05 pm

bo.elam wrote:Gator, I trust Sandboxie and Invincea while I don't trust Chrome.
This is about whether the Chromium sandbox benefits from Sandboxie and if there is actual proof of that and not about your personal trust issues. Just because you trust something more doesn't make it more secure. Guess what, I trust the Chromium sandbox just as much as I trust Sandboxie. So whose trust is more important?

Should the OP run Chrome in Sandboxie because bo elam trusts Invincea and doesn't trust Chrome or shouldn't he do it because Der Moloch (FleischmannTV is my nickname on Wilders and not here) trusts Chrome just as much as he trusts Sandboxie?
bo.elam wrote:If something in Chrome has to be disabled in order for Chrome to work under SBIE, so what.
Yeah, you have to disable the ability to restrict the creation of child processes and then set up start/run restrictions on your own in order to compensate the lacking of something which had already been there. So what, of course...
bo.elam wrote:Besides, Sandboxie has nothing to prove to me; in over five years of using it, its record is outstanding as I have never seen anything to make me doubt or wonder if the program is doing what it's supposed to.
I have never been infected using Google Chrome either. In fact I haven't been infected in more than 15 years. I haven't been infected using Firefox without Sandboxie either. I have been using Firefox as my main browser without Sandboxie for years. So clearly there is no need for using Firefox in Sandboxie as well, but that's just your logic.
bo.elam wrote:Five years from now, we still gonna have Fleishman talking about it but the end result still gonna be the same. Nothing.
You just don't get it, do you? I am not talking about bypassing Sandboxie. Again, this topic is about whether the Chromium sandbox benefits from Sandboxie and not if bypassing Sandboxie is becoming a reality. In fact I don't think bypassing Sandboxie will become a common reality any time soon either. Neither will bypassing Chrome. We won't see an attack which bypasses Chrome but is stopped by Sandboxie either.

The reality is that drive-by infections have become very rare now actually and this is because of proper application sandboxing (as in Chrome and the latest iterations of IE to some extent) and better OS security mechanisms like memory mitigations, integrity levels and UAC. Bypassing these protections is now more difficult and expensive than before, so it will mostly be restricted to the part of the corporate sector which is targeted by APTs and not to lock up some 70 year old's computer with an FBI lock screen while he is surfing for explicit material.

Aside from that the typical victims of drive-by attacks are turning away from Windows systems anyway and mainly use smartphones and tablet PCs now and the target audience is shrinking rapidly.

But this discussion isn't about whether there is actual proof that shows that Chrome should be run in Sandboxie. It's about trust issues above all else. These trust issues mainly come from a lacking of understanding of how the underlying technology works. Same goes for the blind trust that is put in Sandboxie because the lacking of understanding of how things work will also inhibit you from understanding the deficiencies.

And if you don't understand how things work, trust, faith and fear is all you have left. On top of that anyone who disagrees is discredited and ridiculed on a personal level. It's just like you have insulted someone's faith.
One hour of FleischmannTV saves one square kilometre of precious peble wasteland.

bo.elam
Sandboxie Guru
Posts: 2876
Joined: Wed Apr 22, 2009 9:17 pm

Re: chrome and sbie

Post by bo.elam » Mon Jul 14, 2014 5:49 pm

Der Moloch, you are the one who discredits people who don't agree with your views. I posted the link to a thread that's exactly about what Gator is asking and you said that "There is no useful information in that thread." Just because you don't agree with the views expressed by some of the people regarding using Chrome along SBIE doesn't mean that the thread is useless.

Anyway, one of the reasons that I enjoy using computers and the internet is due to using Sandboxie all the time. If there is a program that I want to use but doesn't work well with SBIE, I forget about that program and look for something else. If I had so much trouble as you do to get Chrome working, I would just drop it. If it's not SBIE it's something else but you are always complaining about something not working with Chrome in your superfast computer. You should listen to .....your computer.

Bo

Gator
Posts: 180
Joined: Thu Jan 19, 2012 5:20 pm

Re: chrome and sbie

Post by Gator » Tue Jul 15, 2014 12:11 am

I appreciate both arguments guys, but as long as there's no major conflicts between sbie and chrome I will continue to use it for peace of mind. :)

Nix
Posts: 248
Joined: Wed Sep 11, 2013 12:15 am
Location: Philippines

Re: chrome and sbie

Post by Nix » Tue Jul 15, 2014 4:44 am

Gator wrote:I appreciate both arguments guys, but as long as there's no major conflicts between sbie and chrome I will continue to use it for peace of mind. :)
Nice one...

@Der Moloch
As you can see Chromium tabs run with the job object "Active Processes = 1" by default, which means they cannot create any child processes anyway. Yet if you run it in Sandboxie, this job object does not exist and now Chromium processes can create child processes unless you apply start/run restrictions and once you have applied these restrictions you get the same as you would have gotten before without Sandboxie.
Clarification:
1) What restrictions should be applied?!
2) About your example is it safe to say that sandboxie is now handling those Job limit?!
3) Chrome's sandbox is for its own protection (exploit), correct?!... If the attack is let's say thru an email attachment (or downloaded thru chrome), could chrome sandbox handle that?!
Regards,
Nix

Win7 Ultimate (x64)


Der Moloch
Posts: 82
Joined: Sun Jun 23, 2013 11:22 am

Re: chrome and sbie

Post by Der Moloch » Tue Jul 15, 2014 10:18 am

Nix wrote:Chrome's sandbox is for its own protection (exploit), correct?!... If the attack is let's say thru an email attachment (or downloaded thru chrome), could chrome sandbox handle that?!
Downloads and e-mail attachments are not handled by Chrome's sandbox. If you are unsure about files you download and open, you can run them in Sandboxie but there is no need to run Chrome in Sandboxie in order to achieve that. You can achieve the same thing by forcing folders. Java applications you launch are not handled by the sandbox either. Furthermore third-party plugins like Silverlight are not as restricted as Chrome tabs and pepperflash. This is why the developers are working to ban all insecure third-party content by the end of the year.

If you are using a lot of third-party plugins, running Chrome in Sandboxie can be beneficial. If you are launching Java from Chrome, running it in Sandboxie is beneficial as well (or you could force Java in Sandboxie). If you are the kind of user who cannot trust himself, running Chrome in Sandboxie is definitely beneficial. From my perspective there is no reason because I have no third-party plugins installed and I don't blindly download and open fishy files.

Thank you for asking this question by the way, because it is important to point out that the Chrome sandbox does not protect the user from himself. That's something Sandboxie is perfect for!
Nix wrote:About your example is it safe to say that sandboxie is now handling those Job limit?!
Regarding the "active processes = 1" job limit: if you have manually set up start/run restrictions in Sandboxie, no child processes can be created. The "active processes = 1" job limit is just one thing Sandboxie changes.

As far as the other job limits and security features are concerned, I cannot say because a lot of that is too technical for me. This is why I once inquired on this forum how exactly Sandboxie modifies and / or disables Chromes own security features but I didn't get an answer to this question.
One hour of FleischmannTV saves one square kilometre of precious peble wasteland.
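The Start/Run restriction and forced-folder setup discussed in this thread, written out as a Sandboxie.ini fragment. This is an added example and not part of any post; the box names ChromeBox and DownloadsBox and the folder path are assumptions.

```ini
# Constructed Sandboxie.ini fragment (added example). The box names
# ChromeBox and DownloadsBox and the folder path are assumptions.

[ChromeBox]
Enabled=y
# Start/Run restriction: only programs in the <StartRunAccess> group
# may start or run in this box; every other program is refused.
# chrome.exe itself can still start further chrome.exe processes, so
# this is looser than the "Active Processes = 1" job limit that the
# posts above describe for Chromium tabs outside Sandboxie.
ProcessGroup=<StartRunAccess>,chrome.exe
ClosedIpcPath=!<StartRunAccess>,*

[DownloadsBox]
Enabled=y
# Forced folder: any program started from this folder is sandboxed
# automatically, whether or not Chrome itself runs under Sandboxie.
ForceFolder=C:\Users\example\Downloads
```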

bo.elam
Sandboxie Guru
Posts: 2876
Joined: Wed Apr 22, 2009 9:17 pm

Re: chrome and sbie

Post by bo.elam » Tue Jul 15, 2014 12:19 pm

Der Moloch wrote:If you are launching Java from Chrome, running it in Sandboxie is beneficial as well (or you could force Java in Sandboxie).
Nice to finally see you recognizing that it is beneficial to run Chrome in a sandbox. But by the way, if Java is launched through the browser, you can't sandbox Java by forcing Java. To sandbox Java you have to sandbox the browser (Chrome). Java is a plugin, you don't Force plugins.

Bo

Nix
Posts: 248
Joined: Wed Sep 11, 2013 12:15 am
Location: Philippines

Re: chrome and sbie

Post by Nix » Wed Jul 16, 2014 12:19 pm

Der Moloch wrote:Downloads and e-mail attachments are not handled by Chrome's sandbox. If you are unsure about files you download and open, you can run them in Sandboxie but there is no need to run Chrome in Sandboxie in order to achieve that. You can achieve the same thing by forcing folders.
This is what I do with my downloads... This is just to put aside both sandbox difference and usage!

Der Moloch wrote:If you are using a lot of third-party plugins, running Chrome in Sandboxie can be beneficial. If you are launching Java from Chrome, running it in Sandboxie is beneficial as well (or you could force Java in Sandboxie).
You'd have to force the browser for that (java, flash)

Der Moloch wrote:If you are the kind of user who cannot trust himself, running Chrome in Sandboxie is definitely beneficial. From my perspective there is no reason because I have no third-party plugins installed and I don't blindly download and open fishy files.
Technically I'm not... also use SBIE to redirect FF/Chrome disk write activity to RamDisk.
From a parent's perspective, I have many reasons to run my browser in Sandboxie. Currently I'm using Firefox :mrgreen: !
Regards,
Nix

Win7 Ultimate (x64)


Jarmo S
Posts: 83
Joined: Fri Aug 30, 2013 3:21 pm

Re: chrome and sbie

Post by Jarmo S » Fri Jul 18, 2014 8:59 am

I do always run Chrome sandboxed, also in incognito mode, so that my surfings don't get remembered. It is easy to make on your desktop icons to start Chrome in that mode.

I noticed some trouble yesterday, Chrome not starting right. The reason was that there was an update to it. Needed to run it unsandboxed to get it updated, and after that all was fine with Sandboxie.
Sandboxie 4.15.1, TinyWall Windows firewall controller, AppGuard 4.1, Avast free, Firefox with NoScript, Chrome with uMatrix, keeping them updated, W7 64 bit, using standard user account

Dun
Posts: 353
Joined: Mon Jun 23, 2014 5:00 am
Location: Poland

Re: chrome and sbie

Post by Dun » Fri Jul 18, 2014 2:48 pm

Jarmo S wrote:I noticed some trouble yesterday, Chrome not starting right. The reason was that there was an update to it. Needed to run it unsandboxed to get it updated, and after that all was fine with Sandboxie.
Disable "Google Update" plugin via chrome://plugins/ in sandboxed chrome version. Now it should stop trying to update in Sandboxie. If you have "Google Update" service startup setting on "Automatic" then Chrome will update in background outside of sandbox and you will get new version ready to use inside sandbox next time you launch it.
Sandboxie 5.27.1 personal lifetime license user || Win10 x64 Pro b17134 (up to date) || ESET IS 11+ x64 || Google Chrome 69+ x64 || UAC on
