Virtual environment application run

Hello all,
I am investigating running an application in a virtualized environment, for security reasons, like Sandboxie or how Comodo Internet Security's sandbox mode does.
I have a few ideas how I can make this happen but I want to ask you for any directions in this area and where I can find some documentation related to this topic.
Also, I wanted to ask you if Sandboxie, when it creates a process in the sandbox, makes an address space for that process that it maintains, or just redirects file I/O and registry of that PID to the virtual box drives created? I want to know because I want newly created processes by the processes already in the sandbox not to corrupt processes that are not in the sandbox by injecting custom code into memory, or calling SetWindowsHookEx and getting into the address space of processes outside the box.
If you have any idea on this I would like to hear any suggestions, comments and tips.

Here you can get answers:
http://www.sandboxie.com/index.php?SandboxHierarchy
http://www.sandboxie.com/phpbb/

–pa


Hi Pavel,
I saw that, as I used and installed Sandboxie.
I see that it makes FS redirects and registry redirects. I can figure out how to do that for a certain PID, but it does more, like sandboxing inter-process objects.
As they say:

How can I isolate an exe or PID to have a private object name space of its own, without making illegal kernel operations, and by that I mean hooking and other hacks?
As far as I can tell a sandboxed process cannot inject code into a non-sandboxed process. I have tried to make a program that runs in the sandbox; all it does is allocate virtual memory in a non-sandboxed process, and I always get access denied. This program always works if I run it outside the sandbox.
I don’t know if this is because Sandboxie hooks this event (VirtualAllocEx) or because of something else, as I don’t know how Sandboxie works, but I am really interested to know how I can isolate a program at runtime so it cannot corrupt un-sandboxed process memory.

Also what happens if a sandboxed app loads a driver and sends custom IOCTLs and tells the driver to create a file or a reg key?

Oh, without even looking at it, it’s clear that it hooks the hell out of Windows.

Read what they say about 64-bit support:

> Full disclosure: The 64-bit edition of Sandboxie provides a reduced level of protection compared to the 32-bit edition of Sandboxie.
>
> This shortcoming is the result of a new security feature introduced in 64-bit editions of Windows, called Kernel Patch Protection. This feature aims to protect the core of Windows (the kernel) by regularly performing self-checks to detect changes.
>
> The problem is that a stock Windows kernel does not provide all the facilities necessary to implement a security solution such as Sandboxie. On 32-bit Windows, Sandboxie can dynamically enhance the Windows kernel to provide the missing functionality. This is not possible on 64-bit Windows, due to the Kernel Patch Protection feature.

I’m not sure why this product would be more advantageous than, say, simply running a program in a VM.

Peter
OSR

Thanks for the response Peter.
Yes, it is not more advantageous, and I can clearly see that it is hooking a lot; it seemed very suspicious to me too, and I thought I’d ask.
Running in a virtual machine is always safer, but if we would like to introduce this in a product like a security suite (like, for example, the sandbox option Comodo firewall has for “unknown applications”), it is not flexible at all to tell the user to just run his browser (for example) or his untrusted applications in a VM.
Anyway, as far as I can see, other than a clean file system redirect and maybe registry, you cannot virtualize the application at the virtual memory level or name space level without making kernel hacks, which I do not intend to try, and that is why I ask this here.
The more time passes, the more I convince myself that Windows is open to security risks, and given the way it is built and what part of it is documented, the security companies almost cannot deal with this without hacking kernel components.
Even with the hacking it does, Sandboxie or sandboxed apps cannot stop applications from communicating with a driver and instructing the driver to make the operations via IOCTLs, so that is another security leak.

Actually, the other approach for this is to completely wrap the process,
including the loader in its own environment. The challenge here is that
potentially a smart malware writer could use a raw sysenter call to call
the OS directly, though even there if the wrapped process was running
with essentially no rights, and only a support process had higher rights
much of this could be mitigated.

Not sure how well this could be implemented but it was something I
looked at a long time ago for another OS and environment.

Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

-----Original Message-----
From: xxxxx@gmail.com [mailto:xxxxx@gmail.com]
Posted At: Tuesday, June 22, 2010 9:54 AM
Posted To: ntdev
Conversation: Virtual environment application run
Subject: RE: Virtual environment application run

> Oh, without even looking at it, it’s clear that it hooks the hell out of Windows.

This is what normally happens when someone tries to implement a feature of OS ABC under OS XYZ, despite the fact that these two are totally different from one another. This sandboxing seems to be a “variation on the theme” of BSD jail that does not seem to map into the Windows process model at all…

> I’m not sure why this product would be more advantageous than, say, simply running a program in a VM.

…or, even easier, just under another user account with reduced privilege level and with no RW access to anything apart from a specified folder…

Anton Bassov

I am thinking of something like Wine for Linux, but I never thought about how that could be implemented. I can only think that this app should have its own session and a little emulated kernel to run.

> Actually, the other approach for this is to completely wrap the process, including the loader in its own environment.

Seems to be easier said than done under Windows…

> it was something I looked at a long time ago for another OS and environment.

This is a totally different story…

Anton Bassov

I don’t understand. You issue a SYSENTER, you wind up in kernel mode at the system service dispatcher. Not much you can do from there.

What am I missing?

Peter
OSR

> I don’t understand. You issue a SYSENTER, you wind up in kernel mode at the system service dispatcher. Not much you can do from there.

The way I understood it, Don speaks about providing your own version of UM libraries that handle process creation and forward the actual job of process creation to the KM, effectively making some processes
less privileged than the others running under the same user account. Therefore, if you issue SYSENTER you will bypass all these UM wrappers and create a process that will have all privileges associated with a given account regardless, effectively making this sandboxing scheme worthless…

Anton Bassov

Anton has the gist of it, but the way to counter this is to make the
code that is actually executing the sandboxed program run with
essentially zero permissions and a user account that has no privileges.
This is still a complex problem, but it can be done.

Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

-----Original Message-----
From: xxxxx@hotmail.com [mailto:xxxxx@hotmail.com]
Posted At: Tuesday, June 22, 2010 10:29 AM
Posted To: ntdev
Conversation: Virtual environment application run
Subject: RE: Virtual environment application run

Don, interesting approach, but how can you instrument a process to have your UM libs as the core Windows subsystem DLLs (kernel32, advapi32, user32), or am I not understanding the whole picture?
If you have a zero-privilege user and create a process as that user, how do you wrap up the process and the loader?

Ah! You mean something like Detours. Then, yes, I see Don’s point about the vulnerability. VERY difficult, I’d think, to get something like that working in an air-tight manner.

And, again… it’s 2010 and we have VMs that can *actually* isolate a process and its entire execution environment, all the way through Ring 0. Still, not 100% foolproof, but pretty darn good.

Peter
OSR

As I said this was a long time ago in an OS far far away. Basically,
you create a process with essentially no privileges which you are
controlling by another process (the debugger interface is what I used
way back when). The control process loads the image into the no
privilege process, replacing the DLLs that do protected things with your
own copies that communicate only with the control process. The control
process determines if the request is legal, and if so does it on the no
privilege process’s behalf.

Not easy, but it is doable.

Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

-----Original Message-----
From: xxxxx@gmail.com [mailto:xxxxx@gmail.com]
Posted At: Tuesday, June 22, 2010 10:50 AM
Posted To: ntdev
Conversation: Virtual environment application run
Subject: RE: Virtual environment application run
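The control-process scheme Don describes (a no-privilege process that only talks to a controlling process, which decides whether each request is legal and performs it on the worker's behalf) and Anton's "no RW access to anything apart from a specified folder" rule can be shown together as a small broker. The following is an added example and is not code from this thread, from Sandboxie or from any of the posters; the request format, the `Policy` class and the single-folder rule are assumptions made for the demonstration. The point Don makes about the worker needing essentially zero rights of its own is visible in the design: no policy lives in the worker, so whatever the worker can do directly (its own file or registry access, its own process creation) is exactly what the broker cannot control.

```python
"""Control-process (broker) pattern for a zero-privilege worker.

Added example, not code from the thread: the request format, the Policy
class and the "one writable folder" rule are assumptions for the demo.
The worker never opens a file itself; it asks the broker, which decides
and then acts on the worker's behalf.
"""
import os
import tempfile
from multiprocessing import Pipe, Process

# Constructed request stream: two legitimate operations, one attempt to
# leave the folder, and one operation the broker simply does not offer.
SAMPLE_REQUESTS = [
    {"op": "write", "path": "notes.txt", "data": "hello"},
    {"op": "read", "path": "notes.txt"},
    {"op": "write", "path": "../outside.txt", "data": "should be refused"},
    {"op": "create_process", "path": "cmd.exe"},
]


class Policy:
    """The control process's rules: read/write inside one folder, nothing else."""

    ALLOWED_OPS = {"read", "write"}

    def __init__(self, root):
        # Canonical root, so "..", symlinks and odd separators cannot escape it.
        self.root = os.path.realpath(root)

    def check(self, request):
        """Return (allowed, detail): detail is the resolved path or a reason."""
        op = request.get("op")
        if op not in self.ALLOWED_OPS:
            return False, "operation %r is not brokered" % (op,)
        path = request.get("path")
        if not isinstance(path, str) or not path:
            return False, "missing path"
        full = os.path.realpath(os.path.join(self.root, path))
        try:
            inside = os.path.commonpath([self.root, full]) == self.root
        except ValueError:  # e.g. different drive letters on Windows
            inside = False
        if not inside:
            return False, "path %r escapes the sandbox folder" % (path,)
        return True, full


def broker_handle(policy, request):
    """Broker side: validate, then perform the operation for the worker.
    Every decision is made here; the worker only ever sees the reply."""
    allowed, detail = policy.check(request)
    if not allowed:
        return {"ok": False, "error": detail}
    try:
        if request["op"] == "write":
            os.makedirs(os.path.dirname(detail), exist_ok=True)
            with open(detail, "w") as fh:
                fh.write(request.get("data", ""))
            return {"ok": True}
        with open(detail) as fh:
            return {"ok": True, "data": fh.read()}
    except OSError as exc:
        return {"ok": False, "error": str(exc)}


def run_demo(sandbox_root=None):
    """Run SAMPLE_REQUESTS through the broker in-process; returns the replies."""
    policy = Policy(sandbox_root or tempfile.mkdtemp(prefix="sandbox_"))
    return [broker_handle(policy, req) for req in SAMPLE_REQUESTS]


def broker_loop(policy, conn):
    """Serve the worker over the pipe until it sends None."""
    while True:
        request = conn.recv()
        if request is None:
            break
        conn.send(broker_handle(policy, request))


def worker(conn):
    """Sandboxed side: holds no policy and performs no I/O of its own."""
    for req in SAMPLE_REQUESTS:
        conn.send(req)
        print("worker:", req["op"], req["path"], "->", conn.recv())
    conn.send(None)
    conn.close()


def main():
    sandbox_root = tempfile.mkdtemp(prefix="sandbox_")  # constructed for the demo
    broker_end, worker_end = Pipe()
    child = Process(target=worker, args=(worker_end,))
    child.start()
    worker_end.close()  # the broker keeps only its own end of the pipe
    broker_loop(Policy(sandbox_root), broker_end)
    child.join()
    print("broker: files inside the sandbox folder:", os.listdir(sandbox_root))


if __name__ == "__main__":
    main()
```

Running the script spawns the worker as a child process; the broker in the parent grants the two in-folder requests, refuses the `../outside.txt` write because the resolved path falls outside the canonical root, and refuses `create_process` because it is not a brokered operation at all. The path check deliberately canonicalizes with `realpath` before comparing, so a symlink planted inside the folder cannot be used to reach outside it.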

> And, again… it’s 2010 and we have VMs that can *actually* isolate a process and its entire execution environment, all the way through Ring 0. Still, not 100% foolproof, but pretty darn good.

One argument I’ve heard against VMs is Windows OS licensing. If you can
just create a secure sandbox on one OS, you can conform to the Windows
license but still run virtualized apps. It seems like a nearly impossible
task for anyone outside of Microsoft to add this kind of feature to the OS,
but some companies seem to keep trying. Even though VM software is basically
free, instances of Windows inside those VMs generally are not.

Jan

> One argument I’ve heard against VMs is Windows OS licensing. If you can just create a secure sandbox on one OS, you can conform to the Windows license but still run virtualized apps.

If these apps require root privilege level in order to function properly (for example, install and run driver services), running them within a VM seems to be the only option. If they don’t… well, then you can just set up a non-privileged account with no RW access to anything other than a specified folder, and run them under this account. In either case, any additional “sandboxing” software does not seem to be needed…

> It seems like a nearly impossible task for anyone outside of Microsoft to add this kind of feature to the OS, but some companies seem to keep trying.

Well, as long as technically ignorant customers are willing to buy it, why not. After all, there are various products that are based on some idea that just makes no sense in itself; so-called “RAM optimizers” is the very first example that gets into my head…

Anton Bassov