Thursday, 26 May 2011

Easy sandboxing for Windows apps

Sandboxie looks very interesting...  I have yet to try it, but have heard good things about it.  Without the cost of firing up different VMs, it is able to launch programs inside wrappers, to isolate different programs from each other (or to isolate different web pages from each other) - and to protect your Windows machine from the sandboxed program.

Remembering that web browsers and email attachments are the top ways to get your computer infected, it's better if those programs don't have access to most of your Windows machine in the first place.   And if you have a few Sandboxie instances, you can not only limit the exposure of the Windows filesystem to any website, but you can also make cross-site attacks less likely.

If a sandbox were correctly set up:
  • a malicious email that exploits a mail client weakness could only tamper with messages and settings on the email client;
  • an infected web page could only tamper with saved details and settings in the web browser.
Ideally you would run Outlook in one sandbox, and Internet Explorer in several others... e.g. home banking and frequently-used, high-reputation home shopping sites could have one or several sandboxes, and general web surfing could have another.  Facebook probably deserves its own sandbox too, in case some people's pages contain malicious HTML.

You would definitely want PDF viewers and Flash viewers to run inside one of the less trusted sandboxes.  So you'd have a temp folder like C:\mail_attachments to save incoming PDFs to.  Then you'd manually launch a sandboxed PDF viewer in that folder.

What about sandboxing on the Mac?

We could really do with something similar on the Mac.  A quick web search suggests that a command-line sandbox facility was introduced in Leopard 10.5.  So the underlying OS hooks are all there.  But so far we seem to be lacking a nice GUI-based program to make it easy for end-users to create and control sandbox instances and policy rulesets - something which definitely sounds non-trivial.
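The command-line facility referred to above is sandbox-exec(1), which applies a Seatbelt profile before launching a program. As an added illustration (not from the original post), here is a launcher script for the "sandboxed PDF viewer in the attachments folder" idea: the profile denies all network access, confines writes to the attachments folder and keeps the viewer away from the keychain files. The viewer path, folder name and Leopard-era profile syntax are assumptions; a particular viewer may need extra allow rules for its own temp and cache paths.

```shell
#!/bin/sh
# Added example: run an untrusted mail attachment in a restricted viewer.
# Assumes sandbox-exec(1) and the Seatbelt profile syntax; the folder and
# viewer path below are assumptions, override them in the environment.
ATTACH_DIR="${ATTACH_DIR:-$HOME/mail_attachments}"
VIEWER="${VIEWER:-/Applications/Preview.app/Contents/MacOS/Preview}"

# Write the profile to the file named in $1.  Start permissive so the GUI
# app can still load its frameworks, then take away what an exploited
# viewer would abuse.  In Seatbelt profiles the last matching rule wins,
# so the narrower allow after the broad deny re-opens only that folder.
write_profile() {
    cat > "$1" <<EOF
(version 1)
(allow default)
; a compromised viewer gets no chance to phone home or fetch a payload
(deny network*)
; writes are confined to the attachments folder; ~/Library and the rest
; of the home directory stay untouched
(deny file-write*)
(allow file-write* (subpath "$ATTACH_DIR"))
; the viewer has no business reading the keychain files at all
(deny file-read* (subpath "$HOME/Library/Keychains"))
EOF
}

# Launch the viewer on one attachment under the profile.
view_attachment() {
    profile="$(mktemp "${TMPDIR:-/tmp}/viewer.sb.XXXXXX")"
    write_profile "$profile"
    sandbox-exec -f "$profile" "$VIEWER" "$ATTACH_DIR/$1"
}

# Usage (uncomment to try): view_attachment invoice.pdf
```

Drop a freshly saved attachment into $ATTACH_DIR and call view_attachment with its file name; any attempt by the viewer to write elsewhere or open a socket is refused by the kernel rather than by the viewer's own good behaviour.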

If you know of a Sandboxie equivalent for the Mac, please leave a comment.  (Yes I know you could use VMware, but that would be slow and tedious.)

If you are a security professional, you can stop reading now.

If you are a zealous Apple fan, please read on before posting irate comments!

Sadly, some Apple fans like to think that the Mac platform wears some kind of halo that makes security problems impossible.  But before you post comments saying that Mac apps don't need sandboxing, please just think for one second.  Yes, Mac apps don't run as root by default, but so what?  Unless you run each program (or surf to each website) under a different Mac username, then a compromise in any one program means that all your user data is exposed.  Possibly the whole keychain too (I seem to recall that once it's unlocked, it's unlocked - but I try not to use it anyway, as it's always struck me as a potential single point of security failure and a high-value target).

Now, I strongly prefer the Mac to all other current OS platforms, but as a security professional by trade, I'm not naive enough to believe that the Mac is in any way resistant (let alone immune) to security issues.   A client exploit is just a client exploit: it doesn't matter what OS it's running on, as once your app has been owned, it's generally game over for the home directory and everything in it.  A privilege escalation up to root isn't necessary for you to lose all the personal data you care about, and/or to have a subtle back door inserted.  The only issue is whether the attacker's code runs as root, or runs as you.  Attack code running as you is quite bad enough, because it's your personal data that the bad guys are after.

We're way beyond the early days of crude computer viruses that spread like wildfire in a highly obvious way.   The IT security threats to worry about today are the back doors that just sit there quietly in the background hoovering up your banking credentials or whatever.

At the risk of stating the bleeding obvious, the main reason that Harry Homeowner gets infected more often when using Windows is that, until recently, there were too few Mac users to represent a decent return on investment for attackers.  With Macs becoming more popular, that honeymoon period won't last forever.  Sure, Mac OS X has fewer open TCP ports by default than Windows does.  But the main threat is from buggy web browsers, buggy email clients and buggy attachment viewers, so open TCP ports aren't relevant in many cases.
