Tell me what you think about "sandbox" solutions

General discussion about web technology.
User avatar
GµårÐïåñ
Lieutenant Colonel
Posts: 3339
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA
Contact:

Tell me what you think about "sandbox" solutions

Post by GµårÐïåñ » Fri Mar 27, 2009 2:05 am

I wanted to ask a question that has been a source of great debate among my colleagues and friends, mostly by developers but has spilled on occasions over to security and system admins too and I would welcome your views and suggestions on this. Hopefully we can benefit from each others' experiences or at least I can gain some more perspectives on this for my own knowledge.

We hear about "sandbox" solutions whether it be web browsing, development environments, security testing scenarios and etc, etc, etc :P Can you share your experiences with these solutions, what you thought, what you wanted to see, what you use, what you recommend and in general just open up your vault and share. Hope to hear from you all, especially our host. :)
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7

Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: Tell me what you think about "sandbox" solutions

Post by Alan Baxter » Fri Mar 27, 2009 2:26 am

I used to be reluctant to test problematic urls served up by users in NoScript support and other forums. Seemed to be inconsistent with "safe hex" practices, even with NoScript. I think a big part of what keeps my PC clean is not surfing to dodgy sites. You know, a user will click on almost anything to get a hit of pron, so I'd just as soon stay out of that trap.

Last weekend Tom T. suggested I try out Sandboxie. I now run my test profile inside its sandbox without endangering my system. I can provide much more support now.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7

User avatar
GµårÐïåñ
Lieutenant Colonel
Posts: 3339
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA
Contact:

Re: Tell me what you think about "sandbox" solutions

Post by GµårÐïåñ » Fri Mar 27, 2009 3:20 am

Alan Baxter wrote:I used to be reluctant to test problematic urls served up by users in NoScript support and other forums. Seemed to be inconsistent with "safe hex" practices, even with NoScript. I think a big part of what keeps my PC clean is not surfing to dodgy sites. You know, a user will click on almost anything to get a hit of pron, so I'd just as soon stay out of that trap.


I know exactly what you mean, I usually avoid such sites in my normal activity but occasionally by the virtue of associates from another lifetime who are "hackers" if you will or we worked for federal taskforces on child pornography and such, I have to go access the sites that are mostly supported by porn or ad revenue, so its a minefield to say the least. :twisted: Granted, we normally have our own space which is not affected to communicate but I get what you are saying. I am able to test those links without too much worries, since I have protocols in place, but would not feel comfortable either if I wasn't sure I was going to be safe and that does reduce ability to support sometimes.

Last weekend Tom T. suggested I try out Sandboxie. I now run my test profile inside its sandbox without endangering my system. I can provide much more support now.


I will check this out, it sounds interesting when I looked at it briefly and will do a more thorough evaluation of it. I am always looking for more utilities, tools and ways to do things. This will certainly help and thanks to you and Tom for sharing this, it never hurts to have more options and alternatives. :ugeek:
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Tell me what you think about "sandbox" solutions

Post by Tom T. » Fri Mar 27, 2009 5:37 am

I've been a satisfied SB user for almost two years. IMHO, the NS/SB combination, if not 100% bullet-proof, is as close as we're going to get, at least as far as lightweight, low-knowledge solutions (unlike VMware, etc.) Sandboxie plays very nicely with NS. The only hitch is that since SB deletes *everything* when you empty the sandbox (which I have set to do every time I close the browser, although Alan has different preferences), any changes you make to your NS allow/forbid list, your AdBlock list, or any other, are also deleted (not saved). There is an easy config tweak to give SB permission to write those specific changes outside the sandbox, but I'm sure you'd rather figure that one out for yourself than have me tell you. ;)

Sandboxie lets you boldly go where no man (or woman) should go.

Additional benefit: You can run *any* application sandboxed, not just browsers. For example, do you remember the recent critical vuln in Adobe 9, where opening a malicious .pdf could pwn you? I got rid of Adobe years ago, but if those pdfs were opened sandboxed, I think no harm could have resulted. Even Word docs have had critical vulns -- they can contain lots of executable code.

Installing SB gives you a new r-click context menu entry on any document or program, "Run Sandboxed". So you could d/l a movie, run with WinMediaPlayer or Apple QT inside the sandbox, without worrying about some sneaky code inside. (I won't run them any other way.)

Incidentally, alhtough even GM has suggested not to allow scripting at user-content sites like this one, I feel safe to allow it inside SB if I need it.

I browse sandboxed 100% of the time, and I think Alan is close to that, too. You need an unsandboxed, admin-privileged browser to get MS Updates, Fx and NS updates, etc., but that's about it. To d/l and install new sw, I d/l it into the sandboxed "desktop" (isolated from your real desktop, and created automatically when, e. g, you open Fx in SB). There you can scan it with your AV, poke at it, whatever, before moving it outside the sandbox. I get an automatic prompt when I d/l things, asking whether I would like to move it to my real desktop from the SB desktop, but that's a user choice.

Read the docs, try it, you'll like it. I'm no uber-geek, as I always warn people ;) but I have a lot of experience with SB, including some tweaking and config. Let me know if I can help you in any way.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20

User avatar
GµårÐïåñ
Lieutenant Colonel
Posts: 3339
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA
Contact:

Re: Tell me what you think about "sandbox" solutions

Post by GµårÐïåñ » Fri Mar 27, 2009 6:13 am

Cool, I will play with it, already did some. I am sure I will hit you up for your knowledge of tweaks and stuff, saves time with trial and errors allowing more time figuring out new stuff :)
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7

User avatar
therube
Ambassador
Posts: 7459
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Tell me what you think about "sandbox" solutions

Post by therube » Fri Mar 27, 2009 6:53 pm

Go anywhere, do anything. Don't concern myself about much. Just use a bit of common sense.

NAT firewall, Windows Firewall (only cause it's there, else I'd use some other light software firewall), no A/V, no real-time anything. No Java, rarely JavaScript ;-). No imaging software, just simply copy data for backups. No Limited user, no reduced rights.

I'll use Sandboxie - sparingly. Mainly when I want to test drive some software.

Your Very own Low-Rights IE
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.22pre) Gecko/20090327 SeaMonkey/1.1.16pre

User avatar
GµårÐïåñ
Lieutenant Colonel
Posts: 3339
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA
Contact:

Re: Tell me what you think about "sandbox" solutions

Post by GµårÐïåñ » Fri Mar 27, 2009 7:30 pm

therube, yeah I have pretty much always been able to do anything and go anywhere and not worry. Unfortunately it seems the common user lacks that nugget of common sense :lol: and that keeps me so busy redoing machines that I am getting so sick and tired of it. I mean there is only so many times you can clean install and reinstall everything for someone who could have avoided it before just getting ready to blow my brains out.

I wish everyone had common sense ;) Unfortunately I have not been able to get some regular users to learn and behave more responsibly. I have had some success but not enough to turn the tide, so I was hoping to maybe recommend and setup a solution that will mitigate their lack of initiative. But its good to hear that I am not the only one who thinks common sense would be a good place to start :P
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7

User avatar
Giorgio Maone
Site Admin
Posts: 8735
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Tell me what you think about "sandbox" solutions

Post by Giorgio Maone » Fri Mar 27, 2009 10:45 pm

NoScript (in-browser protection, web app isolation) and sandboxes (browser isolation from the OS) are orthogonal.
I wrote a short post about this some time ago.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7 (.NET CLR 3.5.30729)

User avatar
GµårÐïåñ
Lieutenant Colonel
Posts: 3339
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA
Contact:

Re: Tell me what you think about "sandbox" solutions

Post by GµårÐïåñ » Fri Mar 27, 2009 11:21 pm

Giorgio Maone wrote:NoScript (in-browser protection, web app isolation) and sandboxes (browser isolation from the OS) are orthogonal.
I wrote a short post about this some time ago.


Thank you, I agree that the first is independent of the second. I was asking more along the lines of process isolation or virtualized (using the term loosely) process that can achieve the same effect without access to critical systems, easily dumped if you will.

I also remember this post of yours, I took another look, thank you. What sandbox solutions have you used, encountered or would recommend, regardless of level of experience?
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8

User avatar
Giorgio Maone
Site Admin
Posts: 8735
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Tell me what you think about "sandbox" solutions

Post by Giorgio Maone » Fri Mar 27, 2009 11:36 pm

GµårÐïåñ wrote:I also remember this post of yours, I took another look, thank you. What sandbox solutions have you used, encountered or would recommend, regardless of level of experience?

I do not use any. If I need to test something in IE or Chrome, I use a clean Vista VM. For Safari, a Mac OS X VM. With Firefox I ride naked, NoScript aside.
I've got Avast installed, but I've never had any incident report aside false positives of exploit pages already neutered by NoScript.
I've heard good things about SandboxIE among my users, but I've never felt the need of trying it out, sorry.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7 (.NET CLR 3.5.30729)

User avatar
GµårÐïåñ
Lieutenant Colonel
Posts: 3339
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA
Contact:

Re: Tell me what you think about "sandbox" solutions

Post by GµårÐïåñ » Sat Mar 28, 2009 12:26 am

Giorgio Maone wrote:I do not use any. If I need to test something in IE or Chrome, I use a clean Vista VM. For Safari, a Mac OS X VM. With Firefox I ride naked, NoScript aside.


Interesting, that's my setup too. I have a VM in each of these configurations for testing/support and so on (XP, 2k, 98, Ubuntu, Fedora, FreeBSD, Vista, Win7), I have always found this to be sufficient, since anything "risky" I do is in there anyway and when I don't want to have it bite me in the butt later, I keep it in read-only so it will have to dump the changes.

I've got Avast installed, but I've never had any incident report aside false positives of exploit pages already neutered by NoScript.


Actually I had to uninstall Avast as much as I like it as a software because of the false positives I was getting, it just got to be too much. I use Firefox with NoScript, Adblock Plus and RequestPolicy. Those are the only "security" I use and I keep the rest of the utilities to a minimum of what I absolutely like or need. No problems yet :) Mostly thanks to you actually.

I've heard good things about SandboxIE among my users, but I've never felt the need of trying it out, sorry.


No need to be sorry, thanks for letting me know, I will check it out. The solutions I am trying to evaluate are not just for web browsing and stuff, but more for testing, development, security evaluations and stuff like that. I want to know that I can let some hell loose in a realistic environment and its not going to get out and screw things up :twisted: You know, like a quarantine lab style where I did my master work (the CDC level 4 infectious diseases), just for computers :lol: I have seen enough Ebola to last me a life time.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8

User avatar
therube
Ambassador
Posts: 7459
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Tell me what you think about "sandbox" solutions

Post by therube » Sat Mar 28, 2009 1:16 am

With Returnil Virtual System or similar programs you can turn them loose, they can do all they want, but upon reboot everything is back to where it started.

Pretty sure with Ghost & Acronis True Image too, you can set up a (like a factory) restore partition that you can just revert to - whenever you feel like it.

http://en.wikipedia.org/wiki/Returnil
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b4pre) Gecko/20090327 SeaMonkey/2.0b1pre

User avatar
GµårÐïåñ
Lieutenant Colonel
Posts: 3339
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA
Contact:

Re: Tell me what you think about "sandbox" solutions

Post by GµårÐïåñ » Sat Mar 28, 2009 1:22 am

therube wrote:With Returnil Virtual System or similar programs you can turn them loose, they can do all they want, but upon reboot everything is back to where it started.


Thank you, I will check it out.

Pretty sure with Ghost & Acronis True Image too, you can set up a (like a factory) restore partition that you can just revert to - whenever you feel like it.


I actually have used Acronis for years and love it and we use it to deploy and restore images but have not yet found a way to use them as a use and toss solution. Other than using the images to restore VMs that are destroyed :)
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8

User avatar
therube
Ambassador
Posts: 7459
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Tell me what you think about "sandbox" solutions

Post by therube » Sat Mar 28, 2009 1:42 am

Acronis, http://www.acronis.com/homecomputing/pr ... tures.html: Features such as:

Code: Select all

Improved!Try&Decide

Try new software and browse the web without endangering your computer from malware or unknown software. After testing, you can decide whether to keep or discard changes to your system.

---

Acronis Secure Zone®

Protect your system by saving an image to a special hidden partition on your hard disk where it can be retrieved after a disaster.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b4pre) Gecko/20090327 SeaMonkey/2.0b1pre

User avatar
GµårÐïåñ
Lieutenant Colonel
Posts: 3339
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA
Contact:

Re: Tell me what you think about "sandbox" solutions

Post by GµårÐïåñ » Sat Mar 28, 2009 1:51 am

therube, thanks for that, you pointed out something I had not looked into. I have to admit, although we use Acronis True Image Echo Server quite often, I have not checked out their website or other products in a long time, so you pointed out something worth looking into and thank you for that. I'll give the product list a good look and see what they got. Especially since they made their images VM compatible, it was that much nicer for us when it came to cloning ACTUAL systems and running tests on it in VM. Either way, thanks again.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8

Post Reply