Is it worth it to sandbox Firefox with ReHIPS?

[Glashouse]

@Umbra : I am not going to start a quoting battle
But you have to admit that you took my example and put it the way I said that this is the only use case...
I just said it depends on the use case and the habits if a sandbox is a benefit or not.
Saying a sandbox always raises the security level is something I can't accept. There are too many parameters and circumstances you have to take into consideration.
And again: the question is "what do you want to protect against?" Just throwing in as much security software as possible is not the solution!
I like sandboxes but not just for the sake of sandboxing...

 

[Deleted member 178]

@Glashouse not my attention to do a battle as well

"what do you want to protect against?"

as i said above: drive-by downloads, XSS/script attacks, weaponized legit executables (like Ccleaner case), etc... with a sandbox, i'm at least safer than without.
There is too many ways to compromised a system, using only "common sense and safe habits" doesn't work anymore.

 

[Sunshine-boy]

not going to raise your

Its like I say an av is not gonna protect me by default because I disabled the real-time protection or other security features!

 

[overdivine]

Making Microsoft Edge the most secure browser with Windows Defender Application Guard

i can click any link but i can't use extensions and i must use bing search
uses about 1.8gb ram with 1 tab

 

[Deleted member 65228]

uses about 1.8gb ram with 1 tab

It will keep you protected though hahahahaha. It is aimed at Enterprise anyway and they will have more demanding specifications for their systems

Personally the built-in sandbox container in Microsoft Edge or Google Chrome is enough for me; I only visit trusted websites and I rarely download on my Host environment. I use a Virtual Machine for various things so I just use that normally, and since I have an AMD CPU with 6 cores at 3.2ghz, I give the VM at-least 2 of those cores and 4GB ram out of my 16GB DDR4... So I don't have any problems.

But I think @Umbra is right, sandboxing with Sandboxie or ReHIPS is a lot safer than using a browser without it.

I just said it depends on the use case and the habits if a sandbox is a benefit or not.

You said that a sandbox doesn't raise security by default but user habits will. Umbra said that a sandbox does raise security by default but user habits reduce it. There's a difference. but you both more or less agree anyway so it doesn't matter

 

[Glashouse]

You said that a sandbox doesn't raise security by default but user habits will. Umbra said that a sandbox does raise security by default but user habits reduce it. There's a difference. but you both more or less agree anyway so it doesn't matter

I think both of us like the discussions about the tiny differences but you are right, the idea is somehow the same!

 

[shmu26]

You don't need to sandbox your browser to protect against unwanted downloads being executed. You can achieve this with anti-exe or software restriction policy or even just a little caution and will power.
So when we talk about the benefits of sandboxing, I think we should focus on its unique benefits, the ones that are hard to get in other ways.

 

[bribon77]

I think everything is valid, as long as the same is not done in duplicate. Antiexe / srp / Signatures / Sandbox / and Most importantly do not run anything that you do not know what it is.

 

[Sunshine-boy]

When I was using the Eset hips I found the Yandex do many things related to the registry (delete, aaces keys or other actions)
Its good for sure if we block the browser from writing to the registry with the sandbox(we cant detect the malware if smth bad happen because the Avs sucks when they want to scan the registry)! but will it harm the browser operation?!

 

[Sunshine-boy]

Opcode the rank 1 hacker in the world xd pls tell me will it break the browser or no!? what if the browser wants to optimize itself via registry or idk smth like that?some security-related operations!

 

[Deleted member 178]

1- If I'm not using Appcontainer or something that sandboxes the browser, can malware affect me through those xss/script attacks that you're mentioning?
2- Like, if it gets exploited do I have to worry about something?
3- Will my AV catch it and stop any bad actions, like stealing personal data or something, that the exploited browser may perform?
4-What about an anti-exe or srp like appguard?
5- Also about the ccleaner malware, how will sandboxing chrome prevent the ccleaner malware from connecting to the internet? Isn't this the firewall's job, or does it "go" through chrome or something?

1- Yes and no, depend the way the XSS is made. If the XSS uses a vulnerability in the browser, it will work.
2- yes you have to worry.
3- Maybe, all again is about what the attack does.
4- they only block executables. they are not designed to stop every XSS only the XSS downloading a executable and executing it.
5- Chrome won't prevent anything, because people download infected Ccleaner somewhere on the system and run it, this is out of the scope of any browser's sandboxes.
It is why i said 3rd party sandboxes gave more security, because they can isolate what you download or run; and since they have the options to cut internet connection made from an app isolated, Ccleaner won't connect to the attacker framework .

 

[shmu26]

Sandboxing prevents attacks on the memory of non-sandboxed procesess, and prevents modification of the real file system. If your browser gets exploited, the exploit is locked inside the sandbox. If a payload is spawned or downloaded, it runs inside the sandbox. The attack will not be able to load dlls or drivers into the real system, change registry, etc.
But to prevent the exploit from even happening, you need something like Hitmapro.Alert, or an AV with anti-exploit capability, and no guarantees the anti-exploit will actually work.

 

[Deleted member 65228]

My chrome seems to be more protected than urs, it also has ASLR Force Relocate, whatever that is?

Force relocation is basically relocating addresses for images even if they are not compiled with the flag for having a dynamic base. It could simply be related to the Windows modules loaded within Google Chrome. Recently I dipped into research for features like Data Execution Prevention and Address Space Layout Randomisation among the others supported in Windows mainly through manual logging but I'm still learning on it... I do not know why you have one which I do not however it can depend on many things. For example, which version of Windows are you running (and architecture for the environment)? Do you have any force mitigations enabled through exploit protection software (e.g. Windows 10 Exploit Protection)? Etc.

For example, if I have a module which is loaded within a process but does not have the flags for a dynamic base, even if ASLR is enabled without the force relocation, the addresses can be the same I believe (unless its for a Windows module -> changed at each reboot). Whereas with force relocation, I believe it would be forcing the addresses to change in-memory which makes it harder for an attacker to predict the addresses. They'd have to scan the memory remotely (externally -> access the process' memory to scan it with various routines to locate the correct addresses, e.g. via byte-signature scanning) or inject into the process and then work out the correct address calculations before proceeding.

Therefore, I would say it is safe to assume that your Google Chrome will adapt to which addresses it has. As in, it won't know in advance what the various addresses are... However it'll still function. An attacker trying to rely on static addresses would fail considering the addresses are forcibly altered (relocated).

The term "relocate" basically means to move elsewhere. When you apply it with memory, you'd be moving the memory to another destination to relocate that section in-memory, and thus you'd have a new address which represents where that relocated section of memory is now present within the address space of the process in which the memory which had been relocated resides within.

 

[CoherentCrayon]

But does the built-in exploit protection in Windows work for sandboxed processes?

 

[Deleted member 65228]

But does the built-in exploit protection in Windows work for sandboxed processes?

Yes I'd say but it depends.

Even with sandboxing through virtualisation I am pretty sure the mitigation policies will still be enforced. Only thing is that it isn't surprising if some of the mitigations can cause a sandbox to break. I mean look at all the fuss with Google Chrome and crashing - there have been problems in the past where users have had to disable AppContainer for the protection to work.

I wouldn't use a sandbox if the mitigations like DEP and ASLR cannot function properly, unless it manually handled it to provide the same features itself. Which can definitely be done, MBAM have done force relocation for years in their Anti-Exploit and before Windows 10 Exploit Protection, EMET did it (EMET is now the new W10 protection built-in haha).

64-bit processes will have features like DEP anyway by default, I don't believe you can even work-around this. I never write software which is insecure by not using these features but I do recall once doing a test where I disabled such features and it was enforced nevertheless because it was compiled as x64 binary.

 

[Deleted member 65228]

Yes I do have Mandatory ASLR enabled for chrome.exe from the exploit protection settings, it's how it came by default, do you not have it enabled by default? It's Off by Default from the System Settings tab though

I don't make use of the Windows 10 Exploit Protection features, so that would explain why mine doesn't forcibly relocate whereas yours however will. I heard about some bugs with the Windows 10 Exploit Protection lately about features not actually working properly when claimed they are though, so I'd keep my eye open

 

[CoherentCrayon]

So what are you using for protection from exploits? Also how would I know if it works or not, I just hope it does

Currently nothing except for my antivirus (I don't know if F-Secure has built-in exploit protection, but I think DeepGuard will try to block such things) and the built-in exploit protection in Windows if it covers my browsers

 

[Deleted member 65228]

Also how would I know if it works or not

I am not sure. I've looked into Windows 10 Exploit Protection settings with forcing relocation in memory just now and cannot seem to find any differences between the memory of chrome.exe processes prior to it being enabled, and then once its enabled.

The following is what I did.
- Enabled Windows Defender again
- Allowed chrome.exe to override the settings to enable force relocation
- Restarted chrome.exe
- The memory was more-or-less the same. Slight exceptions for modules which are listed but are not actually "executable".
- Rebooted the system
- Started up chrome.exe and logged things regarding memory again (e.g. module base addresses)
- Restarted chrome.exe and checked it in comparison -> more-or-less the same again, no real changes.

I think this is the problem that was being allegedly discussed on other forums recently, I heard something about a discussion with the Windows 10 Exploit Protection not working properly and I am pretty sure it was related to ASLR... And I assume this is what was happening for others if that is the case.

From my understanding, force relocation should cause the base addresses of loaded modules to be changed on each start-up of the affected processes for the mitigation -> the addresses in memory are different each time. Regardless of whether the dynamic base flag was set at compilation or not. I already know this isn't the case by default with Windows modules because they are automatically changed at each boot (there's also a specific order of which modules are loaded first, ntdll.dll always being the first -> for process start-up) but I would expect at-least the modules from Chrome itself to have had their addresses relocated if it was working correctly.

If I deployed an exploit for chrome.exe with a static address for a function I wanted to hot-patch in memory, with force relocation ASLR working correctly, this should be failing. Even if I used a hard-coded address and then chrome.exe was restarted, now the address should be different after restarting so the static address being used before the process restart should be no longer valid. This is my understanding, but isn't what is happening.

Interesting...

 

[ichito]

One of the very old rules in security says "aplication should run in system with the lowest rights as possible" and what for me means...inter alia...that especialy app like internet browser should run as restricted. I don't know how is it in Windows 10 but Firefox works not only on that system.

 

[Deleted member 65228]

@Yo Whats Up

I don't use Malwarebytes Anti-Exploit so I haven't tried it on my Host environment, and don't plan to adding it any-time soon. I'll install it in a Virtual Machine sometime this upcoming week and do some tests with ASLR with its functionality and hopefully get back to you about the differences.