Sandboxing of applications/systems


#1

I don’t truely understand everything about sandboxing. I understand the concept but I do not truely understand how different parts of running a sandbox works for applications to not access data from other applications but itself. Would be interested how partial sandboxing and how some sandboxing techniques are better than others. Also, how does qubes work in that it is more secure as I understand it opens a new machine for each task but how can it be contained as such and why is it better than virtualisation? Also, why doesn’t windows 10 or 7 work as a qube.


#2

In theory, all modern OSes (newer than Windows ME) have process separation that prevents them to read memory of other processes.
Then there’s bugs.
And APIs. For example, capturing the screen and the keyboard. Those APIs were made before the Internet was a (common) thing, were useful and looked innocent.
Without the Internet it is also not a real threat if all apps can look at all your files.
So, those are the obvious ones. If you ever read some articles about security flaws, you probably also sometimes thought “never would have thought of THAT!” - which is a problem of sandboxes: their authors should basically think of everything. Which is hard. And almost impossible to prove.

Opening a new virtual machine for each task is virtualisation.
The advantage of virtualisation is (I think) that the surface that needs to be controlled is small in comparison to whole OS architectures.

  1. Microsoft doesn’t care. (Because the average user doesn’t)
  2. Virtual machines are slower. Even more so after some recent Intel CPU bug fixes.
  3. Plus, you need a lot of RAM for each VM.

#3

“Better” is a word that is likely to attract subjective answers but … for me, you ask the question: What happens if the hacker escapes the box? What does the hacker have access to?

A related question is: At what level does the sandbox operate?

So at the highest level, you might have something like Java or JavaScript running in a browser where the browser runs untrusted code, imported randomly from a web site, in a sandbox - but this is only as good as the weakest of

  • the browser implementation (i.e. there can be bugs)
  • the API offered to the sandbox (i.e. what seemed like a good idea at the time giving the sandbox access to turned out to be not such a good idea but by then it is too late unless you want to break compatibility)
  • bugs that are outside the control of the browser (like Intel CPU bugs or operating system bugs)

So the browser might take it to the next lower level and put the untrusted code in a separate process. That means that the browser code writers know that they are not perfect (so best to have ‘defence in depth’) but you are still exposed to a reduced amount of bullet point 1 and both remaining bullet points (although operating system bugs might be less severe in some cases).

So the user might take it to the next lower level and run multiple browsers for greater isolation. But …

So the user might take it to the next lower level and run multiple VMs or other container technology. However different technologies may have different properties as far as providing isolation and you could still be vulnerable to hypervisor bugs and CPU bugs and other implementation bugs.

So the user might take it to the next lower level and have multiple physical computers. However that is likely to have cost implications.


#4

You misspelled “convenience implications” :stuck_out_tongue_winking_eye:
(some olden secondary device doesn’t have to be costly)

I mean, if you really care, you have of course two machines.
One for the Internet and one for Data.
And possibly, no USB stick will ever know both devices.

It DOES have cost implications if you use two Librem laptops for that - it’s for a reason you can order them air-gapped (without WIFI) :slight_smile:

Of course, you would never have them both turned on at the same time - or otherwise, everytime your Librem unexpectedly has it’s fans full blast, you’d be very worried that it tries to exfiltrate data from the air-gapped computer by modulating fan speed :sunglasses:


#5

:weary:

Okay like we weren’t paranoid enough as it is around here :laughing:


#6

Let’s see what your boss has to say

Security is a game of depth. “How deep do you go”

Personally, I’m more the casual player. :grin:


#7

That’s why I only use fanless computers. :rofl:

Being serious for a moment, my final suggestion of “multiple physical computers” was not intended to imply air-gapped - so the convenience implications are not as severe.

Multiple physical computers air-gapped would be the next logical step.