Slashdot Mirror

← Back to Stories (view on slashdot.org)

2010 Will Be the Year of Sandboxing Apps

Posted by timothy on from the layers-within-layers dept.

Trailrunner7 writes "In a guest editorial on Threatpost, Mac hacker and security researcher Dino Dai Zovi writes that 2010 will be the year that software vendors get religion about sandboxing untrusted data in desktop apps. 'Instead of the usual top ten lists that are all-too-common with predictions for the new year, I have just one: 2010 will be the year of desktop applications handling untrusted data in sandboxed processes, and it will be about time. The largest Internet security threats now arrive through malicious web pages or e-mail attachments. This is because attackers are opportunistic and these are the weakest links especially because they easily pass through every firewall. Security is not and never was about SYN packets, it is about data: the software attack surface that attacker-controlled data interacts with and what sensitive data the attacker can get a hold of if they can exploit vulnerabilities in that software.'"

39 of 203 comments (clear)

  1. And the year of.. by sopssa · · Score: 2, Insightful

    .. bloat.

    Just look at how slow IE8 is to use.

    1. Re:And the year of.. by SnarfQuest · · Score: 2, Funny

      If you want to leave a lot of openings in your sandbox for malicious software to work through, you have to expect things to slow down.

      --
      Who would win this election: Andrew Weiner vs Andrew Weiner's weiner.
    2. Re:And the year of.. by spun · · Score: 4, Informative

      and what exactly is the point of having RAM go unused?

      File cache. RAM unused by bloated applications gets used by (most) operating systems to cache files, resulting in quicker disk access.

      --
      - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
    3. Re:And the year of.. by alen · · Score: 2, Insightful

      unless you're using SBS, most organizations will only run Exchange or SQL or one major app on a server. on our servers we're running the HP software and SQL on our database servers. we even put all the third party database drivers on a separate server so as not to cause any potential issues.

    4. Re:And the year of.. by Anonymous Coward · · Score: 2, Interesting

      Exchange takes the file cache into account when setting its cache size. If you start paging it can reduce its memory usage. The point here is subtle:
      Free memory = Bad (wasted resources which can be used to reduce I/O)
      Paging = Bad (bad performance)

      So Exchange increases its memory usage unless the machine is paging.

    5. Re:And the year of.. by lgw · · Score: 2, Insightful

      It's easier to snap-and-rollback a virtual machine than a physical machine when the user causes it to get pwnt.

      It's easier to snap-and-rollback a sandboxed (jailed) app than a virtual machine.

      It's easier (at least in Windows) to give the user admin control of his virtual machine than not. That doesn't mean he needs any sort of privledges on the host machine. Depending on the app sandboxing paradigm, the app can run as admin (as far as it knows), but the user doesn't have the ability to escalate the apps permissions.

      From a security perspective, both VMs and app sandboxing are attempts to address the "user will escalate anyway" problem, and both are real progress over the pre-virtualizion norm IMO.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    6. Re:And the year of.. by LordLimecat · · Score: 2, Interesting

      Chrome uses a sandbox model, and it seems to do OK. Programs running in Sandboxie seem to run pretty quick too. Is it possible not all sandbox apps are created equal?

      I'll also note that IE8 has more security than IE7, and yet curiously runs much faster than its predecessor. Seems like security vs speed is a false dichotomy.

  2. Windows 7 by gbjbaanb · · Score: 3, Funny

    Great, I just upgraded from XP to Windows 7 and now all my apps have to be run in XP Mode's virtual machines. Thanks Microsoft. :)

    1. Re:Windows 7 by wisty · · Score: 2, Interesting

      Doesn't FreeBSD has some sort of "jail" functionality? And has since the year 2000?

      I'm not convinced that virtualizing a whole frigging OS is always the best. It's great for running XP or Linux on a MacBook; or XP on a Linux box (if Wine isn't enough), but the RAM use high enough to severely limit it's uses for security.

      I'm not using a browser if it opens a new OS for every damn tab, for example.

      OS tools (jails, lower level user accounts, etc) are going to be better. Or using a State Machine, or some other real engineering paradigm (instead of nasty hacked up code that kinda looks like it works).

    2. Re:Windows 7 by gbjbaanb · · Score: 2, Interesting

      you're looking at the chroot command, Linux has it too.
      It basically restricts an app to the directory and subdirs only, which only causes problems when they try to reach out of the jail to, say /tmp or /etc.

      According to wikipedia, chroot has been around since... 1982.

      (yes, FreeBSD jails are better, but still based on the same concept).

  3. Wow.... Welcome to Java applets, 1995... by haemish · · Score: 2, Interesting

    Sandboxes are a tried and true idea, they work well. It's about time

  4. Already here. It's on my family PC.. by Lumpy · · Score: 4, Interesting

    sandboxie... Great program, will NOT work on a 64 bit OS.

    IT has kept my Daughter's PC free of crap because she refuses to not click on everything and not use Internet explorer... so I sandboxed it. Click on everything, it's all sandboxed.

    --
    Do not look at laser with remaining good eye.
  5. Let's just stop using the browser as an OS. by Anonymous Coward · · Score: 4, Insightful

    Maybe we should just stop using the goddamn browser as an operating system. It was never meant to be anything more than a way to view mainly static documents, and quickly access other linked documents.

    While some interactivity is of course useful and sensible, some fools have gone off the deep end and think we should treat the browser as some sort of an application development platform.

    Of course, anyone who has done real application development under a real operating system, even if it is just Windows, knows how poorly the browser is as such a platform. It's clear that everything, from JavaScript to AJAX to Flash, has been tacked on as a shitty afterthought.

    The answer isn't sandboxing. The answer is that we need to go back to using the browser as just a browser, and nothing else. And any real applications that demand network connectivity should be written as such, and run outside of the browser.

    1. Re:Let's just stop using the browser as an OS. by phantomfive · · Score: 2, Insightful

      The answer is that we need to go back to using the browser as just a browser, and nothing else.

      It's never going to happen. The browser is too useful for too many other things. If somehow we managed to get the browser to return to being just a page viewer, someone (like Microsoft) would create an API for online applications and call it a non-browser. In fact, this was the original idea behind .net, and why it is called .net. Online applications AKA cloud based applications are here to stay.

      --
      Qxe4
    2. Re:Let's just stop using the browser as an OS. by AvitarX · · Score: 2, Insightful

      It was never meant to be anything more than a way to view mainly static documents, and quickly access other linked documents.

      You are wrong wrong wrong. For many years now the browser has been meant for more than that. It originally may not have been meant for more than that, but to say it never was is stupid. The reason MS panicked about it was there was an express intent of making the browser more than that.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    3. Re:Let's just stop using the browser as an OS. by Locutus · · Score: 3, Insightful

      and things like ActiveX don't apply to the "been tacked on as a shitty after thought" comment? From what I've seen, Microsoft is the king of tacking things on as a shitty after thought otherwise they'd not still be known for security and reliability problems. Rebooting a Windows computer is still the number one recommendation for 'fixing' a broken Windows system across many IT orgs and reinstalling Windows is probably still in the top 10 things done to 'fix' the computer.

      Besides, it's been Microsoft's attacking of software application vendors on their platform which has lead to so much being attempted in the browser since it isolates them so much from Microsoft. You don't hear so much of what software vendors software broke at every release of a new version of Microsoft Windows. That's because more and more business applications are fed from app servers to browsers and a minimum standard feature set must be met in the browser for it to be useful across the web and therefore IntraNet.

      This has little to do with the browser being the problem, it is about the design of the Windows OS not doing it's own memory protection and letting applications run many things as admin when they should be run as the user and they should not be accessing OS or other application space memory. This is another crutch for a bad design but it'll help sell more hardware if that's what you want.

      LoB

      --
      "Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
  6. Re:Already here. It's on my family PC.. by sakdoctor · · Score: 5, Funny

    Whoa! Your daughter is off the rails, and your soft approach to parenting is not helping.
    Install linux on her system right now, and don't give her the root password until she's 18!

  7. requires sophistication & motivation; not opti by bcrowell · · Score: 4, Insightful

    All security problems are easy to solve if you have users who are sophisticated about security, and motivated to put up with inconveniences. The real world isn't like that.

    A proposal like this inevitably requires that the user understand something about the sandbox, and also requires that the user go through various hassles because of the sandbox. They're going to perceive it as a hassle, because the sandbox is going to prevent them from doing things they would otherwise have done. If they're unsophisticated and unmotivated, they'll just see it as something to work around.

    Not only that, but this isn't an optimal solution. A flash game has to be a Turing-complete program. A memo doesn't have to. The simple solution is just to stop embedding Turing-complete programming languages in file formats that don't require them. Adobe actually started by designing postscript as a Turing-complete language. That had some unfortunate consequences, since, e.g., you can't predict whether a program written in a Turing-complete language will halt, so in principle you can't predict whether a document will take forever to come out of the printer. The realized that that was a mistake, and when they designed pdf, they intentionally made it not Turing complete. Now we've come full circle, and they've added a Turing-complete language, javascript, back into pdf. That's just bad design. The solution for users is actually pretty easy: if you're using Adobe Reader, turn off javascript.

    --
    Find free books.
  8. Re:Already here. It's on my family PC.. by CannonballHead · · Score: 2, Informative

    "Windows 64-bit: Full support for 64-bit is available in recent beta versions of Sandboxie. Click here"

    Looks like they are working on that. :)

  9. Re:This is the year of wishes being predicitons by csartanis · · Score: 5, Funny

    I predict this will be the year of Kari Bryon on the desktop!

  10. Re:Already here. It's on my family PC.. by CannonballHead · · Score: 4, Insightful

    Yes. Linux has many, many things that are pretty cool.

    Unfortunately, they haven't had a good all-together tied-in user experience.

    Claiming things like "we have chroot" and "we have sudo" and other code/geek-ish type of coolnesses is like claiming that your car has awesome engine with new piston technology, very secure door locks, and can run on almost ANY fuel currently available; unfortunately, the seats are rather uncomfortable and the controls on the dashboard look more like a commercial airliner's cockpit.

    Yes, I know it's getting better. That's good. I hope they keep it up and continue to improve issues that apparently many geeks don't care about and many average users do (like flash video [youtube] and audio) and being able to use their iPods and scanners). :)

  11. Re:Already here. It's on my family PC.. by Anonymous Coward · · Score: 2, Funny

    [dont-take-it-personal][joke-to-easy-to-resist]
    "Much like her mother"? she has poor taste in men?
    [/joke-to-easy-to-resist][/dont-take-it-personal]

  12. Re:Old news? by MrEricSir · · Score: 2, Funny

    Yes, but a big bully came and stomped on all our sand castles. Now that we've grown up a little, it's time to try again.

    --
    There's no -1 for "I don't get it."
  13. Sorry. The WWW is now a huge API by Colin+Smith · · Score: 4, Informative

    Web servers don't serve html documents any more, they serve remote procedure calls from javascript front ends.
     

    --
    Deleted
  14. wha? by jasno · · Score: 2, Insightful

    Security is not and never was about SYN packets

    Security is about everything, period.

    --

    http://www.masturbateforpeace.com/
  15. Re:A wish, not a prediction by tempest69 · · Score: 2, Insightful
    Sandboxing is long overdue. It's a primitive step in the right direction, but it's needed to take the whole host of steps that can make a stable system. There is a freakload of work that needs to be done to get past the mess that exists in current operating systems. But instead of making a really innovative system, we keep getting more of the same: incremental improvement to the desktop system.
    Sandboxing is a decade late, we should be so much further by now.. dang.

    Storm

  16. you mean like an operating system is supposed to? by Locutus · · Score: 3, Interesting

    really? sandboxing desktop apps? Look at what one of the design goals of any real OS is and providing security, memory protection( from other apps and OS space ), indirect access to hardware, and smooth multitasking between apps and OS are right up there near the top. Memory protection is WAY up there near the top unless you're looking at special purpose realtime applications or micro-controller apps. Now what we are seeing on Windows is yet another layer in an attempt to fix a bad design and one which will continue to slow down the system while pushing the hardware. It's great if you are out to sell more expensive hardware and you don't want lower end( cheaper priced ) hardware to run your software. You know, like how Vista ran so good on netbooks and how Windows 7 is better than Vista at that but still worst than Windows XP.

    Sandboxing is basically what virtual machines like VMWare, VirtualBox, KVM, VirtualPC all do. Off of Windows, it gives users a way to run Windows without rebooting their main OS. On Windows, it gives businesses a way to keep one crashing Windows server from taking down the other servers and in the desktop it lets users boot Linux without rebooting Windows. But for app protection? That's what the OS is supposed to be doing.

    LoB

    --
    "Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
  17. Awesome! by InlawBiker · · Score: 4, Funny

    I was just handed a memo from a collection of all major software and hardware vendors on Earth, saying that security will be put ahead of profits from now on! It was delivered by a Unicorn, who got here on the gumdrop express via the rainbow highway.

  18. Correction needed ... by Viol8 · · Score: 3, Insightful

    "unless you're using SBS " or run unix/linux " most organizations will only run Exchange or SQL or one major app on a server"

    There, fixed it for you. Curiously unix can generally cope with running more than one app/DB without falling over or having one app
    screw up the other.

    "we even put all the third party database drivers on a separate server so as not to cause any potential issues."

    Well that sums up running a Windows server doesn't it.

  19. Instead of validating inputs by vlm · · Score: 3, Interesting

    Cool, instead of screwing up the simple task of validating inputs, we'll simply screw up the complicated task of sandboxing. Awesomeness!

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    1. Re:Instead of validating inputs by jpmorgan · · Score: 3, Insightful

      Sandboxing only needs to be done right once. Validating user input needs to be done right every time. I'm not saying don't validate your user input, but if your first line of defense is a fairly brittle mechanism, having extra protection is a good thing.

    2. Re:Instead of validating inputs by jhol13 · · Score: 2, Informative

      We have tried the "validating" approach for 20 years and it is still failing at a tremendous rate.

      Maybe it is time to try something else?

  20. Re:you mean like an operating system is supposed t by jpmorgan · · Score: 5, Insightful

    This isn't a Windows specific problem. The fundamental problem is the user/process model that's been popular since the inception of UNIX (maybe even earlier, I don't know enough about Multics to say): the idea that only users have identities and programs run under the identity (and permissions) of the user who runs it. If I'm running a game, there's no reason why it needs access to my tax spreadsheets, etc...

    All software should be running under its own identity and access to user documents should be through standardized user interfaces... i.e., the 'File Open' dialog is actually a part of the OS not the application, and also grants temporary permissions in addition to just selecting a file.

    We talk about the principle of 'least privilege' but in practice (with a few notable exceptions) the 'low-privilege' processes have the most important privileges of all: access to all our stuff.

  21. Fundamental Problem by Ohio+Calvinist · · Score: 2, Interesting

    The fundamental problem is that users want their computer to do things. They want responsive rich media web applications so conventional wisdom to turn off everything but HTML rendering causes their computer to not do stuff it used to be capable of. The second problem is that in order for computers to do things, particularly in networked environments, is that processes could be working with trusted, semi-trusted or untrusted stuff (be-it content, code, whatever, it doesn't matter for the purpose used.) When security tools attempt to figure out what ought to be trusted or not trusted and gets it wrong, you either do something unsafe or you block the user from doing what they want to do (even if you or me would consider what they want to do as foolish or downright dangerous.) When users are expected to indicate what is trusted or not trusted they generally lack the insight to know what to pick, and vendors are at peril of designing annoying software that provides little true security if users always click "yes" causing the unsafe action to happen, or prevents their computer from working as expected, if they always click "no." Sandboxing can be effective to limit access to other application's data, but can greatly limit interoperability and requires the developer make some decisions on behalf of the user, or makes the developer ask the user how isolated the process is from other resources in a way that is meaningful and they they can understand what the consequences in either case will be if they approve (ideally at setup).

    --
    Forgive my spelling from time to time. I'm often posting during short breaks.
  22. How about reducing the surface area? by argent · · Score: 3, Interesting

    Sandboxing means that once the attacker has used an input exploit to own the process, it has to perform a privilege escalation exploit to get out of the sandbox. The problem is that applications running in sanboxes have to be able to write files, read files, load and install plugins, execute helper applications, and generally do just about anything a regulat application has to. So the sandbox can't be very "strong".

    Instead of adding a leaky sandbox, how about reducing the surface area exposed to attack in the first place? Simplify the application. Get rid of things like XPI in Firefox and ActiveX in IE. Get rid of the need for third party plugins like Java and Flash (HTML5 goes a long way here). Get rid of the ability for network apps to masquerade as local apps (there's no reason a web page should be allowed to remove the status and address bar, for example). Don't even *offer* to automatically open a file after downloading. Remove that option from the browser completely. Get rid of Acrobat and other plug-in document viewers.

    Yes, this might make it less convenient for websites to "wow" the user. So what? I'd rather be safe than "wow"ed.

    1. Re:How about reducing the surface area? by hedwards · · Score: 2, Insightful

      Sandboxing means that once the attacker has used an input exploit to own the process, it has to perform a privilege escalation exploit to get out of the sandbox. The problem is that applications running in sanboxes have to be able to write files, read files, load and install plugins, execute helper applications, and generally do just about anything a regulat application has to. So the sandbox can't be very "strong".

      That's not really sandbox's fault, so much as the way that people design and run their OS. FreeBSD for example has the ability to combine flags and securelevel to prevent any changes to files that are so marked at all. It can be a pain in the ass, but it makes it very difficult for somebody to remotely install something to run at boot time.

      Additionally, a proper sandbox shouldn't allow one to write to any portion of the hard disk that's directly accessible to the OS, and should really require exporting the information through the sandbox to access outside of the sandbox. If you're allowing the sandboxed app to operate directly on the disk you're doing something wrong and that area of the disk probably shouldn't be directly accessible except through a utility for doing so.

    2. Re:How about reducing the surface area? by jhol13 · · Score: 2, Informative

      applications running in sanboxes have to be able to write files, read files, load and install plugins, execute helper applications,

      No, they don't.

      They can be made so that only way to access file system is by File Dialog (see Java Web Start / JNLP).

  23. Re:Isolate by Fnord666 · · Score: 3, Funny
    From the Isolate web site:

    isolate currently suffers from some bad security bugs! These are local root privilege escalation bugs. Thanks to the helpful person who reported them (email Chris if you want credit!). We're working to fix them ASAP, but until then, isolate is unsafe and you should uninstall it. Sorry!

    This doesn't really sound like the solution most people looking for.

    --
    'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
  24. Re:A wish, not a prediction by mattpalmer1086 · · Score: 4, Insightful

    Not true.

    All of these systems are designed to protect users from each other on a single system, when a computer was an expensive resource. It's just that unix had a good multi-user single-machine design long before windows did.

    But the threat model these days is running untrusted code from the network. Very few machines actually have more than one user on them - they all have their own machines. And all of that code is running with the full privileges of the user, with access to all their data.

    That is the. problem these days. And it's not one that unix is any better at solving than windows is. I would add that I've used Ubuntu as my primary desktop for the last 4 years - I'm no Windows fanboy - but neither am I blind to the security weaknesses of my chosen operating system.