Comments on The Invisible Things Lab's blog: Shattering the myths of Windows security
Blog author: Joanna Rutkowska. Comments are listed newest first.

[Joanna Rutkowska, 2014-07-21 10:23 +02:00]
@dragon & anon asking about using LXC as an isolation provider -- please see this article:

http://theinvisiblethings.blogspot.com/2013/03/introducing-qubes-odyssey-framework.html

The short answer: yes, LXC might be a good option for the "poor-man's" edition of Qubes OS. Much less secure than Xen, but more than "just Linux" IMHO.

[Anonymous, 2014-07-19 15:43 +02:00]
I was wondering about the same thing that dragon788 already mentioned. Could you share your viewpoint/alternative ideas, Joanna, on the LXC/Docker subject?

[dragon788, 2014-05-09 03:14 +02:00]
Would be interested to see whether Qubes can take advantage of Valgrind/Docker(LXC) in the future as a possible alternative or additional tool in addition to Xen.
Any thoughts Joanna?

[Anonymous, 2014-04-18 13:18 +02:00]
So, Qubes WNI would be possible on Windows 8 Pro or Enterprise (and Windows 7 Pro, Ultimate, etc.), because Hyper-V is available?

(technical question leaving aside eventual license problems)

Another question: how about using the free Hyper-V Server 2012? (once again I know nothing of the licensing angle)

[Perl Hacker, 2014-03-26 15:56 +01:00]
Although this hardly rates as news, Sandboxie was recently purchased by Invincea. Invincea is a DARPA-funded start-up, with all of the requisite ties to various U.S. government defense agencies (NSA, DIA, etc). This may or may not affect your views about its utility as a trustworthy isolation mechanism, lol. In any event, Qubes seems like an excellent idea to the extent that the underlying hardware can be relied upon (where there can be no adequate defense, without basically giving up VLSI altogether).
Good job.

[Anonymous, 2014-03-21 13:26 +01:00]
Thanks for the analysis - it's no surprise that the Windows behemoth has no real plan for decent segregation, and this applies to licencing as well - there is the absurd situation that you nominally have to have multiple licences for running each VM which is only there to get around security weaknesses in the base product - how many eyes and hands do we have!

Regarding Sandboxie, I'm disappointed that this appears to have become an antagonistic scenario, whereas, having used Sandboxie and Qubes (thanks a bunch), I see them both as rather applicable in different scenarios.

Sandboxie 4 uses ANONYMOUS_LOGIN as the user (as well as restricting calls & disk & network access). Clearly less secure than Qubes (because it's vulnerable to OS subversion, but it does trap a lot of real-world malware) and app oriented - but lightweight and pretty easy to set up, far easier than things like AppArmor. Being able to wipe browser sessions reliably and easily is a good feature.

[Joanna Rutkowska, 2014-02-26 20:45 +01:00]
@anon-from-sydney: it makes no sense to require Windows Server for Qubes WNI, because then we could very well use MS Hyper-V as an isolation provider, instead of OS processes/user accounts.

And perhaps one day we will write Qubes for Hyper-V, but it will likely require consumer Windows.
But this would not be called "Qubes WNI"...

[Anonymous, 2014-02-26 14:35 +01:00]
Interesting article. I was wondering why limit yourselves to targeting Win7 retail if it causes issues? I could imagine Qubes would also have some appeal to the pro version and server edition crowds. In a way, it is almost equivalent to targeting Xen as it was back in 2009 :)
I'd also be curious to know your opinion on the suitability of the child sessions mechanism introduced in Win8 (http://msdn.microsoft.com/en-us/library/hh769143(v=vs.85).aspx) for security isolation.
As a footnote, http://blogs.msdn.com/b/ntdebugging/archive/2007/01/04/desktop-heap-overview.aspx?PageIndex=7 might contain some useful troubleshooting documentation regarding the undisciplined behaviour of desktops and dlls in alternate winstations.
Cheers from Sydney!

[Joanna Rutkowska, 2014-02-07 23:40 +01:00]
@anon-who-advocates-chromium-sandbox:

Could be used directly... for what? Did you read our paper?

[Anonymous, 2014-02-06 15:32 +01:00]
What about the Chrome/Chromium browser sandbox for Windows, which could be used directly:

http://www.chromium.org/developers/design-documents/sandbox

and

http://www.chromium.org/developers/design-documents/sandbox/Sandbox-FAQ

[Joanna Rutkowska, 2014-01-20 19:57 +01:00]
@anon-who-proposed-primitive-border-color-overwrite:

And what if the app decided to use a borderless window and will draw the decoration frame all by itself (pixel by pixel)?

@anon-who-asks-why-to-limit-inter-process-communication:

Inter-process communication might be a misleading term in this context -- it's really about preventing inter-process interference. Again, an MS Office app might create some (kernel) objects that would turn out to be actually owned by the sandboxed malicious app (see the paper). Being able to e.g. control a shared memory section object is quite devastating. This is, of course, a completely different story than an app exposing just some networking endpoint (which still might be dangerous, so we naturally would like to have an option to limit those too).

[Anonymous, 2014-01-20 17:38 +01:00]
What is the necessity to prevent all inter-process communication?
Couldn't two programs in different domains which require Internet access also communicate via a third party server?

Do you know of a program that can be used to test whether it is isolated? For example, run the program in two different domains and have them try to communicate via clipboard, files, registry, IPC, etc.

[Anonymous, 2014-01-20 17:26 +01:00]
borderColor=0xFF0000

[Joanna Rutkowska, 2014-01-20 11:14 +01:00]
@rjohnson:

Yeah, as you say, this is not an acceptable approach, because using undocumented Windows patching to enable undocumented features in a legitimate product has at least two problems:

1) It might not be legal (at least in some countries)

2) It is not reliable, because MS might decide to change this undocumented code we patch at any time without warning, with a new automatic update.

[Joanna Rutkowska, 2014-01-20 11:05 +01:00]
@another-anon-who-advertises-sandboxie-without-providing-much-technical-facts:

And how does Sandboxie provide the colorful frames around the sandboxed window, so that the app cannot spoof it?

[Anonymous, 2014-01-20 05:10 +01:00]
"Pruning the application under Sandboxie will overcome most of the issues you pointed out, such as changing system preferences, inter process communication, etc."

Back in early 2011, I conducted research with the same goal and used the same techniques, such as running in a different security context, applying local/group policies, but I also ran each application under Sandboxie. Sandboxie had the ability to give a different color to each window, protect system preferences, etc.
It still falls short, but what I was trying to get at is that using all of your techniques, plus Sandboxie, adds more isolation and identification of domains.

Your work does go into much more detail about the many methods of inter-process communication regarding this topic than I've seen before.

[rjohnson, 2014-01-19 23:21 +01:00]
It may not be an appropriate approach for your project, but have you seen the RDP reversing that was done a couple of years ago that opened up the ability for multiple sessions and other hacks?
http://www.slideshare.net/alisaesage/hacking-microsoft-remote-desktop-services-for-fun-and-profit

[Joanna Rutkowska, 2014-01-19 10:44 +01:00]
@anon-advertising-sandboxie:

... and even if we assume we want to sandbox only a specific app, like in the case of Sandboxie, but tailoring the policy for it. Still, perhaps you can explain how Sandboxie resolves some of the problems described in the paper, such as:

1) Protecting the kernel object namespace against squatting attacks? E.g. the sandboxed app creates objects that will later be picked up and used by MS Office run outside of the sandbox -- as a result control of MS Office will be taken?

2) GUI isolation?

?

[Joanna Rutkowska, 2014-01-19 10:25 +01:00]
@anon-advertising-sandboxie:

As discussed in the paper, sandboxing of a specific app is not the same as creating a container that would work out of the box for any app (which is the goal of Qubes).

Qubes is not about creating a tailored sandbox for a specific app -- instead it's about creating domains where you can run any app, isolated from each other.

[Anonymous, 2014-01-18 23:19 +01:00]
Pruning the application under Sandboxie will overcome most of the issues you pointed out, such as changing system preferences, inter process communication, etc.

[Joanna Rutkowska, 2014-01-18 00:01 +01:00]
@anon-who-asks-about-seccomp:

Probably not, because, AFAIU, seccomp can only be used to sandbox specially prepared apps, rather than create isolated containers for running unmodified generic apps.

What should be, however, possible, and without much effort I think, is to use Linux LXC as a "hypervisor" for Qubes Odyssey. And we might even do this one day...

[Anonymous, 2014-01-17 22:02 +01:00]
@Joanna:

> "Developers need to be careful while modifying the state of the operating system in the Simulator because any changes in the Simulator will be reflected on the local machine itself."

I expect the isolation is the same as provided by a regular Remote Desktop session. The above sentence reads to me as a general warning that this is not some artificial, emulated system (such as that presented by the Windows Phone emulator).

> "Multiple instances of Visual Studio and Expression Blend share the same instance of the Windows Simulator."

This could potentially be quite crippling, but it is not clear whether this is a conscious limitation of the "Windows Simulator" feature (e.g. to conserve system resources and/or reduce user confusion) or a restriction in the "loopback Remote Desktop" mechanism itself. The OS could, for instance, limit the number of simultaneously active sessions to 2, similar to what Windows Server does with Remote Desktop set to "Administration" mode.

Two active sessions would provide the ability to interact with one isolation domain at once, while e.g. showing frozen images (last known state) of applications running in other domains (the sessions of those domains would be disconnected, just like when using fast user switching).
Upon switching the foreground window to that of another domain, the session of that domain could be reconnected (and that of the previous window disconnected).

But those are all idle musings, requiring actual experiments to verify.

[Anonymous, 2014-01-17 18:35 +01:00]
I'm curious: would the hypervisor generalization work you did enable you to run under seccomp-bpf?

[Rafał Wojdyła, 2014-01-17 13:30 +01:00]
@Harry:
You're right, this could've been spelled out more clearly. It's hard to find a proper definition of "interactive session" even on MSDN for some reason. What I usually call an interactive session is the whole environment created for a user when they log on to the system either by a physical console or Remote Desktop. That includes a separate address space (not a widely known fact I think, but vital for loading an independent copy of win32k.sys for example), window stations, desktops and finally a logon session and a shell process created during interactive logon.

It doesn't help that Microsoft renamed Terminal Services to Remote Desktop Services in Server 2008. I think the "proper" name for interactive sessions is "Remote Desktop Sessions" [1]. Of course they are a core part of the system now even without Remote Desktop server.

[1] http://msdn.microsoft.com/en-us/library/aa383496(v=vs.85).aspx

[Joanna Rutkowska, 2014-01-17 13:18 +01:00]
@Jakub:

A quote from the article you referenced:

"Developers need to be careful while modifying the state of the operating system in the Simulator because any changes in the Simulator will be reflected on the local machine itself. Multiple instances of Visual Studio and Expression Blend share the same instance of the Windows Simulator."

Sounds kind of disappointing :/
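Several comments above ask the same practical question: how do you check whether two "domains" built from Windows user accounts, sessions and window stations can still reach each other (the anonymous request for "a program that can be used to test whether it is isolated", Joanna's point that the real concern is inter-process interference through shared kernel objects that a sandboxed app can squat on, and Rafał's description of what an interactive session consists of). The script below is an added example written for this editorial pass; it is not code from the ITL paper, from Qubes WNI or from any commenter. Its object names (the WniProbe prefix), the file locations and the registry key are assumptions chosen for the demonstration. It plants named kernel objects, files, a registry value and clipboard text in one domain, then tries to reach each of them from the other, and prints which session, window station and desktop each phase ran in so the results can be interpreted.

```powershell
# Added example, not code from the ITL paper, from Qubes WNI or from any commenter.
# Two-phase probe for Windows isolation domains: run ".\probe.ps1 plant" in one
# domain (user account, session, window station), then ".\probe.ps1 check" in the
# other. The WniProbe prefix, file locations and registry key are assumptions.
param(
    [ValidateSet('plant', 'check')][string]$Mode = 'check',
    [string]$PlanterSid = ''    # SID printed by the plant phase, to look into that user's hive
)

$tag    = 'WniProbe'
$marker = "$tag planted by $env:USERNAME"
$paths  = @{
    MutexGlobal = "Global\$tag-mutex"    # Global\ object namespace: shared by every session
    MutexLocal  = "Local\$tag-mutex"     # Local\  object namespace: private to one session
    EventGlobal = "Global\$tag-event"    # (a Global\ section would need SeCreateGlobalPrivilege)
    UserTemp    = Join-Path ([IO.Path]::GetTempPath()) "$tag.txt"   # per-user %TEMP%
    PublicFile  = Join-Path $env:PUBLIC "$tag.txt"                  # C:\Users\Public
    RegKey      = "Software\$tag"                                   # relative to a user hive
}

# Report where this phase runs: kernel object names are scoped by session, the
# clipboard and window messages by window station, input by desktop.
Add-Type -Namespace Probe -Name User32 -MemberDefinition @'
[DllImport("user32.dll")] public static extern IntPtr GetProcessWindowStation();
[DllImport("user32.dll")] public static extern IntPtr GetThreadDesktop(uint tid);
[DllImport("kernel32.dll")] public static extern uint GetCurrentThreadId();
[DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool GetUserObjectInformationW(IntPtr h, int index, System.Text.StringBuilder buf, uint len, out uint needed);
'@
function Get-UserObjectName([IntPtr]$Handle) {
    $sb = New-Object System.Text.StringBuilder 256; [uint32]$n = 0
    if ([Probe.User32]::GetUserObjectInformationW($Handle, 2, $sb, 256, [ref]$n)) { $sb.ToString() } else { '?' }  # 2 = UOI_NAME
}
$sid     = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$winsta  = Get-UserObjectName ([Probe.User32]::GetProcessWindowStation())
$desktop = Get-UserObjectName ([Probe.User32]::GetThreadDesktop([Probe.User32]::GetCurrentThreadId()))
Write-Host "$Mode as $env:USERNAME ($sid), session $((Get-Process -Id $PID).SessionId), winsta $winsta, desktop $desktop"

if ($Mode -eq 'plant') {
    # A named kernel object exists only while some handle to it is open, so keep them.
    $keep = @(
        (New-Object System.Threading.Mutex($false, $paths.MutexGlobal)),
        (New-Object System.Threading.Mutex($false, $paths.MutexLocal)),
        (New-Object System.Threading.EventWaitHandle($false, 'ManualReset', $paths.EventGlobal))
    )
    Set-Content -Path $paths.UserTemp   -Value $marker
    Set-Content -Path $paths.PublicFile -Value $marker
    New-Item -Path "HKCU:\$($paths.RegKey)" -Force | Out-Null
    Set-ItemProperty -Path "HKCU:\$($paths.RegKey)" -Name Marker -Value $marker
    Set-Clipboard -Value $marker
    Read-Host "Planted. Run 'check -PlanterSid $sid' in the other domain, then press Enter to clean up"
    $keep | ForEach-Object { $_.Close() }
    Remove-Item $paths.UserTemp, $paths.PublicFile, "HKCU:\$($paths.RegKey)" -Recurse -ErrorAction SilentlyContinue
    return
}

# check phase. REACHABLE: the planted object or data is usable from here.
# NAME VISIBLE: the namespace is shared but the DACL refused us; an attacker that
# creates the name first, with a permissive DACL, turns this into REACHABLE for
# the victim (the squatting case discussed in the thread). isolated: nothing found.
function Test-Channel([string]$Label, [scriptblock]$Attempt) {
    try {
        $value  = & $Attempt
        $result = if ("$value") { 'REACHABLE' } else { 'isolated (no marker)' }
    } catch [System.UnauthorizedAccessException], [System.Security.SecurityException] {
        $result = 'NAME VISIBLE (access denied)'
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        $result = 'isolated (name not found)'
    } catch {
        $result = 'isolated ({0})' -f $_.Exception.GetType().Name
    }
    [pscustomobject]@{ Channel = $Label; Result = $result }
}

$channels = [ordered]@{
    'Mutex Global\'         = { $m = [System.Threading.Mutex]::OpenExisting($paths.MutexGlobal); $m.Close(); 'opened' }
    'Mutex Local\'          = { $m = [System.Threading.Mutex]::OpenExisting($paths.MutexLocal);  $m.Close(); 'opened' }
    'Event Global\'         = { $e = [System.Threading.EventWaitHandle]::OpenExisting($paths.EventGlobal); $e.Close(); 'opened' }
    'File in own %TEMP%'    = { Get-Content -Path $paths.UserTemp -Raw -ErrorAction Stop }
    'File in Public, read'  = { Get-Content -Path $paths.PublicFile -Raw -ErrorAction Stop }
    'File in Public, write' = { Add-Content -Path $paths.PublicFile -Value "touched by $env:USERNAME" -ErrorAction Stop; 'written' }
    'Registry, own HKCU'    = { (Get-ItemProperty -Path "HKCU:\$($paths.RegKey)" -Name Marker -ErrorAction Stop).Marker }
    'Clipboard'             = { $c = Get-Clipboard -Raw; if ("$c" -like "*$tag*") { $c } }
}
if ($PlanterSid) {   # other users' loaded hives sit under HKEY_USERS\<SID>
    $channels["Registry, hive of $PlanterSid"] = {
        (Get-ItemProperty -Path "Registry::HKEY_USERS\$PlanterSid\$($paths.RegKey)" -Name Marker -ErrorAction Stop).Marker }
}
$channels.GetEnumerator() | ForEach-Object { Test-Channel $_.Key $_.Value } | Format-Table -AutoSize
```

How the two domains are constructed decides what the table shows. If the check phase is started from the same session with runas (a different account, same session and same window station WinSta0), expect the Local\ mutex and the clipboard to be REACHABLE as well as the Global\ objects, because neither the session-private object directory nor the window station changed. If the second domain is a separate interactive logon (fast user switching or an RDP session), the Local\ name is gone and the clipboard is empty, but the Global\ mutex and event still report at least NAME VISIBLE, which is the shared namespace Joanna's squatting remark is about: an app that expects to create "Global\SomeName" can be handed an object a different domain created first. The Public folder and the other user's HKEY_USERS hive show which file-system and registry paths the two accounts share by default.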