2010 Will Be the Year of Sandboxing Apps
Trailrunner7 writes "In a guest editorial on Threatpost, Mac hacker and security researcher Dino Dai Zovi writes that 2010 will be the year that software vendors get religion about sandboxing untrusted data in desktop apps. 'Instead of the usual top ten lists that are all-too-common with predictions for the new year, I have just one: 2010 will be the year of desktop applications handling untrusted data in sandboxed processes, and it will be about time. The largest Internet security threats now arrive through malicious web pages or e-mail attachments. This is because attackers are opportunistic and these are the weakest links especially because they easily pass through every firewall. Security is not and never was about SYN packets, it is about data: the software attack surface that attacker-controlled data interacts with and what sensitive data the attacker can get a hold of if they can exploit vulnerabilities in that software.'"
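The broker-plus-worker split the editorial argues for, as an added example that is not part of the story or of any comment on this page: the broker keeps the file and network access, hands only the raw bytes to a forked worker confined by resource limits, and treats the worker's reply as untrusted input (JSON, never pickle). It assumes a Unix host (fork and setrlimit); the key=value document format, the 0xff "parser bug" marker and the limit values are constructed for the demo.

```python
import json
import os
import resource

# Constructed sample documents (not from the page): a well-formed key=value
# file and one carrying the byte that trips the simulated parser bug.
GOOD_DOC = b"title=hello\ncount=3\n"
HOSTILE_DOC = b"title=loop\n" + b"\xff" * 16


def parse_untrusted(data: bytes) -> dict:
    """Toy parser standing in for a real one (PDF, image, ...). The 0xff byte
    makes it spin forever: a hypothetical stand-in for a bug a hostile file hits."""
    if b"\xff" in data:
        while True:
            pass
    text = data.decode("utf-8", "replace")
    return dict(line.split("=", 1) for line in text.splitlines() if "=" in line)


def parse_in_sandbox(data: bytes, cpu_seconds: int = 1) -> dict:
    """Broker side. The worker receives only bytes, runs under rlimits, and its
    result is parsed as plain JSON so a compromised worker cannot run code here."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:  # worker
        os.close(r)
        code = 1
        try:
            # Bounded CPU time: the kernel kills a runaway parser with SIGXCPU.
            resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds + 1))
            # No child processes and no new descriptors: even a fully owned
            # worker cannot spawn helpers or open files and sockets on its own.
            resource.setrlimit(resource.RLIMIT_NPROC, (0, 0))
            resource.setrlimit(resource.RLIMIT_NOFILE, (0, 0))
            os.write(w, json.dumps(parse_untrusted(data)).encode())
            code = 0
        finally:
            os._exit(code)
    os.close(w)
    chunks = []
    while chunk := os.read(r, 65536):  # EOF once the worker exits or is killed
        chunks.append(chunk)
    os.close(r)
    _, status = os.waitpid(pid, 0)
    if os.WIFSIGNALED(status):
        return {"error": f"worker killed by signal {os.WTERMSIG(status)}"}
    if os.WEXITSTATUS(status) != 0 or not chunks:
        return {"error": "worker failed without a result"}
    return json.loads(b"".join(chunks))
```

The hostile document costs one second of CPU and then yields an error record in the broker, while the broker process itself never executed the parser.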
Wow.... Welcome to Java applets, 1995... (Score:2, Interesting)
Sandboxes are a tried and true idea, they work well. It's about time
Already here. It's on my family PC.. (Score:5, Interesting)
Sandboxie... Great program, will NOT work on a 64 bit OS.
It has kept my daughter's PC free of crap because she refuses to not click on everything and not use Internet Explorer... so I sandboxed it. Click on everything, it's all sandboxed.
Re:And the year of.. (Score:2, Interesting)
Exchange takes the file cache into account when setting its cache size. If you start paging it can reduce its memory usage. The point here is subtle:
Free memory = Bad (wasted resources which can be used to reduce I/O)
Paging = Bad (bad performance)
So Exchange increases its memory usage unless the machine is paging.
you mean like an operating system is supposed to? (Score:4, Interesting)
Sandboxing is basically what virtual machines like VMware, VirtualBox, KVM, VirtualPC all do. Off of Windows, it gives users a way to run Windows without rebooting their main OS. On Windows, it gives businesses a way to keep one crashing Windows server from taking down the other servers and in the desktop it lets users boot Linux without rebooting Windows. But for app protection? That's what the OS is supposed to be doing.
LoB
Whatcha gonna do, if the CPUs don't sell anymore.. (Score:1, Interesting)
...because nearly nobody needs even more power...
Just sandbox everything, and sandbox it again, then interpret, sandbox, and interpret again. Until you can barely get the framerate of a small handheld console from 15 years ago (remember that JavaScript Tetris?)
Just don’t feel the urge to actually write clean code. And cling to C-like languages, ’till the bitter end. Since C in a generic VM is oh-so-much faster, than Java (in its Hotspot VM) or Haskell on the bare metal...
Yay. I wonder how much I will kick the butts of others by writing clean straight-to-the-metal code without having to micromanage (C-style)... ;)
Instead of validating inputs (Score:4, Interesting)
Cool, instead of screwing up the simple task of validating inputs, we'll simply screw up the complicated task of sandboxing. Awesomeness!
Fundamental Problem (Score:3, Interesting)
How about reducing the surface area? (Score:4, Interesting)
Sandboxing means that once the attacker has used an input exploit to own the process, it has to perform a privilege escalation exploit to get out of the sandbox. The problem is that applications running in sandboxes have to be able to write files, read files, load and install plugins, execute helper applications, and generally do just about anything a regular application has to. So the sandbox can't be very "strong".
Instead of adding a leaky sandbox, how about reducing the surface area exposed to attack in the first place? Simplify the application. Get rid of things like XPI in Firefox and ActiveX in IE. Get rid of the need for third party plugins like Java and Flash (HTML5 goes a long way here). Get rid of the ability for network apps to masquerade as local apps (there's no reason a web page should be allowed to remove the status and address bar, for example). Don't even *offer* to automatically open a file after downloading. Remove that option from the browser completely. Get rid of Acrobat and other plug-in document viewers.
Yes, this might make it less convenient for websites to "wow" the user. So what? I'd rather be safe than "wow"ed.
Re:And the year of.. (Score:2, Interesting)
Great idea, but it looks like Exchange is doing it wrong since the Exchange machines I have seen are often using more memory than is installed so they are paging and using all the RAM it can. These are not the massive Exchange systems that large companies have. These Exchange systems have 5-20 email accounts on them. Not large at all. So why is Exchange using between 5GB (on a system with 4GB installed RAM) and 18GB (on a system with 16GB installed RAM) of RAM? I am not the Exchange admin, I pointed it out and the Exchange admin said not to worry the system is running fine. I still think something is very wrong.
Re:Windows 7 (Score:3, Interesting)
Doesn't FreeBSD have some sort of "jail" functionality? And has since the year 2000?
I'm not convinced that virtualizing a whole frigging OS is always the best. It's great for running XP or Linux on a MacBook; or XP on a Linux box (if Wine isn't enough), but the RAM use is high enough to severely limit its uses for security.
I'm not using a browser if it opens a new OS for every damn tab, for example.
OS tools (jails, lower level user accounts, etc) are going to be better. Or using a State Machine, or some other real engineering paradigm (instead of nasty hacked up code that kinda looks like it works).
Re:And the year of.. (Score:3, Interesting)
I'll also note that IE8 has more security than IE7, and yet curiously runs much faster than its predecessor. Seems like security vs speed is a false dichotomy.
Re:Windows 7 (Score:3, Interesting)
You're looking at the chroot [wikipedia.org] command, Linux has it too.
It basically restricts an app to the directory and subdirs only, which only causes problems when they try to reach out of the jail to, say, /tmp or /etc.
According to wikipedia, chroot has been around since... 1982.
(yes, FreeBSD jails [wikipedia.org] are better, but still based on the same concept).