Trust No Program
Version 4.01 - Major changes to underlying architecture
tzuk


Joined: 22 Jun 2004
Posts: 15003
SANDBOXIE INTERNALS REDESIGNED IN VERSION 4

The 64-bit edition of Windows 8 introduces a new version of the Kernel Patch Protection (PatchGuard) component, which limits Sandboxie v3 in establishing some of the kernel hooks that it needs in order to fully supervise programs.

To ensure a high level of sandbox isolation on Windows 8 and future versions of Windows, and to mitigate the risk that a future update to Windows 7 will include the new PatchGuard, and break compatibility with Sandboxie, version 4 introduces a change in the way Sandboxie works under the hood.

In version 4, Sandboxie is designed to not rely on unofficial hooks into the kernel. (A few such hooks are still in use on Windows XP.) Instead, a program under the supervision of Sandboxie v4 runs with no permissions and cannot access or manipulate objects in the system outside the program's own memory. (This restricted security context can be seen by looking at a process in the sandbox using Process Explorer.)

Sandboxie 4 on 64-bit Windows removes the Experimental Protection feature, and no longer has to suggest use of the Drop Rights option.

Minimum Windows Version

Features in the Windows kernel which guarantee that a program cannot improve its own set of permissions are only available starting with Windows XP SP 2, with additional security features in Windows Vista.

Sandboxie v4 officially supports Windows XP SP 3, Windows Vista with Service Pack 2, Windows 7 with Service Pack 1, and Windows 8. Other variants may or may not work at this time.

Please note that these changes do not mean that Sandboxie now supports Metro apps.

_________________
tzuk
tzuk


Joined: 22 Jun 2004
Posts: 15003
KNOWN PROBLEMS IN VERSION 4

Important Note: This is a major revision, and some stuff will break. Following is a brief list of issues that are known at this time.

- Printing doesn't work for 32-bit programs running on 64-bit Windows
Re: Version 4.01 - Major changes to underlying architecture
soccerfan


Joined: 25 Sep 2007
Posts: 421
tzuk wrote:
SANDBOXIE INTERNALS REDESIGNED IN VERSION 4
[~snipped~]
Minimum Windows Version

Features in the Windows kernel which guarantee that a program cannot improve its own set of permissions are only available starting with Windows XP SP 2, with additional security features in Windows Vista.

Sandboxie v4 officially supports Windows XP SP 3, Windows Vista with Service Pack 2, Windows 7 with Service Pack 1, and Windows 8. Other variants may or may not work at this time.


Thanks for your efforts. :D I have been on Windows XP SP2 for years and it is not clear (to me) from your first post (quoted above) if Sandboxie v4 and higher will continue to support XP SP2.
Thanks.

_________________
soccerfan
tzuk


Joined: 22 Jun 2004
Posts: 15003
That really depends on the changes between XP SP 2 and SP 3. I didn't test with earlier service packs than the latest service pack for each version of Windows, because that would multiply the number of setups I have to support. You can easily check if Sandboxie 4.01 works on your XP SP 2, and easily go back to version 3.76 if it doesn't. Maybe it works fine and this is a non-issue.
soccerfan


Joined: 25 Sep 2007
Posts: 421
tzuk wrote:
...You can easily check if Sandboxie 4.01 works on your XP SP 2, and easily go back to version 3.76 if it doesn't.

I might just do that once the dust settles on v4 :P
Thanks for the testing update on XP machines.

EDIT: I assume Sandboxie v4 does not check if service pack SP3 is actually installed.
Re: Version 4.01 - Major changes to underlying architecture
DR_LaRRY_PEpPeR


Joined: 04 Jul 2012
Posts: 124
Location: St. Louis area
Cool. :D

tzuk wrote:
In version 4, Sandboxie is designed to not rely on unofficial hooks into the kernel. (A few such hooks are still in use on Windows XP.) Instead, a program under the supervision of Sandboxie v4 runs with no permissions and cannot access or manipulate objects in the system outside the program's own memory. (This restricted security context can be seen by looking at a process in the sandbox using Process Explorer.)


I'm curious to know more about the "runs with no permissions part and cannot access..." :) But of course Resource Access stuff will still all function as expected, even in a restricted context? Is this "restricted" context like the Restricted level using RunAs (in XP at least)? e.g. Less than "Basic User?" I don't guess so, since it sounds like Drop Rights still exists, therefore programs CAN still have admin permissions in a sandbox? (admin+restricted, hmm... :?) Well, barring any bugs, I guess everything is still supposed to operate the same from a user's point of view?

Besides improving things for 64-bit systems, do these changes in general (inc. 32-bit, XP, etc.) help to protect even "better," by locking things down even more or anything...?

Thanks!

_________________
XP Home-as-Pro SP3 (Admin), permissions + "2-level" SRP, latest Sandboxie (registered), EMET 4, no anti-anything (ever)
tzuk


Joined: 22 Jun 2004
Posts: 15003
soccerfan wrote:
EDIT: I assume sandboxie v4 does not check if service pack SP3 is actually installed.


At this time no. But I'm not ruling out doing something like that eventually.

DR_LaRRY_PEpPeR wrote:
Well, barring any bugs, I guess everything is still supposed to operate the same from a user's point of view?


Yes, exactly the same, including Resource Access and even Resource Monitor.

The way this works is Sandboxie reduces the permissions of the program to nothing, so the program has to go through Sandboxie to access resources, or else the resource access is guaranteed to fail. If Sandboxie thinks the access is ok, it will do the access on behalf of the program with the original permissions of the program. So Drop Rights can still determine if those original permissions will include Administrators or not.

These changes don't make much difference in 32-bit systems in terms of protection, or compared to 64-bit systems with Experimental Protection for that matter.
DR_LaRRY_PEpPeR


Joined: 04 Jul 2012
Posts: 124
Location: St. Louis area
Hoooooly crap, definitely some amazing changes. :P I just spent a couple hours messing with stuff on the laptop's fresh Windows install, since I'm still keeping 3.74 running on the main system to see IF I have any EMET+Firefox problems (9 days so far...). Anyway, don't want to be too excited in case there's something wrong that I haven't noticed yet, haha. :shock: But some interesting findings -- some good, some bad (hopefully fixable, will post in other topic). Looks like good news about this: Run Sandboxed + SRP doesn't work? Thanks! :D


tzuk, after your reply yesterday, I was going to say/ask: Sounds more like a full "proxy" for resources now, instead of something like a "gatekeeper" up until now? Does the new way of handling stuff have any impact on performance?


I see in Process Explorer that Job Objects are being used now (which I guess is part of what you described), and under the ANONYMOUS LOGON user name. Chrome users: Is that the same way it works? (Yeah, I still haven't tried Chrome :oops:, and only found out about Jobs when reading about its sandbox.)

Makes it easier to see sandboxed processes in Task Manager, etc. with the different name... I was wondering if that meant files needed different permissions, or would be created with that ANON owner, but no, everything is as before. :) (Don't know if that's Sandboxie handling things, or just part of the Job system.)

I also noticed a small (but unlikely) security hole with file permissions that I never posted about has been fixed as well! (I was going to post about it awhile ago with another possible hole, which I haven't investigated further yet...)
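Added example, not part of any post in this thread and not Sandboxie's own code: a scripted version of the Process Explorer check mentioned above, listing processes whose token user is ANONYMOUS LOGON and whether each belongs to a job object. It assumes PowerShell 3.0 or later; the function name `Get-AnonymousTokenProcess` and the `Win32.JobApi` wrapper are hypothetical names, and that sandboxed programs show these two traits is taken from the posts above about version 4.01.

```powershell
# Added example (not Sandboxie code): find processes running as ANONYMOUS LOGON
# and report job-object membership, the two traits described in the thread.
Add-Type -Namespace Win32 -Name JobApi -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool IsProcessInJob(IntPtr process, IntPtr job, out bool result);
'@

$AnonymousSid = 'S-1-5-7'   # well-known SID of NT AUTHORITY\ANONYMOUS LOGON

function Get-AnonymousTokenProcess {
    foreach ($proc in Get-CimInstance -ClassName Win32_Process) {
        # GetOwnerSid fails for processes we are not allowed to query; skip those.
        $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwnerSid -ErrorAction SilentlyContinue
        if (-not $owner -or $owner.ReturnValue -ne 0 -or $owner.Sid -ne $AnonymousSid) { continue }

        $inJob = $null   # stays $null when the process handle cannot be opened
        try {
            $handle = (Get-Process -Id $proc.ProcessId -ErrorAction Stop).Handle
            $flag = $false
            # A zero job handle asks "is this process in any job?"
            if ([Win32.JobApi]::IsProcessInJob($handle, [IntPtr]::Zero, [ref]$flag)) { $inJob = $flag }
        } catch { }

        [pscustomobject]@{
            ProcessId = $proc.ProcessId
            Name      = $proc.Name
            OwnerSid  = $owner.Sid
            InJob     = $inJob
        }
    }
}

Get-AnonymousTokenProcess | Format-Table -AutoSize
```

Run it from an elevated, unsandboxed prompt so that process owners can be read; comparing against the SID rather than the account name keeps the check independent of the Windows display language.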
Re: Version 4.01 - Major changes to underlying architecture
Lumberjack


Joined: 25 Nov 2011
Posts: 50
I was hoping that it would be possible for Sandboxie 4 to support from Windows 2000 SP1. I now have Windows XP 3, but how long will you support this?
I still have an old computer which works just fine for my usual needs and it would be a shame if Sandboxie stops supporting this version.

My friend has Windows 2000 SP4. He was afraid that future versions of Sandboxie will not support these systems anymore, what a shame..., and he bought a lifetime license like me...
I wonder what he will use for protection if Sandboxie does not support older Windows systems anymore...


Last edited by Lumberjack on Sat Jan 12, 2013 4:32 pm; edited 1 time in total
Re: Version 4.01 - Major changes to underlying architecture
Lumberjack


Joined: 25 Nov 2011
Posts: 50
I'm not sure if I understand, does this mean that PatchGuard in Windows 64-bit systems does not allow Sandboxie to reach its full protection level like in previous versions of Sandboxie on both 32-bit and 64-bit systems?
Stephan
Guest

Will we also get a new, cool, modern interface to Sandboxie? :)

Please?
tzuk


Joined: 22 Jun 2004
Posts: 15003
Sorry guys, too much stuff going on here, so I'm going to be brief.

DR_LaRRY_PEpPeR:
- I suppose you can still say it's a gatekeeper. It used to be about closing the gate on the program, now it's about opening it for the program.
- There are a few similarities to the Chrome sandbox, but also many differences, the chief one being that there isn't a separate proxy, like in Chrome. The program will be able to access the resources it needs, but only if Sandboxie says it's ok.

Lumberjack: The point of compatibility with old versions of Windows and service packs was already mentioned in this topic.
Escalader


Joined: 05 Oct 2012
Posts: 15
tzuk wrote:
KNOWN PROBLEMS IN VERSION 4

Important Note: This is a major revision, and some stuff will break. Following is a brief list of issues that are known at this time.

- Printing doesn't work for 32-bit programs running on 64-bit Windows


So, making it simple for me: I have MS Office 10 32 bit running on 64 bit W7 i7.

Does this mean no printing will be possible for Word, Excel, etc.?

_________________
Regards

Mathematics is not an opinion
reand
Guest

This feels stable enough, I didn't find bugs also.
PiwPi


Joined: 31 Jan 2011
Posts: 39
Sounds good!

But how does Sandboxie decide what kind of permissions to grant to a program? (i.e. whitelist or heuristics?)
What kind of permissions will the default configuration grant? (i.e. disk operations and everything else that can be allowed or blocked)
Can a malicious program within a sandbox take control of a more trusted program in the same box and abuse its permissions?

Side question, why doesn't Sandboxie support Metro apps? I don't use Win 8 but am wondering.

Thanks and keep up the good work :)
All I need from Sandboxie 4 is an even more detailed understanding of its internals, and a better looking interface / icon. No I'm not shallow!
Sandboxie is Copyright © 2004-2012 by Sandboxie Holdings LLC.  All rights reserved.