Chrome, Adobe Reader, Sandboxie, Dell Protect Workspace and BufferZone have been analyzed

Jul 24, 2013 21:01 GMT  ·  By

Bromium Labs has released an interesting study called “Application Sandboxes: A Pen Tester’s Perspective.” The study analyzes several publicly available application sandboxes such as Google Chrome, Adobe Reader, Sandboxie, Dell Protect Workspace and BufferZone Pro.

“The report is about pen-testing and we used and wrote several exploits in our research. However, we did not use any unknown zero days or even try to find vulnerabilities in any of the above-mentioned products. That was not needed as the opportunities for attackers are huge already,” Rahul Kashyap, Head of Security Research at Bromium and co-author of the report, explains in a blog post.

The experts used several attack techniques, including sandbox bypass, sandbox leakage and sandbox vulnerabilities.

The report shows that while off-the-shelf exploits are blocked by most of the sandboxes, OS kernel exploits and OS user-mode exploits are easily achievable on Sandboxie, BufferZone and Protected Workspace.

On Google Chrome and Adobe Reader X, experts have graded the difficulty of breaking out of the sandbox as “medium” for OS kernel exploits.

Stealing files is difficult in Sandboxie, BufferZone and Protected Workspace. However, other tasks such as key logging, remote webcam access, clipboard hijacking, screen scraping and network share access are “easy” in most cases.

“Sandbox vendors love to quote statistics showing that introduction of sandboxing drastically reduced the number of publicly known exploits for their product. However, our analysis shows that the attack surface, although reduced, is still large and exploitable. Users still need to patch and are always at risk from zero day vulnerabilities,” the report reads.

“A particularly notable fact is that all described sandboxes still rely significantly on the security of the underlying operating system. We have shown examples that some OS vulnerabilities, both in kernel and user-mode components, can be exploited to break out of the sandbox. This clearly shows the need for security solutions that cannot be bypassed via underlying OS bugs.”

The complete report is available here.