
What a one line change did to the Chrome sandbox - jbredeche
https://googleprojectzero.blogspot.com/2020/04/you-wont-believe-what-this-one-line.html
======
ChrisSD
> The Chromium sandbox on Windows has stood the test of time. It’s considered
> one of the better sandboxing mechanisms deployed at scale without requiring
> elevated privileges to function.

For anyone who is interested in the history, this type of Restricted Token &
Job Object sandbox was, as far as I know, first used in MOICE (Microsoft
Office Isolated Conversion Environment). This was created by Microsoft's
Office Trustworthy Computing group to isolate the conversion of `.doc` to
`.docx`. David LeBlanc blogged about it in 2007, with his "Practical Windows
Sandboxing" series[0][1][2]. Of course a third party may have independently
discovered the same techniques but kept it to themselves.

The state of the art has improved since then but the general principles are
the same.

[0]: [https://docs.microsoft.com/en-
us/archive/blogs/david_leblanc...](https://docs.microsoft.com/en-
us/archive/blogs/david_leblanc/practical-windows-sandboxing-part-1)

[1]: [https://docs.microsoft.com/en-
us/archive/blogs/david_leblanc...](https://docs.microsoft.com/en-
us/archive/blogs/david_leblanc/practical-windows-sandboxing-part-2)

[2]: [https://docs.microsoft.com/en-
us/archive/blogs/david_leblanc...](https://docs.microsoft.com/en-
us/archive/blogs/david_leblanc/practical-windows-sandboxing-part-3)

~~~
bits_of_bytes
I believe some chromium sandbox logic came from GreenBorder
([https://en.m.wikipedia.org/wiki/GreenBorder](https://en.m.wikipedia.org/wiki/GreenBorder))
but I don't know the timeline of that or how GreenBorder sandboxing was
implemented.

------
CJefferson
I wish so much there were good cross-operating system sandboxing techniques.
So mamy problems in things like video decoders (which are hard to write fast
and safe) would be cured if I could easily pop them in a box with an input and
output stream.

This type of stuff is of course in browsers, and they are doing great work in
this area, it is just a shame it is hard for the rest of us to use.

~~~
xiphias2
Webassembly looks like an upcoming standard for sandboxing efficient code on
the server side as well. As it's well supported and it doesn't have a big
startup runtime cost, it looks like it has a real chance of success right now
(after many failed ones in the last 25 years).

~~~
londons_explore
Webassembly has a substantial performance hit for code containing hand-written
vector loops using specialized instructions.

Things like video encoders and decoders are _much_ slower in webassembly.

~~~
xiphias2
SIMD support is being worked on as far as I know, and this is a problem where
there is room for a lot of improvement in the future. Generally interfacing
between programming languages and systems efficiently, without too much data
conversion/memory management is a harder problem than adding more low level
programming support.

~~~
snazz
Yes, it looks like WASM SIMD has already shipped in V8. There are some
impressive demos on this page:
[https://v8.dev/features/simd](https://v8.dev/features/simd)

~~~
londons_explore
It's kinda lame that none of those demos even run at 60fps, let alone 120fps
on mobile for a real smooth experience, with lots of performance headroom for
more than a single feature at once...

------
amluto
This is one reason I much prefer Linux’s seccomp over Microsoft’s sandbox.
Microsoft’s depends on everything having just the right access control so you
can’t escape. Linux’s blocks the dangerous primitives entirely.

A seccomp-like mechanism on top of restricted tokens could be quite strong.
The GPU process could be denied the ability to query or modify processes
entirely. Similarly, it could be denied the ability to call
CreateProcessAsUser at all.

~~~
philsnow
I think an analogy is trying to get a complicated IAM permissions setup just
right, where you have some resource policies with NotPrincipal, some usage
policies with NotResource/NotAction, etc. It becomes really hard to think
about and you often rely on assumptions about the shape/structure of IAM
principals.

Or, you can slap a Service Control Policy on the whole account and then boom,
nobody can do Whichever Bad Thing that you're worried about Today.

The former approach requires me to reload the entire graph of dependencies and
assumptions into my head whenever I want to make a change or ask my mental
model of it a question. The latter approach allows nearly-reflexive answers.

------
namibj
This is very closely related to how seL4 [0] allows delegating (subsets of) a
processes own capabilities. The difference would be that this Windows kernel
code isn't formally verified to uphold it's security model to a level where
send-only capabilities are proven data-diodes (i.e., the sel4_Send() syscall
blocks (potentially indefinitely), and it's sel4_NBSend() silently drops the
message if the receiver isn't already waiting) a success/failure indication),
whereas seL4 comes with extensive proofs.

------
aledthemathguy
Excuse my ignorance but does this makes Chrome the safest browser on Windows?
Or do all Chromium-based browsers benefit from this sandboxed environment and
google's security measures?

Thx

~~~
ocdtrekkie
Edge would both have all the security work of Chrome (as it's a fairly close
fork) but all of the security improvements that Google refuses to add, such as
blocking third party tracking scripts and cookies. The latter part is where
you're most likely to find malware, so a browser that refuses to act on it is
not a secure browser. Firefox, Safari, Edge, and basically everyone but Chrome
have implemented significant blocking on third party scripting that Google
refuses to build into their browser.

Bear in mind, browser security comes from many levels. A sandbox escape first
requires that someone has gotten malicious code to execute in your browser.
And the first line of defense is blocking a lot of extraneous and harmful code
from running in the first place.

~~~
jedimastert
Can you talk abou wha kind of malware comes from JS scripts?

~~~
woodrowbarlow
here is a detailed look at one particular example:

[https://securelist.com/chrome-0-day-exploit-
cve-2019-13720-u...](https://securelist.com/chrome-0-day-exploit-
cve-2019-13720-used-in-operation-wizardopium/94866/)

------
bri3d
Using the cloned UI Access token to automate the Run dialog at the end of the
exploit chain is hilarious.

I really enjoyed reading this - thank you.

------
quezzle
Could someone tell me in Simple terms please?

~~~
KMag
My understanding:

There are these security token objects that are used to keep track of what a
process can and can't do. (Think of them as collections of capabilities.)

The design of the system is that you can create a less powerful child copy of
your security token (dropping capabilities), and assign this token to a child
process when you create that child. A process is free to change its security
token to be any child of its current token or any sibling of its current token
(plus a few other restrictions).

Someone screwed up a change to the Windows 10 kernel such that when the
browser creates a restricted child of its token, the less powerful token is
actually marked as a sibling of the browser's token, which is itself a sibling
of many other tokens in the system. This means that the token the browser uses
to create its child sandbox process has many unrestricted sibling tokens.

The rest of the exploit involves figuring out how to get a handle to a
security tokens that a few other processes make publicly available (sounds
very strange to me) and which aren't as restrictive as the security token used
to create the sandbox process.

If the sandbox's token were (correctly) a child of the main browser process's
token, then these other tokens found wouldn't be siblings of the sandbox's
token, and the sandbox process couldn't switch to using these security tokens.
However, because of the screwed up family tree of these tokens, the sandbox is
free to switch to these other security tokens.

~~~
gundmc
This was very clearly written, thank you.

------
bits_of_bytes
I've briefly professionally interacted with James and he's the real deal.
Super smart.

------
lewisj489
Good article but James just sounds salty throughout the post

~~~
tiraniddo
You can bet I'm salty. I do Windows research and I am a owner of the Chromium
Windows sandbox code so I have a vested interest in this.

The problem with dealing with Windows and by extension Microsoft is there's no
way of inspecting what they've changed from version to version other than by
RE or having test cases. However, we try and avoid writing unit tests for
behaviors Microsoft's responsible for, but of course in many cases MS don't
have those tests either so these things fall through the cracks.

~~~
amenod
> However, we try and avoid writing unit tests for behaviors Microsoft's
> responsible for,...

When you say "unit tests", this makes sense. But wouldn't it be wise to have
_integration_ tests in place that would guard against such regressions, either
in your code or Microsoft's?

~~~
tiraniddo
In Chromium we do have integration tests for the sandbox functionality as a
whole and unit testing but it doesn't cover things like this as we're testing
Chromium's ability to sandbox not whether the OS's primitives have broken. We
might notice if all of a sudden our sandbox stopped working, but for something
which only exhibits a problem when it's being actively circumvented we won't.

I can't speak to what MS do testing wise, considering the age of some of this
code it seems likely there's no test for this specific functionality otherwise
you'd assume it would have been noticed. Testing for security defects is
inherently difficult anyway, especially logical flaws where you don't get a
nice crash. This case is different but in general you usually need some
specific setup process to get the system into a vulnerable state which is hard
to achieve without knowing ahead of time the bug you were trying to detect.

------
mehrdadn
Does anyone else feel like if Windows was still a classic OS instead of "as a
service" then these types of changes would have a chance to get more scrutiny
during development and hopefully get caught?

~~~
SahAssar
Are you saying that these sort of changes were never part of a patch or
service-pack before Win10?

~~~
mehrdadn
Do you think it's sensible for me to make such a claim?

~~~
SahAssar
No, but that's what it sounded like you were doing.

