keepassxreboot / keepassxc

KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.
https://keepassxc.org/

Add win32 sandboxing #9628

Open hj-collab opened 1 year ago

hj-collab commented 1 year ago

Hi,

Windows has introduced sandboxing for classic Win32 applications. It will drastically improve the security of Windows users and prevent any vulnerability in KeePassXC from harming the system, as the process will be isolated.

Build instructions are given here: https://github.com/microsoft/win32-app-isolation

droidmonkey commented 1 year ago

This may not be possible for us without breaking core features like autotype and browser integration. It is also in public preview.

The other thing that caught my eye is that this doesn't protect the app, per se; this is about protecting the system. If you are worried about KeePassXC infiltrating your system, then why are you using us?

hj-collab commented 1 year ago

@droidmonkey Hi Jonathon, thank you for your prompt reply. I hope you can take a closer look once it is out of public preview.

It's not about you / your team / KeePassXC infiltrating the system. It's to prevent a malicious app / code from exploiting KeePassXC to gain control of the system. All sandboxes work this way only.

The normal KeePassXC app runs with admin privileges, and therefore any malicious app can try to exploit the admin privileges of your app.

The portable version, which does not run with admin privileges, can still be exploited to gain control of the file system of the OS.

A sandboxed app will access the KeePass database via a file picker or a whitelisted folder for KeePass, which can be the folder where you store the DB.

KeePassXC is one of the most trusted apps on my devices. Your certificate is whitelisted via WDAC. So it will be great if the app can be sandboxed to prevent any malicious app from exploiting it directly or via any bundled libraries.

I wonder if the flatpak / snap version works without any trouble for browser integration and autotype? I believe there must be different levels of sandboxing applicable for the win32 sandboxing which KeePassXC might use to retain these features.

droidmonkey commented 1 year ago

I read the entire documentation including the blog post detailing how it works. I am not convinced, and Microsoft did not state, that this actually protects the app itself from attacks.

> It's to prevent a malicious app / code from exploiting KeePassXC to gain control of the system. All sandboxes work this way only.

Not true. Sandboxes typically restrict the app from accessing OS (kernel) APIs such as file opening and clipboard. There is nothing that I read that makes this application isolation, which would mean it is running in a totally different context than the current user. In fact, this Win32 isolation puts the app at a lower security threshold than the user space, which means user-land apps can take control of it. You might be thinking of Windows Sandbox (which this is not): https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview

> Normal KeePassXC app runs with admin privileges and therefore any malicious app can try to exploit the admin privileges of your app.

No it doesn't. It runs at the level of permissions of your user account like every other app you are using. Now if you are logged in as an administrator then yes, of course, the app would be running with admin privileges.
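The exchange above turns on a checkable fact: at what privilege level a given process token actually runs. The following PowerShell script is an added example (not KeePassXC project code and not from this thread) that reads a running process's token and reports its integrity level, whether it is elevated, and whether it runs inside an AppContainer, which is the foundation Microsoft's win32-app-isolation is built on. It assumes Windows 10/11 with PowerShell 5.1 or later and uses the process name `KeePassXC` only as a placeholder; the Win32 constants and P/Invoke signatures are the documented ones from advapi32/kernel32.

```powershell
# Added example: inspect a process token to see the level it really runs at.
# Expected on an ordinary desktop: a non-elevated app shows Medium integrity,
# an app launched via "Run as administrator" shows High, an AppContainer
# (isolated) app shows Low with AppContainer = True.
param([string]$ProcessName = 'KeePassXC')   # placeholder name, pass any process

Add-Type -Namespace Win32 -Name Token -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(IntPtr token, int infoClass, IntPtr info, int length, out int returned);
[DllImport("advapi32.dll")]
public static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
[DllImport("advapi32.dll")]
public static extern IntPtr GetSidSubAuthority(IntPtr sid, int index);
[DllImport("kernel32.dll")]
public static extern bool CloseHandle(IntPtr handle);
'@

function Get-ProcessTokenInfo {
    param([int]$ProcessId)
    $PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
    $TOKEN_QUERY          = 0x0008
    $TokenElevation       = 20   # TOKEN_INFORMATION_CLASS values
    $TokenIntegrityLevel  = 25
    $TokenIsAppContainer  = 29
    $M = [Runtime.InteropServices.Marshal]

    $hProc = [Win32.Token]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $ProcessId)
    if ($hProc -eq [IntPtr]::Zero) { throw "OpenProcess failed for PID $ProcessId" }
    $hTok = [IntPtr]::Zero
    if (-not [Win32.Token]::OpenProcessToken($hProc, $TOKEN_QUERY, [ref]$hTok)) {
        [void][Win32.Token]::CloseHandle($hProc); throw "OpenProcessToken failed for PID $ProcessId"
    }
    try {
        # TokenElevation and TokenIsAppContainer each return a single DWORD.
        $len = 0
        $buf = $M::AllocHGlobal(4)
        [void][Win32.Token]::GetTokenInformation($hTok, $TokenElevation, $buf, 4, [ref]$len)
        $elevated = $M::ReadInt32($buf) -ne 0
        [void][Win32.Token]::GetTokenInformation($hTok, $TokenIsAppContainer, $buf, 4, [ref]$len)
        $appContainer = $M::ReadInt32($buf) -ne 0
        $M::FreeHGlobal($buf)

        # TokenIntegrityLevel returns a TOKEN_MANDATORY_LABEL whose first field
        # is a pointer to the label SID; the integrity RID is its last sub-authority.
        $len = 0
        [void][Win32.Token]::GetTokenInformation($hTok, $TokenIntegrityLevel, [IntPtr]::Zero, 0, [ref]$len)
        $buf = $M::AllocHGlobal($len)
        if (-not [Win32.Token]::GetTokenInformation($hTok, $TokenIntegrityLevel, $buf, $len, [ref]$len)) {
            throw "GetTokenInformation(TokenIntegrityLevel) failed"
        }
        $sid   = $M::ReadIntPtr($buf)
        $count = $M::ReadByte([Win32.Token]::GetSidSubAuthorityCount($sid))
        $rid   = $M::ReadInt32([Win32.Token]::GetSidSubAuthority($sid, $count - 1))
        $M::FreeHGlobal($buf)
    } finally {
        [void][Win32.Token]::CloseHandle($hTok)
        [void][Win32.Token]::CloseHandle($hProc)
    }

    # Documented mandatory-label RIDs (SECURITY_MANDATORY_*_RID).
    $integrity = switch ($rid) {
        { $_ -lt 0x1000 } { 'Untrusted' }
        { $_ -lt 0x2000 } { 'Low' }
        { $_ -lt 0x3000 } { 'Medium' }
        { $_ -lt 0x4000 } { 'High' }
        default           { 'System' }
    }
    [pscustomobject]@{
        ProcessId    = $ProcessId
        Integrity    = $integrity
        IntegrityRid = ('0x{0:X}' -f $rid)
        Elevated     = $elevated
        AppContainer = $appContainer
    }
}

# Report every running instance of the requested process.
Get-Process -Name $ProcessName -ErrorAction Stop | ForEach-Object {
    $info = Get-ProcessTokenInfo -ProcessId $_.Id
    $info | Add-Member -NotePropertyName Name -NotePropertyValue $_.ProcessName -PassThru
}
```

Run it from a normal (non-elevated) PowerShell window; a non-elevated caller can still query the limited token information of an elevated process, so the script works for either case. The `Integrity` and `AppContainer` columns together distinguish the three situations discussed in the thread: an ordinary user-level process, an elevated one, and one running under AppContainer-based isolation.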

droidmonkey commented 1 year ago

> I wonder if the flatpak / snap version works without any trouble for browser integration and autotype? I believe there must be different levels of sandboxing applicable for the win32 sandboxing which KeePassXC might use to retain these features.

This solution is actually very similar to the snap and flatpak solutions. It is much more about limiting the app itself from accessing system resources than protecting/isolating the application runtime itself. Flatpak and Snap require a significant number of holes to be punched through the 'sandbox' in order for us to function properly. You should really just look at those options as packaged deployment solutions with a little bit of sandboxing.

droidmonkey commented 1 year ago

I tried to build an isolated package twice and it won't open after making all the edits necessary by the instructions:

[screenshot: error shown when the isolated package fails to open]

This still needs to mature.

hj-collab commented 1 year ago

@droidmonkey Thanks for the feedback and for testing it out, Jonathon. It would be better if you could open an issue at the MS repo, so they can track and fix the bug.