sandboxie-plus / Sandboxie

Sandboxie Plus & Classic
https://Sandboxie-Plus.com
GNU General Public License v3.0

What does Sandboxie-Plus to protect users on a technical level? #358

Closed bastik-1001 closed 3 years ago

bastik-1001 commented 3 years ago

What kind of defenses are in place to make the software secure?

Like protection against exploits, buffer-overflows, code injections. Input validation.

DavidXanatos commented 3 years ago

Sandboxie does not make 3rd party software secure, it just locks it into a sandbox out of which they can't permanently modify the host system.

So if there is a buffer-overflow in some software it will still be there and if it could be exploited it still will be exploitable, but when it gets exploited the adversary won't be able to compromise the host OS.

For example two applications inside the same sandbox can inject code into each other but they can't inject code into any process running outside their particular sandbox.

bastik-1001 commented 3 years ago

Sorry, I was not clear enough; I meant what does Sandboxie-Plus do to protect itself from something trying to escape the sandbox.

Not running malware intentionally, but when a process gets exploited and then the malicious code would try to get out of any sandbox it is in.

DavidXanatos commented 3 years ago

You mean how is the sandbox isolation implemented on a technical level?

Processes started under Sandboxie's supervision are created with a very restricted user token, such that they basically don't have the right to access almost anything. In this state they would be pretty much useless and would crash right away. In a next step Sandboxie tries to repair that by hooking most ntdll.dll syscalls and replacing them with a redirection to the own SbieDrv driver. The driver then evaluates the calls and enforces the sandboxing rules, i.e. no write access outside the sandbox and no read access to closed resources. When a malicious application would unhook ntdll.dll, i.e. try to use direct syscalls to the Windows kernel, the kernel would see the restricted user token and operations would fail with an access denied. Not all functionality can be restored this way, so Sandboxie also hooks a myriad of other functions in standard Windows DLLs providing workarounds, and redirects through the helper service SbieSvc, although sometimes it also just opts for disabling some functionality outright.

The file system and registry virtualization is implemented on the user level in SbieDll; it is responsible for combining the data from the real system with the ones from the sandbox and for properly redirecting all access attempts. If that mechanism is improperly bypassed it results in an access denied error.
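To make the two-layer argument above concrete, here is a small added model (not Sandboxie's code) of the user-mode redirection layer sitting in front of a kernel that only checks the token: the sandbox root, the closed path and the file names are constructed for the example.

```python
"""Simplified model of the two enforcement layers described above.
Constructed example; paths and rule names are illustrative, not Sandboxie's."""
from dataclasses import dataclass

BOX_ROOT = "C:/Sandbox/DefaultBox"        # assumed sandbox root (constructed)
CLOSED = ("C:/Users/me/Secrets",)        # assumed closed paths: no read at all (constructed)

@dataclass
class Token:
    restricted: bool                      # restricted token handed to sandboxed processes

class Kernel:
    """Models the OS kernel, the last line of defence: it checks only the token."""
    def __init__(self, host):
        self.files = dict(host)           # host files and sandbox copies share one namespace
    def write(self, token, path, data):
        if token.restricted and not path.startswith(BOX_ROOT):
            raise PermissionError("access denied: restricted token")
        self.files[path] = data
    def read(self, token, path):
        return self.files[path]

class SbieDll:
    """Models the user-mode layer: merges views, redirects writes, enforces rules."""
    def __init__(self, kernel, token):
        self.k, self.t = kernel, token
    def _box(self, path): return BOX_ROOT + "/" + path.replace(":", "")
    def _closed(self, path): return path.startswith(CLOSED)
    def read(self, path):
        if self._closed(path): raise PermissionError("closed path")
        try: return self.k.read(self.t, self._box(path))   # sandbox copy wins
        except KeyError: return self.k.read(self.t, path)   # otherwise the host view
    def write(self, path, data):
        if self._closed(path): raise PermissionError("closed path")
        self.k.write(self.t, self._box(path), data)         # copy-on-write into the box
        return self._box(path)

def demo():
    kernel = Kernel({"C:/Users/me/notes.txt": "host", "C:/Users/me/Secrets/key": "s"})
    dll = SbieDll(kernel, Token(restricted=True))
    boxed = dll.write("C:/Users/me/notes.txt", "edited")
    results = {"host_unchanged": kernel.files["C:/Users/me/notes.txt"],
               "box_copy": kernel.files[boxed],
               "merged_read": dll.read("C:/Users/me/notes.txt")}
    try: dll.read("C:/Users/me/Secrets/key")
    except PermissionError as e: results["closed_read"] = str(e)
    # A process that unhooks the user-mode layer and calls the kernel directly:
    try: kernel.write(Token(restricted=True), "C:/Users/me/notes.txt", "x")
    except PermissionError as e: results["direct_write"] = str(e)
    return results
```

The last two checks are the point of the thread: a closed path is refused in the user-mode layer, and a direct call that skips that layer is refused by the token check alone.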

achillez commented 3 years ago

Thanks for the info! A somewhat related question, is Sandboxie audited or reviewed in some manner to ensure some 3rd party library hack (i.e., like SolarWinds) doesn't infect the binary? I don't use it for mission critical security but curious if this security vector is a concern.

I've used sandboxie for years and really like it. Excellent work here @DavidXanatos

typpos commented 3 years ago

I added David's description to the documentation. Home > Technical Aspects > IsolationMechanism. Should become visible once/if David accepts the pull request. https://davidxanatos.github.io/sandboxie-docs/

There is also some additional info about isolation here: https://DavidXanatos.github.io/sandboxie-docs/Content/SandboxHierarchy.html

bastik-1001 commented 3 years ago

This is basically what I tried to ask for; I am happy with that information.