sandboxie-plus / Sandboxie

Sandboxie Plus & Classic
https://Sandboxie-Plus.com
GNU General Public License v3.0

Req: Security feature, Terminate process if CPU/GPU Use above Threshold over Timeframe #592

Closed rugabunda closed 3 years ago

rugabunda commented 3 years ago

A security feature to terminate or pause a process if it rises above a set CPU/GPU usage threshold over a set timeframe can prevent escalation and lateral movement of zero-day cryptomining malware, malware that targets JIT compilers, buffer overflows, side-channel attacks, password hash attacks, bit-flipping Rowhammer-style attacks, and other CPU-intensive exploits. Pausing can also give researchers an opportunity to discover what kind of malware is affecting their process.

This can also help prevent high power bills and a slowed computer.
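As an added example (not Sandboxie's code and not from anyone in this thread), here is a Python sketch of the requested policy: the CPU time of every process in one box is aggregated, normalised by core count, and the box trips only when the mean share over a sliding window stays above the threshold, so a short burst does not count as an anomaly. The snapshot format (pid to cumulative CPU seconds, as GetProcessTimes would report on Windows), the class and function names, and the two sample traces are constructed assumptions.

```python
from collections import deque
from statistics import fmean
from typing import Deque, Dict, List, Optional, Tuple

Snapshot = Dict[int, float]  # pid -> cumulative CPU seconds (user + kernel)

class SandboxCpuWatchdog:
    def __init__(self, threshold: float, window_s: float, cores: int) -> None:
        self.threshold = threshold  # fraction of the whole machine, 0.5 == 50 %
        self.window_s = window_s    # how long the load must be sustained
        self.cores = cores          # normalise: all cores busy == share 1.0
        self._last: Dict[int, Tuple[float, float]] = {}   # pid -> (t, cpu_s)
        self._hist: Deque[Tuple[float, float]] = deque()  # (t, share)

    def sample(self, t: float, snap: Snapshot) -> str:
        """Feed one snapshot of every process in the box, taken at wall time t.
        Returns 'ok' or 'trip' (the caller then pauses or terminates the box)."""
        busy = 0.0
        for pid, cpu_s in snap.items():
            prev = self._last.get(pid)
            if prev is not None and t > prev[0]:
                # CPU seconds burned per wall second since the previous sample
                busy += max(0.0, cpu_s - prev[1]) / (t - prev[0])
            self._last[pid] = (t, cpu_s)
        for pid in list(self._last):  # forget processes that have exited
            if pid not in snap:
                del self._last[pid]
        self._hist.append((t, busy / self.cores))
        while t - self._hist[0][0] > self.window_s:  # keep only the window
            self._hist.popleft()
        covered = t - self._hist[0][0] >= self.window_s
        mean_share = fmean(share for _, share in self._hist)
        return "trip" if covered and mean_share >= self.threshold else "ok"

def first_trip(wd: SandboxCpuWatchdog, trace: List[Tuple[float, Snapshot]]) -> Optional[float]:
    """Replay a (t, snapshot) trace and return the time of the first trip, if any."""
    for t, snap in trace:
        if wd.sample(t, snap) == "trip":
            return t
    return None

# Constructed traces for a 4-core box sampled once per second (not real data).
# SPIKE: pid 1 pegs all four cores for 2 s, then idles (cumulative CPU seconds).
SPIKE = [(t, {1: min(4.0 * t, 8.0)}) for t in range(15)]
# SUSTAINED: pids 1 and 2 each keep two cores busy for the whole run.
SUSTAINED = [(t, {1: 2.0 * t, 2: 2.0 * t}) for t in range(15)]
if __name__ == "__main__":
    for name, trace in (("spike", SPIKE), ("sustained", SUSTAINED)):
        print(name, first_trip(SandboxCpuWatchdog(0.5, 10.0, 4), trace))
```

With a 50 % threshold over 10 s, the spike trace never trips while the sustained trace trips at t = 10, the first moment the window is fully covered.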

Rngexile commented 3 years ago

At first thought, very nice idea imho, and could even be a dedicated security application for all the system, not only for Sandboxie-plus. I wonder if there are already behaviour security applications using that idea.

Practically, how would you see the configuration of this security feature in the context of Sandboxie?

What would be your recommendations for power users and researchers? How to configure interesting and meaningful thresholds for usual applications (browsers, email clients, office suite, online game?, image/video/audio players & editors, any application with internet access?, any application that has to use external/not personal files, ...) weighted according to hardware capabilities? (let's say the malware can execute itself in the context of the box, for whatever reason)

rugabunda commented 3 years ago

> could even be a dedicated security application for all the system, not only for Sandboxie-plus. I wonder if there are already behaviour security applications using that idea.

My thoughts exactly. Having a dedicated app would be useful for software not currently running within Sandboxie. It's just a simple learning model of watching your application's average CPU/GPU usage, and anything anomalous over a general timeframe you blacklist, and through trial and error you find what is usable; a dedicated learning model that monitors this and automatically notes anything anomalous, especially with AI, would be useful for detecting many zero-day side-channel attacks, or bugs. This would be great as a dedicated malware sandbox to help ensure malware cannot escape to higher-level privileges through hardware exploits, hash cracking, crypto mining, and side-channel attacks on chipsets, memory, and other hardware. Web browsers would benefit the most.

DavidXanatos commented 3 years ago

As you rightly write, this would better be a standalone tool for all processes in the system.

rugabunda commented 3 years ago

> As you rightly write, this would better be a standalone tool for all processes in the system.

Sandboxie would be better off with it than without it.

DavidXanatos commented 3 years ago

> As you rightly write, this would better be a standalone tool for all processes in the system.

> Sandboxie would be better off with it than without it.

And why not add our own secure Tor browser and media player while we are at it ;)

Tools should have a defined scope, and for other functionality new tools should be developed.

diversenok commented 3 years ago

I like your suggestion, but I think you have a slightly wrong perspective on it.

Most zero-days happen in an instance; you won't detect them by merely measuring the CPU load. I don't think it can help even against ransomware — encrypting files is usually an I/O-bound rather than a CPU-bound operation. It should prevent fuzzing, but I won't rely on it as a security measure.

What we can do is implement a per-sandbox CPU throttling. Sandboxie has a unique opportunity for reliably suspending a group of processes. Usually, you would use NtSuspendProcess, but it has inherent race conditions — two threads resuming each other in a tight loop can easily overpower it. Sandboxie, however, puts all processes in a job. Hence, it can freeze the entire sandbox quickly and reliably using the JobObjectFreezeInformation info class.

NewKidOnTheBlock commented 3 years ago

What if I want to run a well-multithreaded game that actually makes good use of all the CPU cores and GPU shaders it can muster?

Also: you can easily tell if Sandboxie is active or not. If it keeps on running and running despite the fact that you already terminated the sandboxed program, that is a dead giveaway.

rugabunda commented 3 years ago

> As you rightly write, this would better be a standalone tool for all processes in the system.

> Sandboxie would be better off with it than without it.

> And why not add our own secure Tor browser and media player while we are at it ;)

> Tools should have a defined scope, and for other functionality new tools should be developed.

I would suggest encrypted sandboxes instead, but that would be logical.

rugabunda commented 3 years ago

> Most zero-days happen in an instance; you won't detect them by merely measuring the CPU load. It should prevent fuzzing, but I won't rely on it as a security measure.

"Most" does not mean "all." This could certainly help to prevent cryptominers, Rowhammer-style attacks and similar CPU-intensive exploits. The great thing about this is it has the potential to prevent exploits in a unique way that, being zero-day, or perhaps old sophisticated attacks, nothing else can.

It's a perfect fit for Sandboxie, sandboxing CPU usage % within a set parameter. Also this can help to reduce CPU/GPU and power usage.

> What if I want to run a well-multithreaded game that actually makes good use of all the CPU cores and GPU shaders it can muster?

Then why bother using this for a game? The best implementation would be to have a per-sandbox feature. It would be difficult to implement in a game without learning models. I imagine in the future high-tech security systems will use AI to create learning models (kind of like a whitelist learning mode) that would monitor for usual activity and report anomalies and phenomena in CPU/GPU usage of various processes, and turn many other sensors and performance monitors into actionable data, and that learns from false positives. For the foreseeable future I imagine such features will probably be pursued by military and intelligence because unfortunately that's where all the money is. Perhaps the program will write itself after reading this. Not being a coder, I'll probably have to wait until AI gains this level of sophistication.

Rngexile commented 3 years ago

Without playing with the code of ProcessHacker/TaskExplorer/Sandboxie to supervise CPU/GPU/IO use and have a proper terminate/suspend/freeze process, a simple user could try Process Lasso (watchdog advanced rules) for CPU/memory (not GPU) usage monitoring and terminate processes on triggers (or try to suspend processes on triggers with pssuspend from Sysinternals). PL has logging capabilities to analyse process behavior before configuring the triggers and actions. PL is not a security application and could not work well with Sandboxie.

rugabunda commented 3 years ago

> As you rightly write, this would better be a standalone tool for all processes in the system.

> Sandboxie would be better off with it than without it.

> a simple user could try Process Lasso (watchdog advanced rules)

I have tested Process Lasso for this very purpose and I did not see any feature that allowed this, but I'm not sure I checked out the advanced watchdog rules. I will look further into that, thanks Rngexile.