Application Sandboxes: A pen-tester’s perspective

I’m excited to announce a new research report from Bromium Labs, written by myself and Rafal Wojtczuk. It ended up being far more comprehensive than we initially thought, so we decided to call it ”Application Sandboxes: A Pen Tester’s Perspective”. In this report we perform security evaluation of publicly available application sandboxes viz: Google Chrome, Adobe Reader, Sandboxie, BufferZone Pro and Dell Protected Workspace.

To create some context, we are all aware of the deficiencies of traditional endpoint security technologies. There are a lot of vendors coming up with ideas and solutions to combat the malware challenge. What is the core issue? It’s simple – the attack surface, which is predominantly the Operating System (and installed apps) for any user. In this paper, we evaluate one of the the newer approaches – sandboxing and verify how well it stands up against real world threats.

The report is about pen-testing and we used and wrote several exploits in our research. However, we did not use any unknown zero days or even try to find vulnerabilities in any of the above mentioned products. That was not needed as the opportunities for attackers are huge already.

Hence, we just stuck to the basics and used exploits (some of which are not public) for known vulns to explore the architectural flaws of sandboxing technology – as you will see after reading the report, sandbox bypasses are unnervingly straightforward using vulnerabilities in the underlying OS.

Not to forget, if we ever encounter a vulnerability in any product, we are committed to responsible disclosure as we’ve always done in the past.

Below is a quick summary of the analysis:

The report is available here.

Will there be evaluation of more sandbox programs like the one in CIS or perhaps Shadow Defender?