How well does the Sandbox (default Fully Virtualized level) do against malware that abuses the Spectre flaw on Intel processors? Assuming I have the Sandbox set to Fully Virtualized and am using a vulnerable processor.
Also, how does the Sandbox at Cruelsister settings (Fully Virtualized + restrictions set on RESTRICTED level) do against it?
Spectre and Meltdown are more like hardware issues, nothing to do with CIS or anything else, but CIS can block unknown/suspicious/malicious apps that use these flaws from being run. Just change the CIS settings: run unrecognized > restricted to blocked, and deny elevation requests
or
you can use the Paranoid Mode of HIPS, but I won't recommend that
As CPU side-channel attacks are now a known thing, this means that new exploits like Spectre etc. can be developed and will likely be an ongoing thing, with patches being released to try and mitigate attacks.
As CIS likely uses the Windows API, file permissions etc. to be able to provide the functionality for HIPS/Auto-Containment, these simply won't work in the first place if Windows is not fully patched to mitigate these types of attacks.
Therefore any Auto-Containment rule you set could in theory be bypassed by a CPU Side Channel attack if your OS is not fully patched, or if the exploit is not yet known about.
However, if you change the rule to Block unknown applications instead of Containing unknown applications then you are preventing the malicious code from running in the first place, thus potentially blocking the attack, if the attack originates from launching a file.
However, as code can still be run in Trusted applications such as web browsers, the Block rule can only protect against the attack being initiated directly from a file, and not within existing running processes.
HIPS will also potentially fail to prevent this type of malicious code from being able to access data outside of its process, as it again relies on Windows to provide the functionality for HIPS to work.
Summary:
Keep your OS fully patched - even better, also update your BIOS firmware if available
Run Virtually may not block it if Windows is already vulnerable to that type of attack
Block is better than Run Virtually for this type of attack
If you want the best protection, buy a new CPU and, again, make sure the BIOS firmware is up to date
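A way to check the first point of that summary on the Windows machine in question, as an added example that is not from this thread or from Comodo: it uses Microsoft's SpeculationControl PowerShell module (published on the PowerShell Gallery) and the FeatureSettingsOverride registry value that Microsoft documents for enabling/disabling the Spectre and Meltdown mitigations; the function name Get-MitigationGaps is my own.

```powershell
# Added example: report which speculative-execution mitigations Windows has
# available and actually enabled, so a missing OS patch or missing microcode
# (BIOS/firmware) shows up before relying on the sandbox or HIPS.
# Assumes: PowerShell 5.1 or later, Gallery access for Install-Module,
# and admin rights to read the Memory Management registry key.

function Get-MitigationGaps {
    if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
        Install-Module -Name SpeculationControl -Scope CurrentUser -Force
    }
    Import-Module SpeculationControl

    # Returns an object whose properties are named e.g. BTIHardwarePresent,
    # BTIWindowsSupportPresent, BTIWindowsSupportEnabled, KVAShadow..., L1TF...
    $status = Get-SpeculationControlSettings
    $gaps = @()

    foreach ($p in $status.PSObject.Properties) {
        # Hardware/microcode support missing: BIOS or CPU update needed.
        if ($p.Name -like '*HardwarePresent' -and $p.Value -eq $false) {
            $gaps += "$($p.Name) is False: microcode/firmware update needed"
        }
        # OS has the mitigation but it is not enabled: patch or policy gap.
        if ($p.Name -like '*WindowsSupportPresent' -and $p.Value -eq $true) {
            $enabledName = $p.Name -replace 'Present$', 'Enabled'
            if ($status.$enabledName -eq $false) {
                $gaps += "$enabledName is False: mitigation present but disabled"
            }
        }
        # OS support missing entirely: Windows is not patched.
        if ($p.Name -like '*WindowsSupportPresent' -and $p.Value -eq $false) {
            $gaps += "$($p.Name) is False: Windows update missing"
        }
    }

    # Microsoft's documented override: value 3 with mask 3 disables both the
    # Spectre variant 2 and Meltdown mitigations, even on a patched system.
    $mm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $ovr = Get-ItemProperty -Path $mm -Name FeatureSettingsOverride -ErrorAction SilentlyContinue
    if ($ovr -and (($ovr.FeatureSettingsOverride -band 3) -eq 3)) {
        $gaps += 'FeatureSettingsOverride explicitly disables the mitigations'
    }

    return $gaps
}

$gaps = Get-MitigationGaps
if ($gaps.Count -eq 0) { 'No mitigation gaps reported' } else { $gaps }
```

The "HardwarePresent is False" lines are the ones a BIOS update (or, failing that, the OS-delivered microcode mentioned later in the thread) is meant to fix; the "WindowsSupport" lines point at missing Windows updates.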
ReeceN has already named the most important facts. I would like to add a few more things.
There are two opposing views on the Spectre and Meltdown vulnerabilities: "Half as bad" or "Endless disaster." There are good arguments for both views. Essentially, however, the assessment depends on whether you use a PC or a notebook as a personal work or game device, or whether you operate a cloud computing center. Over the course of 2019, it has been confirmed that Spectre and Meltdown only increase the risk of malware attacks for very few "normal" PC users. Firstly, the attack options were severely limited by the mentioned updates; secondly, the attacks are very complicated; thirdly, they must be tailored for each processor; and fourthly, much easier-to-use vulnerabilities lurk on most Windows PCs. It is not surprising that no practical attacks via Spectre or Meltdown have been observed in the wild.
Reports on browser scripts are no longer correct, because browser manufacturers have reduced the timer resolution for scripts so that Meltdown attacks do not work. So websites do not provide the necessary support - the code of a JavaScript running on a web page is not a path into your system. A major problem for cloud data center operators is the Spectre Next Generation (Spectre NG) L1 Terminal Fault (L1TF) gap, because on such cloud servers numerous VMs run simultaneously on the same processor. A cloud user could run a malicious VM stealing data from other running VMs via L1TF.
The new processors expected by AMD and Intel in 2019 are not fundamentally free of Spectre gaps, but are no longer vulnerable to Meltdown and L1TF. As described by ReeceN, regular operating system and BIOS updates provide the best protection against the remaining and novel risks of Spectre-Meltdown attacks.
Whether CIS-HIPS recognizes the writing of areas in the memory, which are actually only released for reading, would be very interesting to learn.
Summary: Spectre and Meltdown are a problem for hosters, not for corporate networks or home users. :P0l
Thank you guys. I guess this is not much of a problem for a home PC then, since Mozilla and Chrome already implemented mitigation against Spectre abuse through JavaScript. I also run Comodo at Anti-Exe/Lockdown config, was just wondering how the Sandbox would do against Spectre-abusing malware.
My system is fully patched against Meltdown but not against Spectre, will have to upgrade to Windows 10 to get the new microcode for this CPU because ASUS haven’t released BIOS updates for this board since 2015.
Concerning a successful infection despite running in the sandbox, I would like to add that the Spectre-Meltdown attacks involve a targeted bypassing of sandboxes, which is possible due to the implemented functions.
Attackers bypass security mechanisms such as sandboxing or the separation between program code and user-supplied code (such as interpreter vs. script). During the processor’s out-of-order execution, the content of a memory cell is preliminarily read out of its own address space, which the calling process would normally be unable to access. The “preliminary readout” leaves an externally noticeable trace in the cache, even after the result of the speculative execution has been discarded. Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. Consequently, applications can access system memory. Spectre tricks other applications into accessing arbitrary locations in their memory. Both attacks use side channels to obtain the information from the accessed memory location.
If such a file is already in a sandbox and it does not manage to gain access to areas outside, and it can only read or write to virtual memory, nothing should happen. As the HIPS is well known to monitor access to memory, and also the memory access between different processes, a detection of this abnormal behavior would therefore also be quite possible. Finally, I cannot completely say whether it will be possible to get around or leave the Comodo Containment technology. But even if this were possible, there would be much to do and also to know for a successful attack, and first of all you would need to find or exploit a previously unpatched hardware-related vulnerability. As some intelligence services had to realize, it is extremely difficult to bypass ALL CIS protection components, and this should give us hope in every situation. :azn:
Indeed, who needs AV-Comparatives when we have such a statement from the NSA, and also Cruelsister, who is a former black hat, proved unable to bypass Comodo. I am glad I am one among the 'paranoid bastards'. Now we just need a similar statement from the Russian and Chinese secret services. ;D ;D ;D