LUA + SRP

Couldn’t help but smiling in appreciation and comfort at this post:

This guy basically wrote exactly what I would have written.

I’m just curious - who here actually uses LUA and/or SRP etc?

I don’t use SRP unless when I use Sbie you consider using sandboxie with restrictions? ;D

I personally prefer HIPS.

You guys should read about SuRun. By the way, I’m personally familiar with Windows XP only, although I read and hear people using LUA + SRP + SuRun in Vista and 7 also.

SuRun makes running in LUA much easier on Windows XP, with regards to programs which require administrator privileges.

Also, most things don’t require an administrator account to exculsively run. Trust me, I’m an “above average” user and I’ve been happily running in LUA for several months. Even my virtual machine program (VirtualBox) runs perfectly in the LUA.

EDIT: by the way, 2nd post here might be worth a read and some contemplation Kyle:
http://www.sandboxie.com/phpbb/viewtopic.php?t=6917

I use LUA and SRP on two PCs with WinXP Pro. However, SRP can be circumvented.
See Mark's Blog | Microsoft Learn
Therefore, I also use Defense+.

Now, I’m trying to figure out a security strategy for Win7 x64…

If no unauthorized programs can be run under SRP, how does gpdisable run?

If SRP is not set to disable DLLs it could run as a DLL and defence+ might not spot this if run by a “safe” application.

It could run as a macro in another application. Defence+ might not catch this if part of a “safe” application.

Regarding SRP i am inclined to believe wj32. He is a serious programmer and was not seen in a lofty phrases :-\

No, SRP is extremely powerful. The key thing is that if it can’t execute, it can’t infect! And SRP is brilliant at preventing all types of execution!

And regardless, wj32 was talking more about bypasses in the context of an attacker having direct physical access to your system. If this is the case, the attacker can basically do whatever he likes anyway, including physically destroy your computer haha.

LUA + SRP alone already provides 99.999999% of protection against real-world malware that you may encounter in your life time. Add in Sandboxie to the setup and you are pretty much “100%”.

For those who are moving or have moved to Windows 7, I’d recommend using AppLocker. Its mechanism of protection is similar to SRP, but the key difference is that its protection works at the kernel level. Therefore, wj32’s attempts at creating POCs even for an attacker that has direct physical access to your computer will fail miserably.

EDIT: please read this post and be enlightened (SRP can be configured further to be tighter than ever!):
https://forums.comodo.com/general-discussion-off-topic-anything-and-everything/windows-7-applocker-and-related-stuff-t54449.0.html

How do you know. I have not noticed a word in his post(s) about physical access to system :o

LUA + SRP alone already provides 99.999999% of protection against real-world malware that you may encounter in your life time. Add in Sandboxie to the setup and you are pretty much "100%".
Where are numbers from? Seems like you spin them out of thin air. Where are FACTS? Or at least references/links to some "case studies".
Therefore, wj32's attempts at creating POCs even for an attacker that has direct physical access to your computer will fail miserably.
"Miserably"? Not just fail, but "fail miserably", of course ;D

It’s just based on my reading of exploits of this kind - they often need to be very specifically targeted and always require direct physical access (meaning they need to run additional programs etc with your system manually). I don’t think there’s ever been an example of real-world malware which can bypass LUA + SRP remotely.

I was just trying to make a point. You don’t need to take my “numbers” literally, and you certainly don’t need to sound so antagonistic haha. Where are his facts too? And yours? I asked him to forward me an example of his POC to see if it could bypass Sandboxie + LUA + SRP + Hardware DEP and he just dodged it by mostly claiming there’s no point in discussing these types of things with non-programmers. And remember, you can configure your SRP to be even tighter so that programs that can run script executables (cmd.exe, wsrcipt.exe, cscript.exe) are blocked easily:
http://www.sandboxie.com/phpbb/viewtopic.php?p=49981#49981

Did you even read that thread? Besides, I was just trying to make a point. Have you actually tried setting up Sandboxie + LUA + SRP + Hardware DEP and tested it against real-world malware? I have, and nothing has bypassed it. Heck, nothing has bypassed just Sandboxie alone or LUA + SRP alone in my testings.

EDIT: by the way, since you asked, have a good read of these posts:

Coloured by me.

“Cardsharpers are beaten with candlesticks” (c)

Yes, I usually get this sort of reply eventually haha. I suspect you are just arguing and making antagonising statements for the sake of it. I’ve given a lot of examples and back-up in my statements. You have certainly not done the same so far.

Indeed. For me it is mostly a question of Belief. [speaking aside] Alas, wj32 did not upload a relevant test tool :-\ …but he mentioned the way to bypass SRP:

Besides, I was just trying to make a point. Have you actually tried setting up Sandboxie + LUA + SRP + Hardware DEP and tested it against real-world malware? I have, and nothing has bypassed it. Heck, nothing has bypassed just Sandboxie alone or LUA + SRP alone in my testings.
Sandboxie and Hardware DEP are irrelevant in this thread. As for testing, it does not prove anything. You bodily said in the past about "PoC" which could bypass SRP:

“Dismissing that as just a POC is just ridiculous. Have you got any proof that this technique can’t be used easily by malware?” (c) wj32

No, I don’t have any proof that this technique can’t be used easily by malware, but conversely, neither does wj32 that it can. Regardless, the points I have been trying to make are found in these posts:

The point is that there has never been evidence of remote code attacks that can bypass just LUA + SRP. Isn’t that what computer security is about anyway? Reducing the risk of getting attacked by real-world malware. Right? And since LUA + SRP has never been bypassed by real-world malware (or there are no examples of it, meaning they are exceedingly rare), SRP is indeed a very powerful tool to have in your security setup. And why not make use of it? It’s free and comes already built-in with your OS. It doesn’t take up any resources, and doesn’t cause conflicts.

Sure, if you’re paranoid, don’t just rely on SRP - add a program like Sandboxie. And that’s how Sandboxie (and Hardware DEP) are relevant in this thread. Security isn’t just a setup. It is also an approach.

Also, emphasising the importance of having a good security approach, have a think about the following:

  1. With just LUA + SRP, Didier Stevens’ POC’s (and dare I say, wj32’s) can theoretically be used by malware (even though there are no examples of real-world malware, period) to bypass it and cause problems to a computer system.
  2. If you are so paranoid (like me haha) as to want to provide extra protection for something that has never been seen in the real-world, follow the next point:
  3. Add in a containment level of protection, as suggested in this post:
    defensewall or Sandboxie versus LUA + SRP | Wilders Security Forums
  4. I personally use a well configured Sandboxie with the correct approach. What is this approach? Read on:
  5. Sandbox (contain) all malware threat-gates, including your web browser, chat messenger programs, USB and CD/DVD drives, etc etc. With Sandboxie, I also configure start/run/internet access restrictions. For example, IE 8 is forced to run in a sandbox where only iexplore.exe can start/run and access the internet.
  6. But then you point out that if you recover files on to your REAL system, it won’t be covered by Sandboxie! Well, at this point, LUA + SRP + Hardware DEP is of course still protecting you. But how to use the containment mechanism of protection at this stage?
  7. Simple - always open any newly introduced file with a sandboxed explorer.exe (easily done, and place the shortcut of this sandboxed explorer.exe on your QuickLaunch bar or similar for easy access).
  8. When in even greater doubt and if your paranoia levels have escalated to an extreme level (like me haha), also enable your system virtualiser (I use Shadow Defender) before downloading and recovering files on to your REAL system. This could additively help to prevent any harm from exploits like these: Quickpost: /JBIG2Decode Trigger Trio | Didier Stevens
  9. Of course, the correct approach if you’re really in doubt about whether a file is safe (particularly a file that is clearly an executable), is to always execute it in a full blown Virtual Machine (I use VirtualBox).
  10. But then I hear you paranoid ones getting concerned of theoretical scenarios like malware escaping the Virtual Machine environment?
  11. Well, the solution is to simply run your Virtual Machine sandboxed (I use Sandboxie for this when I am testing malware), and/or enable your system virtualiser (I use Shadow Defender) before testing the malware in your Virtual Machine. In this way, the malware will need to potentially bypass your Virtual Machine (I’ve never heard of any real-world malware that can do this, particularly if you run LUA + SRP) as well as Sandboxie and Shadow Defender.

Not sure how much these resources fit the ongoing discussion but can be considered relaled to some aspects mentioned throughout this topic:

Aside the technical details I guess most would agree that the bulk of malware/exploits/scams often focus on widespread OSses/features/applications/vulnerabilities/habits since (aside social engineering/targeted attacks) even cybercriminals could be assumed to take [abbr=Return On Investment]ROI[/abbr] in account (Hopefully they care more about money than to make a point about security practices :o)

I've given a lot of examples and back-up in my statements.
Where? Only Your opinions, links to not related threads, links to posts which message either "malware wich targets SRP is/could be very rare" or "real world SRP exploit is yet to be shown". These do not confirm/disprove anything.

Fair enough.

Thanks for the links - I’ve personally read them before, but it will be useful for others who are interested in this subject.

However, my view on bypassing LUA + SRP remains the same. In the above link on bypassing LUA + SRP, it requires a specific program to be executed, which is easily denied even with default SRP.

Yes, there’s nothing proving or dis-proving anything really, as there’s just no formal literature out there. However, what we know is that there is a lot of malware out there that have infected millions of people…and none reported or analysed have involved bypassing LUA + SRP. That sounds fairly convincing to me.

Indeed. Also please note that the above Sandboxie bypass has long since been patched, and needed very specific criteria (for example, if your spool service was not running or disabled, the bypass wouldn’t work).

However, to my knowledge, Sandboxie has never been bypassed when start/run restrictions are also configured. That’s how powerful this application can be.

And on a general note, the average reader may be getting frightened reading about these bypasses and exploits. The fact is that these are all generally very rare, and even more rare in the real-world scenario. Furthermore, LUA, SRP, DEP are not magic tools at all - they are simply built-in functions of your OS that you can/should take advantage of.

I did notice that Tzuk confirmed that the approach could have been used for other services whereas spooler service was one of them.

As much it might appear a very specific criteria that technique was probably meant to obtain NT AUTHORITY\SYSTEM privileges (privilege escalation).

It was also mentioned that malware did not deploy its payload if run in a Virtual machine though VM detection was something probably meant to make difficult for AV vendors to analyze it.

Though blocking the local execution of any executable carrying a payload will prevent what (such payload) was meant to achieve a DEP-aware remote exploits might not necessarily need to launch any executables and thus avoid SRP altogether.

Of course using intermediate executables could be considered to be a widespread pattern for malware authors.

Indeed keeping a computer turned off provides unfalterable protection as well but users might prefer some middle grounds:

For example they could disable SRP and use a sandbox to launch the executables (if their system support SRP and it is set to allow execution only from %windir% and %programfiles%).

Or choose to execute something outside a VM after a while perhaps convinced that such application would be safe (of course they should delete it if they noticie it to be malicious while running in the VM).

Of course no user would take any effort for something they will consider a rare event but it was a real world-scenario (probably not specifically meant for SandboxIE, even though a fix was issued).

Whereas source code to bypass DEP and SRP is available and even patches lead to the development of real worlds exploits (Exploit Wednesday), there is no doubt there are no magical tools out there.

Being UAC, ASLR and DEP enabled on many PCs malware and explots wll obviously take that in account even though nowadays rogue antiviruses or exploits for already patched vulnerabilities still prosper by leveraging on widespread bad habits:

Indeed users along with appropriate tools can still make a difference even without 99.999999% perfection.

Sandboxie it is of course a tool appreciated by many and perhaps you could consider to share you experience with it by also posting the full SBIE config/s you use.

Sure, but the point I was making was that it required quite a specific scenario. Also, you need to ask how the file or executable code gets on to your system in the first place. Of course nothing will protect you if you download and execute all files willy nilly with administrator rights and outside any virtual environment.

That’s exactly right. This technique has been around for several months now. Regardless, the correct security approach would be to only trust files (to the extent of running it on your REAL system) from a reputable source. Just like you wouldn’t buy (clean) bottled water off a beggar in the street - instead, you’d buy it from a reputable source like a supermaket. If there is any doubt, you can always test this water out on a different person and never actually have to drink it to see its effects. The same goes for testing potentially malicious software in a Virtual Machine.

Sure, and Didier Stevens has produced many POCs that can bypass SRP without using any direct executable code, but it often requires scripting executables for it to work, which are easily disabled with SRP. Furthermore, you need to ask yourself just how this executable code is going to get on to your system in the first place. Basically, every exploit of this sort that I have read are based on opening files that are of an Excel, Word or PDF format. So they all require the user to actually open the file. And again, you need to have a good security approach to prevent any harm from this. For example, always open any newly introduced file in a sandboxed explorer.exe.

I don’t see the point of mentioning someone who achieves 100% protection by never turning their computer on. As I have already mentioned, computer security is all about reducing the risk of getting infected. And you can reduce this risk to near 0% with very few third party solutions and by just utilising the built-in security of your Windows OS.

And again, nothing can save you if you are willing to risk running executable files from non-reputable sources on your REAL system. Of course, having a good imaging back-up program is the only solution at this stage - I forgot to mention it! I personally use Drive Snapshot. Amazing software I might add.

Sure, and how many bypasses have there been for Sandboxie in the last few years? You could count them on one hand. And every software has been bypassed before, including CIS. This is why I don’t just rely on LUA + SRP + Hardware DEP - I use Sandboxie also. I’ve never heard of malware bypassing all of a properly configured Sandboxie + LUA + SRP + Hardware DEP.

Again, there has never been documented real-world malware that can bypass LUA + SRP remotely (eg. drive-by infections by visiting a web-site). All we see are POCs which all at least require the user to manually open an infected file. Easily contained with an application like Sandboxie or Shadow Defender.

Sure, but very few take into account SRP or AppLocker (which is a major part of my security setup). By the way, I don’t think I’ve heard of any malware that can bypass AppLocker yet, but I’m sure I will soon enough haha.

Yes indeed. In fact, some of the most knowledgeable computer experts out there don’t run any real-time security programs at all - they simply just use their common sense and experience as well as a decent browser (like Opera).

Yes, I am in the process of writing up a security setup article to explain my signature. I might create a new thread for it, as it will be a very long post haha.