View full version: Sandbox, Virtualization, and Lockdown Technology

Ultima Weapon
30.11.2007, 03:17
Sandbox, Virtualization, and Lockdown Technology

If you think of a sandbox as a "virtual workspace" the concept has been around a long time. A RAM drive is a virtual workspace, since upon reboot, nothing written to that drive remains.

One of the problems with the early RAM drives was the 32MB limitation of the Windows ramdrv.sys. An interesting product that was used for some time was vRamDir, a virtual RAM drive that could be as big as your available free RAM. Also, you could remap directories to it. It was common to load temp and cache directories into RAM on startup. Running applications in RAM was really fast. This was in the days before fast CPUs. We didn’t think of it so much for security, as for speed. For example, I knew programmers who compiled in a RAM drive.

In more recent times the technology has been incorporated as a security tool. A virtual PC is like a sandbox - any configuration changes on it have absolutely no effect on the host system, but are based on the host system's hardware.

A company called SoftGrid has its SystemGuard™ - "because applications bring their own set of configurations and run within a protective virtual run-time ‘sandbox,’ there is no dependency or effect on the configuration of the machine running them."

Windows Servers include this technology. From my WinServer2003 notes: "The new Software Restriction Policies (SRP) feature creates a virtual ‘sandbox’ that prevents unauthorized code execution."

Tiny firewall uses sandbox technology.

Another group of programs uses the ‘sandbox’ idea to protect the system. A sandbox is the use of a virtual container in which untrusted programs can be safely run.

Sandboxie is a true stand-alone sandbox program. Their site diagrams nicely how it works:

ShadowUser works on a similar principle, where the ‘ShadowMode’ creates a virtual volume:
http://www.shadowstor.com/products/ItemPage.aspx?ItemID=83&ProductID=4

RollBack Rx (http://www.horizondatasys.com/) claims to write-protect the HD and create 'Scratch Space'

The programs below use virtualization. It is a framework or methodology of dividing the resources of a computer into multiple execution environments, by applying one or more concepts or technologies such as hardware and software partitioning, time-sharing, partial or complete machine simulation, emulation, quality of service, and many others.

Returnil (http://www.returnilvirtualsystem.com/index_files/rvspersonal.htm) uses a powerful virtualization technology that completely mirrors your actual computer setup and it can create a virtual storage disk within your PC where you can save documents, data, and files while using the System Protection feature.

BufferZone’s (http://www.trustware.com/index.html) revolutionary virtualization technology creates an isolated zone on your PC, which separates your operating system and confidential data from unknown programs, downloads and files. Unlike anti-virus and anti-spyware software, BufferZone Free requires no signature updates at all, while protecting your PC against spyware, adware and viruses - even new and yet unknown ones downloaded using your P2P, Web browser or instant messaging software.

The programs below use lockdown. Lockdown pertains to a state of containment or a restriction of progression. You could almost say that it freezes time.

Deep Freeze (http://www.faronics.com/html/DFStd.asp) - 'locks down' the system but doesn't use virtualization. Deep Freeze = locked volume content, changes revert on restart, can only change content in a thawed state. Once changed in a thawed state, that's the content moving forward. Deep Freeze instantly protects and preserves baseline computer configurations. No matter what changes a user makes to a workstation, simply restart to eradicate all changes and reset the computer to its original state - right down to the last byte.

First Defense ISR (http://www.raxco.com/products/FDISR/fdisr_features.cfm) = Take system snapshots (akin to snapshots on a VM) and boot to any of them. Any snapshot can be used as a live system. Can revert to any previous snapshot state. Think of it as akin to keeping an online jukebox of system drives and being able to choose any one you want via a preboot menu. Downside is that the current program is being replaced by the only distributor of the product (Horizon Data Systems) with a version that allows retention of a single snapshot only. More mass market potential. Also, the freeze option (similar to Deep Freeze) is gone on the current HDS release. I think they stop selling the full FD-ISR Workstation at the end of this month.

Both work. Deep Freeze is designed for a static system with forced restoration on any restart and takes minimal HDD space. FirstDefense-ISR is designed for immediate restoration of a dynamic system in which states are preserved across restarts, but can be bumped by a forced snapshot change or restoration. Snapshots take a bit of space (a few to maybe 10 GB depending on what your machine looks like and how you take a snapshot). Cost per seat is different as well.

These types of programs are becoming popular as the foundation of a security system. Each program works on different principles and levels of restriction.
Some people admit that they run such a program + firewall and little else.

This evening in the AntiMalware by Trustware thread (http://www.wilderssecurity.com/showpost.php?p=570651&postcount=27) Eyal Dotan, the author & CTO of AntiMalware, wrote:

...what AntiMalware's BufferZone does is virtualize untrusted processes "Write" access to FileSystem & Registry

For those who have experienced problems and conflicts with various ‘sandbox,’ ‘lock-down’ or ‘virtualization’ programs, most people using them (ShadowUser and Deep Freeze especially) stress starting with a clean system. I would uninstall all AV/AT etc programs, then install SU, AM, Sandboxie or whatever - use that as the foundation - and then add other programs to see at what point you have conflicts.
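
A minimal model of the write redirection described in the Eyal Dotan quote above, combined with the discard-on-restart behaviour described for Deep Freeze. This is an added illustration, not part of the thread and not the implementation of any product named in it; `WriteRedirector`, `demo` and the sample file contents are constructed for the example.

```python
import os, shutil, tempfile

class WriteRedirector:
    """Toy copy-on-write layer: reads fall through to the protected tree,
    writes from the untrusted side land only in a disposable overlay."""

    def __init__(self, protected_root):
        self.root = os.path.realpath(protected_root)
        self.overlay = os.path.realpath(tempfile.mkdtemp(prefix="overlay-"))

    def _safe(self, base, rel):
        # Reject paths that resolve outside the tree (e.g. "../x"); without
        # this check a redirected write could still reach the real disk.
        full = os.path.realpath(os.path.join(base, rel))
        if os.path.commonpath([full, base]) != base:
            raise PermissionError(rel)
        return full

    def write(self, rel, data):
        path = self._safe(self.overlay, rel)   # never self.root
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)

    def read(self, rel):
        # Overlay first, so the sandboxed process sees its own changes.
        for base in (self.overlay, self.root):
            path = self._safe(base, rel)
            if os.path.isfile(path):
                with open(path, "rb") as f:
                    return f.read()
        raise FileNotFoundError(rel)

    def discard(self):
        """'Restart': drop the overlay; the protected tree was never touched."""
        shutil.rmtree(self.overlay)
        os.mkdir(self.overlay)

def demo():
    root = tempfile.mkdtemp(prefix="protected-")
    with open(os.path.join(root, "hosts"), "wb") as f:
        f.write(b"127.0.0.1 localhost\n")          # constructed baseline file
    box = WriteRedirector(root)
    box.write("hosts", b"10.0.0.9 example.test\n")  # untrusted modification
    box.write("dropped.bin", b"\x00")               # untrusted new file
    seen_inside = box.read("hosts")
    with open(os.path.join(root, "hosts"), "rb") as f:
        on_disk = f.read()
    created_on_host = os.path.exists(os.path.join(root, "dropped.bin"))
    box.discard()
    return seen_inside, on_disk, created_on_host, box.read("hosts")
```

Inside the layer the modified `hosts` file is visible, while the protected copy on disk stays at its baseline and the new file never appears there; after `discard()` the sandboxed view matches the baseline again.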

07.12.2007, 15:57
Now that everybody has understood each other, I will clean the thread of off-topic posts (in the evening, so everybody will be able to read a message addressed to him)

07.11.2008, 16:42

Disk Write Copy (http://www.diskwritecopy.com), 1.x product line, is software for immediate system and file rollback based on proprietary shadow disk technology. It reliably protects the hard disk from accidental and intended changes.

When system disk protection is active, Disk Write Copy allows you to stop using antivirus and registry cleaning software by protecting the system and the user's personal files from potential harm. Thanks to automatic rollback, which doesn't require any additional actions by the user, the software greatly benefits over standard backup solutions. Rollback takes only a few seconds, regardless of the protected disk size, and doesn't require additional disk space allocation.

When you boot your computer the next time you can be sure that:
- The computer is free from viruses, worms, trojans, spyware and any malicious code
- The operating system and all files are in exactly the same state as you saved them
- There is no usage history stored for the previous session
- All harmful activities performed by users (e.g. kids) during the previous session are eliminated
- Deleted or corrupted data on protected disk remains intact

The Disk Write Copy 1.x product line fully supports Vista OS, including the 64-bit edition.