Was the Chrome Browser Sandbox Cracked?

Security researchers claim they have managed to bypass the sandbox protection and exploit a PC through the Google Chrome browser. Vupen Security revealed that it has done what hackers and researchers have failed to do for three consecutive Pwn2Own contests–even when Google put up a $20,000 reward for a working exploit. However, there is growing speculation that the exploit used by Vupen may not actually circumvent the Chrome sandbox after all.

Vupen Security has a video clip demonstrating the attack. It circumvents the Chrome sandbox, as well as the DEP and ASLR security features in Windows, and exploits zero-day vulnerabilities discovered by Vupen to execute silently with no indication to the user. Vupen says the attack works on all Windows PCs–both 32 and 64-bit.

Anup Ghosh, founder and chief scientist for Invincea, says that it should not come as any big surprise that the Chrome browser sandbox was cracked. “The Google Chrome Sandbox only encapsulates part of the Google Chrome browser, specifically the rendering engine. The exploit either found a flaw in this sandbox code or design, or the exploit used a flaw in software called from outside the sandbox, of which there is considerable attack surface area both within the browser and within the operating system libraries Chrome calls.”

However, a source within Google tells me that Vupen has not yet shared details of how the attack is executed, and there is speculation among security experts that Vupen may actually have exploited a bug in Flash, which is not entirely sandboxed in the Chrome browser. If that is the case, then strictly speaking Vupen has not cracked the Chrome sandbox.

But, if Vupen did manage to break out of the sandbox, the Chrome browser would not be the first sandbox protection to be bypassed. Other sandbox implementations such as the sandbox in Adobe Reader X have been circumvented as well. So, what does this mean for IT admins and consumers? Is sandbox protection useless?

Andrew Storms, director of security operations for nCircle, says “Sandboxes are a valuable security feature. Every layer of security has value, but every security provision will be cracked at some point. You have to remember that this is a duel of adversaries, and we are always working to be a few steps ahead of increasingly sophisticated attackers.”

Dave Marcus, director of security research and communications for McAfee Labs, explains, “Many sandboxes do eventually get circumvented and bypassed by certain techniques but they are still needed defenses against browser-based malware and exploits.”

Storms notes that the attackers have the advantage because they can use tools like fuzzers that automatically generate different attack strategies until a weakness is discovered. Using a fuzzer doesn’t cost the attacker anything, and is really just a matter of time before a viable attack is discovered.

The short answer to whether sandbox security is useless and if we should collectively throw in the towel is “no”. But, the crucial thing that IT admins and consumers alike need to remember is that there is no silver bullet security. Each security control or feature is just a piece of the puzzle–an extra layer of defense. In and of themselves, none of them is capable of preventing all attacks, but taken as a whole, they build a multi-faceted defense that takes a more skilled and dedicated attacker to bypass.