Security hardened sandboxes (with encrypted sandbox content and credentials) will most likely fail to operate after setting a (very long) password, and will cause Sandboxie-Plus to crash in a small case #3639

Closed
RimacC2-EV opened this issue Feb 24, 2024 · 6 comments
Labels
Black box Encrypted sandboxes Confirmation pending Further confirmation is requested fixed in next build Fixed in the next Sandboxie version

Comments

@RimacC2-EV
Contributor

RimacC2-EV commented Feb 24, 2024

Describe what you noticed and did

1. Create a security hardened sandbox
2. Tick the Encrypt sandbox content and set credentials option
3. Set a (very long) password
4. Try to run something, and then you may come across the Create a new sandbox disk image menu again.
5. After re-entering the (previous) (very long) password, the sandbox does not work

How often did you encounter it so far?

Whenever I do the above action

Expected behavior

Security hardened sandboxes work properly.

Affected program

Everything (Sandboxie-Plus itself)

Download link

Not available.

Where is the program located?

Not relevant to my request.

Did the program or any related process close unexpectedly?

Yes, it did. I'm going to share the .dmp file(s) in a later comment.

Crash dump

https://f.ws59.cn/f/dh2lf8ka29l (Valid for 24 hours, if expired, please comment below)

What version of Sandboxie are you running now?

Sandboxie-Plus 1.13.0 64-bit

Is it a new installation of Sandboxie?

I just updated Sandboxie from a previous version (I remember which one it is).

Is it a regression from previous versions?

Maybe 1.12.7

In which sandbox type you have this problem?

In a security hardened sandbox (orange sandbox icon).

Can you reproduce this problem on a new empty sandbox?

I can confirm it also on a new empty sandbox.

What is your Windows edition and version?

Windows Home China 21H2 64-bit

In which Windows account you have this problem?

A local account (Administrator).

Please mention any installed security software

Microsoft Defender Antivirus, 360 Total Security

Did you previously enable some security policy settings outside Sandboxie?

No response

Trace log

Sorry, I can't open the website.

Sandboxie.ini configuration

#
# Sandboxie configuration file
#

[GlobalSettings]
DefaultBox=DefaultBox
FileRootPath=\??\%SystemDrive%\Sandbox\%USER%\%SANDBOX%
KeyRootPath=\REGISTRY\USER\Sandbox_%USER%_%SANDBOX%
IpcRootPath=\Sandbox\%USER%\%SANDBOX%\Session_%SESSION%
Template=Edge_Fix
Template=OfficeClickToRun
Template=OfficeLicensing
Template=QQ
Template=WindowsLive
Template=WindowsRasMan
NetworkEnableWFP=y

[UserSettings_02DE00F4]
SbieCtrl_AutoStartAgent=SandMan.exe -autorun
BoxGrouping=:DefaultBox,New_Box_1,New_Box

[DefaultBox]
Enabled=y
BlockNetworkFiles=y
RecoverFolder=%{374DE290-123F-4565-9164-39C4925E467B}%
RecoverFolder=%Personal%
RecoverFolder=%Desktop%
BorderColor=#00FFFF,ttl
Template=OpenBluetooth
Template=SkipHook
Template=FileCopy
Template=qWave
Template=BlockPorts
Template=LingerPrograms
Template=AutoRecoverIgnore
ConfigLevel=10

[New_Box_1]
Enabled=y
BlockNetworkFiles=y
RecoverFolder=%{374DE290-123F-4565-9164-39C4925E467B}%
RecoverFolder=%Personal%
RecoverFolder=%Desktop%
BorderColor=#027df7,ttl
Template=OpenBluetooth
Template=SkipHook
Template=FileCopy
Template=qWave
Template=BlockPorts
Template=LingerPrograms
Template=AutoRecoverIgnore
ConfigLevel=10
UseSecurityMode=y
UseFileImage=y
ConfidentialBox=y
UseFileDeleteV2=y
UseRegDeleteV2=y
AutoRecover=y
AllowNetworkAccess=!<InternetAccess>,n
DropAdminRights=y
FakeAdminRights=y

[New_Box]
Enabled=y
BlockNetworkFiles=y
RecoverFolder=%{374DE290-123F-4565-9164-39C4925E467B}%
RecoverFolder=%Personal%
RecoverFolder=%Desktop%
BorderColor=#027df7,ttl
Template=OpenBluetooth
Template=SkipHook
Template=FileCopy
Template=qWave
Template=BlockPorts
Template=LingerPrograms
Template=AutoRecoverIgnore
ConfigLevel=10
UseSecurityMode=y
UseFileImage=y
ConfidentialBox=y
UseFileDeleteV2=y
UseRegDeleteV2=y
AutoRecover=y
AllowNetworkAccess=!<InternetAccess>,n
DropAdminRights=y
FakeAdminRights=y
@RimacC2-EV RimacC2-EV added the Confirmation pending Further confirmation is requested label Feb 24, 2024
@bastik-1001
Contributor

(This should not happen.) Just for reference, how many characters were required for you to notice this? So if someone is going to test it, he'd know how long the password needs to be. How long is long?

@RimacC2-EV
Contributor Author

> (This should not happen.) Just for reference, how many characters were required for you to notice this? So if someone is going to test it, he'd know how long the password needs to be. How long is long?

In this case, I used 256 uppercase and lowercase letters, English symbols (e.g.; ',./[])

@DavidXanatos
Member

I see, I'll add the upper length limit in the next build; it's 128 chars IIRC.

@RimacC2-EV
Contributor Author

I have an idea if I can raise this limit (e.g. to 256 or more or even infinity), and if not, why?

@bastik-1001
Contributor

What part imposes the limit of 128 characters?

DavidXanatos added a commit that referenced this issue Feb 24, 2024
@DavidXanatos DavidXanatos added the fixed in next build Fixed in the next Sandboxie version label Feb 24, 2024
@DavidXanatos
Member

DavidXanatos commented Feb 24, 2024

> What part imposes the limit of 128 characters?

The DiskCryptor code used for encryption uses this limit; this could be changed to another value, resulting only in slightly higher memory usage.

But 128 chars should be plenty long anyways; this length permits approximately 384 bits of entropy with a passphrase composed of actual English words, increases to 512 bits with the application of L337 speak modifications, and exceeds 768 bits when composed of entirely random printable ASCII characters.

Given that the encryption uses AES256, there is no benefit of having a passphrase with more entropy than that.

Also remember that even 128 bit is not bruteforceable. Even at the Landauer limit, and assuming that to test one key only one bit needs to be flipped (which is not the case; it needs many, many thousands of bit flips to test any given key), the energy requirement would be 10^18 Joule. To put this into perspective, the entire output of the sun is 3.8*10^26 Joule/Second.

For 256 bit the energy requirement is 3.3*10^56 Joule. To put this into perspective,
the estimated total energy output of the observable universe is about 10^70 Joule/Second,
the estimated total energy output of the Laniakea supercluster, with about 100,000 galaxies of which ours is one, is around 3.8*10^42 Joule/Second.
So using the total energy output of all suns in our supercluster one would need about 2 million years to count through every possible value in a 256 bit key.

Long story short, I think 128 chars is more than enough and we don't need to change this.

@isaak654 isaak654 added the Black box Encrypted sandboxes label Feb 24, 2024
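
The figures in DavidXanatos's last comment can be re-derived as follows; this is an added example, not part of the thread or of Sandboxie's code. It assumes 300 K for the Landauer bound and takes the per-character entropy rates implied by the comment's own totals (384/128 = 3 bits, 512/128 = 4 bits), with log2(95) for random printable ASCII.

```python
import math

BOLTZMANN_J_PER_K = 1.380649e-23    # SI definition
ROOM_TEMP_K = 300.0                 # assumption: room temperature
SUN_OUTPUT_W = 3.8e26               # figure quoted in the thread
SUPERCLUSTER_OUTPUT_W = 3.8e42      # figure quoted in the thread
SECONDS_PER_YEAR = 365.25 * 24 * 3600
MAX_PASSPHRASE_CHARS = 128          # limit stated in the thread
KEY_BITS = 256                      # AES-256 key size

# Entropy per character. The first two rates are assumptions derived from
# the totals in the comment; the third is exact for 95 printable ASCII chars.
PROFILES = {
    "english words": 3.0,
    "leetspeak words": 4.0,
    "random printable ASCII": math.log2(95),
}

def passphrase_bits(length, bits_per_char):
    """Upper bound on passphrase entropy for a given length and rate."""
    return length * bits_per_char

def min_chars_to_saturate(key_bits, bits_per_char):
    """Shortest passphrase whose entropy reaches the key size."""
    return math.ceil(key_bits / bits_per_char)

def landauer_joules(key_bits, temp_k=ROOM_TEMP_K):
    """Energy floor for enumerating 2^key_bits keys at one bit flip each."""
    return (2 ** key_bits) * BOLTZMANN_J_PER_K * temp_k * math.log(2)

def years_at_power(joules, watts):
    """Time needed to supply `joules` from a source emitting `watts`."""
    return joules / watts / SECONDS_PER_YEAR

def report():
    """(profile, bits at the 128-char limit, chars needed for 256 bits)."""
    return [
        (name,
         passphrase_bits(MAX_PASSPHRASE_CHARS, rate),
         min_chars_to_saturate(KEY_BITS, rate))
        for name, rate in PROFILES.items()
    ]

if __name__ == "__main__":
    for name, bits, chars in report():
        print(f"{name:24s} {bits:7.1f} bits at 128 chars, {chars} chars for 256 bits")
    for n in (128, 256):
        print(f"{n}-bit keyspace: {landauer_joules(n):.2e} J")
    e256 = landauer_joules(256)
    print(f"256-bit at supercluster output: {years_at_power(e256, SUPERCLUSTER_OUTPUT_W):.2e} years")
```

Under these rates a passphrase already carries 256 bits at 86 characters of English words, 64 characters of leetspeak, or 39 random printable ASCII characters, all well inside the 128-character limit.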