Google Chrome could be getting a security boost when it more formally adopts Pepper Flash sandbox technology, according to two researchers who say Pepper offers the best protection.
"Attackers now need an additional sandbox escape vulnerability to fully compromise a system."
Mark Vincent Yason,
security researcher, IBM's X-Force Advanced Research Team
Security researchers Paul Sabanal and Mark Vincent Yason of IBM's X-Force Advanced Research Team told attendees at the 2012 Black Hat Briefings last week that Chrome's Pepper Flash implementation offers a much more restrictive environment than Google's native Flash plug-in for Chrome or Protected Mode Flash for Firefox, which is based on the sandboxing code in Adobe Reader X.
Google announced plans earlier this year to begin phasing out its native Protected Mode Flash for Chrome, a Flash player plug-in it developed with Adobe. Pepper Flash offers an alternative to the plug-in and supports a more secure Pepper Plugin API (PPAPI). The researchers said Pepper Flash will likely be the default player in Chrome 21.
In their paper, Digging Deep into the Flash Sandboxes (.pdf), the two researchers conclude Pepper Flash offers the most security, but needs work on stability issues before it can be fully supported in Chrome.
"It is still not stable enough for day-to-day use," the researchers said in their report. "Fortunately, even the less-restrictive Firefox Flash and Chrome Flash still offer substantial cost of exploitation. In fact, we haven’t encountered any public exploits that fully exploit a Flash vulnerability through Firefox and Chrome since these sandbox implementations were released."
At Black Hat, the two researchers gave a detailed description of the way all three sandboxing technologies work. The analysis shows that while sandboxes add another layer of defense to browser components, attackers could find a way to force some data leakage or bypass the restrictions altogether. Adobe credited the researchers in March for discovering two vulnerabilities in Flash Player – memory corruption errors that could allow attackers to cause a denial of service (DoS) and ultimately find a way to escape the sandbox implementation.
"What can malicious code do when it is running in a sandbox? Not much, but enough," Sabanal said.
The researchers said Firefox Flash contains default policy rules that grant the sandboxed process write access to certain folders and files. It also allows read access to all files that are accessible from the user's account, so an attacker could potentially read the registry, they said. Chrome Flash likewise allows read access to all files that are accessible from the user's account, and also allows read access to the major registry hives, they said.
"Both Firefox Flash and Chrome Flash do not restrict network access," Sabanal said. "This could allow transfer of stolen information to a remote attacker."
The two researchers demonstrated a sandbox escape, exploiting local elevation-of-privilege vulnerabilities in Chrome Flash that were discovered earlier this year. Using two computers – the machine that serves the exploit and the victim's machine – the researchers opened two calculators. The calculators, one with a medium integrity level and one with a low integrity level, were spawned by a mutually exploited sandboxed Flash plug-in process, the researchers said.
The researchers said other methods could be used to escape the sandbox implementations. Researchers have used named-object squatting attacks and IPC message parser vulnerabilities to target weaknesses in a higher-privileged application.
"Attackers now need an additional sandbox escape vulnerability to fully compromise a system," Yason said. "It's made it more expensive for the attacker."
Adobe has been working diligently to add a sandbox around its Adobe Reader and Acrobat software, which has been a favorite target of attackers. The new defensive layer makes it difficult for automated toolkits – the most prevalent kind of attack – to successfully exploit the software and then break out and infect a victim's machine. Other browsers and plug-ins use sandboxing to build in similar protections. Chris Rohlf, an independent researcher with Leaf Security Research, presented ways to bypass Google Chrome's Native Client sandboxing technology. Other researchers have demonstrated ways to bypass sandboxing implementations, but most experts agree the additional layer makes it more difficult for cybercriminals to successfully carry out attacks.