DIGGING DEEP INTO THE FLASH SANDBOXES
Paul Sabanal
IBM X-Force Advanced Research
tsabanpm[at]ph.ibm.com, pv.sabanal[at]gmail.com
@polsab

Mark Vincent Yason
IBM X-Force Advanced Research
yasonmg[at]ph.ibm.com
@MarkYason

ABSTRACT
Lately we have seen how sandboxing technology is positively altering the software security landscape. From the
Chrome browser, to Adobe Reader, to Mac and iOS applications, sandboxing has become one of the main exploit
mitigation technologies that software has come to rely on. As with all critical security technologies, they need to
be understood and scrutinized, mainly to see how effective they are, or at the very least, to satisfy one's curiosity.
The sandbox implementations for Adobe's Flash Player certainly piqued ours.

Our talk will explore the internals of three sandbox implementations for Flash: Protected Mode Flash for Chrome,
Protected Mode Flash for Firefox, and Pepper Flash. And of course, we will show that an exhaustive exploration of
the Flash sandboxes will eventually yield gold as we discuss and demonstrate some Flash sandbox escape
vulnerabilities we found along the way.

We start with a look at the high level architecture of each sandbox implementation. Here we will define the role of
each process and the connections between them. In the second part, we will dive deep into the internal sandbox
mechanisms at work such as the sandbox restrictions, the different IPC protocols in use, the services exposed by
higher-privileged processes, and more. In the third part of our talk we will take a look at each sandbox's security
and talk about the current limitations and weaknesses of each implementation. We will then discuss possible
avenues to achieve a sandbox bypass or escape. Throughout all this we will be pointing out the various differences
between these implementations.

IBM Security Systems | © 2012 IBM Corporation

Blue Coat Systems - Exhibit 1018

1. CONTENTS
Abstract
1. Contents
2. Introduction
3. The Targets
4. Sandbox Architecture
   4.1. Flash Player Protected Mode For Firefox
   4.2. Flash Player Protected Mode For Chrome
   4.3. Flash Player Protected Mode For Chrome Pepper
5. Sandbox Mechanisms
   5.1. Sandbox Startup Sequence
      5.1.1. Firefox Flash
      5.1.2. Chrome Flash
      5.1.3. Pepper Flash
   5.2. Sandbox Restrictions
      5.2.1. Restricted Tokens
      5.2.2. Integrity Levels
      5.2.3. Job Objects
      5.2.4. Alternate Window Station and Alternate Desktop
      5.2.5. Sandbox Restrictions Comparison Table
   5.3. Interception Manager
      5.3.1. Interception Types
   5.4. Inter-Process Communication
      5.4.1. Sandbox IPC
      5.4.2. Chromium IPC
      5.4.3. Simple IPC
   5.5. Services
      5.5.1. Chrome Sandbox Services
      5.5.2. Chrome Plugin Services
      5.5.3. Chrome Flash Broker Services
      5.5.4. Firefox Flash Plugin Container Services
      5.5.5. Firefox Flash Broker Services
   5.6. Policy Engine
      5.6.1. Adding policies
      5.6.2. Admin-configurable policies
   5.7. Summary: Sandbox Mechanisms
      5.7.1. Flash Player Protected Mode For Chrome (Chrome Flash)
      5.7.2. Flash Player Protected Mode For Chrome Pepper (Pepper Flash)
      5.7.3. Flash Player Protected Mode For Firefox (Firefox Flash)
6. Sandbox Limitations
   6.1. File System Read Access
   6.2. Registry Read Access
   6.3. Network Access
   6.4. Policy Allowed Write Access to Files/Folders
   6.5. Clipboard Read/Write Access
   6.6. Write Access To FAT/FAT32 Partitions
   6.7. Sandbox Limitation Comparison Table
   6.8. Summary: Sandbox Limitations
7. Sandbox Escape
   7.1. Local Elevation of Privilege (EoP) Vulnerabilities
   7.2. Named Object Squatting Attacks
   7.3. IPC Message Parser Vulnerabilities
   7.4. Policy Vulnerabilities
   7.5. Policy Engine Vulnerabilities
   7.6. Service Vulnerabilities
   7.7. Summary: Sandbox Escape
8. Conclusion
9. Acknowledgements
10. Bibliography
11. Appendix A: Evicted DLLs and Plugins
   11.1. Evicted DLLs In Firefox Flash
   11.2. Evicted DLLs In Chrome Flash and Pepper Flash
   11.3. Evicted Plugin DLLs In Chrome Flash


2. INTRODUCTION
During Black Hat USA last year, we gave a talk about Adobe Reader X’s sandbox. In that talk we covered the
sandbox implementation of one of the primary exploitation vectors used by malware. We also noted that ever
since the Reader X sandbox’s introduction there has been a remarkable decrease in PDF exploits released in the
wild, and thankfully, this remains true up to this time. This year, we focus our sights on another popular
exploitation vector, Adobe’s Flash Player, and this time, we have three implementations of the sandbox to play
with.

In doing this research, we asked ourselves the same things we did last year. What are the security implications
of this new technology and what other things can an attacker do in spite of the restrictions imposed by the
sandbox? What can still be done within these limits that, from an attacker’s perspective, would still bring profit, or
from a user’s perspective, should be watched out for? Since we are investigating three different Flash sandbox
implementations, we also asked ourselves how these implementations differ from each other.

To answer these questions, we dived deeply into the internals of the three Flash sandbox implementations. This
paper documents our findings and discusses the internal mechanisms, limitations, and potential escape avenues
for each sandbox implementation. We will also provide our thoughts and recommendations on the matter of
sandbox security.


3. THE TARGETS
In this paper, we will discuss three different implementations of the Flash Player sandbox. The targets are:

1. Flash Player Protected Mode For Firefox
2. Flash Player Protected Mode For Chrome
3. Flash Player Protected Mode For Chrome Pepper

Throughout this paper we will refer to them as Firefox Flash, Chrome Flash, and Pepper Flash, respectively.

Firefox Flash, an NPAPI [1] plugin, was first released as a beta in February 2012, and was officially released in June
2012. It is developed by Adobe in collaboration with Mozilla. It is based on the sandboxing code in Adobe Reader X,
which we covered in our talk and paper [2] at Black Hat USA last year. Hence, there will be a lot of similarities
between them. We will be using version 11.3.300.257 in this paper.

Chrome Flash, also an NPAPI plugin, has been around since December 2010 and is a result of collaboration
between Adobe and Google. It is the default Flash Player in Chrome. We will be using the version bundled with
Chrome 20.0.1132.47 in this paper.

Pepper Flash is an implementation of Flash Player using Google’s Pepper Plugin API (PPAPI) [3]. It can be enabled
through Chrome > Settings > Privacy > Content Settings > Plugins. The version covered in this paper is bundled with
Chrome 20.0.1132.47 and is an experimental version. At the time of writing, Chrome Beta 21 has been released,
which includes Pepper Flash as the default Flash Player.


4. SANDBOX ARCHITECTURE
This section discusses the general architecture of each of the sandbox implementations. More details will be
provided in the subsequent sections.

4.1. FLASH PLAYER PROTECTED MODE FOR FIREFOX

The Flash Player Protected Mode for Firefox (Firefox Flash) sandbox configuration consists of the following
components:

• Firefox Browser Process (firefox.exe) – The main Firefox browser process. It launches
plugin_container.exe when a web page with Flash content is opened.

• Plugin Container (plugin_container.exe) – Facilitates communication between the Flash plugin process and
the Firefox browser process. It is also responsible for launching the broker process.

• Flash Broker Process (FlashPlayerPlugin.exe) – Spawned by plugin_container.exe. It is responsible for
setting up the sandbox restrictions and policies, and also for spawning the sandbox process. It also hosts an
IPC service to communicate with the sandbox process.

• Flash Plugin Process (FlashPlayerPlugin.exe) – The sandboxed Flash plugin process. It is responsible for
parsing and rendering Flash content.

[Figure: Flash Player Protected Mode For Firefox (Firefox Flash) architecture. Processes: Firefox Browser Process
(firefox.exe); Plugin Container (plugin-container.exe, NPSWF32.DLL); Flash Broker Process (FlashPlayerPlugin.exe);
Flash Plugin Process (FlashPlayerPlugin.exe, NPSWF32.DLL). Channels: Chromium IPC via Mozilla’s IPDL
(Browser-Plugin Container Channel); Chromium IPC (Permission Channel); Chromium IPC (NPAPI Channel);
Sandbox IPC (Sandbox and Flash Services Channel).]

The Firefox Flash sandbox is enabled by default but it can be disabled using the privacy and security configuration
file for Firefox Flash [4]. This file, mms.cfg, should be placed in the following folder:

    %WINDIR%\System32\Macromed\Flash for 32-bit Windows, or
    %WINDIR%\SysWow64\Macromed\Flash for 64-bit Windows

To disable the protected mode, set the ProtectedMode option in mms.cfg to 0:

    ProtectedMode = 0

mms.cfg is also used to set up a policy file, which contains whitelist policies to bypass some of the default
restrictions in the sandbox. To enable the whitelist policy file, the ProtectedModeBrokerWhitelistConfigFile option
should be set to 1:

    ProtectedModeBrokerWhitelistConfigFile = 1

A policy file with the file name ProtectedModeWhitelistConfig.txt should be placed in
%WINDIR%\System32\Macromed\Flash for 32-bit Windows and %WINDIR%\SysWow64\Macromed\Flash for 64-bit
Windows.

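
As an added example (not code from the paper or from Adobe), the following Python audits an mms.cfg for the two settings above and reports what they mean for the Firefox Flash sandbox. The sample file contents are constructed, and matching keys case-insensitively is an assumption of the example.

```python
"""Audit a Flash Player mms.cfg for the two Protected Mode settings described in
section 4.1 and report what they mean for the Firefox Flash sandbox.  Added
example, not code from the paper or from Adobe; the sample file contents are
constructed, and case-insensitive key matching is an assumption made here."""
import re

# mms.cfg lines are "Key = Value"; blank lines and "#" comments are skipped.
_SETTING = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")

POLICY_FILE = "ProtectedModeWhitelistConfig.txt"


def parse_mms_cfg(text):
    """Return {lower-cased key: value}; a repeated key keeps its last value."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _SETTING.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def effective_protected_mode(text):
    """Evaluate the sandbox-relevant settings of an mms.cfg.

    sandbox_enabled  - False only when ProtectedMode is explicitly 0
    whitelist_active - ProtectedModeBrokerWhitelistConfigFile is 1, so the
                       broker will read the whitelist policy file
    findings         - one line per setting that weakens the default sandbox
    """
    s = parse_mms_cfg(text)
    protected = s.get("protectedmode", "1")   # Protected Mode is on by default
    whitelist = s.get("protectedmodebrokerwhitelistconfigfile", "0")
    result = {"sandbox_enabled": protected != "0",
              "whitelist_active": whitelist == "1", "findings": []}
    if not result["sandbox_enabled"]:
        result["findings"].append("ProtectedMode = 0: Firefox Flash sandbox is disabled")
    if result["whitelist_active"]:
        result["findings"].append(
            f"ProtectedModeBrokerWhitelistConfigFile = 1: {POLICY_FILE} "
            "whitelist policies will relax the default restrictions")
    return result


def policy_file_path(is_64bit_windows, windir="C:\\Windows"):
    """Full path of the policy file the broker reads (section 4.1): under
    SysWow64\\Macromed\\Flash on 64-bit Windows, System32\\Macromed\\Flash otherwise."""
    sub = "SysWow64" if is_64bit_windows else "System32"
    return "\\".join([windir, sub, "Macromed", "Flash", POLICY_FILE])


# Constructed sample configurations.
HARDENED_CFG = "# shipping defaults left in place\nProtectedMode = 1\n"
WEAKENED_CFG = ("# locally modified\nProtectedMode = 0\n"
                "ProtectedModeBrokerWhitelistConfigFile = 1\n")
```

An absent mms.cfg, or one without a ProtectedMode line, evaluates as sandbox enabled, which matches the default-on behaviour described above.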
4.2. FLASH PLAYER PROTECTED MODE FOR CHROME


The Flash Player Protected Mode for Chrome (Chrome Flash) sandbox configuration consists of the following
components:

• Chrome Browser Process (chrome.exe) – The main Chrome browser process. It launches the Flash broker
process and the Flash plugin process when a web page with Flash content is opened. It also exposes some
browser-related services that the Flash plugin process connects to.

• Chrome Renderer Process (chrome.exe) – The renderer process for the page the Flash content is in. It also
exposes browser-related services that the Flash plugin process connects to.

• Flash Broker Process (rundll32.exe, gcswf32.dll!BrokerMain) – rundll32.exe is used to run gcswf32.dll’s
BrokerMain entry point, which acts as the broker process. It also hosts Flash-specific services for the Flash
plugin process.

• Flash Plugin Process (chrome.exe, gcswf32.dll) – The sandboxed Flash plugin process. It is responsible for
parsing and rendering Flash content.

[Figure: Flash Player Protected Mode For Chrome (Chrome Flash) architecture. Processes: Chrome Browser Process
(chrome.exe); Chrome Renderer Process (chrome.exe); Flash Broker Process (rundll32.exe, gcswf32.dll!BrokerMain);
Flash Plugin Process (chrome.exe, gcswf32.dll). Channels: Chromium IPC (Browser-Renderer Channel); Sandbox IPC
(Sandbox Services Channel); Chromium IPC (Plugin Management Channel); Chromium IPC (NPAPI Channel); Simple IPC
(Flash Services Channel).]

`
4.3. FLASH PLAYER PROTECTED MODE FOR CHROME PEPPER

The Flash Player Protected Mode for Chrome Pepper (Pepper Flash) sandbox configuration consists of the following
components:

• Chrome Browser Process (chrome.exe) – The main Chrome browser process. It launches the Flash plugin
process when a web page with Flash content is opened. It also exposes some browser-related services
that the Flash plugin process connects to.

• Chrome Renderer Process (chrome.exe) – The renderer process for the page the Flash content is in. It also
exposes browser-related and Pepper services that the Flash plugin process connects to.

• Flash Plugin Process (chrome.exe, pepflashplayer.dll) – The sandboxed Flash plugin process. It is
responsible for parsing and rendering Flash content.

[Figure: Flash Player Protected Mode For Chrome Pepper (Pepper Flash) architecture. Processes: Chrome Browser
Process (chrome.exe); Chrome Renderer Process (chrome.exe); Pepper Flash Plugin Process (chrome.exe,
pepflashplayer.dll). Channels: Sandbox IPC (Sandbox Services Channel); Chromium IPC (Browser-Renderer Channel);
Chromium IPC (Plugin Management Channel); Chromium IPC (PPAPI Channel).]

`
5. SANDBOX MECHANISMS
After discussing the architecture of each Flash sandbox implementation, we will now dive deep into the internal
mechanisms used by each of them. In this section, we will start with the discussion of the
mechanisms used for sandboxing the Flash plugin process and then progressively move the discussion to the
mechanisms used by the higher-privileged processes.

5.1. SANDBOX STARTUP SEQUENCE
In this section, we will discuss the steps each sandbox implementation takes when starting up.

5.1.1. FIREFOX FLASH
1. When a web page with Flash content is opened, plugin_container.exe is spawned.

2. plugin_container.exe then spawns the broker process FlashPlayerPlugin_11_3_300_257.exe.

3. The broker process sets up the sandbox restrictions for the sandbox process:
   a. Sets the job level to JOB_RESTRICTED, but with the following restrictions unset:
      • JOB_OBJECT_UILIMIT_READCLIPBOARD
      • JOB_OBJECT_UILIMIT_WRITECLIPBOARD
      • JOB_OBJECT_UILIMIT_GLOBALATOMS
   b. Sets the token level. It sets up two tokens, the initial token and the lockdown token. Both tokens
      will be active when the sandbox process is started. The sandbox process requires a more
      privileged token during startup, as it needs to access resources that are otherwise inaccessible
      due to the sandbox. The initial token allows the sandbox process to temporarily have an
      elevated privilege. It is only valid for the initial thread the process started with and will be
      discarded later. Other threads will only be using the less privileged lockdown token. The token
      levels assigned to each token are:
      • Initial token – USER_RESTRICTED_SAME_ACCESS for Vista or later, otherwise USER_UNPROTECTED
      • Lockdown token – USER_LIMITED
      Refer to section 5.2.1 for more details about the token restrictions.
   c. Sets the integrity level. It will be set to INTEGRITY_LEVEL_LOW.
   d. Adds a DLL eviction policy, which lists DLLs that are suspected or known to cause a sandboxed
      process to crash. These DLLs will be unloaded by the sandbox. Refer to section 11.1 for the list
      of evicted DLLs in Flash Player Protected Mode for Firefox.

4. The broker process sets up the sandbox policies, which are rules that describe exceptions from the
   restrictions imposed by the sandbox:
   a. Sets up admin-configurable policies. The policy rules are read from a file named
      ProtectedModeWhiteList.txt located in %WINDIR%\System32\Macromed\Flash for 32-bit
      Windows, or %WINDIR%\SysWow64\Macromed\Flash for 64-bit Windows.
   b. Sets up hard-coded policies for file, named pipes, process, registry, sync objects, mutant, and
      section access.

5. The broker process spawns the sandbox process in a suspended state. It will run the
   FlashPlayerPlugin_11_3_300_257.exe executable, the same as the broker, but with the
   “-type=renderer” parameter.

6. Sets up and initializes interceptions on the sandbox process. Refer to section 5.3 for more details
   about the interceptions.

7. Resumes execution of the sandbox process.

5.1.2. CHROME FLASH
1. When a web page with Flash content is opened, the Chrome browser process spawns rundll32.exe to
   launch the broker process via the gcswf32.dll!BrokerMain entry point.

2. The Chrome browser process sets up the sandbox policies for the Flash sandbox process:
   a. Sets the job level to JOB_UNPROTECTED.
   b. Sets the token level to the following:
      • Initial token – USER_RESTRICTED_SAME_ACCESS
      • Lockdown token – USER_INTERACTIVE
   c. Sets the integrity level to INTEGRITY_LEVEL_LOW.
   d. Adds a DLL eviction policy, which lists DLLs that are suspected or known to cause a renderer process
      to crash. These DLLs will be unloaded by the sandbox. Refer to section 11.2 for the list of evicted
      DLLs in Chrome.
   e. Adds a plugin DLL eviction policy, which lists DLLs that are suspected or known to cause a plugin
      process to crash. These DLLs will be unloaded by the sandbox. Refer to section 11.3 for the list of
      evicted plugin DLLs in Chrome.

3. The Chrome browser process spawns the sandboxed Flash plugin process, which is chrome.exe with a
   “type=plugin” parameter and with gcswf32.dll loaded. This process is initially launched in a suspended
   state.

4. Sets up and initializes interceptions on the sandbox process. Refer to section 5.3 for more details
   about the interceptions.

5. Resumes execution of the sandboxed Flash plugin process.


5.1.3. PEPPER FLASH
Pepper plugins run under Chrome’s renderer sandbox, so the same restrictions apply, with a minor difference.

1. When a web page with Flash content is opened, the Chrome browser process sets up the sandbox policies
   for the Pepper Flash plugin process:
   a. Sets the job level to JOB_LOCKDOWN.
   b. Sets the token level to the following:
      • Initial token – USER_RESTRICTED_SAME_ACCESS for Vista or later, otherwise USER_UNPROTECTED
      • Lockdown token – USER_LOCKDOWN
   c. Sets the integrity level to INTEGRITY_LEVEL_UNTRUSTED.
   d. Sets an alternate window station and desktop.
   e. Adds a DLL eviction policy, which lists DLLs that are suspected or known to cause a
      renderer process to crash. These DLLs will be unloaded by the sandbox. Refer to section
      11.2 for the list of evicted DLLs in Chrome.
   f. Adds a policy for the Pepper plugin. This simply adds full access to named pipes that match the
      following pattern: "\\.\pipe\chrome.*".

2. The Chrome browser process spawns the sandboxed Pepper Flash plugin process, which is chrome.exe
   with a “type=ppapi” parameter and with pepflashplayer.dll loaded. This process is initially launched in a
   suspended state.

3. Sets up and initializes interceptions on the sandbox process. Refer to section 5.3 for more details
   about the interceptions.

4. Resumes execution of the sandbox process.

5.2. SANDBOX RESTRICTIONS
Sandbox restrictions are the mechanisms in place to run the sandboxed Flash plugin process in a confined
environment. In case the sandboxed Flash plugin is compromised, sandbox restrictions will prevent malicious code
from making persistent changes to the system, and depending on the sandbox restrictions and sandbox policies in
place, will also prevent malicious code from accessing confidential information on the system.

The sandbox restrictions in all Flash sandbox implementations are based on the Practical Windows Sandboxing
recipe [5, 6, 7], which describes the use of the following Windows mechanisms for restricting the privileges and
capabilities of a sandboxed process:

• Restricted Tokens
• Integrity Levels
• Job Objects
• Alternate Desktop and Alternate Window Station

5.2.1. RESTRICTED TOKENS
One of the fundamental ways to lower the privileges of a sandboxed process is by assigning it a restricted token
[8]. In the case of Flash, the restricted token assigned to the sandboxed Flash plugin process is derived from the
user’s token and has the following restrictions set:

• Deny-Only Security Identifiers (SIDs) – Only pre-selected SIDs are left enabled; all other SIDs are set to
deny-only. This limits the number of securable resources the sandboxed Flash plugin can access and the
type of access it can be granted.
• Restricting SIDs – Pre-selected SIDs are added as restricting SIDs. This ensures that the sandboxed Flash
plugin can only access securable resources which are also accessible to the pre-selected restricting SIDs.
• Limited Privileges – Only a very limited number of privileges are enabled, so that the sandboxed Flash plugin
process is limited in the types of system operations it can perform (e.g. shutting down the system and
debugging programs).

5.2.2. INTEGRITY LEVELS
A Low or Untrusted integrity level [9] is also set in the token assigned to the sandboxed Flash plugin process so that
write access to most securable resources will be denied, since the majority of securable resources in a Windows
system are assigned a Medium or a higher integrity level. This also mitigates shatter attacks [10], as lower-integrity
processes are prevented from sending write-type messages to windows owned by higher-integrity processes.

5.2.3. JOB OBJECTS
Additional restrictions are also enforced on the sandboxed Flash plugin process by associating it with a job object
[11]. Examples of capabilities that can be restricted via job objects are access to the clipboard, modification of
system settings and the spawning of additional processes.

5.2.4. ALTERNATE WINDOW STATION AND ALTERNATE DESKTOP
By assigning the sandboxed Flash plugin process a separate window station and a separate desktop, it is isolated
from windows in other desktops, and from the clipboard and global atom table in other window stations, all of which
are vectors for sandbox escape and/or information disclosure. Note that this is only effective if the token assigned
to the sandboxed process is set up so that the sandboxed process does not have access to other window stations
and desktops.

5.2.5. SANDBOX RESTRICTIONS COMPARISON TABLE
The comparison table below shows the sandbox restrictions in place in Chrome Flash, Firefox Flash and Pepper
Flash.

Restriction: Integrity Level
    Chrome Flash: Low
    Firefox Flash: Low
    Pepper Flash: Untrusted

Restriction: Restricted Token: Enabled SIDs (Deny-Only SIDs Exceptions)
    Chrome Flash: User’s SID, Logon SID, Everyone, Users, INTERACTIVE, Authenticated Users
    Firefox Flash: User’s SID, Logon SID, Everyone, Users, INTERACTIVE
    Pepper Flash: Logon SID

Restriction: Restricted Token: Restricting SIDs
    Chrome Flash: Logon SID, Everyone, RESTRICTED, Users, User’s SID
    Firefox Flash: Logon SID, Everyone, RESTRICTED, Users
    Pepper Flash: NULL SID

Restriction: Restricted Token: Enabled Privileges
    Chrome Flash: Bypass traverse checking
    Firefox Flash: Bypass traverse checking
    Pepper Flash: (None)

Restriction: Job Restrictions
    Chrome Flash: Kill on job close
    Firefox Flash: Kill on job close; Spawning additional processes; Desktop creation and switching via
    CreateDesktop() and SwitchDesktop(); Modifying display settings via ChangeDisplaySettings(); Logging off,
    shutting down or restarting the system via ExitWindows() or ExitWindowsEx(); Using USER handles owned by
    processes not associated with the job; Changing system settings via SystemParametersInfo()
    Pepper Flash: JOB_LOCKDOWN (see section 5.1.3)

Restriction: Alternate Window Station and Alternate Desktop
    Chrome Flash: No
    Firefox Flash: No
    Pepper Flash: Yes (see section 5.1.3)
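
The following Python model, added here and not part of the paper, runs the access check a restricted low-integrity token is subjected to (sections 5.2.1 and 5.2.2) against the three token configurations in the table above, over a few constructed securable objects. The user's group list, the object ACLs and the two generic rights are assumptions of the example.

```python
"""Model of the access check a restricted, low-integrity token goes through
(sections 5.2.1 and 5.2.2), using the three token configurations from the
comparison table in 5.2.5.  Added example, not code from the paper.  Simplified:
two generic rights, no ACE inheritance, no owner rights, no SACL."""
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2
UNTRUSTED, LOW, MEDIUM = 0, 1, 2      # integrity levels, lowest first

@dataclass(frozen=True)
class Ace:
    allow: bool      # True: access-allowed ACE, False: access-denied ACE
    sid: str
    mask: int

@dataclass(frozen=True)
class Resource:
    integrity: int   # mandatory label on the object
    dacl: tuple      # ordered ACEs

@dataclass(frozen=True)
class Token:
    enabled: frozenset      # SIDs that match allow and deny ACEs
    deny_only: frozenset    # SIDs that match deny ACEs only
    restricting: frozenset  # SIDs used in the second, restricting pass
    integrity: int

def dacl_grants(dacl, enabled, deny_only, wanted):
    """Walk the DACL in order: a deny ACE hitting any still-undecided requested
    bit ends the check, allow ACEs accumulate bits until all are granted."""
    granted = 0
    for ace in dacl:
        matches = ace.sid in enabled or (ace.sid in deny_only and not ace.allow)
        bits = ace.mask & wanted & ~granted
        if not matches or not bits:
            continue
        if not ace.allow:
            return False
        granted |= bits
        if granted == wanted:
            return True
    return granted == wanted     # only true here when nothing was requested

def access_check(token, res, wanted):
    """Return (granted, reason) for `token` requesting `wanted` on `res`."""
    # 1. Mandatory integrity check (5.2.2): the default No-Write-Up policy
    #    denies write access when the token's level is below the object's.
    if wanted & WRITE and token.integrity < res.integrity:
        return False, "integrity: no write-up"
    # 2. Ordinary DACL check against the enabled and deny-only SIDs (5.2.1).
    if not dacl_grants(res.dacl, token.enabled, token.deny_only, wanted):
        return False, "dacl: denied for enabled SIDs"
    # 3. A restricted token gets a second pass that uses only the restricting
    #    SIDs; both passes must grant for access to be allowed.
    if token.restricting and not dacl_grants(res.dacl, token.restricting, frozenset(), wanted):
        return False, "dacl: denied for restricting SIDs"
    return True, "granted"

# Groups a typical standard-user logon token carries (constructed list).
USER_GROUPS = frozenset({"User's SID", "Logon SID", "Everyone", "Users",
                         "INTERACTIVE", "Authenticated Users", "Local account"})

def restricted_token(enabled, restricting, integrity):
    """Build the token the way the recipe in 5.2.1 does: keep the listed SIDs
    enabled, turn every other group into deny-only, add the restricting SIDs."""
    enabled = frozenset(enabled)
    return Token(enabled, USER_GROUPS - enabled, frozenset(restricting), integrity)

# Token configurations as listed in the comparison table (section 5.2.5).
CHROME_FLASH = restricted_token(
    {"User's SID", "Logon SID", "Everyone", "Users", "INTERACTIVE", "Authenticated Users"},
    {"Logon SID", "Everyone", "RESTRICTED", "Users", "User's SID"}, LOW)
FIREFOX_FLASH = restricted_token(
    {"User's SID", "Logon SID", "Everyone", "Users", "INTERACTIVE"},
    {"Logon SID", "Everyone", "RESTRICTED", "Users"}, LOW)
PEPPER_FLASH = restricted_token({"Logon SID"}, {"NULL SID"}, UNTRUSTED)

# Constructed securable objects standing in for real ones.
RESOURCES = {
    # A machine-wide registry key that every member of Users may read.
    "hklm_key": Resource(MEDIUM, (Ace(True, "Administrators", READ | WRITE),
                                  Ace(True, "Users", READ))),
    # A document in the profile that only the user (and administrators) may open.
    "profile_document": Resource(MEDIUM, (Ace(True, "User's SID", READ | WRITE),
                                          Ace(True, "Administrators", READ | WRITE))),
    # A low-integrity scratch folder granted to the user only.
    "low_il_scratch": Resource(LOW, (Ace(True, "User's SID", READ | WRITE),)),
}
TOKENS = {"Chrome Flash": CHROME_FLASH, "Firefox Flash": FIREFOX_FLASH,
          "Pepper Flash": PEPPER_FLASH}

def matrix(tokens=TOKENS, resources=RESOURCES):
    """Every (token name, resource name, right name) -> (granted, reason)."""
    return {(t, r, name): access_check(tok, res, right)
            for t, tok in tokens.items() for r, res in resources.items()
            for right, name in ((READ, "read"), (WRITE, "write"))}
```

Running matrix() shows the difference the restricting SIDs make: the user-only document and scratch folder are reachable by Chrome Flash but not by Firefox Flash, whose restricting SIDs omit the user's SID, so the second pass fails even though the first one grants; Pepper Flash, with only the logon SID enabled and the NULL SID as its restricting SID, is denied everything.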
