1
00:00:00,800 --> 00:00:04,651
Sandbox is an application isolation for Mac OS X.

2
00:00:04,880 --> 00:00:10,354
Apple has included a sandbox facility, originally code named seatbelt,

3
00:00:10,434 --> 00:00:15,600
with the release of Mac OS X 10.5 Leopard in 2006.

4
00:00:15,955 --> 00:00:19,280
This facility includes the command sandbox, sandboxd,

5
00:00:19,333 --> 00:00:23,680
sandbox_init, and sandbox-exec.

6
00:00:24,177 --> 00:00:27,619
The sandbox is implemented as a policy module

7
00:00:27,620 --> 00:00:31,533
for the TrustedBSD mandatory access control framework

8
00:00:31,666 --> 00:00:34,688
that I previously mentioned for use with BSD.

9
00:00:34,757 --> 00:00:38,625
As we know, Apple OS X is a BSD derivative,

10
00:00:38,700 --> 00:00:42,325
which is why you can use this TrustedBSD framework.

11
00:00:45,325 --> 00:00:49,925
You have to write a configuration file for each application

12
00:00:50,220 --> 00:00:51,780
that you want to sandbox.

13
00:00:52,080 --> 00:00:55,084
It's not a point-and-click solution unfortunately.

14
00:00:55,085 --> 00:00:57,248
You have to read through the documentation.

15
00:00:57,344 --> 00:00:58,800
You have to know what you're doing.

16
00:00:58,912 --> 00:01:02,889
Here is the man page for sandbox-exec,

17
00:01:02,890 --> 00:01:05,408
which is a main tool that you use in order to

18
00:01:05,409 --> 00:01:09,266
use the sandboxing functionality within OS X.

19
00:01:10,166 --> 00:01:12,533
Also, Apple has a guide here, which you can

20
00:01:12,534 --> 00:01:14,933
read on how to use the sandbox.

21
00:01:16,333 --> 00:01:17,848
But I'm going to give you some quick pointers

22
00:01:17,849 --> 00:01:20,462
now to get you started with, but you absolutely

23
00:01:20,710 --> 00:01:24,106
have to read the documentation because it's very specific

24
00:01:24,115 --> 00:01:26,008
to the applications that you use.

25
00:01:27,260 --> 00:01:29,333
So I mentioned that each application needs to have

26
00:01:29,334 --> 00:01:34,426
a configuration file or a profile file that says what that

27
00:01:34,480 --> 00:01:37,744
particular application or process is allowed to do.

28
00:01:37,808 --> 00:01:41,312
In order to create those, you need to have root privileges.

29
00:01:41,520 --> 00:01:42,784
So let's change to root.

30
00:01:49,056 --> 00:01:50,112
So now we're root.

31
00:01:50,512 --> 00:01:55,520
Let me show you an example config file that I've created for Firefox.

32
00:02:04,640 --> 00:02:08,896
This one is based on information I found at these two URLs,

33
00:02:09,120 --> 00:02:10,120
which you can see here.

34
00:02:10,208 --> 00:02:11,608
You could maybe check those out as well.

35
00:02:11,776 --> 00:02:13,296
If we go down here, you can get an idea

36
00:02:13,297 --> 00:02:15,584
of the sort of settings that you need to make.

37
00:02:20,488 --> 00:02:22,932
It looks complex, but it's not too complex.

38
00:02:22,933 --> 00:02:25,449
So what you can see here is for Firefox,

39
00:02:25,450 --> 00:02:28,699
these are the read and write locations that the process

40
00:02:28,700 --> 00:02:32,425
is allowed to read and write to, and that's based on

41
00:02:32,700 --> 00:02:36,225
this allow file-write and then these reads.

42
00:02:37,100 --> 00:02:42,225
If we go further down, you can see similar sorts of statements.

43
00:02:42,400 --> 00:02:45,475
So this is what Firefox is able to read,

44
00:02:45,575 --> 00:02:49,100
or the locations it's able to read, and files.

45
00:02:52,775 --> 00:02:57,975
Here we're inputting extra rules from the BSD.sb file,

46
00:02:58,075 --> 00:03:00,600
which is essentially a file that looks like this

47
00:03:00,675 --> 00:03:03,675
that has some specific BSD rules in it.

48
00:03:07,350 --> 00:03:09,749
And we can also lock down whether or not

49
00:03:09,750 --> 00:03:12,775
Firefox can create any new processes.

50
00:03:12,825 --> 00:03:17,675
So this is not allowed to create any new processes, only new threads.

51
00:03:18,650 --> 00:03:22,350
And here we're giving it network access, so you can disallow

52
00:03:22,393 --> 00:03:25,520
certain applications from having network access.

53
00:03:25,686 --> 00:03:26,923
So that gives you an idea.

54
00:03:27,458 --> 00:03:30,296
But if you really want to use this, then you need to read

55
00:03:30,297 --> 00:03:33,552
the documentation and figure out how to use it.

56
00:03:33,664 --> 00:03:36,016
But of course I would recommend you do the browser

57
00:03:36,173 --> 00:03:38,012
and the email client, and of course anything

58
00:03:38,013 --> 00:03:41,180
that interacts with the internet or untrusted sources.

59
00:03:41,953 --> 00:03:44,239
So that was an example of a profile. So how do we

60
00:03:44,240 --> 00:03:48,186
actually run Firefox using that profile?

61
00:03:48,280 --> 00:03:50,480
So we have to type in a command, but we need to

62
00:03:50,550 --> 00:03:54,350
exit out of root into extended non-admin user.

63
00:04:05,700 --> 00:04:09,184
So that's saying sandbox, using this configuration,

64
00:04:09,288 --> 00:04:13,940
and then I need to enter the name and path of the application

65
00:04:14,260 --> 00:04:17,040
that I want to sandbox with those rules.

66
00:04:23,560 --> 00:04:25,760
So that's the command there for Firefox.

67
00:04:28,720 --> 00:04:31,706
And there we have an instance of Firefox protected

68
00:04:31,848 --> 00:04:34,840
by the sandbox, and allowed and not allowed

69
00:04:34,946 --> 00:04:37,653
based on those rules and that configuration file.

70
00:04:38,786 --> 00:04:41,933
These are some example profiles here that you might find useful.

71
00:04:44,106 --> 00:04:47,560
There are also examples of configurations provided by Apple,

72
00:04:47,693 --> 00:04:49,626
which you can see here.

73
00:05:06,013 --> 00:05:08,613
So that's what one of them looks like after ftp-proxy.

74
00:05:22,960 --> 00:05:25,000
So you see here these files might give you

75
00:05:25,485 --> 00:05:27,892
a better idea of how you might configure this.

76
00:05:27,893 --> 00:05:30,128
So you can see here, as an example, this is allowing

77
00:05:30,656 --> 00:05:34,464
UDP port 123 and not allowing anything else.

78
00:05:35,440 --> 00:05:36,864
So, it gives you a good idea.

79
00:05:37,088 --> 00:05:39,920
You also get errors as well, trace results showing you

80
00:05:40,736 --> 00:05:43,328
when you have problems with a file when you've sandboxed it,

81
00:05:43,472 --> 00:05:46,688
and that can help you decide on what you want and don't want.

82
00:05:48,096 --> 00:05:50,542
There's a Firefox profile here that you might

83
00:05:50,543 --> 00:05:52,816
find useful if you want to use Firefox.

84
00:05:58,944 --> 00:06:02,416
This is Buckle Up, which is a tool to help you create the profiles.

85
00:06:04,304 --> 00:06:06,976
A quick start guide here which you might find useful.

86
00:06:08,864 --> 00:06:13,136
And this is a report by a security researcher on the Apple sandbox.

87
00:06:13,280 --> 00:06:16,288
It's worth a read if you really want to dig deeper into it.

88
00:06:18,288 --> 00:06:21,465
Other than the built-in sandbox, there isn't really that much,

89
00:06:21,466 --> 00:06:23,600
at the time I'm aware of anyway for Mac.

90
00:06:23,720 --> 00:06:26,259
There is SuperDuper. This has some

91
00:06:26,260 --> 00:06:28,589
limited sandboxing functionalities,

92
00:06:28,590 --> 00:06:30,420
so I thought it was worth a mention.

93
00:06:30,620 --> 00:06:32,760
So that's it on Mac sandboxes.