Yellow circle over process icons?

Ander
Posts: 3
Joined: Sat May 18, 2024 6:58 am

Yellow circle over process icons?

Post by Ander »

Hey guys,

I was wondering why some processes in SB+'s list have this yellow circle over them, with a down-pointing black arrow:

[Attachment: sandboxie_tasks_screenshot.jpg]
In this screenshot, I'm running one instance of the Brave browser, which appears as 11 processes, 7 of which have the yellow circle. Does it mean anything important? I searched the documentation but couldn't find anything. Thanks!

bastik-1001
Posts: 405
Joined: Sat Apr 22, 2023 8:30 am

Re: Yellow circle over process icons?

Post by bastik-1001 »

It might not be of importance, it's just a visual hint of the token the processes are running with.

Here is a quote from the developer:
[...][typos fixed]
no extra icon normal token
yellow icon restricted token
orange icon appcontainer token (only available on green boxes)
Firefox and Chrome run their workers with different levels of isolation; not all get a restricted or app container token
(Source, where I wondered, why not all share that indication.)

The same applies to browsers that are based on Firefox or Chromium, and maybe other software.

You are right that the documentation does not cover that. Unfortunately, this applies to a lot of things. There is very little that covers the new interface, to which there are still changes. Some new features are not explained, either.

Ander
Posts: 3
Joined: Sat May 18, 2024 6:58 am

Re: Yellow circle over process icons?

Post by Ander »

Thanks for your reply. What's a token?

Ander
Posts: 3
Joined: Sat May 18, 2024 6:58 am

Re: Yellow circle over process icons?

Post by Ander »

Oh well, I guess it's not that important, then... It just looked important. :)

bastik-1001
Posts: 405
Joined: Sat Apr 22, 2023 8:30 am

Re: Yellow circle over process icons?

Post by bastik-1001 »

Sandboxie's isolation is based on tokens. The isolation mechanism describes how it works and the token magic gives more details.

Windows reacts differently to different tokens, ranging from least privileged to the most privileged, where processes can do less or more, depending on in which category they fall. Some actions work with a restricted token, while for others Sandboxie has to proxy requests made with higher privileges to sandboxed applications, which would otherwise not work.

Edit: diversenok posted an overview of the architecture of Sandboxie
Sandboxie is an OS-level application sandbox. It heavily relies on the Windows security model for restricting access to resources by running programs with a very restricted access token (untrusted integrity, removed privileges, all groups marked as deny-only). Since programs would not be able to run under such conditions, Sandboxie then hooks hundreds of functions in the sandboxed processes and redirects/lies about the operation results in an attempt to fix compatibility without compromising security. There are three components that participate here:

SbieDll - a DLL that installs user-mode hooks in sandboxed processes and forwards requests to broker components (SbieSvc and SbieDrv).
SbieSvc - a service that runs unsandboxed and acts as a broker. It accepts requests from sandboxed processes for various operations, validates them against the security policy, and either blocks, redirects, or performs them.
SbieDrv - a driver that provides transparent filesystem and registry redirection, tracks process creation, etc.

Usually, relying on user-mode hooks is a bad idea for security, but here it works well because sandboxed processes effectively have two choices:

Comply with the hook and make it forward the request to the broker that validates the security policy and blocks dangerous operations.
Bypass the user-mode hook by directly asking the OS to perform the operation and get an immediate "access denied" due to a restricted token.

You can find many similarities between the architecture of Sandboxie and Chrome Renderer Sandbox since they both run untrusted code under very restricted security contexts and rely on conceptually similar brokering mechanisms. The primary difference is that Sandboxie is a general-purpose sandbox that can run any program, while Chrome Sandbox is not. On the downside, Sandboxie needs a driver and a service to work, so it potentially introduces a bigger attack surface. However, compared to other 3rd party application sandboxes (Avast, Comodo, 360 Security, Shade) that do not restrict process tokens and, thus, do not introduce a security boundary between sandboxed and unsandboxed processes, Sandboxie offers very formidable isolation.
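As an added illustration (not part of this thread, and not code from Sandboxie or its developers), the following PowerShell script reads the token properties the overview above describes for a given process: whether its primary token is restricted, whether it is an AppContainer token, its integrity level, and how many of its groups are marked deny-only. It assumes Windows, PowerShell 5 or later, and enough rights to open the target process (an elevated prompt for processes you do not own); the constants are the documented Win32 values.

```powershell
param([Parameter(Mandatory)][int]$ProcessId)

Add-Type -Namespace Win32 -Name Tok -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError=true)]
public static extern bool OpenProcessToken(IntPtr h, uint access, out IntPtr tok);
[DllImport("advapi32.dll", SetLastError=true)]
public static extern bool GetTokenInformation(IntPtr tok, int cls, IntPtr buf, int len, out int need);
[DllImport("advapi32.dll")] public static extern bool IsTokenRestricted(IntPtr tok);
[DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr h);
'@
$M = [Runtime.InteropServices.Marshal]

function Get-TokenInfo([IntPtr]$tok, [int]$class) {
    # Standard two-call pattern: the first call reports the needed size, the second fills the buffer.
    $need = 0
    [void][Win32.Tok]::GetTokenInformation($tok, $class, [IntPtr]::Zero, 0, [ref]$need)
    $buf = $M::AllocHGlobal($need)
    if (-not [Win32.Tok]::GetTokenInformation($tok, $class, $buf, $need, [ref]$need)) {
        $M::FreeHGlobal($buf); throw "GetTokenInformation(class $class) failed"
    }
    return $buf   # caller must FreeHGlobal
}

$proc = Get-Process -Id $ProcessId
$tok = [IntPtr]::Zero
if (-not [Win32.Tok]::OpenProcessToken($proc.Handle, 0x0008, [ref]$tok)) {   # TOKEN_QUERY
    throw "OpenProcessToken failed; try an elevated prompt"
}
# TokenIntegrityLevel (25): TOKEN_MANDATORY_LABEL holds a SID of the form S-1-16-<level>
$buf = Get-TokenInfo $tok 25
$ilSid = [Security.Principal.SecurityIdentifier]::new($M::ReadIntPtr($buf)); $M::FreeHGlobal($buf)
$names = @{ 0='Untrusted'; 4096='Low'; 8192='Medium'; 12288='High'; 16384='System' }
$level = [int]($ilSid.Value.Split('-')[-1])
# TokenIsAppContainer (29): a DWORD, nonzero for an AppContainer token
$buf = Get-TokenInfo $tok 29
$isAppContainer = $M::ReadInt32($buf) -ne 0; $M::FreeHGlobal($buf)
# TokenGroups (2): DWORD GroupCount followed by a pointer-aligned SID_AND_ATTRIBUTES array
$buf = Get-TokenInfo $tok 2
$count = $M::ReadInt32($buf); $p = [IntPtr]::Size; $denyOnly = 0
for ($i = 0; $i -lt $count; $i++) {
    # entry i starts at buf + p + i*2p; its Attributes DWORD follows the Sid pointer
    $attr = $M::ReadInt32([IntPtr]($buf.ToInt64() + $p + $i * 2 * $p + $p))
    if ($attr -band 0x10) { $denyOnly++ }   # SE_GROUP_USE_FOR_DENY_ONLY
}
$M::FreeHGlobal($buf)

[pscustomobject]@{ Process = $proc.ProcessName; Id = $ProcessId
    Restricted = [Win32.Tok]::IsTokenRestricted($tok); AppContainer = $isAppContainer
    Integrity = "$($names[$level]) ($($ilSid.Value))"; DenyOnlyGroups = "$denyOnly of $count" }
[void][Win32.Tok]::CloseHandle($tok)
```

Running it against a sandboxed browser worker that shows the yellow icon should report Restricted as True and most groups as deny-only, while an unsandboxed process of the same user reports a normal token at Medium integrity.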
