Sandbox (computer security)

Last updated April 18, 2024

In computer security, a sandbox is a security mechanism for separating running programs, usually in an effort to mitigate system failures and/or software vulnerabilities from spreading. The isolation metaphor is taken from the idea of children who do not play well together, so each is given their own sandbox to play in alone. It is often used to execute untested or untrusted programs or code, possibly from unverified or untrusted third parties, suppliers, users or websites, without risking harm to the host machine or operating system.^[1] A sandbox typically provides a tightly controlled set of resources for guest programs to run in, such as storage and memory scratch space. Network access, the ability to inspect the host system, or read from input devices are usually disallowed or heavily restricted.

Implementations

A sandbox is implemented by executing the software in a restricted operating system environment, thus controlling the resources (e.g. file descriptors, memory, file system space, etc.) that a process may use.^[3]

Examples of sandbox implementations include the following:

Linux application sandboxing, built on Seccomp, cgroups and Linux namespaces. Notably used by Systemd, Google Chrome, Firefox, Firejail.
Android was the first mainstream operating system to implement full application sandboxing, built by assigning each application its own Linux user ID.^[4]
Apple App Sandbox is required for apps distributed through Apple's Mac App Store and iOS/iPadOS App Store, and recommended for other signed apps.^[5]^[6]
Windows Vista and later editions include a "low" mode process running, known as "User Account Control" (UAC), which only allows writing in a specific directory and registry keys. Windows 10 Pro, from version 1903, provides a feature known as Windows Sandbox.^[7]
Google Sandboxed API.^[8]
Virtual machines emulate a complete host computer, on which a conventional operating system may boot and run as on actual hardware. The guest operating system runs sandboxed in the sense that it does not function natively on the host and can only access host resources through the emulator.
A jail: network-access restrictions, and a restricted file system namespace. Jails are most commonly used in virtual hosting.^[9]
Rule-based execution gives users full control over what processes are started, spawned (by other applications), or allowed to inject code into other applications and have access to the net, by having the system assign access levels for users or programs according to a set of determined rules.^[10] It also can control file/registry security (what programs can read and write to the file system/registry). In such an environment, viruses and Trojans have fewer opportunities for infecting a computer. The SELinux and Apparmor security frameworks are two such implementations for Linux.
Security researchers rely heavily on sandboxing technologies to analyse malware behavior. By creating an environment that mimics or replicates the targeted desktops, researchers can evaluate how malware infects and compromises a target host. Numerous malware analysis services are based on the sandboxing technology.^[11]
Google Native Client is a sandbox for running compiled C and C++ code in the browser efficiently and securely, independent of the user's operating system.^[12]
Capability systems can be thought of as a fine-grained sandboxing mechanism, in which programs are given opaque tokens when spawned and have the ability to do specific things based on what tokens they hold. Capability-based implementations can work at various levels, from kernel to user-space. An example of capability-based user-level sandboxing involves HTML rendering in a Web browser.
Secure Computing Mode (seccomp) strict mode, seccomp only allows the write(), read(), exit(), and sigreturn() system calls.
HTML5 has a "sandbox" attribute for use with iframes.^[13]
Java virtual machines include a sandbox to restrict the actions of untrusted code, such as a Java applet.
The .NET Common Language Runtime provides Code Access Security to enforce restrictions on untrusted code.
Software Fault Isolation (SFI),^[14] allows running untrusted native code by sandboxing all store, read and jump assembly instructions to isolated segments of memory.

Some of the use cases for sandboxes include the following:

Online judge systems to test programs in programming contests.
New-generation pastebins allowing users to execute pasted code snippets on the pastebin's server.

Related Research Articles

Java applets were small applications written in the Java programming language, or another programming language that compiles to Java bytecode, and delivered to users in the form of Java bytecode. The user launched the Java applet from a web page, and the applet was then executed within a Java virtual machine (JVM) in a process separate from the web browser itself. A Java applet could appear in a frame of the web page, a new application window, a program from Sun called appletviewer, or a stand-alone tool for testing applets.

Wine is a free and open-source compatibility layer to allow application software and computer games developed for Microsoft Windows to run on Unix-like operating systems. Developers can compile Windows applications against WineLib to help port them to Unix-like systems. Wine is predominantly written using black-box testing reverse-engineering, to avoid copyright issues. No code emulation or virtualization occurs. Wine is primarily developed for Linux and macOS.

In computing, cross-platform software is computer software that is designed to work in several computing platforms. Some cross-platform software requires a separate build for each platform, but some can be directly run on any platform without special preparation, being written in an interpreted language or compiled to portable bytecode for which the interpreters or run-time packages are common or standard components of all supported platforms.

A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed and often masks its existence or the existence of other software. The term rootkit is a compound of "root" and the word "kit". The term "rootkit" has negative connotations through its association with malware.

chroot is an operation on Unix and Unix-like operating systems that changes the apparent root directory for the current running process and its children. A program that is run in such a modified environment cannot name files outside the designated directory tree. The term "chroot" may refer to the chroot(2) system call or the chroot(8) wrapper program. The modified environment is called a chroot jail.

Systrace is a computer security utility which limits an application's access to the system by enforcing access policies for system calls. This can mitigate the effects of buffer overflows and other security vulnerabilities. It was developed by Niels Provos and runs on various Unix-like operating systems.

In computer security, mandatory access control (MAC) refers to a type of access control by which the operating system or database constrains the ability of a subject or initiator to access or generally perform some sort of operation on an object or target. In the case of operating systems, a subject is usually a process or thread; objects are constructs such as files, directories, TCP/UDP ports, shared memory segments, IO devices, etc. Subjects and objects each have a set of security attributes. Whenever a subject attempts to access an object, an authorization rule enforced by the operating system kernel examines these security attributes and decides whether the access can take place. Any operation by any subject on any object is tested against the set of authorization rules to determine if the operation is allowed. A database management system, in its access control mechanism, can also apply mandatory access control; in this case, the objects are tables, views, procedures, etc.

A hypervisor, also known as a virtual machine monitor (VMM) or virtualizer, is a type of computer software, firmware or hardware that creates and runs virtual machines. A computer on which a hypervisor runs one or more virtual machines is called a host machine, and each virtual machine is called a guest machine. The hypervisor presents the guest operating systems with a virtual operating platform and manages the execution of the guest operating systems. Unlike an emulator, the guest executes most instructions on the native hardware. Multiple instances of a variety of operating systems may share the virtualized hardware resources: for example, Linux, Windows, and macOS instances can all run on a single physical x86 machine. This contrasts with operating-system–level virtualization, where all instances must share a single kernel, though the guest operating systems can differ in user space, such as different Linux distributions with the same kernel.

seccomp is a computer security facility in the Linux kernel. seccomp allows a process to make a one-way transition into a "secure" state where it cannot make any system calls except exit , sigreturn , read and write to already-open file descriptors. Should it attempt any other system calls, the kernel will either just log the event or terminate the process with SIGKILL or SIGSYS. In this sense, it does not virtualize the system's resources but isolates the process from them entirely.

OS-level virtualization is an operating system (OS) virtualization paradigm in which the kernel allows the existence of multiple isolated user space instances, called containers, zones, virtual private servers (OpenVZ), partitions, virtual environments (VEs), virtual kernels, or jails. Such instances may look like real computers from the point of view of programs running in them. A computer program running on an ordinary operating system can see all resources of that computer. However, programs running inside of a container can only see the container's contents and devices assigned to the container.

Application virtualization is a software technology that encapsulates computer programs from the underlying operating system on which they are executed. A fully virtualized application is not installed in the traditional sense, although it is still executed as if it were. The application behaves at runtime like it is directly interfacing with the original operating system and all the resources managed by it, but can be isolated or sandboxed to varying degrees.

A sandbox is a testing environment that isolates untested code changes and outright experimentation from the production environment or repository, in the context of software development including Web development, automation and revision control.

The following is a timeline of virtualization development. In computing, virtualization is the use of a computer to simulate another computer. Through virtualization, a host simulates a guest by exposing virtual hardware devices, which may be done through software or by allowing access to a physical device connected to the machine.

FreeBSD is a free and open-source Unix-like operating system descended from the Berkeley Software Distribution (BSD). The first version of FreeBSD was released in 1993 developed from 386BSD and the current version runs on x86, ARM, PowerPC and RISC-V processors. The project is supported and promoted by the FreeBSD Foundation.

Google Native Client (NaCl) is a discontinued sandboxing technology for running either a subset of Intel x86, ARM, or MIPS native code, or a portable executable, in a sandbox. It allows safely running native code from a web browser, independent of the user operating system, allowing web apps to run at near-native speeds, which aligns with Google's plans for ChromeOS. It may also be used for securing browser plugins, and parts of other applications or full applications such as ZeroVM.

Mobile security, or mobile device security, is the protection of smartphones, tablets, and laptops from threats associated with wireless computing. It has become increasingly important in mobile computing. The security of personal and business information now stored on smartphones is of particular concern.

The Java software platform provides a number of features designed for improving the security of Java applications. This includes enforcing runtime constraints through the use of the Java Virtual Machine (JVM), a security manager that sandboxes untrusted code from the rest of the operating system, and a suite of security APIs that Java developers can utilise. Despite this, criticism has been directed at the programming language, and Oracle, due to an increase in malicious programs that revealed security vulnerabilities in the JVM, which were subsequently not properly addressed by Oracle in a timely manner.

Snap is a software packaging and deployment system developed by Canonical for operating systems that use the Linux kernel and the systemd init system. The packages, called snaps, and the tool for using them, snapd, work across a range of Linux distributions and allow upstream software developers to distribute their applications directly to users. Snaps are self-contained applications running in a sandbox with mediated access to the host system. Snap was originally released for cloud applications but was later ported to also work for Internet of Things devices and desktop applications.

<span class="mw-page-title-main">Genode</span> Free and open-source software operating system

Genode is a free and open-source software operating system (OS) framework consisting of a microkernel abstraction layer and a set of user space components. The framework is notable as one of the few open-source operating systems not derived from a proprietary OS, such as Unix. The characteristic design philosophy is that a small trusted computing base is of primary concern in a security-oriented OS.

Android devices have the ability to run virtual machines or emulate other operating systems. It does this either via desktop virtualization, platform virtualization, or emulation via compatibility layer.

References

↑ Goldberg, Ian; Wagner, David; Thomas, Randi & Brewer, Eric (1996). "A Secure Environment for Untrusted Helper Applications (Confining the Wily Hacker)" (PDF). Proceedings of the Sixth USENIX UNIX Security Symposium. Retrieved 25 October 2011.
↑ Geier, Eric (2012-01-16). "How to Keep Your PC Safe With Sandboxing". TechHive. Archived from the original on 2014-07-12. Retrieved 2014-07-03.
↑ "Sandboxing Applications" (PDF). 2001. Retrieved 7 May 2013.
↑ "Application Sandbox - Android Open Source Project" . Retrieved 2021-04-02.
↑ "About App Sandbox". developer.apple.com. Retrieved 2020-12-09.
↑ "Security of runtime process in iOS and iPadOS". Apple Support. Retrieved 2021-04-04.
↑ "Windows Sandbox". 2018-12-18. Retrieved 2010-01-07.
↑ google/sandboxed-api, Google, 2020-12-08, retrieved 2020-12-09
↑ "Auto-Sandboxing secure system" . Retrieved 2015-01-30.
↑ "Computer System Security and Access Controls". 1991. Archived from the original on 28 May 2013. Retrieved 17 May 2013.
↑ "Native Client Sandbox – Untrusted x86 Native Code" (PDF). Retrieved 2015-01-03.
↑ Welcome to Native Client
↑ Internet Explorer Team Blog (14 July 2011). "Defense in Depth: Locking Down Mash-Ups with HTML5 Sandbox". IEBlog.
↑ Wahbe, Robert (1993). "Efficient Software-Based Fault Isolation" (PDF).

External links

Security In-Depth for Linux Software: Preventing and Mitigating Security Bugs
Sandbox – The Chromium Projects
FreeBSD capsicum(4) man page – a lightweight OS capability and sandbox framework
OpenBSD pledge(2) man page – a way to restrict system operations
Sandbox testing importance Archived 2021-04-26 at the Wayback Machine {sandbox} Importance of sandbox in zero day flaw

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] Goldberg, Ian; Wagner, David; Thomas, Randi & Brewer, Eric (1996). "A Secure Environment for Untrusted Helper Applications (Confining the Wily Hacker)" (PDF). Proceedings of the Sixth USENIX UNIX Security Symposium. Retrieved 25 October 2011.

[2] Geier, Eric (2012-01-16). "How to Keep Your PC Safe With Sandboxing". TechHive. Archived from the original on 2014-07-12. Retrieved 2014-07-03.

[3] "Sandboxing Applications" (PDF). 2001. Retrieved 7 May 2013.

[4] "Application Sandbox - Android Open Source Project" . Retrieved 2021-04-02.

[5] "About App Sandbox". developer.apple.com. Retrieved 2020-12-09.

[6] "Security of runtime process in iOS and iPadOS". Apple Support. Retrieved 2021-04-04.

[7] "Windows Sandbox". 2018-12-18. Retrieved 2010-01-07.

[8] google/sandboxed-api, Google, 2020-12-08, retrieved 2020-12-09

[9] "Auto-Sandboxing secure system" . Retrieved 2015-01-30.

[10] "Computer System Security and Access Controls". 1991. Archived from the original on 28 May 2013. Retrieved 17 May 2013.

[11] "Native Client Sandbox – Untrusted x86 Native Code" (PDF). Retrieved 2015-01-03.

[12] Welcome to Native Client

[13] Internet Explorer Team Blog (14 July 2011). "Defense in Depth: Locking Down Mash-Ups with HTML5 Sandbox". IEBlog.

[14] Wahbe, Robert (1993). "Efficient Software-Based Fault Isolation" (PDF).

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

Sandbox (computer security)

Contents

Implementations

See also

Related Research Articles

References

External links