Let’s Play in Sandboxes!


Children like to play in a sandbox. Computer users should also play in sandboxes… to increase their security! A sandbox is a mechanism (a piece of software) used to execute untrusted applications. A sandbox can be seen as a lightweight virtualization system. True virtualization (performed with products like VMware, VirtualBox or Virtual PC) works differently: you run several instances of one or more operating systems on the same hardware platform. With a sandbox, you just protect some resources (memory, devices or file systems) from being modified by the untrusted program.

Why use a sandbox?
All untrusted or dangerous applications should be run in a sandbox! Personally, I run the following applications “sandboxed”:

  • Web browsers (Firefox as well as Internet Explorer)
  • Instant messaging client
  • Untrusted applications

How does it work?
Have a look at the following schema:

Sandbox Schema

When running “sandboxed”, the application does not have direct write access to the computer resources (files, disk devices, registry keys, process and thread objects, driver objects, and the objects used for inter-process communication: named pipes and mailslot objects, events, mutexes (“mutants” in NT speak), semaphores, sections and LPC ports). Read operations are simple: data are fetched directly from the OS. Write operations are intercepted and the data are stored in the container only. Finally, for updates, a copy of the data is first fetched from the OS and then modified in the container, so the original on the host is never touched.

Other restrictions can be applied:

  • Restrict Internet access.
  • File access granularity (direct access, full access, blocked or read-only) per file or directory.
  • Access to the registry (direct, blocked or read-only).
  • Inter-process communication (IPC) with programs outside the sandbox.
  • Access to windows belonging to other programs.
  • Low-level operations (e.g. loading kernel modules/drivers).

The sandbox can be configured to automatically start specific applications “sandboxed”, like a web browser. All processes started by a sandboxed application remain in the same sandbox. For other applications, you can use the shell integration, which adds a new option to the Explorer context menu: “Run Sandboxed”.

It’s really easy to test applications. Once installed, you don’t need to uninstall them: just delete the sandbox content and your system remains clean (like the snapshot feature of VMware). There are also mechanisms to retrieve files from a sandbox (for example, a file you downloaded from the Internet). Recovery can be automatic or manual (based on directories). You can also browse the content of a sandbox.

Tip: there is no limit on the number of sandboxes, so create one per “application group” (e.g. browsers, Internet, suspicious, …). It’s impressive to see the amount of files a Windows application can create!

The Sandbox I use is Sandboxie.
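To make the mechanism concrete, here is a toy model of the redirection rules above (reads fetched from the OS, writes stored in the container only, updates as copy-then-modify), the per-path access levels (direct, full, blocked, read-only) and the recovery and “delete the sandbox content” operations. This is an added example, not Sandboxie’s own code: the host file system and the policy are constructed in-memory dictionaries so it runs offline, and the `Sandbox`, `Access`, `rule_for`, `recover` and `wipe` names, as well as the paths, are hypothetical.

```python
"""Toy model of a copy-on-write sandbox (added example, not Sandboxie's code).
The host "file system" and the policy are constructed in-memory dicts so the
model runs offline; class, method and path names are hypothetical."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Access(Enum):
    FULL = "full"            # reads fall through, writes land in the container
    DIRECT = "direct"        # no redirection: the program touches the real file
    READ_ONLY = "read-only"  # reads fall through, writes are refused
    BLOCKED = "blocked"      # neither reads nor writes


class SandboxDenied(PermissionError):
    """Raised when the policy refuses an operation."""


@dataclass
class Sandbox:
    host: dict[str, str]                                     # real OS resources
    policy: dict[str, Access] = field(default_factory=dict)  # path prefix -> rule
    container: dict[str, str] = field(default_factory=dict)  # sandboxed copies

    def rule_for(self, path: str) -> Access:
        # Longest matching prefix wins; unlisted paths get FULL (redirected) access.
        # A real implementation would normalise paths and match whole components.
        best, rule = "", Access.FULL
        for prefix, access in self.policy.items():
            if path.startswith(prefix) and len(prefix) > len(best):
                best, rule = prefix, access
        return rule

    def read(self, path: str) -> str:
        rule = self.rule_for(path)
        if rule is Access.BLOCKED:
            raise SandboxDenied(f"read blocked: {path}")
        # A container copy shadows the host copy; otherwise data comes from the OS.
        if rule is not Access.DIRECT and path in self.container:
            return self.container[path]
        if path not in self.host:
            raise FileNotFoundError(path)
        return self.host[path]

    def write(self, path: str, data: str) -> None:
        rule = self.rule_for(path)
        if rule in (Access.BLOCKED, Access.READ_ONLY):
            raise SandboxDenied(f"write refused ({rule.value}): {path}")
        if rule is Access.DIRECT:
            self.host[path] = data       # direct access: the real resource changes
        else:
            self.container[path] = data  # redirected: only the container changes

    def append(self, path: str, data: str) -> None:
        # Update: fetch the current copy (host or container), modify it in the box.
        try:
            current = self.read(path)
        except FileNotFoundError:
            current = ""
        self.write(path, current + data)

    def recover(self, prefix: str) -> list[str]:
        # Recovery: move files under a chosen directory (e.g. Downloads) to the host.
        moved = [p for p in sorted(self.container) if p.startswith(prefix)]
        for path in moved:
            self.host[path] = self.container.pop(path)
        return moved

    def wipe(self) -> None:
        self.container.clear()  # "delete the sandbox content": all changes vanish


# Constructed sample paths for the demo session below.
NOTES = r"C:\Users\me\Documents\notes.txt"
HOSTS = r"C:\Windows\System32\drivers\etc\hosts"
SETUP = r"C:\Users\me\Downloads\setup.exe"


def demo() -> dict[str, object]:
    host = {HOSTS: "127.0.0.1 localhost\n", NOTES: "hello\n"}  # constructed host
    box = Sandbox(host, policy={r"C:\Windows": Access.READ_ONLY,
                                r"C:\Users\me\Secrets": Access.BLOCKED})
    box.append(NOTES, "edited in the box\n")  # update: copy-then-modify
    box.write(SETUP, "MZ")                    # new file exists in the box only
    try:
        box.write(HOSTS, "0.0.0.0 example.invalid\n")
        hosts_write = "allowed"
    except SandboxDenied:
        hosts_write = "refused"
    seen_in_box = box.read(NOTES)
    recovered = box.recover(r"C:\Users\me\Downloads")
    box.wipe()
    return {
        "seen_in_box": seen_in_box,       # "hello\nedited in the box\n"
        "host_after": host[NOTES],        # still "hello\n"
        "hosts_write": hosts_write,       # "refused"
        "recovered": recovered,           # [SETUP]
        "after_wipe": box.read(NOTES),    # "hello\n"
        "host_has_setup": SETUP in host,  # True
    }
```

The `demo()` session shows the three properties the post relies on: the sandboxed program sees its own edit of `notes.txt` while the host copy is untouched, a write under the read-only `C:\Windows` prefix is refused, and after recovering the download and wiping the container the only trace left on the host is the deliberately recovered file.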

2 comments

  1. Trusting sandboxie sounds good, however, how can you trust sandboxie itself, as it is not open source?

    selc

  2. Great summary of sandboxing. I’m a huge fan of sandboxie and use it all the time too.
    -Christian
