Sandbox (computer security)
- This article is about the computer security mechanism. For the Wikipedia feature, where newcomers can experiment with editing or established editors can experiment with new features, see Wikipedia:Sandbox.
- For the software testing practice, see sandbox (software development).
In computer security, a sandbox is a security mechanism for separating running programs. It is often used to execute untested code, or untrusted programs from unverified third parties, suppliers, untrusted users and untrusted websites.
The sandbox typically provides a tightly controlled set of resources for guest programs to run in, such as scratch space on disk and memory. Network access, the ability to inspect the host system or read from input devices are usually disallowed or heavily restricted. In this sense, sandboxes are a specific example of virtualization.
Examples
Some examples of sandboxes are:
- Applets are self-contained programs that run in a virtual machine or scripting language interpreter that does the sandboxing. In application streaming schemes, the applet is downloaded onto a remote client and may begin executing before it arrives in its entirety. Applets are common in web browsers, which use the mechanism to safely execute untrusted code embedded in web pages. Three common applet implementations—Adobe Flash, Java applets and Silverlight—provide (at minimum) a rectangular window with which to interact with the user and some persistent storage (at the user's permission).
- A jail is a set of resource limits imposed on programs by the operating system kernel. It can include I/O bandwidth caps, disk quotas, network access restrictions and a restricted filesystem namespace. Jails are most commonly used in virtual hosting.
- Rule-based execution gives users full control over what processes are started, spawned (by other applications), or allowed to inject code into other applications and have access to the net. It can also control file/registry security (which programs can read and write to the file system/registry). As such, viruses and trojans are less likely to infect your PC. The SELinux and AppArmor security frameworks are two such implementations for Linux.
- Virtual machines emulate a complete host computer, on which a conventional operating system may boot and run as on actual hardware. The guest operating system is sandboxed in the sense that it does not run natively on the host and can only access host resources through the emulator.
- Sandboxing on native hosts: Security researchers rely heavily on sandboxing technologies to analyse malware behaviour. By creating an environment that mimics or replicates the targeted desktops, researchers can evaluate how malware infects and compromises a target host.
- Capability systems can be thought of as a fine-grained sandboxing mechanism, in which programs are given opaque tokens when spawned and have the ability to do specific things based on what tokens they hold. Capability-based implementations can work at various levels, from kernel to user-space. An example of capability-based user-level sandboxing would be HTML rendering in Google Chrome.
- Online judge systems to test programs in programming contests.
- New generation pastebins allowing users to execute pasted code snippets.
- Linux's Secure Computing Mode (seccomp) is a sandbox built into the Linux kernel. When activated, seccomp only allows the write, read, exit and sigreturn system calls.
- HTML5 has a 'sandbox' attribute for use with iframes.
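The seccomp entry above, as an added example that is not part of the original article: a Linux C program that forks a child into seccomp strict mode and shows an allowed write succeeding while a getpid call outside the allowed set ends in SIGKILL. The function name, outcome codes and message text are this example's own.

```c
#define _GNU_SOURCE
#include <linux/seccomp.h>
#include <signal.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcome codes; the names are this example's own. */
enum { EXITED_CLEANLY, KILLED_BY_KERNEL, SECCOMP_UNAVAILABLE, HARNESS_ERROR };

/* Fork a child, switch it into seccomp strict mode, and optionally have it
 * issue one system call outside the allowed set (getpid). */
int run_in_strict_seccomp(int try_forbidden_call)
{
    static const char msg[] = "write() still works inside the sandbox\n";
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return HARNESS_ERROR;
    if (pid == 0) {
        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT) != 0)
            _exit(42);   /* not sandboxed yet, so the normal exit path works */
        syscall(SYS_write, STDOUT_FILENO, msg, sizeof msg - 1); /* allowed */
        if (try_forbidden_call)
            syscall(SYS_getpid);   /* not allowed: the kernel sends SIGKILL */
        /* glibc's _exit() issues exit_group, which strict mode rejects,
         * so leave through the raw exit system call instead. */
        syscall(SYS_exit, 0);
    }
    if (waitpid(pid, &status, 0) != pid)
        return HARNESS_ERROR;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGKILL)
        return KILLED_BY_KERNEL;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 42)
        return SECCOMP_UNAVAILABLE;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
        return EXITED_CLEANLY;
    return HARNESS_ERROR;
}

int main(void)
{
    /* Exit status 0 means both behaviours were observed. */
    return !(run_in_strict_seccomp(0) == EXITED_CLEANLY &&
             run_in_strict_seccomp(1) == KILLED_BY_KERNEL);
}
```

The transition is one-way: once the child has entered strict mode it cannot leave it, which is why the demonstration runs in a forked process rather than in the caller.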
See also
- Google Chrome tabs and processes are all sandboxed.
- Chroot
- Kaspersky Internet Security
- Sandbox (software development)
- Sandbox effect (search engines)
- Avast Pro (security software with sandbox feature)
- Comodo Internet Security (security software with sandbox feature)
- Sandboxie (sandbox security software)
- iCore Virtual Accounts (sandbox security software)
- Returnil Virtual System (sandbox security software)
- Avast Antivirus has the feature of a sandbox
- iOS applications from the App Store are sandboxed.
- Mac OS X Lion has sandboxing abilities for applications
- The Mac App Store will require all applications to be sandboxed by March 1st, 2012