Saturday, February 23, 2008

what is a sandbox?

in the anti-malware sense a sandbox is a (generally) simulated computer environment in which untrusted software (ie. potential malware) can be run while still keeping the trusted host environment isolated from it...

a sandbox can be implemented in more than one way, the most well known is probably the virtual machine... a virtual machine based sandbox is one where the computer hardware itself is simulated and an OS and other software run on top of that simulated hardware...

another type of sandbox is one that simulates access to resources (such as files or the registry) of an existing system by trapping attempts by programs running in the sandbox to access those resources and redirecting those access attempts to copies residing within the sandbox environment... this uses less resources than a traditional virtual machine and can be used in a more transparent way by end users because it doesn't set up a completely separate system which may or may not be similar to the host system they're likely familiar with (nor do they have to try to wrap their heads around the idea of a computer within a computer)...

a third (but much more primitive) technique which could arguably be considered a kind of sandbox is the use of different drive images to separate the main computing environment from other environments used for running untrusted code... this has the problem that the environment for trusted programs and the one for untrusted programs can't be in operation on the same computer at the same time, which makes it a little inconvenient if you only have one physical system...

ultimately these technologies are all meant to try to replace the original practice of using a physically separate computer dedicated to testing... a second physical computer for untrusted programs is probably the least convenient way to isolate a trusted environment from untrusted code but it is also probably the most secure...

back to index

7 comments:

Ilya Rabinovich said...

Hi Kurt!

I see nothing about policy-based sandboxing here. Policy-based sandboxes do not redirects file and registry modification attempts, but rather automatically block or allow them according their inner policy ruleset.

kurt wismer said...

the reason you see nothing about it is because i don't think it belongs in a discussion about sandboxes....

a sandbox in it's purest form is an environment in which untrusted/untested/unknown code can run unchecked and still do no harm to the trusted host environment...

it's about separating such code from the host environment, not blocking predefined or user-defined behaviours in the trusted host environment...

blocking behaviours is more properly the domain of behaviour blockers...

Ilya Rabinovich said...

Hi Kurt!

OK, I understand your position...

Tritty said...

Hi Kurt,
where can i learn more about this sandbox technology

kurt wismer said...

@tritty: sandboxing isn't so much a single technology as much as it is a general classification of techniques that present an isolated, low-value environment to potential attacks rather than the system we want to protect. it's sort of like a decoy in that respect.

there are a number of different ways it can be accomplished, as i described in the post. for the most widely used methods (right now) you'll want to research "application virtualization" or "virtual machines". those are two different techniques for implementing a sandbox.

Anonymous said...

so a sandbox is a malware which ca be a fake source that can copy our detail to the others , it can be a phishing method that can trap user information .

kurt wismer said...

@anonymous
i'm not sure how you got the impression that a sandbox is malware. that's the complete opposite of what i meant. sandboxes are something you can use to protect yourself from malware, rather than being malware themselves.