Better Security through Sandboxing

Published on 2 June 2010 / Last Updated on 2 June 2010

Taking a look at popular sandboxing methods and discussing just what sandboxing does and does not accomplish, security-wise.

Introduction

Sandboxing refers to creating an isolated environment for running applications that could present a security risk. Some Internet apps are now built with their own sandboxes, but there are several ways you can create a sandboxed environment for any application. In this article, we will look at popular sandboxing methods and discuss just what sandboxing does, and does not, accomplish security-wise.

History of Sandboxing

A child’s sandbox is a container designed to keep the sand within a confined area, as sand that is not confined can create a big mess. In the computer security world, a sandbox acts as a virtual container where untrusted programs can run without making a big mess by exposing the primary operating system and other applications to risk. The concept of a protected environment has been around for a long time, although it has gone by other names. The Hydra operating system, designed in the 1970s as part of a project at Carnegie-Mellon University, was built on the idea that all procedures are protected and carry their own execution domains.

Sun also created subsets of resources that they called dynamic system domains, and later introduced Solaris Containers, which were execution environments that existed within one instance of Solaris. This morphed into “zones” in Solaris 10, which is also called a “trusted container.”

FreeBSD uses a mechanism they call jails, which are independent environments implemented via operating-system level virtualization. Each jail is a virtual environment with its own files, processes and user accounts, bound to a different IP address, and each jail is completely sealed off from the others.

Since that time, sandboxing has gone from an obscure protective mechanism to a broadly applied set of methods for isolating anything from certain system calls to entire applications to complete operating system environments. The increased popularity and ease of use of virtualization technologies have made sandboxing much easier. An early use of virtual machines was to create testbed environments that were separate from the production environment, on which you could deploy new OS or application software and discover whether it “plays nice” with your existing programs – without the risk of interfering with the users on your production network.

Examples of Sandboxing

Applications can be written so that some or all processes run in a sandbox. Google has widely touted the fact that the Chrome web browser uses sandboxing, but most people don’t realize that it actually relies upon the built-in Windows security model, utilizing the Windows access token, which Chrome modifies to remove all privileges and disable all groups. It’s also important to note that this is dependent on the NTFS file system and doesn’t work on systems with partitions formatted in any type of FAT. The sandbox also cannot protect against objects that are misconfigured by application vendors. You can read more about Google’s sandboxing here.
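The token behaviour described above, as a simplified Python model added for illustration (it is not Chrome's or Windows' code). The SID names, the sample objects, and the choice to treat the user's own SID as one of the disabled SIDs and a NULL DACL as the "misconfigured object" are assumptions of the model.

```python
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2

@dataclass(frozen=True)
class Ace:
    allow: bool      # True = access-allowed ACE, False = access-denied ACE
    sid: str
    mask: int

@dataclass(frozen=True)
class Token:
    sids: dict       # SID -> True (enabled) or False (disabled, deny-only)
    privileges: frozenset

def lock_down(token):
    """Model of the sandboxed token: no privileges, every SID disabled."""
    return Token({sid: False for sid in token.sids}, frozenset())

def access_check(token, dacl, desired):
    """Simplified DACL walk. dacl=None models an object with no usable
    security descriptor: a NULL DACL, or a file on a FAT volume."""
    if dacl is None:
        return True                      # nothing to check the token against
    granted = 0
    for ace in dacl:                     # ACEs are evaluated in order
        if ace.sid not in token.sids:
            continue
        if not ace.allow and ace.mask & desired & ~granted:
            return False                 # deny ACEs still match disabled SIDs
        if ace.allow and token.sids[ace.sid]:
            granted |= ace.mask          # allow ACEs need an enabled SID
        if granted & desired == desired:
            return True
    return False

# Constructed sample token and objects (hypothetical names)
USER = Token({"alice": True, "Users": True, "Everyone": True},
             frozenset({"SeChangeNotifyPrivilege", "SeShutdownPrivilege"}))
SANDBOXED = lock_down(USER)
NTFS_DOC = [Ace(True, "alice", READ | WRITE), Ace(True, "Users", READ)]
OBJECTS = {"ntfs_doc": NTFS_DOC, "null_dacl_object": None, "fat_file": None}

def survey(token, desired=WRITE):
    """Which sample objects can this token open for the desired access?"""
    return {name: access_check(token, dacl, desired)
            for name, dacl in OBJECTS.items()}
```

Calling `survey(SANDBOXED)` shows the locked-down token losing the NTFS file while the NULL-DACL object and the FAT file stay reachable, which is why both caveats in the paragraph matter.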

There are proprietary software programs for creating sandboxed environments. One example of these is Sandboxie, created by Ronen Tzur. It runs on Windows 2000, XP, Vista and Windows 7 and is intended for running the web browser, email client, IM client, P2P software, online games and other programs that are vulnerable to attack or malware, to keep them isolated from the Windows OS. You can create multiple sandboxes (in the paid version) and force certain programs to always run in a sandbox. One difference between Sandboxie and some other isolation products is that it sandboxes individual components such as files, registry keys, and driver objects, rather than sandboxing the disk as a whole. Because of this, Sandboxie cannot sandbox system drivers. You can find out more about Sandboxie here.

Another sandboxing solution is BufferZone from Trustware. It creates a “virtual zone” on the hard drive (c:\Virtual by default) to hold the modifications made by Internet programs, downloads, browsing activity, etc. You can find out more about it here.

In 2009, Microsoft released an open source virtualization technology for web developers called Web Sandbox, which was a JavaScript virtual machine designed to prevent third party scripts from impacting other code on a web page. Each virtual machine has its own scope and provides full isolation of namespaces. The environment is modeled on top of traditional HTML documents and untrusted code executes in a virtual machine instead of directly in the web browser. You can find out more about Web Sandbox on the LiveLabs.com web site.

Sandboxing with OS Virtualization Software

It is obvious from the brief overviews of popular sandboxing programs that most are based on some type of virtualization. Why not use popular virtualization software such as Virtual PC, VMware or Hyper-V to create isolated environments? Why do none of those virtualization solutions tout sandboxing as a main use for their products? In fact, you can create a sandbox with popular VM software products and some people and companies are using virtualization for that purpose. However, there are some caveats to be aware of.

Desktop Integration

In the past, it was more difficult for end users to use VMs because of the complexity – they had to launch a virtualization program and boot up a particular virtual machine before they could use the applications installed in it. Now, with desktop integration such as you get with Windows Virtual PC and XP Mode or with VMware Workstation’s Unity feature, the apps in the VM appear on the Start menu of the host operating system and are accessed the same way as a local application, so the fact that they’re running in a VM is transparent to the users.

Microsoft designed XP Mode as a compatibility solution, to allow users to run older applications that need to run on Windows XP from their Windows 7 desktops, and it is a free add-on for Windows 7 Professional, Enterprise and Ultimate editions. But even if your users don’t have any older applications that require XP Mode, you can use it to create a sandboxed environment. For example, when users visit web sites that expose them to malware or other security risks, they could do it using the web browser that’s installed in the XP VM. You could even configure the web browsers on the host Windows 7 machines so that they’re restricted to visiting only safe sites, but allow more leeway with the virtualized browser. Then if a user does visit a malicious site, it won’t pose a threat to the Windows 7 operating system. You can download XP Mode here.

If your users are still using XP or Vista as their primary operating systems, you can’t install XP Mode. You could use Microsoft Virtual PC 2007 to create a sandboxed environment, but then you’re back to the original problem of not having the virtualized applications integrated into the host operating system. However, you can use VMware Workstation with its Unity desktop integration feature to accomplish the same thing. Unlike XP Mode on Windows 7 Pro and above, though, VMware Workstation isn’t free; the current version (v7) costs $189.00.

In the enterprise environment, Microsoft Enterprise Desktop Virtualization (MED-V) can be used for the dual purposes of providing application compatibility and providing an environment for running potentially risky applications without directly endangering the host operating system. MED-V provides more centralized control over the virtual environments that are deployed to users’ desktops. Learn more about MED-V here.

Risks of Using OS Virtualization for Sandboxing

The problem with using OS virtualization software to create a sandbox is that some malware can detect when it is running on a virtual system. Those who write malicious code develop virtual machine detection technologies that look for virtual machine environment (VME) artifacts in memory, the file system, the registry or running processes, or look for VME-specific virtual hardware and processor instructions. For example, the fact that the OS is running VMtools is a tip-off that it’s a virtual machine. You might also recall security researcher Joanna Rutkowska’s “Red Pill” tool, introduced back in 2004, that detected VM usage. Other such tools have been distributed on the Internet.

In some cases, detection of a virtual environment just causes the malware to shut down its malicious functionality, so that it cannot be properly analyzed in the virtual environment. Of course, if you are using the VM for sandboxing, this is a good thing, as it means the malware more or less disables itself and therefore may not cause damage to the virtual OS.

Some attackers, however, use the virtual machine detection to then launch attacks that exploit security holes in the VM software, focusing on “virtual machine escape,” whereby the malware

For these reasons, you should never rely on the VM’s isolation abilities as the sole protection. The OS in the VM needs to be kept patched with security updates and needs to run antivirus and antimalware software just like the host OS. For best protection of your production network, connect the VM to a different network. It’s also a good idea to periodically replace the VM image with a new one.

Summary

Sandboxing is a tried and true technique for running risky applications or visiting potentially dangerous web sites. There are a number of ways to create a sandboxed environment – but first, be sure you are aware of all the factors and any risks associated with a particular method of sandboxing. Security should always be multi-layered, so you should not rely on the sandboxed environment, by itself, to provide complete protection.
