Sandboxes exist because sand is fun to play with, but we don’t want it being tracked all over the schoolyard and into the house. If you’ve ever spent any time on a beach, you know how pervasive sand is and how hard it can be to get rid of. Before you know it, there’s sand in the hallways, sand in the laundry, and sand in the shower.
In the computer world, much the same problem exists with programs. Programs running on your computer share the resources of that computer. All your programs use the same static storage such as disk drives, the same memory, and the same central processing unit (CPU). When common resources like this are shared, you can end up with a sand problem. A program ends up all over your computer because it writes data to all parts of your disks, accesses memory from all areas of your memory and sends requests to the CPU along with every other program. We keep sand in a sandbox for the same reason we sandbox computer programs: to contain the sand—-or program—-to a manageable scope.
Basic computer design facilitates this resource sharing. By allowing programs to share resources, the computer can seemingly multi-task and appear to be doing a lot of things at once. This is exactly the type of behaviour we’ve come to demand from our computers, phones, tablets, and watches over the years, but these capabilities can cause undesirable side effects. Programs can behave badly and crash, or cause other programs to crash; they can have a reliance on some other application on the computer that conflicts with the needs of another programs; and, increasingly, programs are malicious and try to access out-of-bounds areas to do bad things.
The world wide web (www) came into existence in 1989, and the first really popular browser, Mosaic, propelled the internet into popular culture. The web was designed to share documents; it was never designed to support what we have now: an internet-based delivery system where software runs in the cloud. This chasm between design and actual use has created innumerable opportunities for bad guys to use web browsers as a delivery mechanism for their malware.
The line where a physical desktop computer ends and the internet begins is very blurred. Most of the programs we run today are partially or completely dependent on a live internet connection to function. With this constant internet connectivity humming away in the background, it becomes obvious that a very attractive attack vector is the programs we use to access the internet. At the top of that list is the venerable web browser. In fact, in 2016 the internet security company Sucuri logged over half a billion (that’s billion with a B) malicious requests aimed at websites and browsers in a single 30-day period.
Because browsers are so prolific and always on, they’re worthy of special attention. Many of today’s browsers are designed to run in their own sandboxes automatically without any set up from the user.
Google Chrome has been sandboxed since the beginning.
Mozilla Firefox took longer to implement sandboxing but is almost 100% there now.
Internet Explorer introduced some level of sandboxing in 2006 with IE 7, and Microsoft Edge sandboxes all processes now.
Apple’s Safari browser runs websites in separate processes as well.
If you’re running an exotic browser, or want an even greater separation between your OS and your browser, you may want to take a look at the manual sandboxing options listed in the next section.
While browsers are a very important weakness in any operating system, by no means are they the only weakness. Any application has the potential to be malicious and therefore the security posture of any computer can be strengthened by the use of sandboxing. Manual sandboxing is the process of purposely configuring your system to sandbox an application that otherwise might have full access to your system.
Desktop virtualization has come a long way in recent years and it is now fairly easy to install and use virtual machines. A virtual machine is as it sounds: a “machine” that is not real. It is really just a piece of software. The most common use of a virtual machine is to install a copy of your operating system into it and run that virtual machine on your desktop as if it was another physical machine. This type of separation provides a great deal of security because programs can only access resources inside the virtual machine. If a piece of malware were to take hold and infect your system, it would only be able to infect the virtual machine, which limits the amount of damage it can do. It’s even possible to run alternative operating systems within a virtual machine such as running a Linux distribution in a virtual machine on a Windows PC.
There are many virtualization applications, each aimed at a specific type of use case. The most popular and mature desktop virtualization applications that normal users can typically handle are VirtualBox and Parallels.
Background: A virtualization consists of two main parts. The term host refers to the actual physical computer that runs the virtualization software. The term guest refers to the operating system running within the virtualization application.
VirtualBox is owned by Oracle and has clients for every major operating system. After installing VirtualBox, you can create a virtual machine by using the New button. You’ll need to provide the operating system installation media because VirtualBox does not come with that. Linux distributions are easily found on the internet – a good list is the website distrowatch and for proprietary operating systems like Windows you will need to have your installation CD handy.
Parallels is very similar to VirtualBox with the notable exception that it only runs on macOS and is specifically built to run Windows in the virtual machine. If you’re looking for that combination —- running Windows on your macOS desktop —- then Parallels may be the best solution for you. Parallels is not free, however there is a 30-day free trial.
Sandboxie’s motto is Trust No Program. It runs solely on Windows and claims to separate running programs from the underlying operating system. The Sandboxie control panel is used to nominate specific programs to run in a sandbox. The most common programs that present the largest threats, such as browsers and email programs, are listed as configuration options by default, and other applications can be added as needed.
The data inside Sandboxie is destroyed when a sandbox is closed, but it is possible to configure Sandboxie to leave important data unaltered. Folders containing emails and web browser bookmarks are examples of data that can survive a sandbox deletion.
Sandboxie is designed for home users and that is reflected in its inexpensive pricing.
QubesOS (pronounces “Cubes”) deserves a special mention for virtualization. Qubes uses the Xen hypervisor instead of VirtualBox. It launches several guest operating systems and each one is separate from the other. This allows the sandboxing of individual applications, each within its own virtual machine, rather then just sandboxing the entire guest operating system. QubesOS’ distinctive difference is that Xen is its own operating system; no “host” operating system runs underneath it. I’ve written more about Qubes and other anonymity-focused Linux distributions here.
Taking the time to sandbox your system can provide a solid defence against many types of malware and help with software development. There is no substitute for a healthy dose of paranoia when using the internet, but isolating your more vulnerable applications can help.
In the early days of computing, the CPU handed out resources on a first-come-first-served basis. This worked well when our computers were not doing much, but these days much more complex methods of resource allocation are used. CPUs fiercely defend the boundaries of the resources they’ve allocated and, if a program attempts to access a resource that has not been specifically designated to it, the program or other programs can crash.
Running a program in a sandbox allows the system to pre-allocate resources such as memory and disk space in advance of the program requesting anything. This ensures that those resources are ready for the program whenever it needs it, and also ensures that no other programs can use those resources.
Every program has numerous versions of itself. Very few programs are perfect in every way upon their initial launch, which is why we’re constantly subjected to the never-ending upgrade cycle. Our devices are forever telling us that updates need to be applied or new versions of our programs are available. It’s important to allow these updates to take place as soon as possible because many of these updates are related to security or performance issues. Putting off upgrades usually renders your device less secure and running in a state that is less than ideal.
Underneath the main applications that we use and interact with every day are a set of helper programs. These programs exist to help the main application run properly. We humans are seldom aware of these programs, but the main program could not function without them. These helper programs are called dependencies in developer parlance. Just like any other program, these dependencies constantly update and change, which is where things can get tricky.
If a main program makes use of a particular function that the dependency supplies, but the dependency is upgraded and suddenly does not have that function any more, then the main application will collapse. The main application doesn’t get the expected result from that dependency. In many cases, the dependency error is so unexpected that the main application will just crash unceremoniously. The main application developer probably isn’t warned in advance about changes to the dependency, so it can be difficult to account for such a situation and handle it gracefully.
Most programmers do their best to ensure backwards compatibility, which means that even if a newer version of their application doesn’t have a function it had in the past, it will still handle requests for that function gracefully so that other applications depending on it will not crash. However, some very notable exceptions such as Java and Python are known for being very difficult to work with during an upgrade. In the Linux world, the well-known phrase “dependency hell” refers to the problems inherent with big system updates. In some cases, dependency programs have their own dependencies, and it’s not unheard of to end up in an upgrade situation where it’s not possible to satisfy all the dependencies. For example, if my Puppy Vet Tracker program needs version 2.0 of some dependent program, but my Daily Star Wars Quote program needs version 1.0 of the same dependent program, then it’s not possible to satisfy that requirement for both programs.
Developers frequently run into this type of issue, and sandboxing is one way to address it. Creating a sandbox and installing my Puppy Vet Tracker into it would allow the dependent program to be upgraded to version 2.0. The main computer system would remain with version 1 of the dependent program, and therefore I can still get my daily Star Wars quote. Win-win.
Consider a situation in which an application shares your computer with all the other running programs. Some of the programs running on your computer may contain sensitive information. Perhaps you have legal documents, budget spreadsheets, or a password manager open, and those applications are storing some data in memory. Malicious programs exist that probe around the areas of the computer assigned to other programs to see what they can find. In recent years, resource allocation has become better so it is harder for a program to access data that is not in areas specifically assigned to it, but hacking techniques such as trying to read beyond the memory assigned to the program can work.
The trick to successful exfiltration of data (the removal of data from your system) has always relied on fooling the computer user into installing malware. This is usually done with social engineering or phishing tactics and can result in wholesale compromise of a system where every file can be stolen.
Sandboxing programs can provide a very strong defence against malicious programs. When a program is sandboxed properly, it can only access the memory and disk space assigned to it. Therefore, opening sensitive documents in a sandbox will usually prevent the malicious program’s ability to access them because the document isn’t in in the same memory space as the malicious program. Having said that, there is a very concerted effort by hackers to penetrate in, and out, of sandboxes. This is called escaping the virtual environment and is considered to be such a serious type of attack that Microsoft recently paid a $105,000 bounty to a white-hat hacking team that demonstrated it was possible using the Edge Browser.