What is the sandbox?

The sandbox is a C++ library that allows the creation of sandboxed processes — processes that execute within a very restrictive environment. The only resources sandboxed processes can freely use are CPU cycles and memory. For example, sandboxes processes cannot write to disk or display their own windows. What exactly they can do is controlled by an explicit policy. Chromium renderers are sandboxed processes.

What does and doesn’t it protect against?

The sandbox limits the severity of bugs in code running inside the sandbox. Such bugs cannot install persistent malware in the user‘s account (because writing to the filesystem is banned). Such bugs also cannot read and steal arbitrary files from the user’s machine.

(In Chromium, the renderer processes are sandboxed and have this protection. After the NPAPI removal, all remaining plugins are also sandboxed. Also note that Chromium renderer processes are isolated from the system, but not yet from the web. Therefore, domain-based data isolation is not yet provided.).

The sandbox cannot provide any protection against bugs in system components such as the kernel it is running on.

Is the sandbox like what you get with the Java VM?

Yeah, kind of… except that to take advantage of the Java sandbox, you must rewrite your code to use Java. With our sandbox you can add sandboxing to your existing C/C++ applications. Because the code is not executed inside a virtual machine, you get native speed and direct access to the Windows API.

Do I need to install a driver or kernel module? Does the user need to be Administrator?
No and no. The sandbox is a pure user-mode library, and any user can run sandboxed processes.

How can you do this for C++ code if there is no virtual machine?

We leverage the Windows security model. In Windows, code cannot perform any form of I/O (be it disk, keyboard, or screen) without making a system call. In most system calls, Windows performs some sort of security check. The sandbox sets things up so that these security checks fail for the kinds of actions that you don’t want the sandboxed process to perform. In Chromium, the sandbox is such that all access checks should fail.

So how can a sandboxed process such as a renderer accomplish anything?
Certain communication channels are explicitly open for the sandboxed processes; the processes can write and read from these channels. A more privileged process can use these channels to do certain actions on behalf of the sandboxed process. In Chromium, the privileged process is usually the browser process.

Doesn’t Vista have similar functionality?

Yes. It’s called integrity levels (ILs). The sandbox detects Vista and uses integrity levels, as well. The main difference is that the sandbox also works well under Windows XP. The only application that we are aware of that uses ILs is Internet Explorer 7. In other words, leveraging the new Vista security features is one of the things that the sandbox library does for you.

This is very neat. Can I use the sandbox in my own programs?
Yes. The sandbox does not have any hard dependencies on the Chromium browser and was designed to be used with other Internet-facing applications. The main hurdle is that you have to split your application into at least two interacting processes. One of the processes is privileged and does I/O and interacts with the user; the other is not privileged at all and does untrusted data processing.

Isn’t that a lot of work?

Possibly. But it‘s worth the trouble, especially if your application processes arbitrary untrusted data. Any buffer overflow or format decoding flaw that your code might have won’t automatically result in malicious code compromising the whole computer. The sandbox is not a security silver bullet, but it is a strong last defense against nasty exploits.

Should I be aware of any gotchas?

Well, the main thing to keep in mind is that you should only sandbox code that you fully control or that you fully understand. Sandboxing third-party code can be very difficult. For example, you might not be aware of third-party code’s need to create temporary files or display warning dialogs; these operations will not succeed unless you explicitly allow them. Furthermore, third-party components could get updated on the end-user machine with new behaviors that you did not anticipate.

How about COM, Winsock, or DirectX — can I use them?

For the most part, no. We recommend against using them before lock-down. Once a sandboxed process is locked down, use of Winsock, COM, or DirectX will either malfunction or outright fail.

What do you mean by before lock-down? Is the sandboxed process not locked down from the start?

No, the sandboxed process does not start fully secured. The sandbox takes effect once the process makes a call to the sandbox method LowerToken(). This allows for a period during process startup when the sandboxed process can freely get hold of critical resources, load libraries, or read configuration files. The process should call LowerToken() as soon as feasible and certainly before it starts interacting with untrusted data.

Note: Any OS handle that is left open after calling LowerToken() can be abused by malware if your process gets infected. That’s why we discourage calling COM or other heavyweight APIs; they leave some open handles around for efficiency in later calls.

So what APIs can you call?

There is no master list of safe APIs. In general, structure your code such that the sandboxed code reads and writes from pipes or shared memory and just does operations over this data. In the case of Chromium, the entire WebKit code runs this way, and the output is mostly a rendered bitmap of the web pages. You can use Chromium as inspiration for your own memory- or pipe-based IPC.

But can’t malware just infect the process at the other end of the pipe or shared memory?

Yes, it might, if there‘s a bug there. The key point is that it’s easier to write and analyze a correct IPC mechanism than, say, a web browser engine. Strive to make the IPC code as simple as possible, and have it reviewed by others.

Sandbox FAQ相关推荐

1. Ubuntu恶意文件分析环境搭建--安装Cuckoo Sandbox记录

   目录 0x01 基础信息 0x02 主机host操作 1.需要安装的依赖: 2.安装tcpdump并确认安装无误: 3.安装pydeep: 4.安装mongodb: 5.安装Volatility: 6 ...

2. 【多图超详细】从零开始安装配置Cuckoo sandbox并提交样本进行分析

   [多图超详细]从零开始安装配置Cuckoo sandbox并提交样本进行分析 文章目录 [多图超详细]从零开始安装配置Cuckoo sandbox并提交样本进行分析 1. 功能介绍 1.1主要功能 1 ...

3. The Sandbox 与 TOWER 团队共同发起塔防游戏创作大赛

   The Sandbox 与 TOWER 团队达成合作,发起一个全新的塔防游戏大赛! <疯狂塔防物语 (Crazy Defense Heroes)>是 TOWER 经营的一款授权产品,是由 ...

4. 入门指南目录页 -PaddlePaddle 飞桨 入门指南 FAQ合集-深度学习问题

   入门指南目录页 -PaddlePaddle 飞桨 入门指南 FAQ合集 GT_Zhang关注 0.1012019.08.01 18:43:34字数 1,874阅读 795 Hi,欢迎各位来自Paddl ...

5. llvm常见问题 (FAQ)

   llvm常见问题 (FAQ) License 可以修改 LLVM 源代码并重新分发修改后的源代码吗? 可以修改 LLVM 源代码并重新分发基于二进制文件或其它工具,而无需重新分发源代码吗? 源代码 L ...

6. 跨站脚本攻击(XSS)FAQ

   原作者charlee.原始链接http://tech.idv2.com/2006/08/30/xss-faq/以及本声明. 该文章简单地介绍了XSS的基础知识及其危害和预防方法.Web开发人员的必读. ...

7. Mininet FAQ

   2019独角兽企业重金招聘Python工程师标准>>> FAQ lantz edited this page on 20 Oct · 324 revisions Pages 65 M ...

8. srs audio sandbox 注册机_Windows10自带 Sandbox软件测试必备技巧

   Windows 10沙盒,微软赐名:"Windows Sandbox". Windows 10的沙盒功能是为安全运行应用程序而设计的,安装Windows沙盒后,它将为用户建立一个隔 ...

9. 使用Harry过程中FAQ(问题解答)

   使用Harry过程中FAQ(问题解答) Harry-Vue 启动报错信息 Cannot find module错误信息 Harry-Vue 的路由在nginx中刷新出现404 一.Harry-Vue ...

最新文章

1. 大势所趋，应用如何适配Android P HEIF图片格式
2. PHP的void mixed
3. 在windows 2003系统安装oracle11G出现的问题
4. MySQL8.0与MySQL5.7 OLTP 性能测试对比
5. 算法高级（10）-如何实现浏览器的前进、后退功能
6. 通过css裁切图片为菱形图片
7. 《第一行代码》学习笔记11－活动Activity（9）
8. day12-html(css)
9. atitit.html编辑器的设计要点与框架选型 attilax总结
10. 离散傅里叶变换（DFT）/快速傅里叶变换（FFT）matlab
11. C++大纲显示：vs将if、for等语句块折叠
12. 什么是计算机？计算机的硬件系统组成有哪些？
13. 四六级分数根据比例给分
14. async的waterfall
15. 从1.0到4.0，酒类新零售还能跑出几个1919和酒仙网？
16. 联想G40进入BIOS
17. （励志）（转载） 在华为的十年
18. Windows上利用Python自动切换代理IP的终极方案！
19. 美团/饿了么外卖CPS联盟返利公众号小程序核心源码代码
20. 操作系统 - Linux - Ubuntu

热门文章

1. 电化学工作站的原理与应用
2. spoj#GCJ1C09C - Bribe the Prisoners
3. BlackNurse新型DoS攻击 15M流量就可以打瘫思科防火墙 思科做出了回应
4. 《Ghost Win7 SP1 电脑商装机版 V3.0》64位（电脑疯子作品）
5. 上网宝显示未连接网络连接服务器,华为随行wifi上网宝上不了网,怎么处理?
6. IBM小型机AIX操作系统总结15–性能参数
7. xm-select 下拉框分组单选事件
8. 备份----磁盘阵列
9. 什么是Bom？有哪些常用的Bom属性？
10. 无铅选择：锡/银/铜/铋系统