The increased use of mobile computing and availability of networked applications has resulted in demand for "sandboxes", which provide environments that impose irrevocable restrictions on resource usage [7]. There are several approaches for creating these environments, which include kernel modification and using operating system provided performance counters etc… Sandbox approach has become one of most efficient way of creating secure, private environments within shared environment. But, the major issue with this approach is that it adds addition overhead to the underlying system to create and manage the environment. It has wide range of applications in IT industry which include, cloud computing, grid computing, virtualization and software development. This paper discusses about different types of sandboxes, their implementation and various applications, uses in detail.
What is sandboxing?
In the context of security, sandboxing is a security mechanism for running programs in an isolated environment. It generally provides a tightly controlled set of resources to guest program, such as network access, usage of disk and memory. Certain activities such as reading from input devices, inspecting host system, etc.., are heavily restricted [1].
In software development, sandboxing isolates untested code or experimental code from production environment [2].
In cloud computing environment, sandboxes provides isolated production environments programs of each user in the cloud and at the same allowing all the users to share the resources in the cloud [3].
In grid computing environment where the resources are loosely coupled and geographically distributed, sandboxing provides security for the integration of applications, data and resources into the grid [4].
Some general problems addressed by sandboxing
Sandboxing has very wide range of application in providing security and integrity of the systems. Here are some of them
Provide security to operating system from malicious programs that tries to modify system files and user files
Allows the users to test an untrusted program by running it in sandboxed environment
Provides security in a shared environment from applications hogging the system by limiting their utilization
Provides security in a shared environment from unauthorized usage of resources by restricting the access
Provides security from attacks that exploits unpatched vulnerability of a system, by clearly defining the behavior of system.
Provide an isolated environment for a system where all the resources are shared. Ex: Cloud computing, Grid computing, Development Servers
Facilitates a way to authorize the usage of resources in cloud computing environment
Facilitates a way to specify the quality of service to user by allowing to impose restrictions on the usage of resource like network bandwidth
It provides virtualization solutions like VMware and Virtual Box where the virtualized hardware is exposed to the guest OS
Types of sandboxes
Sandboxes can be broadly classified basing on types of restrictions and privilege level with which it runs.
Types of Restrictions:
Imposing qualitative restrictions
This type of restrictions defines what resources can be utilized and what operation can be done on it by the application
Ex: Allowing write access to disc, restricting access to network
Imposing quantitative restrictions
This type of restrictions defines how much a given resource can be used by the application
Ex: Amount of disc space, CPU, network the program can use
Most of the implementations of the sandbox have a combination of both.
Sandbox privilege Levels
User Level
These sandboxes run as a user level process. These sandboxes impose restrictions by closely monitoring the running application like a debugger process. These types of sandboxes greatly affect the performance of the applications running in it, often used to impose quantitative restrictions.
Kernel Level
These sandboxes integrate well into host system, runs with much higher privileges than user level sandboxes. Performance of the running applications is not affected much but because of frequent updates to the kernel these sandboxes requires lot of maintenance, often used to impose qualitative restrictions.
Creating a sandboxed environment
The process of creating restricted environment for programs that are considered unsafe is not new [6]. As we see in many operating systems, different processes will have different privilege level and access restrictions. Let us consider a UNIX environment in following illustration. To create a safe execution environment using sandbox, it is very important that we define the behavior of the system as precisely as possible.
Key considerations:
Provide access only to the resources that legitimate application would require
Prevent the application from gathering information about the system
Prevent the application from accessing user files
All changes done by the application should be transient
Sandboxed application should not escape out of the sandbox, application should not have more privileges than sandbox
Steps to create sandboxed environment
Run the application with known legitimate input values and create access logs to specify its file and other resource access behavior. Tools like File Monitoring and Access Control (FMAC) are used to generate these log files [6]
Construct the Access Control List (ACL) for the application. During this process, application functionality must be thoroughly exercised
Gather all these files required for the execution of the application, all these files should be inside the sandbox. Ex: Program files, shared libraries, loadable modules, configuration files, operating system files etc...
Provide sanitized versions of the system files to the application. Ex: /etc/password, /etc/hosts. This prevents the application from accessing the system information [6]
Deny access to all the resources that are not required for this application
Ensure that sandboxed application runs with lesser privileges than sandbox, so that it won't escape from the sandbox [6]
Now run the application with untrusted input, to ensure it is denying access to unauthorized files.
Example: Sandboxing a browser in UNIX
Let us consider a simple example of running a browser in sandboxed environment in UNIX. As we are using a UNIX environment where devices are accessed the same way as files, our implementation is bit simpler.
First run the browser with a valid input to record the file access list and usage of resources. This would typically use its program files located at /bin/ , shared files in /etc/ , user settings files in /user/bob/ and it uses the resources like scratch disk space at /dev/ will be used. Using this information we prepare an ACL defining the legitimate behavior of the system using tools like FMAC.
Once system behavior is clearly defined, we prepare the host to allow the application to use only these resources and nothing else. To achieve this we run FMAC tool in active mode which exposes a virtual file system to the browser where it can see only the files specified in ACL. Any request to other files is denied. We also expose modified versions of the system files to prevent access to system information using FMAC.
Using ACL incurs additional cost on the system, execution overhead, memory requirement, configuration, definition of capabilities [6]. Choice should be made balancing between the cost and risk involved.
Implementation for various sandboxes
The implementation strategy, resource utilization of sandboxes greatly varies depending on the type of restrictions enforced. Let us look at implementation strategy for enforcing qualitative and quantitative restrictions.
4.1 Enforcing qualitative restrictions
The implementation described here is a case of kernel level sandboxing that enforces qualitative restrictions on resource usage of application. In this approach we create virtualization layer between application and host system there by exposing limited set of resources. We restrict access to all other resources which are not required for the expected behavior of sandboxed application. Using the kernel based implementation, enforcing quantitative restrictions adds lot of overhead to underlying host.
This process takes place in two phases, passive phase and active phase
Passive Phase
In this phase a monitoring program starts along with the application. While the application is running with genuine input to exercise its behavior, monitoring program creates access logs with list of files and resources used by this program [6]. For proper working of the application, complete behavior should be exercised including accessing help files, configuration settings etc...
After the application behavior is recorded, appropriate ACL is generated to use in active mode. Tools likes FMAC (UNIX) in passive mode is used as monitoring program.
Active Phase
In this phase the virtualization layer is created using ACLs generated in passive phase. Programs like FMAC (UNIX) when run in active mode exposes virtual environment with set of files and resources in ACL to the sandboxed application. Operating system kernel provides much functionality to set permission to files and resources. Ex: In UNIX we set access to 3 levels (Owner, Group and Everyone). Any request by the application to access resource or files not in ACL will be denied.
This type of sandbox is good at providing security from malicious programs. In most of the cases it provides better security than traditional anti-virus
Enforcing quantitative restrictions
The implementation described here is a case of user level sandboxing that enforces quantitative restrictions on resource usage of applications. In this approach we actively monitor applications interactions with the host system and controlling them to enforce the desired behavior [7]. We impose limitations on the usage of CPU, memory and network. Existing kernel based implementations provide qualitative restrictions (a resource can be accessed or not) but cannot handle quantitative restrictions (limiting CPU usage to less than 20%) [7].
To enforce this, we see the applications interactions with the host system as a sequence of requests in a given period of time. To constraint the usage of resource we either need to prevent access to the resource during the request or control the time span between the requests [7]. To do this we need a metric that tells the resource consumption of the application so far.
The major challenge here is to accurately estimate the metric for application progress and applying necessary restrictions with acceptable overhead. Accurate progress metric can be created using the operating system provided user level mechanisms such as fine-grained timers and monitoring infrastructures such as performance counters, debugger processes, priority based scheduling and page-based memory protection [7].
Code transformation techniques include modification of the application program using techniques such as software fault-isolation and API interception approaches [7]. These techniques uses OS provided mechanisms such as system-call interception by a debugger process or DLL import address table rewriting to execute some monitoring code every time the application interacts with host system [7]. This checking decides whether to allow, deny or delay request by the application.
When the application runs in sandbox, a monitoring program starts along with the application or it sticks to it at run time. This process frequently checks the resource usage of the application to compute application progress. This in turn is utilized to decide resource access.
Uses and Applications of sandboxing
Sandboxing has wide range of applications in mobile platforms, desktop environment, and clustered environments like cloud computing, grid computing. Following are some of the major applications of sandboxing.
Sandbox in Chromium Browser Security Architecture
Java Sandbox Model
Grid Computing
Cloud Computing Architecture
Software Development
Virtualization
Sandbox in Chromium Browser Security Architecture
Chromium (Chrome) browser security architecture has a sandbox implementation to provide security to the operating system from malicious scripts on the web.
Most of the modern web browsers have single module architecture that integrates the user and web into single protection domain. An attacker who exploits code execution vulnerability in such a browser can steal user's personal information or install malicious program.
Chrome has two modules in different protection domains: a browser kernel which interacts with operating system and a rendering engine, which runs with restricted privileges in a sandbox [8].
Single protection domain browser architecture has many drawbacks for websites with large amounts of client-side code. In this type of architecture, crash caused by one website will cause the entire browser to crash instead of just the web page which caused it. Chromium uses a modular architecture [8]. The browser kernel module acts on behalf of the "user", while the rendering engine module acts on behalf of the "web" [8].
These browser modules run in separate protection domains, one of which includes a sandbox that runs the rendering engine with fewer privileges. Even if an attacker can exploit an unpatched vulnerability in the rendering engine, obtaining the privileges of the entire rendering engine, the sandbox helps prevent the attacker from reading or writing the user's file system because the web principal does not have that privilege [8].
In this design, to provide compatibility with the existing sites and balance the performance and security, it allocates some components in between the kernel and rendering engine. The architecture allocates high-risk components, such as the HTML parser, the JavaScript virtual machine, and the Document Object Model (DOM), to its sandboxed rendering engine [8]. These components are the major sources of security issues in all the browsers.
Running these components in a sandbox helps reduce the severity of unpatched vulnerabilities in their implementation. The browser kernel takes care of managing persistent data, such as cookies, and for interacting with the operating system to capture user input, render page to the screen, and access the network.
The Sandbox
To help protect against an attacker who tries to exploit bugs in chrome's rendering engine, it runs each instance of rendering engine in a sandbox. This sandbox prevents the rendering engine's process from making modifications to the system or accessing the user information.
Objective
Ideally, the sandbox would force the rendering engine to use the browser kernel API to interact with the outside world [8]. Some parts of browser can be completely implemented within the browser such as DOM methods (some), which change within the rendering engine. Other DOM methods, such as XMLHttpRequest's send method, need to make persistent changes to other parts of browsers or host system. An honest rendering engine can use the browser kernel interface to implement these methods. The goal of the sandbox is to require even a compromised rendering engine to use the browser kernel interface to interact with the file system [8].
Implementation
At present, Chrome relies on Windows specific features to create sandbox for the rendering engine module. Instead of running with the user's Windows security token, the rendering engine runs with a restricted security token. Whenever the rendering engine attempts to access a securable object, the Windows Security Manager checks whether the rendering engine's security token for sufficient privileges to access the object [8]. The sandbox implementation of chrome restricts the rendering engine's token such that the token fails almost every such security check.
Before rendering content, the rendering engine alters the security token of its process by converting its security identifiers (SIDs) to DENY_ONLY, adding a restricted SID, and calling the AdjustTokenPrivileges function [8]. The rendering engine also runs on a separate desktop, mitigating the lax security checking of some Windows APIs, such as SetWindowsHookEx, and limiting the usefulness of some unsecured objects, such as HWND_BROADCAST, whose scope is limited to the current desktop [8]. Additionally, the rendering engine runs in a Windows Job Object, preventing the rendering engine's power to create new processes, read or write to the clipboard, or access USER handles.
Limitations
Although the sandbox restricts the power of a compromised browser to make changes to the operating system, the sandbox has some limitations.
FAT32 File System: It does not support access control lists. Without access control lists, the Windows security manager don't consider the process's security token when granting access to a file on FAT32 file system. The FAT32 file system is more used in portable storage devices like flash drives and rarely used on some hard drives. For example, if a user connects a USB flash drive that uses FAT32 file system, a compromised rendering engine can read and make changes to the file system.
Mis-configured Objects: If an object has a NULL discretionary access control list (DACL), the Windows security manager will grant access without considering the accessing security token [8]. Although NULL DACLs are uncommon, some third-party applications create objects with NULL DACLs [8]. But this is avoided on an NTFS file system, because the sandbox removes the right to "bypass traverse checking," forcing Windows to check that the rendering engine has access to parent directory of the target file.
Java Sandbox Model
Java language design has the capability to dynamically load and run the programs over the network [10]. A browser that can interpret Java byte code (such as Google Chrome or Firefox) can download and locally run programs (applets) that are embedded in a Web page. This process of downloading and executing is completely automatic and requires no user approval, and sometimes occurs without the user's awareness [10]. Java starts automatically when the web page has any applets embedded in it. Any applet started in this fashion is not required to advertise its presence. More and more Java applets appear on the Web every day. Because of the increasing use of applets web browsing is becoming unsecure and risky.
It is very unlikely that all users of browsers will consider the security implications of surfing a site before each Web page access. If the dynamic loading and running of program need to work, all the security issues in it should be addressed in the language of the content itself. So that, browser users will not need to concern about security.
Fig. Java Sandbox Model [21]
There are four basic categories of potential attacks Java applets could facilitate without a sandbox
Attacks that modify the system
Attacks that invade a user's privacy
Attacks that deny legitimate use of the machine by hogging resources
Attacks that antagonize a user
The Sandbox
The original Java security model implements a sandbox that imposes strict controls on what certain kinds of Java programs can and cannot do [21]. To the extent that the sandbox works, it allows a user to run un-trusted code safely [21]. Since the Java sandbox model has been widely distributed to millions of users with their Web browsers, it is safe to say that the Java sandbox is today's most widely used sandbox model.
Java sandbox imposes some restrictions on untrusted applets executing in the sandbox. Here are some of them:
Read files on the client file system
Write files to the client file system
Delete files on the client file system
Rename files on the client file system
Create a directory on the client file system
List the contents of a directory
Check to see whether a file exists
Obtain information about a file, including size, type, and modification timestamp
Create a network connection to any computer other than the host from which it originated.
Listen for or accept network connections on any port on the client system.
Create a top-level window without an untrusted window banner.
Obtain the user's user name or home directory name through any means
Define any system properties.
Three parts of Java Sandbox
Java security relies on a multi part defense. The default sandbox is made of three interrelated parts: the Verifier, the Class Loader, and the Security Manager. Each of these parts depends in some way on the others. For the security model to function properly, each part must do its job flawlessly, and the parts must fit together perfectly.
The Verifier: After compiling java code, it converts to platform-independent byte code. This verification scheme is meant to ensure that the byte code, which may or may not have been created by a Java compiler, plays by the rules. After all, byte code could well have been created by a "hostile compiler'' that assembled byte code meant to violate the rules of the Java Virtual Machine.
Fig: Java sandbox verifier module [22]
Verifying class files is one way in which Java automatically checks untrusted code before it is allowed to run. Once code has been verified, it can execute in uninterrupted fashion on a JVM (with much less need to make security-critical checks while the code runs). The Verifier is built in to the JVM and cannot be accessed by program or programmer.
The Class Loader
In JVM, program is loaded either from the disk/network by a Class Loader. Class loaders job is to decide when and how classes should be added to a running JVM. Part of their job is to make sure that important parts of the Java run time environment are not replaced by impostor code [23].
Fig: Java sandbox class loader module [23]
The Security Manager
The job of the Security Manager is to keep track of who is allowed to do which operations. A standard Security Manager will not allow most operations when they are requested by untrusted code, and will allow trusted code to do all operations.
Fig: Java sandbox security manager module [24]
The Security Manager is a single Java object that performs runtime checks on dangerous methods [24]. Code in the Java program consults the Security Manager every time a potentially dangerous operation is tried to perform. The Security Manager refuses that particular operation by generating an Exception. Decisions made by the Security Manager take into account the origin of the requesting class [24]. Built-in classes are usually given more privilege than classes downloaded from the network. The Security Manager makes the final decision as to whether a particular operation is permitted or rejected.
Grid Computing
Grid computing is combination of computer resources from multiple administrative domains to reach common objective [15]. In a grid the computers are very loosely coupled and geographically more dispersed when compared to conventional high performance computing systems. A single grid may be used for many different purposes or dedicated to a single application.
The size of a grid may vary greatly. Grids are a form of distributed computing whereby a powerful computer is built from many loosely coupled computers in a network acting together to perform very large tasks [15]. Grid computing in general is a special type of parallel computing that depends on computers connected to a network by a conventional network interface, such as Ethernet.
Fig. Grid Computing [16]
Grid computing requires the use of software that can divide and farm out pieces of a program as one large system image to several thousand computers [17]. The major issue with grid is that if a program on a node fails, other programs on other nodes may also fail. This can be avoided if that component has a failover component on another node, but problems can still arise if components rely on other programs to perform one or more grid computing tasks [17]. Large system images and associated hardware to operate and maintain them can be very expensive.
Cloud computing evolves from grid computing and provides on-demand resource provisioning [17]. Grid computing may or may not be in the cloud depending on what type of users are using it.
The application of sandboxing for security and integrity is quite similar for Grid / Cloud Computing. In the following section explains cloud computing and application of sandbox in it.
Cloud Computing Architecture
Cloud computing is an Internet based computing, whereby shared resources, software, and information are provided to computers and other devices on demand [11].
Overview
Cloud computing is using the information technology as a services that are encapsulated, have an API, and are available over the network. The services include both storage and computational resources. It creates an illusion that resources are infinite. The predominant model for cloud computing today is called infrastructure as a service, or IaaS [12].
Cloud computing combine virtualization, on-demand deployment, Internet delivery of services, and open source software. Cloud computing changed how we develop, deploy, scale, update, maintain, and pay for applications and the infrastructure on which they run.
Virtualization is a key feature of this model. Virtualization allows us to quickly and easily create copies of existing environments -sometimes involving multiple virtual machines - to support test, development, and staging activities [12]. The cost of generating these environments is less as they can coexist on the same servers as production environments as they consume fewer resources. Each virtual environment is an instance of a sandbox, which runs in isolation from other instances. The above mentioned features can be provided by enforcing qualitative and quantitative restrictions on the resources.
The Sandbox
The sandbox implementation in cloud computing servers enables us to address the following security issues:
Data Security Problem: The virtual server from the logical server group brings a lot of security problems. The traditional data center security measures on the edge of the
hardware platform, while cloud computing may be a server in a number of virtual servers, the virtual server may belong to different logical server group, virtual server, therefore there is the possibility of attacking each other ,which brings virtual servers a lot of security threats[12].
The existence of super user: For the enterprise providing cloud computing services, they (super users) can perform management and maintenance of data, this greatly simplifies the data management function, but it is a major threat to user privacy. Not only individual users but also the organizations have similar potential security threats, e.g. corporate users and trade secrets stored in the cloud computing platform may be stolen. Therefore the use of super user rights must be controlled in the cloud.
Additional Security Measures
In addition to virtualization through sandboxing, following are the security measures taken to for security of cloud.
Encrypt data at rest so that if any intruder is able to penetrate a cloud provider's security or if a configuration error makes that data accessible to unauthorized parties that the data cannot be interpreted [12].
Encrypt data in transit.
Require strong authentication between application components
Pay attention to cryptography and how algorithms are cracked and are replaced by new ones over time. For example, now that MD5 has been proven vulnerable to attack, use a stronger technique such as SHA-256 [12].
Manage who has access to the application and how:
Consider using strong, token-based authentication for administrator roles.
For customer log in/password access, consider who manages the authentication server and whether it is under the company or the cloud provider's control.
For anonymous access to storage, such as FTP, consider whether a customer need to register with the cloud provider for access or whether the cloud provider could unite with the company's authentication server.
Software Development
A common practice in software development is programmers to have their own sandboxes to work in. A sandbox is a technical environment whose scope is well defined and respected [18]. The primary advantage of sandboxes is that they reduce the risk of technical errors from affecting a larger group of people than is necessary at the time.
There are 4 different types of sandboxes in software development process
Fig: Different types of sandboxes in software development [18]
Development Sandbox
This is the working environment of individual developers, pair programmers, or individual feature teams. The purpose of this environment is for the developer/pair/team to work in isolation from the rest of their project team, enabling them to make and validate changes without having to worry about affecting the rest of their project team [18]. These environments may have their own databases to enable testing.
Project Integration Sandbox
Each project team will have its own integration environment. Developers will promote their changed code to this environment, test it, and commit it. The goal of this environment is to combine and validate the work of your entire project team so it can be tested before being promoted into your Test/QA sandbox.
Demo Sandbox
This sandbox is where you deploy working software which you can use to demo software.
Pre-production test/QA Sandbox
This sandbox is shared by several project teams and is often controlled by testing/QA group. This environment is referred to as a pre-production sandbox, a system testing area, or simply a staging area. Its purpose is to simulate actual production environment. This sandbox is crucial for complex environments where several applications access your database, although even if your database is only accessed by a stand-alone application you will still be need to test within this sandbox before deploying your application into production [18].
Production
This is the actual environment in which your system will run once it is deployed.
Virtualization
Virtualization is the key functionality provided by sandbox. This can be applied to many areas like mobile platforms, desktops, hardware etc.
Hardware Virtualization
It is process of hiding physical characteristics of a computing platform from the users and exposing another abstract computing platform [19].
Platform virtualization is done on a given hardware platform by host software (such as VMware), which creates a simulated computer environment, a virtual machine, for its guest software [18]. The guest software is not limited to user applications; many hosts allow the execution of complete operating systems. The guest software executes as if it were running directly on the physical hardware, without any knowledge of control program that created the virtual environment.
Access to physical system resources (such as the network access, display, keyboard, and disk storage) is generally managed at a more restrictive level than processor and memory [18]. Guests are often restricted from accessing specific devices, or may be limited to a subset of the device's native capabilities, depending on the hardware access policy implemented by the virtualization host.
The hardware access policy is usually a combination of qualitative and quantitative restrictions that could be enforced in a sandbox. VMware and Virtual box are the two leading hardware virtualization software available in the market.
Application Virtualization
Application virtualization is defined as the ability to deploy the software without modifying the local operating system, file system or registry. There are different software available in the market to enable application virtualization. Ex: Sandboxie etc...
Desktop Applications
This kind of virtualization software creates a virtual operating system environment to run, hiding all the system related information from the application. Untrusted program are run in this kind of environment to prevent corrupt to the host system. The security this kind of software provides is much better than traditional antivirus programs in some cases. Because anti-virus detection policy signature based, where in this it is behavior based.
Fig. Sandboxie software [25]
Mobile Applications
Even mobile operating systems like iOS and Android has their own sandbox implementations to protect one application from interaction or accessing the other application data.
Ex: Consider iOS4, it allows the read access to the entire iPhone file system for an application. Your Application can read that data -- but it shouldn't. Here comes the sandbox, though the OS allows it, reading other application data is violation of sandbox rule. Hence, application which performs such operation will be rejected by app store.
Storage Virtualization
It is the concept of separation of logical storage from physical storage, so that it may be accessed without regard to physical storage or heterogeneous structure [20]. This separation provides the flexibility in how they manage storage for end users. The virtualization software presents to the user a logical space for data storage and itself handles the process of mapping it to the actual physical location [20].
Fig. Storage Virtualization [26]
The virtualization software or device has the characteristics of sandbox and is responsible for maintaining a consistent view of all the mapping information for the virtualized storage. This mapping information is called meta-data and is stored as a mapping table.
Conclusion
The key feature of sandbox is its ability to create virtualization layer between the host and guest. This has enormous application in the IT industry and Software Development providing security and integrity. Its major application areas include hardware virtualization and software simulation (Ex: VMware, Sandboxie respectively).
The hardware virtualization capability have been adapted to Distributed computing environments like cloud / grid computing, which enable providing applications as a service on the web.
The software simulation capabilities have been used for providing security from malicious programs, and controlled resource sharing.
But all these implementation have a major drawback, that it adds additional overhead (CPU and memory) on the host system to create virtual environments.
