12

I want to learn more about sandboxing. Not just about it. I want to learn such that I will be able to write a simple sandbox.

Surprisingly, there isn't any information available anywhere. Even the Wikipedia article is not good.

Can anyone please suggest good material? I know that it's a very advanced-level concept. So, what are the prerequisites for learning and mastering it?

claws
  • 1
    http://stackoverflow.com/questions/1590337/using-the-google-chrome-sandbox – claws Jan 07 '10 at 07:58
  • The members of http://sandboxing.org may have some good advice for you. –  Jan 07 '10 at 15:50
  • Read http://syprog.blogspot.in/2012/03/faking-kernel32dll-amateur-sandbox.html and http://www.fr33project.org/papers/p65_0x0a_phook%20-%20The%20PEB%20Hooker_by_Shearer%20and%20Dreg.txt – claws Mar 10 '12 at 00:00

7 Answers

7

Read about API hooking. For example, Sandboxie hooks the Windows kernel to filter all API calls to the filesystem and redirects their results to the sandbox. You could hook APIs and filter them: pass only valid parameters and return errors for invalid calls.

For API hooking you will find plenty of material on the net; try codeproject.com.

Bartosz Wójcik
4

Google's Chromium uses sandboxing and has several documents about it:

Chip Uni
3

You might also look at jails in FreeBSD. These are the FreeBSD equivalent of sandboxes.

The source code for jail is available (though you'll have to understand the rest of the FreeBSD code as well.)

Chip Uni
3

A simple sandbox would simply be an environment in which you let 'something' execute, but restrict what it can do.

Typically, this "something" is an already-existing language, like Java, or JavaScript, or C#, or native code. Java has 'sandboxing' APIs for applets and so on, .NET has various 'trust' levels, and JavaScript has the bounds placed on it by the interpreters (browsers).

So it's a little weird to "write" your own sandbox unless you also have a language you want to sandbox.

Do you have such a language? What do you want to learn about, specifically?

Noon Silk
  • ooooh.. Then I'm not at all referring to a language sandbox which lays restrictions on what users can write. I'm referring to the sandbox that is in Chrome, which restricts access to system resources. Like an antivirus sandbox which lets the application run but intercepts every malicious attempt and informs the user. – claws Jan 08 '10 at 04:58
  • 2
    claws: That's the same thing; the antivirus just tries to look at what function calls the native app is making, and tries to decide whether or not it is "legitimate". You know what you may find fun: Aspect Orientated Programming. C# has 'PostSharp', Java has a framework as well. It lets you hook all sorts of function calls and then do various things at those points. It may let you explore the idea (but it's not a real "sandbox"). If you want to learn about the security concept (i.e. exactly how it's done), look into the .NET Trust Levels (but be prepared to get very bored :P). Hope this helps. – Noon Silk Jan 08 '10 at 05:13
2

This is very dependent on what you want to sandbox. If it is a full-blown system with multiple interfaces/languages available, you really do not want to re-invent the wheel, but run a virtual machine in VirtualBox, QEMU or some other alternative.

In any case, a sandbox IS, at least on some level, a virtualization of the system you are 'supposed to be' running...

If you need to sandbox applications for a single (interpreted) language, modifying the interpreter sounds like a sensible approach.

Kimvais
1

The answer will likely be language specific. Unfortunately most languages don't have built-in sandboxing capabilities. But functional languages tend to be powerful enough that one can be built from scratch without extending the language.

In Tcl the basic mechanism is to create slave interpreters:

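    # Create a safe interpreter: commands such as open, exec and socket are hidden
    interp create -safe sandbox
    # Run the set-up script inside the sandbox ($set_up_code holds a Tcl script)
    interp eval sandbox $set_up_code
    # Evaluate the untrusted script inside the sandbox and capture its result
    set result [interp eval sandbox $unsafe_code]

slebetman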
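The safe-interpreter mechanism from the answer above, combined with the "filter the call, pass only valid parameters, return errors for invalid calls" idea from the API-hooking answer, as an added example that is not part of any post on this page. The directory `sandbox_data`, the `guarded_read` procedure, the `read_file` alias and the sample scripts are constructed for illustration.

```tcl
# Added example; sandbox_data, guarded_read and read_file are assumed names.
set ALLOWED_DIR [file normalize [file join [pwd] sandbox_data]]
file mkdir $ALLOWED_DIR
set fh [open [file join $ALLOWED_DIR hello.txt] w]
puts $fh "constructed sample data"
close $fh

# Runs in the trusted parent interpreter. Resolves the requested path and
# refuses anything that ends up outside ALLOWED_DIR ("..", absolute paths).
proc guarded_read {allowed path} {
    set full [file normalize [file join $allowed $path]]
    if {[string first "$allowed/" $full] != 0} {
        return -code error "access denied: $path"
    }
    set fh [open $full r]
    set data [read $fh]
    close $fh
    return $data
}

# A safe interpreter has no open, exec, socket, file or cd commands.
interp create -safe sandbox
# The only file access the sandbox gets is the validated alias.
interp alias sandbox read_file {} guarded_read $ALLOWED_DIR
# Absolute deadline: untrusted code is aborted one to two seconds from now.
interp limit sandbox time -seconds [expr {[clock seconds] + 2}]

# Constructed untrusted scripts, evaluated inside the sandbox one by one.
set scripts {
    {read_file hello.txt}
    {read_file ../../etc/passwd}
    {read_file /etc/passwd}
    {open /etc/passwd r}
    {exec id}
    {set n 0; while 1 {incr n}}
}
foreach script $scripts {
    if {[catch {interp eval sandbox $script} result]} {
        puts "DENIED   $script -> $result"
    } else {
        puts "ALLOWED  $script -> [string trim $result]"
    }
}
interp delete sandbox
```

`file normalize` does not resolve a symbolic link in the last path component, so the allowed directory should not contain links that untrusted parties can create.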
1

I wrote an overview of the ways of sandboxing within Linux the other day, which links to a lot of references for the different techniques. Similar methods are applicable in other operating systems. I hope it is helpful - I couldn't find much comprehensively documented either.

Justin Cormack