12

To run untrusted code at home I use a VMWare virtual machine. I want to find an alternate lightweight sandbox API for running untrusted applications, without the overhead of installing VMWare, or any other kind of end-user virtualization tool like that. (Edit: I don't want it to host an OS - I want it to run untrusted apps).

Ideally the sandbox would be (or could be made) transparent so the app running in the sandbox doesn't display any extra chrome or features. (Don't they do this in Parallels on the Mac)

The Windows .NET developer side of me wishes for an API so instead of booting up a special GUI, I can script scenarios for it.

It would be like how the Google Chrome web browser contains its own technology to sandbox scripts running from the Internet to protect the system. Google doesn't need to distribute VMWare with their browser and yet they achieve sandbox security for apps.

Edit:

Looking for something lightweight like Google Chrome contains with features like greatly restricted file/network/UI access, low privileges, etc. Not looking for running/hosting its own OS.

John K
  • 28,441
  • 31
  • 139
  • 229
  • .... what kind of sandboxing are you looking for here? Totally separate, running on its own OS, etc. etc.? Or, greatly restricted file/network/UI access? There are lots of way to take this question, and the answers vary wildly. – Kevin Montrose Jan 06 '10 at 23:47
  • @Kevin: Good question, thanks, I clarified with an edit. – John K Jan 07 '10 at 00:03
  • You could try writing a front-end to the Google Chrome sandbox. http://dev.chromium.org/developers/design-documents/sandbox – hwiechers Oct 04 '12 at 04:57
  • Maybe there's a way UAC Virtualization could be "misused" to do that? See [this article](http://www.windowsecurity.com/articles-tutorials/windows_os_security/Protecting-System-Files-UAC-Virtualization-Part1.html) (and [part 2](http://www.windowsecurity.com/articles-tutorials/windows_os_security/Protecting-System-Files-UAC-Virtualization-Part2.html)). – sschuberth Nov 27 '13 at 15:24

7 Answers7

6

Google's Chrome is using 4 windows mechanisms to achieve this:

A restricted token
The Windows job object
The Windows desktop object
Windows Vista only: The integrity levels

Have a look at: https://sites.google.com/a/chromium.org/dev/developers/design-documents/sandbox

They have a detailed description of what they're doing.

Otto
  • 430
  • 6
  • 10
5

No, there is not.

I mean, you can use a different Windows account (with whatever permissions you consider appropriate), but then you need to be comfortable that the untrusted app can't break out of that. But you do have that same problem with VMWare (it has had bugs in the past that let you break out). Best thing to do is run in a Virtual Machine.

Noon Silk
  • 54,084
  • 6
  • 88
  • 105
  • 3
    silky is 100% right. I'm also not sure it's *possible* to build a "lightweight programmable sandbox API" - every existing implementation of a sandboxe I'm aware of is a very complicated beast (and that includes AppArmor and SeLinux). IMHO if you're being paranoid, a VM is the way to go - as silky said there ARE VM bypass issues but using a VM is safer than not using a VM. – Larry Osterman Jan 07 '10 at 00:56
  • Wow, doesn't get much better than confirmation from someone such as yourself :) – Noon Silk Jan 07 '10 at 01:08
  • @silky: Agreed - that's part of what makes SO awesome. The experts and commoners (referring to myself :) mingle on programming. – John K Jan 07 '10 at 02:20
  • BTW normally I'd just recommend running as a standard user but I've seen evidence that malware authors are adopting their maleware to run as standard users - they can't install a rootkit on your computer (which makes it easier to remove the malware) but they can still do bad things with your computer or your data. – Larry Osterman Jan 07 '10 at 07:27
4

You may also be interested in Google's Native Client (also known as NaCl). This is a project that aims to be able to run (verifiable) x86 code inside a sandbox.

Greg Hewgill
  • 951,095
  • 183
  • 1,149
  • 1,285
  • It seems to be available only via a browser plugin to run x86 on the web. Very interesting nonetheless. – John K Jan 07 '10 at 02:16
2

I have not implemented this..but my $.02.

You can consider implementing a Windows station. A windows station is basically a security boundary to contain desktops and processes Only one Windows Station is permitted for Console Logon (Winsta0) http://msdn.microsoft.com/en-us/library/windows/desktop/ms682573(v=vs.85).aspx

You can achieve, process, Windows Object, and ACL Isolation on a per station basis. Some API functions used in Windows Station are listed here: http://msdn.microsoft.com/en-us/library/windows/desktop/ms687107(v=vs.85).aspx

An Overview of Sessions,Desktops and Windows Stations. http://blogs.technet.com/b/askperf/archive/2007/07/24/sessions-desktops-and-windows-stations.aspx

There is a CodeProject example here with source: http://www.codeproject.com/Articles/21352/Virtual-Desktop-A-Simple-Desktop-Management-Tool

I would recommend using API Monitor to debug Win32 API Calls http://www.rohitab.com/apimonitor

hth

Sunny Chakraborty
  • 395
  • 2
  • 7
1

You can use Invincea FreeSpace or the free Sandboxie. Not sure if any of them are scriptable or not.

These are called Containment applications, i.e., sandboxes. You can read about it here: https://www.fas.org/irp/congress/1997_hr/h970211gm.htm

Didier A.
  • 4,609
  • 2
  • 43
  • 45
0

In a "sandboxing" question of mine I was pointed to Sandboxie. I does not solve my problem at all but maybe it is interesting for you?

I don't know if it has an API but a quick google indicates that it is at least somehow automatable via command line.

m3tikn0b
  • 1,298
  • 8
  • 16
-1

Unfortunately, for Windows hosts your options are extremely limited. However, on Linux hosts, options such as mbox and capsicum are available which do what what you describe - i.e. lightweight, application level sandboxing.

J. Taylor
  • 4,567
  • 3
  • 35
  • 55