What is the Sandbox and How Do I Get in it?

29 11 2011

Sandboxes are becoming a widely used security mechanism by application and operating system developers to provide a more secure user experience. The term sandbox gets thrown around quite a bit in the security world, but what exactly is a sandbox? What functions does it perform? And does it make us more secure?

A sandbox is a security mechanism that is used to enforce additional segregation of applications. The idea behind a sandbox is that it will restrict an application’s interactions with your operating system and other processes.[1] Therefore, if an exploit is triggered in the sandbox, in theory, it should not affect the parent operating system. In essence, a sandbox is a virtual environment in which an untrusted or potentially vulnerable application can run without affecting the parent operating system or applications. Every major software company including Google, Apple, Microsoft and nearly every major antivirus vendor use sandboxes as a security mechanism. In theory, the use of sandboxes to secure an application or operating system is sound, however reliance on a single security mechanism will always put the end-user at risk.

In recent news, CoreLabs Research identified a “potential security vulnerability” in the sandboxing method utilized in the Max OS X operating system.[2] The vulnerability jeopardizes the fundamental purpose of sandboxes in security, separation. CoreLabs’ proof-of-concept identified that applications downloaded through the Apple App Store could be gain elevated privileges, despite being restricted to a sandbox. The mechanism by which an attacker could gain escalated privileges on an OS X machine requires a fairly unsophisticated mechanism of, well, asking for elevated privileges through an external program. This would also provide the ability for an application without network permissions to gain network access through the parent operating system. Apple had previously stated that all applications in the App Store were required to implement sandboxing by March of next year. Apple reiterated this requirement in response to the identified vulnerability. This is probably a step in the right direction, but does not seem to target the fundamental vulnerability. Apple must first identify a mechanism to effectively separate their App Store applications from the underlying OS X operating system. Their sandboxing requirement does not address this vulnerability as noted by CoreLabs.[3]  Wil Shipley, a Mac OS X developer, noted that sandboxing on the OS X desktop platform presents additional challenges than on their mobile iOS operating system noting that “if there’s a hole anywhere in it [desktop sandbox] that malware authors find, then there’s really not much Apple can do until they issue a full operating system patch.”[4]

While the Apple sandbox issue is certainly newsworthy, and further highlights that Macs are as vulnerable as PCs to many classes of attacks used by malware authors, similar vulnerabilities have been identified in Google’s Chrome web browser[5], Microsoft’s Internet Explorer[6] and Mozilla’s Firefox[7] through incorrectly implementing sandboxes. Doug Dineley explains one of the fundamental problems with relying a sandbox for application or browser security in a recent InfoWorld article. Dineley notes that a core vulnerability with a sandbox lies in when it needs to call an external program, such as Adobe Flash. In order to call that application, the sandbox must interact with the parent operating system, which is an area where attackers can exploit the sandbox and access information on the local computer outside of the sandbox’s virtual environment.[8]

This demonstrates that sandbox vulnerabilities are not unique to one application or one implementation method. The use of a sandbox is a sound security practice as it minimizes the resources accessed by an application, however it should be clear that it may still rely on some operating system interaction to complete the overall task. While using a sandbox as a security mechanism is a sound practice, it should not be relied upon as the sole solution to segregating malicious software from the parent operating system or parent application. While sandboxes can be helpful in providing a more secure user experience, it is still the responsibility of the end-user to ensure they are visiting trusted sites. End-users should take steps to minimize their use of external scripting languages, such as JavaScript, which is a common mechanism for browser sandbox subversion. In addition, software developers should make use of the sandbox to more effectively protect the end-users through minimizing their calls to external programs, their reliance on external scripting languages and more effectively safeguarding users through effective sandbox implementation.

[1] Goldberg, Ian, David Wagner, Randi Thomas and Eric Brewer. “A Secure Environment for Untrusted Helper Applications (Confining the Wily Hacker)”. USENIX. July 1996. Sixth USENIX UNIX Security Symposium. Nov 13 2011 <http://www.usenix.org/publications/library/proceedings/sec96/full_papers/goldberg/goldberg.pdf&gt;

[2] Foresman, Chris. “Mac OS X has its own sandbox security hole.” Ars Technica. Nov 2011. Web. Nov 13 2011 <http://arstechnica.com/apple/news/2011/11/researchers-discover-mac-os-x-has-its-own-sandbox-security-hole.ars&gt;

[3] Ducklin, Paul. “Apple’s OS X sandbox has a gaping hole – or not.” Naked Security. Nov 2011. SophosLabs. Nov 14 2011 <http://nakedsecurity.sophos.com/2011/11/14/apples-os-x-sandbox-has-a-gaping-hole-or-not/&gt;

[4] Foresman, Chris. “Mac OS X has its own sandbox security hole.” Ars Technica. Nov 2011. Web. Nov 13 2011 <http://arstechnica.com/apple/news/2011/11/researchers-discover-mac-os-x-has-its-own-sandbox-security-hole.ars&gt;

[5] Schwartz, Matthew J., “Hackers Subvert Google Chrome Sandbox.” Information Week. May 2011. Web. Nov 13 2011 < http://www.informationweek.com/news/security/vulnerabilities/229403162&gt;

[6] “Microsoft Security Program: Frequently Asked Questions: Microsoft Security Bulletin (MS99-031).” Microsoft Security TechCenter. Web. Nov 14 2011 < http://technet.microsoft.com/en-us/security/bulletin/fq99-031&gt;

[7] “Critical Vulnerability in Firefox 3.5 and Firefox 3.6.” Mozilla Security Blog. Oct 2010. Web. Nov 13 2011 < http://blog.mozilla.com/security/2010/10/26/critical-vulnerability-in-firefox-3-5-and-firefox-3-6/&gt;

[8] Kaneshige, Tom. “Does sandbox security really protect your desktop?” InfoWorld. Jun 2008. Web. Nov 14 2011 < http://www.infoworld.com/d/security-central/does-sandbox-security-really-protect-your-desktop-105?page=0,1&gt;