Sandboxing: Isolating Applications, Browsers, and Malicious Software
What is Sandboxing?
Sandboxing is the practice of isolating an application, a web browser, or a piece of code inside a safe environment. The goal of sandboxing is typically to increase security. Organizations leverage sandboxing for a wide variety of purposes, including application sandboxing, web browser sandboxing, and security sandboxing.
An application sandbox lets you run untrusted software in a safe location and observe it to detect malicious components. A web browser sandbox lets you run browser applications in isolated environments, to block browser-based malware from spreading to the network. A security sandbox lets you observe and analyze threats in an isolated and safe environment.
Sandbox Use Cases
There are three main use cases for running software in a sandbox environment:
- Application sandbox—there are tools that allow users to run untrusted software in a sandbox, to prevent it from accessing personal data or damaging the device. The sandbox behaves like a complete computer system, so the software cannot detect that it is operating within an isolated virtual environment.
- Web browser sandbox—you can run a trusted web browser in a sandbox. If a malicious website or file exploits vulnerabilities in the web browser, the damage is limited to the sandbox. The detonation process can also help discover new vulnerabilities and remediate them in real user browsers.
- Security sandbox—information security experts use sandboxes to investigate and detect malicious code. For example, they can run a scanner that visits a list of suspected malicious sites and check which of them downloads or activates malicious files.
Application Sandboxing
Application sandboxing isolates a specific application on an end user’s device. Most commonly, the goal is to protect system resources and other applications from malware and other threats that may affect the sandboxed application.
There are two technical approaches for application sandboxing:
- Wrapping applications with a security policy – adding a management layer on the user’s endpoint that applies controls to the application and limits its communication with other applications.
- Splitting the application into a container or virtual machine – this provides stronger isolation and improved security, by running the application in a completely separate environment from the rest of the endpoint.
All major operating system vendors provide integrated application sandboxing capabilities. Here is how application sandboxing works in three common operating systems. Microsoft provides Windows Sandbox, which runs applications in a virtualized container, while Linux and Apple provide sandbox solutions that use the security policy approach.
Microsoft Windows: Windows Sandbox
Windows Sandbox is a sandbox environment that lets you run Windows applications in an isolated, lightweight desktop environment. It is based on Windows Containers and Hyper-V technologies. Other software on the host is not available to the sandbox environment, meaning that all supporting software must be installed again within the sandbox. The sandbox is non-persistent: closing it deletes all software and files.
Linux: seccomp-BPF
seccomp-BPF is an open source sandboxing mechanism built into the Linux kernel. It works by attaching a filter to a process that allows or denies that process’s system calls. The kernel’s BPF interpreter evaluates each system call against the predefined rules, and can kill the process if a rule is violated. This enables a configurable level of isolation for processes running an application.
seccomp-BPF is not a full sandbox environment on its own, but it can be used as a building block for Linux sandbox environments.
Apple: The Apple Sandbox
The Apple Sandbox provides library functions that initialize and configure a sandbox. It uses a kernel extension based on the TrustedBSD API, which enforces sandbox policies.
Apple Sandbox provides the sandbox_init function, which accepts human-readable policies, passes them to the kernel, and creates a sandbox based on the rules defined in the policies.
Browser Isolation
Browser isolation is a security model that physically isolates Internet users’ browsing activity from their local computers, networks, and infrastructure. There are two main browser isolation techniques:
- Local browser isolation, which typically involves running the browser in a container or virtual machine.
- Remote browser isolation, which works by running a browser on an organization-hosted or cloud-based server, allowing users to browse the web in a remote virtual environment.
Local Browser Isolation: Virtual Browser
Virtual browsers run in an isolated environment, which acts as a protective barrier between web-based threats and end-user machines connected to the corporate network. If the user visits a malicious site or downloads a malicious file, these threats cannot reach the endpoint.
Virtual browsers significantly improve security, and allow organizations to leverage old, unsupported versions of browsers, which may be required for legacy applications. Their main downside is that it is difficult to synchronize two browsers running in parallel, in terms of browsing history, passwords, and cookies.
Learn more in our detailed guide to virtual browsers.
Remote Browser Isolation (RBI)
Remote browser isolation can be hosted by an organization, or offered by third-party providers over the cloud. When users need to browse the Internet, the remote server starts a browser in a container.
There are two ways to stream web content from remote browsers to users: pixel pushing, which transmits a visual stream to the user’s device, and DOM reconstruction, which filters out harmful content and reconstructs the page on the user’s browser.
Like local isolation, remote isolation is costly, because it requires allocating resources to run large numbers of containerized browsers, or paying for those resources allocated by an external provider. In addition, pixel pushing introduces high latency which provides a poor user experience, while DOM reconstruction has higher performance, but can break web pages and may not be able to eliminate all security threats.
Learn more in our detailed guide to remote browser isolation.
Security Sandboxing
Unlike application and browser sandboxing, which primarily serve end users, security sandboxes are used by security professionals. They can help security experts test and investigate suspected malicious software in a safe environment.
A security sandbox is a secure virtual environment that can accurately simulate the computing resources of the underlying system. The sandbox should be as similar as possible to the protected system. Today, sophisticated malware has sandbox evasion capabilities, so there is a need to “trick” the malware into thinking it is running in a real production environment.
The security sandboxing process works as follows:
- A file is detected as suspicious by other security systems, or manually selected for investigation by security teams.
- The file is moved to the sandbox.
- The file is “detonated”, in an attempt to see its impact in a controlled environment.
- If the file is deemed to be malicious, it is quarantined. If not, it is allowed for use by organizational users.
Sandboxing is a highly effective security technique. It provides a controlled testing environment, and makes it possible to identify and protect against unknown and zero-day threats. However, the downsides are that full security sandboxing environments are costly, resource-intensive, and require special expertise to operate, straining under-staffed security teams.
Perception Point Advanced Browser Security
Perception Point Advanced Browser Security adds enterprise-grade security to native Chrome and Edge browsers. The managed solution fuses patented web isolation technology with multi-layer advanced threat detection engines, which together deliver the unprecedented ability to isolate, detect and remediate all malicious threats from the web, including phishing, ransomware, malware, APTs, and more.
Untrusted, risky websites and applications are automatically opened and used in the secured browser, which is isolated from corporate data and applications. Access to sensitive corporate apps is secured via an isolated, trusted Chrome or Edge browser. This provides data loss prevention (DLP) for both managed and unmanaged endpoints.
The behavior of the secured browser is managed in the cloud, while all of the computing resources run locally on user endpoints. This eliminates the need to invest in a large and costly infrastructure, and provides a better local user experience in terms of speed, along with offline availability.
We add advanced security to native Chrome and Edge browsers to protect your organization against all malicious threats from the web and protect access to sensitive corporate apps.