Sandboxing: Isolating Applications, Browsers, and Malicious Software

What is Sandboxing?

Sandboxing is the practice of isolating an application, a web browser, or a piece of code inside a safe environment. The goal of sandboxing is typically to increase security. Organizations leverage sandboxing for a wide variety of purposes, including application sandboxing, web browser sandboxing, and security sandboxing.

An application sandbox lets you run untrusted software in a safe location and observe it to detect malicious components. A web browser sandbox lets you run browser applications in isolated environments, to block browser-based malware from spreading to the network. A security sandbox lets you observe and analyze threats in an isolated and safe environment.

Sandbox Use Cases

There are three main use cases for running software in a sandbox environment:

  • Application sandbox—there are tools that allow users to run untrusted software in a sandbox, to prevent it from accessing personal data or damaging the device. The sandbox behaves like a complete computer system, so the software cannot detect that it is operating within an isolated virtual environment.

  • Web browser sandbox—you can run a trusted web browser in a sandbox. If a malicious website or file exploits vulnerabilities in the web browser, the damage is limited to the sandbox. The detonation process can also help discover new vulnerabilities and remediate them in real user browsers.
  • Security sandbox—information security experts use sandboxes to investigate and detect malicious code. For example, they can run a scanner that visits a list of suspected malicious sites and checks which of them download or activate malicious files.

Application Sandboxing

Application sandboxing isolates a specific application on an end user’s device. Most commonly, the goal is to protect system resources and other applications from malware and other threats that may affect the sandboxed application.

There are two technical approaches for application sandboxing:

  • Wrapping applications with a security policy – adding a management layer on the user’s endpoint that applies controls to the application and limits its communication with other applications.
  • Splitting the application into a container or virtual machine – this provides stronger isolation and improved security, by running the application in a completely separate environment from the rest of the endpoint.

All major operating system vendors offer integrated application sandboxing capabilities. Here is how application sandboxing works in three common operating systems. Microsoft provides Windows Sandbox, which runs applications in a virtualized container, while Linux and Apple provide sandbox solutions that use the security policy approach.

Microsoft Windows: Windows Sandbox

Windows Sandbox is a sandbox environment that lets you run Windows applications in an isolated, lightweight desktop environment. It is based on Windows Containers and Hyper-V technologies. Other software on the host is not available to the sandbox environment, meaning that all supporting software must be installed again within the sandbox. The sandbox is non-persistent – closing it deletes all software and files.

Related content: read our guide to Windows sandbox

Linux: seccomp-BPF

seccomp-BPF is an open source system call filtering facility built into the Linux kernel. It works by attaching a filter to a process – the filter allows or disallows each system call that the process makes. The BPF interpreter inspects system calls using predefined rules, and can kill the process if the rules are violated. This enables a configurable level of isolation for the processes running an application.

seccomp-BPF is not a full sandbox environment, but can be used to create Linux sandbox environments.

Apple: The Apple Sandbox

The Apple Sandbox provides library functions that initialize and configure a sandbox. It uses a kernel extension based on the TrustedBSD API, which enforces sandbox policies.

Apple Sandbox provides the sandbox_init function, which accepts human-readable policies, passes them to the kernel, and creates a sandbox based on the rules defined in the policies.

Learn more in our detailed guide to app sandboxing.

Browser Sandboxing

Browser isolation is a security model that physically isolates Internet users’ browsing activity from their local computers, networks, and infrastructure. There are two main browser isolation techniques:

  • Local browser isolation, which typically involves running the browser in a container or virtual machine.
  • Remote browser isolation, which works by running a browser on an organization-hosted or cloud-based server, allowing users to browse the web in a remote virtual environment.

Local Browser Isolation: Virtual Browser

Virtual browsers run in an isolated environment, which acts as a protective barrier between web-based threats and end-user machines connected to the corporate network. If the user visits a malicious site or downloads a malicious file, these threats cannot reach the endpoint.

Virtual browsers significantly improve security, and allow organizations to leverage old, unsupported versions of browsers, which may be required for legacy applications. Their main downside is that it is difficult to synchronize two browsers running in parallel, in terms of browsing history, passwords, and cookies.

Learn more in our detailed guide to virtual browsers

Remote Browser Isolation (RBI)

Remote browser isolation can be hosted by an organization, or offered by third-party providers over the cloud. When users need to browse the Internet, the remote server starts a browser in a container.

There are two ways to stream web content from remote browsers to users: pixel pushing, which transmits a visual stream to the user’s device, and DOM reconstruction, which filters out harmful content and reconstructs the page on the user’s browser.

Like local isolation, remote isolation is costly, because it requires allocating resources to run large numbers of containerized browsers, or paying for those resources allocated by an external provider. In addition, pixel pushing introduces high latency which provides a poor user experience, while DOM reconstruction has higher performance, but can break web pages and may not be able to eliminate all security threats.

Learn more in our detailed guide to remote browser isolation

Security Sandbox

Unlike application and browser sandboxing, which primarily serve end users, security sandboxes are used by security professionals. They can help security experts test and investigate suspected malicious software in a safe environment.

A security sandbox is a secure virtual environment that can accurately simulate the computing resources of the underlying system. The sandbox should be as similar as possible to the protected system. Today, sophisticated malware has sandbox evasion capabilities, so there is a need to “trick” the malware into thinking it is running in a real production environment.

The security sandboxing process works as follows:

  1. A file is detected as suspicious by other security systems, or manually selected for investigation by security teams
  2. The file is moved to the sandbox
  3. The file is “detonated”, in an attempt to see its impact in a controlled environment
  4. If the file is deemed to be malicious, it is quarantined. If not, it is allowed for use by organizational users.

Sandboxing is a highly effective security technique. It provides a controlled testing environment, and makes it possible to identify and protect against unknown and zero-day threats. However, the downsides are that full security sandboxing environments are costly, resource-intensive, and require special expertise to operate, straining under-staffed security teams.

Learn more in our detailed guide to sandboxing security (coming soon)

Hysolate: A fully managed and secured Sandbox solution

Hysolate is a full OS isolation solution for Windows 10, splitting your endpoint into a more secure corporate zone and a less secure zone for daily tasks. This means that one OS can be reserved for corporate access, with strict networking and security policies, and the other can be a more open zone for accessing untrusted websites and applications.

Hysolate can be used as a sandbox, where developers can download open source-code repositories, access training videos over YouTube, as well as for productivity and communication tools like Zoom and Slack. Developers can have full access to all the websites and applications they need to do their jobs, but these activities are contained within a corporate-managed sandbox.

Hysolate has several advantages over traditional sandbox solutions. It sits on the user endpoint, so it provides a better UX, but is managed by a granular management console via the cloud. This means that admins can monitor and control exactly what their team is using the sandbox environment for, and the sandbox can easily be wiped if threats are detected. Hysolate is easy to deploy, and can be scaled to your entire team, not just the technical members. Hysolate sandboxes applications, websites, documents and peripherals, and gives you better security and manageability, including the ability to keep apps persistent within the sandbox.

Try out Hysolate Free today: a free Windows sandbox on steroids.