Learning Resource: Sandboxing
Understanding OS Security: Threats and Security Controls
What is OS Security?
The term operating system (OS) security refers to practices and measures that can ensure the confidentiality, integrity, and availability (CIA) of operating systems.
The goal of OS security is to protect the OS from various threats, including malicious software such as worms, trojans and other viruses, misconfigurations, and remote intrusions.
OS security typically involves the implementation of control techniques that can protect your assets from unauthorized modification and deletion or theft.
The most common techniques used to protect operating systems include the use of antivirus software and other endpoint protection measures, regular OS patch updates, a firewall for monitoring network traffic, and enforcement of secure access through least privileges and user controls.
This is part of our series of articles about sandboxing.
What are Common OS Security Threats?
Here are a few of the most common threat vectors that can affect an operating system.
Malware
Malware is short for malicious software, which encompasses a range of attack vectors such as viruses, worms, trojans, and rootkits. Malware is injected into a system without the owner’s consent, or by masquerading as legitimate software, with the objective of stealing, destroying or corrupting data, or compromising the device.
Malware can also replicate, allowing it to spread further in a corporate network and beyond. Malware attacks often go undetected by the target user, allowing for the quiet extraction of sensitive data. In other cases attackers silently “herd” compromised devices into botnets and use them for criminal activities such as distributed denial of service (DDoS) attacks.
Denial of Service Attacks
A Denial of Service (DoS) attack is intended to clog a system with fake requests so it becomes overloaded, and eventually stops serving legitimate requests. Some DoS attacks, in addition to overwhelming a system’s resources, can cause damage to the underlying infrastructure.
Modern DoS attacks are waged by a distributed network of thousands or millions of bots (automated agents)—this is known as distributed denial of service (DDoS), and can be extremely difficult to mitigate due to its huge scale.
An example of a DoS attack is the repeated use of system requests in a tight loop, or a “SYN flood” in which the attacker sends a large number of network requests, requiring the server to acknowledge each one, and exhausting its resources.
Network Intrusion
Network intrusion occurs when an individual gains access to a system for improper use. There are several types of network intrusion depending on the type of intruder:
- Careless insiders—authorized users who neglect to follow security policies or best practices, causing exposure of sensitive assets.
- Malicious insiders—authorized users who misuse their privileges with malicious intent.
- Masqueraders—external individuals who pose as legitimate users, exploiting the account or credentials of an authorized user to gain access to the system.
- Clandestine users—attackers who penetrate the system by gaining supervisory control and going around access controls.
Buffer Overflow
The main function of a buffer is to temporarily store data. Each buffer has a limited capacity. During a buffer overflow attack, a buffer or other temporary data store is filled with more data than it can hold. When the buffer overflows, the program attempting to write the data may overwrite other memory locations containing important information.
Threat actors look for buffer overflow vulnerabilities, which they can exploit to inject scripts that help them hijack the system or crash it.
How Can You Ensure Operating System Security?
Here are a few ways you can improve operating system security in your organization.
Authentication Measures
Authentication involves matching an identified user with the programs or data they are allowed to access. All operating systems have controls that can be used to verify that users who run a particular program are authorized to do so.
You can use the following techniques to authenticate users at the operating system level:
- Security keys: keys are provided by a key generator, usually in the form of a physical dongle. The user must insert the key into a slot in the machine to log in.
- Username-password combinations: The user enters a username that is registered with the OS, along with a matching password.
- Biometric signatures: The user scans a physical attribute, such as a fingerprint or retina, to identify themselves.
- Multi-factor authentication: Modern authentication systems use multiple methods to identify a user, combining something the user knows (credentials), something they own (such as a mobile device), and/or a physical characteristic (biometrics).
Using One-Time Passwords
One-time passwords offer an additional layer of security when combined with standard authentication measures. Users must enter a unique password generated each time they log in to the system. A one-time password cannot be reused.
Examples of one-time passwords include:
- Network passwords: An application sends a one-time password to the users via a registered email address or mobile phone number. The user must enter this password to log in to the computer.
- Random numbers: The user receives a card listing numbers that correspond to matching letters. The OS requires the user to enter the numbers that match a set of randomly generated letters.
- Secret keys: The user receives a device that generates secret keys. The user then enters the secret key into the OS system, which identifies the user credentials associated with the key.
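The "cannot be reused" property of the device-generated codes above can be made concrete with a short added example (not code from the original article). It assumes the device implements HOTP as specified in RFC 4226, which the article does not name; `OtpVerifier`, `enroll`, `verify` and the user name are illustrative names, and the secret is the RFC's published test secret.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpVerifier:
    """Server side (hypothetical helper): remembers the next acceptable counter
    for each user, so every code is accepted at most once."""

    def __init__(self, look_ahead: int = 3):
        # look_ahead tolerates codes the device generated but the user never submitted
        self.look_ahead = look_ahead
        self._secrets = {}
        self._next_counter = {}

    def enroll(self, user: str, secret: bytes) -> None:
        self._secrets[user] = secret
        self._next_counter[user] = 0

    def verify(self, user: str, submitted: str) -> bool:
        secret = self._secrets.get(user)
        if secret is None:
            return False
        start = self._next_counter[user]
        for counter in range(start, start + self.look_ahead + 1):
            # constant-time comparison avoids leaking how many digits matched
            if hmac.compare_digest(hotp(secret, counter), submitted):
                # Advance past the matched counter: this code and every
                # earlier one are retired for good.
                self._next_counter[user] = counter + 1
                return True
        return False


def demo():
    secret = b"12345678901234567890"  # RFC 4226 test secret, not a real credential
    verifier = OtpVerifier()
    verifier.enroll("alice", secret)
    first = hotp(secret, 0)
    return [
        verifier.verify("alice", first),            # fresh code is accepted
        verifier.verify("alice", first),            # replay of the same code is rejected
        verifier.verify("alice", hotp(secret, 2)),  # device ran ahead: accepted via look-ahead
        verifier.verify("alice", hotp(secret, 1)),  # skipped code is now retired
        verifier.verify("alice", "000000"),         # wrong code
    ]


if __name__ == "__main__":
    print(demo())
```

A production verifier would also rate-limit failed attempts, since a six-digit code is otherwise guessable by brute force.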
Virtualization
Virtualization enables you to abstract software from hardware, effectively separating the two. The main advantage of virtualization is that it introduces a high level of efficiency and flexibility, while providing greater security coverage. There are many types of virtualization, including desktop, application, network, server, storage, and OS virtualization.
Operating system virtualization is a form of sandboxing. Learn more in our guide to sandboxing security.
What is OS virtualization?
OS virtualization enables you to run multiple isolated user environments using the same OS kernel. The technology that creates and enables this type of isolation is called a “hypervisor”, which serves as a layer located between the device and the virtualized resources.
The hypervisor manages the virtual machines (VMs) running on the device (typically 2-3 VMs). Each VM is dedicated to one user or one security zone. There are several types of VMs that can run alongside each other. Here are the three main categories:
Fully locked-down VM
Should be used to provide access to sensitive data and corporate systems, such as IT environments, payment systems, and sensitive customer data.
Unlocked, open VM
Should be used to provide unrestricted access to non-corporate resources. For example, full web browsing sessions, installation of applications, and use of external devices.
Semi-locked-down VM
Should be used to provide access to standard corporate applications and resources, such as office documents, company email, and internal services.
Advantages of OS virtualization
Each type of VM is limited to the actions allowed by design. Any further action is restricted. This keeps the environment secure. The hypervisor runs below the OS of the device and splits the device into multiple VMs running locally with their own OS—effectively isolating users.
Because the users are isolated, the devices remain secure. This ensures that employees and third parties can gain access to company resources without endangering company resources.
Another major advantage of OS virtualization is that none of the virtualized environments can directly access the network. Instead, connectivity is enabled via an invisible, virtualized network layer that implements network segmentation directly on the endpoint device.
Testing and Validating Operating System Security
Securing an operating system or any software is an ongoing process that requires constant testing. Depending on the risk and priority of a system, security posture tests may take place on a monthly, weekly or daily basis. Here are a few testing methods you can use.
Vulnerability Assessment
Vulnerability assessment involves testing for weaknesses that may be lying undetected in an operating system. Identifying vulnerabilities allows you to identify possible vectors for an attack so you can better understand the risk to your system.
As part of a continuous process, vulnerability assessment attempts to stay on top of newly exposed vulnerabilities by locating, classifying and prioritizing them according to severity and impact. This process usually combines manual tasks with automated tools.
The following are some of the typical methods used for OS vulnerability assessment:
- Scanning for known vulnerabilities
- Scanning the software and applications on an operating system
- Scanning for malware
- Scanning for missing patches and updates
- Patch testing
- Port scanning
Penetration Testing
Penetration testing, or pentesting, is a security assessment strategy that uses vulnerability assessment to identify how an attacker may successfully exploit vulnerabilities in the system. The penetration testing method involves simulating an exploit to evaluate system security.
Penetration testing helps discover vulnerabilities beyond the obvious, and seeks to identify the methods an attacker may use to exploit them. Security teams can leverage the insights provided by pentesting to put in place effective security measures.
There are three types of penetration testing, each of which provides different types of insights into operating system security and potential for exploitation:
- White Box: The penetration tester has full technical knowledge of the system being tested.
- Grey Box: The pentester has limited technical knowledge of the system being tested.
- Black Box: The pentester doesn’t have any prior technical knowledge of the system being tested.
Improving Operating System Security with Hysolate
Hysolate is a full OS isolation solution for Windows 10 or Windows 11, splitting your endpoint into a more secure corporate zone and a less secure zone for daily tasks. This means that one OS can be reserved for corporate access, with strict networking and security policies, and the other can be a more open zone for accessing untrusted websites and applications.
Hysolate sits on the user endpoint, so it provides a good UX, but is managed by a granular management console via the cloud. This means that admins can monitor and control exactly what their team is using the isolated OS environment for, and it can easily be wiped if threats are detected. Hysolate is easy to deploy, and can be scaled to your entire team, not just the technical members. Hysolate isolates applications, websites, documents and peripherals, giving you improved security and manageability.
Sandbox Software Development: Use Cases and Techniques
What is Sandbox Software Development?
A sandbox is an independent testing environment that lets you run programs and files without affecting the surrounding applications or operating system. The sandbox ensures that applications under test and related processes cannot access user data, system resources, and networks without restrictions.
Sandboxes provide many benefits for developers and testers, including:
- Predictable behavior of software regardless of where or how it was deployed, which is critical for consistent testing results
- The ability to test software in multiple environments using one physical test machine
- Protecting other parts of the environment against faults in the software under test
- Faster deployment of software for testing purposes and easier automation
When software developers use sandboxes to test new code, they are known as development sandboxes or testing sandboxes. Another use of sandboxes is for security—sandboxes can be used by security experts to test for malware and security threats.
Use Cases of Sandboxes in Software Development
Here are a few ways sandboxes can be used as part of a software development lifecycle:
Development
Developers need a fast feedback cycle to be productive. Instead of coding on their local machine and waiting for a build server to create the full product on a remote environment, with the help of a sandbox they can build and test software on their local machine. The local sandbox can contain a full working environment, including databases and other integrated components.
Software testing
Agile software testing needs a way to deploy software automatically and consistently multiple times a day. Sandboxes are a great way to achieve this—packaging software in an isolated environment, which can be deployed on any test server, and functions the same way regardless where it is installed.
Security testing
Security is an inseparable part of modern software development processes, with the advent of DevSecOps (the joining of development, security, and operations into one organization). Sandboxes are extremely important in security testing, because if software is infected by malware or other threats, they could do damage to test machines and spread to the rest of the environment. Sandbox testing ensures that threats cannot have any effect on the system outside the sandbox.
Related content: read our guide to sandboxing security
Demos and POCs
Software often needs to be demonstrated to stakeholders, prospective customers, or existing customers considering an upgrade. Sandboxes make it easy to package software in a predictable environment, together with test data that can allow the user to try out its important functions. The sandbox can either be deployed and used by sales engineers or marketing teams, or it can be shipped directly to the customer or user, and installed in their local environment.
Sandboxing Techniques
There are four primary ways you can set up a sandbox for software development purposes:
Sandbox Programs
Possibly the most popular is Sandboxie, but other options include SHADE, Turbo.net and BitBox. These are easy to use software programs that can run any software in a sandbox, and also allow you to manage multiple sandboxes on the same machine.
Virtual Machine (VM)
A VM creates a full operating system, running directly on the host machine’s hardware (a Type 1 hypervisor) or on top of the host operating system (a Type 2 hypervisor). It provides a high level of isolation, and an environment that is indistinguishable from a regular operating system installed on a regular machine.
You can create a virtual machine image that contains your software under test and all its relevant dependencies. The downside is that VMs require a lot of system resources and take time to start, which can be significant in fast-paced testing environments.
For large-scale enterprise environments the leading providers of virtualization are VMware, Citrix, and Microsoft Hyper-V. For smaller scale use cases, you can use free, lightweight virtualization software like Oracle VirtualBox and Solarwinds Virtualization Manager.
Containers
Containerization, typically based on the Docker container engine, is extremely popular in software development. Containers package a software component, its configuration, files, and everything else it needs to run, in an isolated environment. A container is—for all intents and purposes—a sandbox.
However, containers can in theory allow access to the underlying operating system and other containers, and they must be configured properly to ensure full isolation.
Built-In Operating System Sandboxes
Windows 10 comes with Windows Sandbox, a built-in sandbox environment, based on Windows Container technology. It provides a clean operating system, into which you install the software you want to test and its dependencies. Windows Sandbox is lean on system resources because it uses the underlying Windows operating system.
Apple provides similar capability with its Apple Sandbox, based on the TrustedBSD API. In Linux, you can do something similar with seccomp-BPF, a kernel extension that can isolate a Linux process and prevent it from communicating with other processes.
What is API Sandboxing?
An API sandbox is a special type of software development sandbox, which allows users to experience APIs in a controlled environment.
A common problem with APIs is that, while they can be extremely useful, it can be difficult to connect to an API and learn how to use it. API sandboxes help users get a taste of an API without having to go to the effort of integrating it with their systems.
There are three main ways you can set up an API sandbox for your users: API sandbox, API virtualization, and API playground.
API Sandboxes
An API sandbox consists of a complex interactive UI and a predefined set of features defined by the provider. It is usually limited in capabilities, allowing users to perform simple calls and see their results.
Another big advantage of API sandboxes is that they can be preloaded with test data. This means that:
- There are fewer security and compliance issues
- Users can immediately get started with the API without having to load their proprietary data, which can be complex
- It is easy to showcase important functions of the API, by loading it with relevant data
API sandboxes are not only useful for users—they can also provide testing data to developers. However, this data has limited significance, because the sandbox is not equivalent to the full production environment.
API virtualization
API virtualization, also known as service virtualization, has been around for more than a decade. There are many well known tools that provide it out of the box, such as Micro Focus Service Virtualization, Smartbear SoapUI, and Tricentis OSV.
API virtualization lets you provide a copy of your full API server. It is a mirror of the full production API, but it typically showcases a new version or different functionality that is not available in the current production version.
The advantage of this approach is that it enables consistent and accurate testing, because the API is provided in a full, production-like environment. The disadvantage is that it is less suitable for user testing purposes, because it can be just as difficult for users to adopt as the real API. In addition, because it is a real variant of production code, it can create security and compliance risks.
API Playground
An API playground is a middle ground between sandboxing and API virtualization. An API playground is a full, production-like environment, but it is configured to offer limited functionality and may be loaded with limited data for testing and evaluation purposes. It is common to provide an API playground as a cloud-hosted service—meaning that the user can immediately access it, without having to download and deploy it locally.
API playgrounds are useful both for users and testers:
- For users, they enable fast onboarding and easy testing of API capabilities.
- For testers, they make it possible to see how real users interact with a realistic production system.
Hysolate: A Fully Managed, Secured Sandbox Solution
Hysolate is a full OS isolation solution for Windows 10, splitting your endpoint into a more secure corporate zone and a less secure zone for daily tasks. This means that one OS can be reserved for corporate access, with strict networking and security policies, and the other can be a more open zone for accessing untrusted websites and applications.
Hysolate can be used as a sandbox, where developers can download open source-code repositories, access training videos over YouTube, as well as for productivity and communication tools like Zoom and Slack. Developers can have full access to all the websites and applications they need to do their jobs, but these activities are contained within a corporate-managed sandbox.
Hysolate has several advantages over traditional sandbox solutions. It sits on the user endpoint, so it provides a better UX, but is managed by a granular management console via the cloud. This means that admins can monitor and control exactly what their team is using the sandbox environment for, and it can easily be wiped if threats are detected. Hysolate is easy to deploy, and can be scaled to your entire team, not just the technical members. Hysolate sandboxes applications, websites, documents and peripherals, giving you better security and manageability, including the ability to choose to keep apps persistent within the sandbox.
Sandboxing Security: A Practical Guide
What is Sandboxing Security?
Sandboxing security techniques and tools enable you to move suspicious software and files into an isolated environment—a sandbox—where the threat is tested. A sandbox is designed to mimic production environments, but it is deployed safely away from your real assets.
A major advantage of sandbox environments is the ability to isolate threats. Once the threat is isolated, you can test and analyze it, usually by “detonating” the suspicious file and causing it to deploy its malicious payload. The information gathered from the analysis can help you protect your systems from similar threats—essentially turning a zero-day threat into a known factor.
There is a wide range of sandboxing security solutions. Typically, a solution provides capabilities for analysis, pre-filtering, visualization, emulation, anti-evasion, and threat intelligence.
How Does Sandbox Cyber Security Work?
Sandbox security testing proactively detects malware by running suspicious code in a safe and isolated environment, and monitoring the behavior and outputs of the code. This is known as “detonation”.
The major advantage of sandbox-based security testing is that it can reliably detect unknown threats. Other methods of testing, both traditional signature-based methods, and modern behavioral analysis based on machine learning (known as featureless detection), are limited in their ability to detect unknown threats.
These traditional methods are only as good as the threat databases and models that support them. The sandbox technique provides an additional layer of defense, making it possible to test payloads that passed other detection techniques, but may still contain threats.
There are three primary ways to implement a sandbox for security testing:
- Complete system emulation—the sandbox simulates the host’s physical hardware such as CPU and memory to gain a comprehensive understanding of program behavior and impact.
- Operating system emulation—the sandbox emulates the end user’s operating system, but does not accurately simulate system hardware.
- Virtualization / containerization—this method uses a virtual machine (VM) or container to run software in an isolated environment.
Because a VM or container is not an identical environment to a full operating system, there is lower confidence that malware will behave in the same way as it does on a real endpoint. However, VMs and containers are easier to deploy and require less system resources to run compared to full OS or complete system emulation.
Related content: read our guide to application sandboxing.
Using Sandboxes to Detonate Malicious Payloads
Malware typically distributes payloads (macros, scripts, hyperlinks, files) when copied or downloaded to a device, or when a file is opened. Sandbox systems with detonation features can automatically analyze files and identify suspicious activity.
Some popular sandbox solutions do not provide detonation capabilities out of the box—but it is still possible to “play around” with malicious software to investigate its behavior. Other solutions have built-in, automated security testing features.
Typical Workflow for Sandboxing Detonation
If the malware doesn’t immediately activate its payload, the sandbox system can attempt to trick the malware into deploying, by changing certain virtual machine settings (such as date and time settings), or restarting the VM. Sandbox engines can also simulate different system properties that may trigger malicious behavior.
A typical workflow for detonation is as follows:
- The sandboxing system detects content that is suspicious and needs to be tested.
- Content is moved to the sandbox environment.
- The end user is notified that the content is being tested.
- If the content is safe, the user can retry the download or attempt visiting the website again. If not, the content is blocked and administrators are notified.
Payload Detonation Best Practices
Here are a few best practices that can identify malicious payloads more effectively.
- Use variable durations—sandboxes typically analyze malware for a few seconds, but this does not capture many malicious behaviors. Some of the most damaging types of malware lie dormant for some time and are only then activated. Long-term analysis greatly increases the chances of detecting this type of malware, but because this has a high resources cost, a best practice is to randomize the sandbox’s sleep settings, increasing the chance of capturing malicious activity.
- Use realistic software and hardware settings—some malware checks the size of your hard drive, latest files created, CPU capabilities, operating system version, amount of memory, and other system characteristics. Use realistic settings in your sandbox or virtual machines to induce malware to perform its intended behavior.
- Real time monitoring—prefer a sandbox tool that monitors how malware interacts with the virtualized system, including calls to system APIs by malicious programs, and recording stack traces.
- Dynamic sandboxes—prefer a sandboxing method that lets the sandbox interact with the malware and simulates processes to find additional paths of execution. This can also help you counter sandbox evasion techniques used by sophisticated malware.
How to Choose Sandbox Security Software
Here are some of the key capabilities you should look for in a sandbox security solution:
- Analyzing a variety of suspicious objects—a sandbox should be able to analyze executables, DLLs, PDFs, Microsoft Office documents, Java and Flash programs, and any other artifact that may be used in your environment.
- Analyzing web content—modern sandboxes can detect browser vulnerabilities and malicious websites by analyzing JavaScript and HTML elements on web pages. Related content: read our guide to web filtering.
- Pre-filtering—sandboxes should attempt to minimize the number of objects sent to the sandbox for analysis, to reduce analysis time and false positives. These techniques include static code analysis, antivirus scans, threat intelligence feeds, and other methods of identifying malware without sandbox analysis. An object is sent to the sandbox only if these methods cannot identify it as suspicious.
- Combination of virtualization and emulation—for sandboxes running in production, it is not feasible to emulate the full stack. Virtualization-based methods can be combined with emulation methods to analyze suspicious objects. The emulation method uses a layer of software that mimics an application, operating system, or hardware platform.
- Fine-grained emulation—the sandbox solution should provide the ability to emulate hardware, system properties, and software, including specific minor versions of the operating system or software that is targeted by the malware.
- Anti-evasion—sophisticated malware can try to detect sandbox environments. Most commonly, malware will try to detect the presence of a hypervisor, which can indicate the code is running in a sandbox. Some sandboxes may use custom hypervisors to avoid detection, but this limits the ability to accurately simulate the end-user environment.
- Threat intelligence—a security sandboxing solution should combine testing with threat intelligence data, to understand the identity and motivation of the attackers. This can help incident responders determine whether the malware is part of a targeted attack or advanced persistent threat (APT), or an automated or mass distributed attack.
Sandboxing Security with Hysolate
Looking for a managed sandbox solution to isolate risky or sensitive activities on a user’s endpoint device? Hysolate can be used as a sandbox, where developers or researchers can download open source-code repositories, access training videos over YouTube, as well as for productivity and communication tools like Zoom and Slack. Users can have full access to all the websites and applications they need to do their jobs, but these activities are contained within a corporate-managed Windows 10 sandbox.
Hysolate is more than just a sandbox: it’s a full OS isolation solution for Windows 10, splitting your endpoint into a more secure corporate zone and a less secure zone for daily tasks. This means that one OS can be reserved for corporate access, with strict networking and security policies, and the other can be a more open zone for accessing untrusted websites and applications.
Sandboxing: Isolating Applications, Browsers, and Malicious Software
What is Sandboxing?
Sandboxing is the practice of isolating an application, a web browser, or a piece of code inside a safe environment. The goal of sandboxing is typically to increase security. Organizations leverage sandboxing for a wide variety of purposes, including application sandboxing, web browser sandboxing, and security sandboxing.
An application sandbox lets you run untrusted software in a safe location and observe it to detect malicious components. A web browser sandbox lets you run browser applications in isolated environments, to block browser-based malware from spreading to the network. A security sandbox lets you observe and analyze threats in an isolated and safe environment.
Sandbox Use Cases
There are three main use cases for running software in a sandbox environment:
- Application sandbox—there are tools that allow users to run untrusted software in a sandbox, to prevent it from accessing personal data or damaging the device. The sandbox behaves like a complete computer system, so the software cannot detect that it is operating within an isolated virtual environment.
- Web browser sandbox—you can run a trusted web browser in a sandbox. If a malicious website or file exploits vulnerabilities in the web browser, the damage is limited to the sandbox. The detonation process can also help discover new vulnerabilities and remediate them in real user browsers.
- Security sandbox—information security experts use sandboxes to investigate and detect malicious code. For example, they can run a scanner that visits a list of suspected malicious sites and check which of them downloads or activates malicious files.
Application Sandboxing
Application sandboxing isolates a specific application on an end user’s device. Most commonly, the goal is to protect system resources and other applications from malware and other threats that may affect the sandboxed application.
There are two technical approaches for application sandboxing:
- Wrapping applications with a security policy – adding a management layer on the user’s endpoint that applies controls to the application and limits its communication with other applications.
- Splitting the application into a container or virtual machine – this provides stronger isolation and improved security, by running the application in a completely separate environment from the rest of the endpoint.
All major operating system providers provide integrated application sandboxing capabilities. Here is how application sandboxing works in three common operating systems. Microsoft provides Windows Sandbox, which runs applications in a virtualized container, while Linux and Apple provide sandbox solutions that use the security policy approach.
Microsoft Windows: Windows Sandbox
Windows Sandbox is a sandbox environment that lets you run Windows applications in an isolated, lightweight desktop environment. It is based on Windows Containers and Hyper-V technologies. Other software on the host is not available to the sandbox environment, meaning that all supporting software must be installed again within the sandbox. The sandbox is non-persistent – closing it deletes all software and files.
Linux: seccomp-BPF
seccomp-BPF is an open source Linux sandbox platform. It works by assigning a filter to a process – this allows or disallows system calls by that process. The BPF interpreter inspects system calls using predefined rules, and can kill the process if rules are violated. This enables a configurable level of isolation for processes running an application.
seccomp-BPF is not a full sandbox environment, but can be used to create Linux sandbox environments.
Apple: The Apple Sandbox
The Apple Sandbox provides library functions that initialize and configure a sandbox. It uses a kernel extension based on the TrustedBSD API, which enforces sandbox policies.
Apple Sandbox provides the sandbox_init function, which accepts human-readable policies, passes them to the kernel, and creates a sandbox based on the rules defined in the policies.
Browser Sandboxing
Browser isolation is a security model that physically isolates Internet users’ browsing activity from their local computers, networks, and infrastructure. There are two main browser isolation techniques:
- Local browser isolation, which typically involves running the browser in a container or virtual machine.
- Remote browser isolation, which works by running a browser on an organization-hosted or cloud-based server, allowing users to browse the web in a remote virtual environment.
Local Browser Isolation: Virtual Browser
Virtual browsers run in an isolated environment, which acts as a protective barrier between web-based threats and end-user machines connected to the corporate network. If the user visits a malicious site or downloads a malicious file, these threats cannot reach the endpoint.
Virtual browsers significantly improve security, and allow organizations to leverage old, unsupported versions of browsers, which may be required for legacy applications. Their main downside is that it is difficult to synchronize two browsers running in parallel, in terms of browsing history, passwords, and cookies.
Remote Browser Isolation (RBI)
Remote browser isolation can be hosted by an organization, or offered by third-party providers over the cloud. When users need to browse the Internet, the remote server starts a browser in a container.
There are two ways to stream web content from remote browsers to users: pixel pushing, which transmits a visual stream to the user’s device, and DOM reconstruction, which filters out harmful content and reconstructs the page on the user’s browser.
Like local isolation, remote isolation is costly, because it requires allocating resources to run large numbers of containerized browsers, or paying for those resources allocated by an external provider. In addition, pixel pushing introduces high latency which provides a poor user experience, while DOM reconstruction has higher performance, but can break web pages and may not be able to eliminate all security threats.
Security Sandbox
Unlike application and browser sandboxing, which primarily serve end users, security sandboxes are used by security professionals. They can help security experts test and investigate suspected malicious software in a safe environment.
A security sandbox is a secure virtual environment that can accurately simulate the computing resources of the underlying system. The sandbox should be as similar as possible to the protected system. Today, sophisticated malware has sandbox evasion capabilities, so there is a need to “trick” the malware into thinking it is running in a real production environment.
The security sandboxing process works as follows:
- A file is detected as suspicious by other security systems, or manually selected for investigation by security teams
- The file is moved to the sandbox
- The file is “detonated”, in an attempt to see its impact in a controlled environment
- If the file is deemed to be malicious, it is quarantined. If not, it is allowed for use by organizational users.
Sandboxing is a highly effective security technique. It provides a controlled testing environment, and makes it possible to identify and protect against unknown and zero-day threats. However, the downsides are that full security sandboxing environments are costly, resource-intensive, and require special expertise to operate, straining under-staffed security teams.
Hysolate: A fully managed and secured Sandbox solution
Hysolate is a full OS isolation solution for Windows 10, splitting your endpoint into a more secure corporate zone and a less secure zone for daily tasks. This means that one OS can be reserved for corporate access, with strict networking and security policies, and the other can be a more open zone for accessing untrusted websites and applications.
Hysolate can be used as a sandbox, where developers can download open source-code repositories, access training videos over YouTube, as well as for productivity and communication tools like Zoom and Slack. Developers can have full access to all the websites and applications they need to do their jobs, but these activities are contained within a corporate-managed sandbox.
Hysolate has several advantages over traditional sandbox solutions. It sits on the user endpoint, so it provides a better UX, but is managed by a granular management console via the cloud. This means that admins can monitor and control exactly what their team is using the sandbox environment for, and the sandbox can easily be wiped if threats are detected. Hysolate is easy to deploy, and can be scaled to your entire team, not just the technical members. Hysolate sandboxes applications, websites, documents and peripherals, and gives you better security and manageability, including the ability to choose to keep apps persistent within the sandbox.
Windows Sandbox: An In-Depth Look
What is Windows Sandbox?
Windows Sandbox is a sandboxing environment built into Microsoft Windows version 1903 and higher, which lets you safely run your applications in isolated, lightweight desktop environments.
When you install software inside Windows Sandbox, Windows runs applications in an isolated virtual machine, preventing threats from impacting the rest of the environment. This ensures software components run separately from the host, and any software installed on the host is not available to the sandbox environment. Any software needed in the sandbox should be directly installed in the environment.
Because the sandbox is temporary, once it is closed all software, files, and the state are deleted. When you open the application, a new sandbox instance is created.
Here are key features of Windows Sandbox:
- Secure—Windows Sandbox leverages the Hyper-V hypervisor to run a separate operating system kernel, isolating the sandboxed environment from the physical host.
- Windows native—Windows Sandbox components are included in Windows 10 Pro and Enterprise.
- Clean environment—Windows Sandbox initiates a clean installation for each sandboxed application
- Disposable—the device is wiped clean after a user closes the application.
- Efficient—Windows Sandbox uses advanced capabilities, including an integrated kernel scheduler, virtual graphics processing unit (GPU), and smart memory management.
- No file system duplication—files in the sandbox are pointers to the same file system, so the storage overhead of the sandbox is minimal.
How Windows Sandbox Works
Windows Sandbox leverages several technologies when creating isolated environments:
- A dynamic base image—Windows Sandbox uses virtual machines (VMs) to generate a sandbox. A VM requires an operating system (OS) to work. To consistently create new and clean OS-installed VMs, Windows Sandbox generates a dynamic base image, and each sandbox is a clean copy of the original host operating system, with a clean registry and file system, just like a fresh OS installation.
- Snapshots—make the boot process faster than booting up a full operating system. Windows Sandbox boots an individual sandbox only once, then uses snapshots to save memory and device state for subsequent use. This helps the environment to restore memory without initiating another boot process.
- Kernel-based memory management—enables the host to reclaim memory from Windows Sandbox, as needed. A direct memory map lets the sandbox use the same memory pages accessed by the host.
- Integrated scheduler—the host OS treats the virtual processors of the sandbox like process threads. This means that the host OS manages Windows Sandbox like a process and not like a traditional VM. The integrated scheduler ensures that the base OS prioritizes the operations of the host over other processes. This makes resource allocation more efficient compared to a traditional VM, where the host doesn’t have visibility to the guest.
- Graphics—Windows Sandbox uses hardware-accelerated rendering, for GPUs with WDDM version 2.6 and higher, to improve the performance and responsiveness of applications. In addition, Sandbox dynamically allocates graphic resources across the host and environments.
Windows Sandbox Architecture
Dynamically Generated Image
Instead of using separate copies of Windows when booting the sandbox, Windows Sandbox dynamically generates pointers to different operating system images.
The majority of OS files are immutable. This means that files can be shared with the sandbox environment. However, several OS files cannot be shared, and in this case the sandbox image creates clean copies of these files.
Together, the shared immutable files and the copies of the mutable files create a complete image, which is used to boot a sandbox environment. Before the installation of the environment, the image is packaged and stored as a compressed file. Once installed, the image takes up approximately 500 MB of disk space.
Memory Management
VMs usually use static allocation to apportion host memory. This means that traditional VMs are limited—once resource needs change, there are few mechanisms that enable you to scale. A Windows Sandbox, on the other hand, offers more flexibility.
Windows Sandbox leverages containers to enable collaboration with the host, which can then dynamically determine how to allocate host resources. The goal is to supply the host with resources when it is under memory pressure. In this case, the host can reclaim memory from a container.
Memory Sharing
A “direct map” technology enables the image and the host to share the same physical memory pages. This technology ensures that the image and host use less memory without compromising host secrets.
Integrated Kernel Scheduler
Traditionally, the Microsoft hypervisor controls the scheduling of any virtual processor running in the VM. Windows Sandbox leverages an integrated scheduler that lets the host scheduler specify when the sandbox environment gets central processing unit (CPU) cycles.
This process lets the Sandbox schedule virtual processors like host threads, and prioritize the most important jobs regardless of where they are performed.
WDDM GPU Virtualization
To ensure optimal performance and responsiveness, Windows Sandbox leverages hardware-accelerated rendering. This is especially useful for graphic-intensive workloads. Sandbox uses DirectX and Windows Display Driver Model (WDDM), which lets sandbox-based programs compete for GPU resources with any application running on the host.
To use this feature you need a GPU, and graphics drivers supporting WDDM 2.5+. Otherwise, applications will be rendered based on the CPU using Windows Advanced Rasterization Platform (WARP), without leveraging GPU resources.
Battery Pass-Through
Windows Sandbox is always aware of the battery state of the host. This enables Sandbox to continuously optimize power consumption. Battery pass-through processes are critical for laptops, which heavily rely on battery life.
Windows Sandbox Configuration
Windows Sandbox provides simple configuration files that let you customize ten parameters per sandbox environment. This feature supports Windows 10 build 18342 or newer versions.
A Windows Sandbox configuration file can only be formatted as XML. The .wsb file extension associates configuration files with Sandbox.
Here are the ten customizations you can achieve with a Windows Sandbox configuration file:
- Virtualized GPU (vGPU)—lets you enable or disable the vGPU. Note that when you disable vGPU, the sandbox starts using WARP.
- Networking—lets you enable or disable the sandbox’s network access.
- Mapped folders—lets you share host folders with write or read permissions. However, do this with caution because exposing host directories might let malware perform unauthorized actions on the data and applications.
- Logon command—executed when Sandbox starts.
- Audio input—lets you share the microphone input of the host with the sandbox.
- Video input—lets you share the webcam input of the host with the sandbox.
- Protected client—adds extended security measures on the remote desktop protocol (RDP) session.
- Printer redirection—lets you share host printers with the sandbox.
- Clipboard redirection—lets you share the host clipboard with a sandbox environment. This configuration enables you to paste text and files between host and sandbox.
- Memory in MB—lets you define the amount of required memory per sandbox, in megabytes.
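The settings listed above can be checked before a sandbox is launched. The following is an added example, not part of the original article or of any Microsoft tooling: a small auditor that parses a `.wsb` file and reports every host-sharing setting that is not explicitly locked down. The element names follow the `.wsb` format; the two sample files, their paths, and the audit policy (flag anything not explicitly disabled) are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a permissive configuration (paths are made up).
PERMISSIVE_WSB = r"""
<Configuration>
  <VGpu>Enable</VGpu>
  <Networking>Enable</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\Users\analyst\Documents</HostFolder>
      <ReadOnly>false</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <ClipboardRedirection>Enable</ClipboardRedirection>
  <LogonCommand>
    <Command>C:\Users\WDAGUtilityAccount\Desktop\setup.cmd</Command>
  </LogonCommand>
</Configuration>
"""

# Constructed sample: the same sandbox with host sharing locked down.
HARDENED_WSB = r"""
<Configuration>
  <VGpu>Disable</VGpu>
  <Networking>Disable</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\Samples\inbox</HostFolder>
      <SandboxFolder>C:\inbox</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <AudioInput>Disable</AudioInput>
  <VideoInput>Disable</VideoInput>
  <ProtectedClient>Enable</ProtectedClient>
  <PrinterRedirection>Disable</PrinterRedirection>
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <MemoryInMB>4096</MemoryInMB>
</Configuration>
"""

# Settings that share a host resource with the sandbox. Policy assumed for
# this example: each must be explicitly set to "Disable" to pass the audit.
SHARING_SWITCHES = ("Networking", "AudioInput", "VideoInput",
                    "PrinterRedirection", "ClipboardRedirection")


def audit_wsb(xml_text):
    """Return a list of findings for one .wsb document (empty list = clean)."""
    root = ET.fromstring(xml_text.strip())
    if root.tag != "Configuration":
        raise ValueError("not a Windows Sandbox configuration file")
    findings = []
    for name in SHARING_SWITCHES:
        # A missing or empty element is reported as "Default".
        value = (root.findtext(name) or "Default").strip()
        if value.lower() != "disable":
            findings.append(f"{name}: '{value}' (not explicitly disabled)")
    protected = (root.findtext("ProtectedClient") or "Default").strip()
    if protected.lower() != "enable":
        findings.append("ProtectedClient: not enabled")
    for folder in root.iterfind("MappedFolders/MappedFolder"):
        host = (folder.findtext("HostFolder") or "?").strip()
        # A folder without <ReadOnly>true</ReadOnly> is treated as writable.
        read_only = (folder.findtext("ReadOnly") or "false").strip().lower()
        if read_only != "true":
            findings.append(f"MappedFolder {host}: writable from the sandbox")
    command = root.findtext("LogonCommand/Command")
    if command and command.strip():
        findings.append(f"LogonCommand: runs '{command.strip()}' at start")
    return findings


if __name__ == "__main__":
    for label, text in (("permissive", PERMISSIVE_WSB), ("hardened", HARDENED_WSB)):
        print(label)
        for finding in audit_wsb(text) or ["no findings"]:
            print("  -", finding)
```

A writable mapped folder is the finding to treat as most serious, since it is the one setting that gives code inside the sandbox a direct path to modify host data.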
Hysolate- Windows Sandbox on Steroids
Hysolate can be used as a sandbox for isolating risky websites, applications, documents or even peripherals on Windows 10 endpoint devices. Developers or researchers can download open source-code repositories, access training videos over YouTube, or try out potentially malicious software within an isolated OS, without exposing corporate data to risk.
Hysolate is a full OS isolation solution, splitting your endpoint into a more secure corporate zone and a less secure zone for daily tasks. This means that one OS can be reserved for corporate access, with strict networking and security policies, and the other can be a more open zone for accessing untrusted websites and applications.
Hysolate has several advantages over Windows 10 sandbox. It sits on the user endpoint, so it provides a better UX, but is managed by a granular management console via the cloud. This means that admins can monitor and control exactly what their team is using the sandbox environment for, and it can be wiped at the touch of a button if threats are detected. Unlike Windows Sandbox, Hysolate can be scaled to your entire team, not just the technical members. Hysolate sandboxes all applications, websites, documents and peripherals in a “risky” Workspace, giving you better security and manageability.
What is App Sandboxing?
The term “sandbox” originally means a safe environment in which small children can play. In computing, a sandbox makes it possible to isolate and protect system resources and other applications from malware and other threats.
To protect applications from these impacts, developers can wrap their applications with a security policy, or split each application into its own virtual machine. This type of application management improves security by limiting the environments in which certain code can run, and preventing users from accessing environments they do not need access to.
There are major security benefits to sandboxing, and software vendors like Apple and Google use sandboxes to provide users with a secure application environment. Another advantage of the sandbox is that it provides a secondary security measure to account for human error: it adds another layer of security in case errors lead to unexpected vulnerabilities. Errors are essentially “encapsulated” in the sandbox and isolated from the application, reducing security risks.
App Sandbox Principles
These principles were provided by Apple for its App Sandbox technology, which is part of macOS (read more in the following section). However, they apply to other sandboxing environments as well.
An application sandbox limits access to sensitive resources on a per-application basis. If an attacker exploits security vulnerabilities in an application, user data could be stolen, corrupted, deleted, or system hardware hijacked for the attacker’s use. A sandbox is a last line of defense, providing protection in case an application is already compromised.
What does an application sandbox limit?
Sandboxed applications should use permissions to clearly indicate their intention to use system resources. This could be anything from files and application data, including downloads, photos, calendar contacts, or the user’s location, to network connections, to hardware peripherals like cameras or printers.
The system denies access to resources not explicitly requested in the application definition at runtime. For example, if you’re writing an application that never needs access to the microphone, don’t ask for access. The operating system will know to reject any requests to access the microphone or any other peripherals not explicitly allowed.
What does an application sandbox allow?
Sandboxed applications should be able to access basic operating system operations that do not carry a large security risk. For example, users should be able to see running services, view files on a read-only basis, and access files specifically created by the user in the application.
Application Sandboxing with Integrated OS Support
There are several operating systems (OS) that provide built-in support for application sandboxing. Below are some notable examples.
Windows Sandbox
Windows Sandbox is a built-in sandbox environment for Microsoft Windows that allows you to safely run applications in a separate, lightweight desktop environment.
When installing software on the Windows Sandbox, the environment isolates it from the underlying operating system. Software components run separately from the host, making other software installed on the host unavailable to the sandbox environment. All software required by the sandbox must be installed directly into the isolated environment.
The sandbox is temporary, so closing it will delete all software, files and state. When you run the sandboxed application again, a new sandbox instance is created.
seccomp-BPF
seccomp-BPF is a sandboxing framework available on Linux. seccomp-BPF, which stands for SECure COMPuting with Berkeley Packet Filters, lets users assign a system call filter to a process.
The filter then allows or disallows access to calls according to predefined parameters. However, you cannot dereference addresses in these parameters, which means seccomp cannot compare strings.
The BPF interpreter used in seccomp was originally designed for network socket filtering, which lets you restrict specific data types coming through a socket. In this process, packets represent system calls and are sent to the BPF interpreter.
The interpreter inspects calls using predefined rules and initiates actions as needed. For example, allowing a call is one type of action and disallowing a call is another. If a call is not allowed, the interpreter can either kill the process or return an error to it.
While seccomp was not designed as a complete sandbox solution, it can serve as a tool for creating sandbox environments. seccomp-BPF has been adopted as a component of Android security since 2017.
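The filtering model described in both seccomp-BPF sections can be explored without touching the kernel. The following is an added example, not code from the original article or from the Linux sources: a user-space evaluator for the few classic BPF instructions a seccomp filter typically uses, run over constructed `seccomp_data` records for x86_64. The policy itself (allow `read`, `write`, `exit_group` and read-only `openat`, kill on `execve`, return `EPERM` otherwise) and the pointer values are assumptions chosen for illustration; nothing is installed into a real process.

```python
import struct

# Classic BPF opcodes used here (values from linux/bpf_common.h).
LD_W_ABS = 0x20   # A = 32-bit word at offset k of seccomp_data
JEQ_K = 0x15      # if A == k skip jt instructions, else skip jf
JSET_K = 0x45     # if A & k  skip jt instructions, else skip jf
RET_K = 0x06      # return k as the verdict

# Filter return values (linux/seccomp.h); ERRNO carries errno in the low 16 bits.
RET_ALLOW, RET_ERRNO, RET_KILL_PROCESS = 0x7FFF0000, 0x00050000, 0x80000000
EPERM = 1
AUDIT_ARCH_X86_64, AUDIT_ARCH_I386 = 0xC000003E, 0x40000003
# x86_64 syscall numbers.
SYS_read, SYS_write, SYS_execve, SYS_exit_group, SYS_openat = 0, 1, 59, 231, 257
O_WRONLY, O_RDWR = 0x1, 0x2
AT_FDCWD = 0xFFFFFFFFFFFFFF9C  # -100 as an unsigned 64-bit register value

# struct seccomp_data layout: nr=0, arch=4, instruction_pointer=8, args[n]=16+8*n
OFF_NR, OFF_ARCH, OFF_ARG2_LO = 0, 4, 32

# Constructed policy. Each tuple is (code, jt, jf, k); jumps are relative
# to the next instruction, and the comments give the absolute target.
FILTER = [
    (LD_W_ABS, 0, 0, OFF_ARCH),          #  0
    (JEQ_K, 1, 0, AUDIT_ARCH_X86_64),    #  1: expected ABI -> 3, else 2
    (RET_K, 0, 0, RET_KILL_PROCESS),     #  2
    (LD_W_ABS, 0, 0, OFF_NR),            #  3
    (JEQ_K, 6, 0, SYS_read),             #  4 -> 11
    (JEQ_K, 5, 0, SYS_write),            #  5 -> 11
    (JEQ_K, 4, 0, SYS_exit_group),       #  6 -> 11
    (JEQ_K, 5, 0, SYS_execve),           #  7 -> 13
    (JEQ_K, 0, 3, SYS_openat),           #  8: not openat -> 12
    (LD_W_ABS, 0, 0, OFF_ARG2_LO),       #  9: flags, a plain numeric argument
    (JSET_K, 1, 0, O_WRONLY | O_RDWR),   # 10: write access requested -> 12
    (RET_K, 0, 0, RET_ALLOW),            # 11
    (RET_K, 0, 0, RET_ERRNO | EPERM),    # 12
    (RET_K, 0, 0, RET_KILL_PROCESS),     # 13
]


def pack_seccomp_data(nr, args=(), arch=AUDIT_ARCH_X86_64, ip=0):
    """Build the 64-byte little-endian record a filter is evaluated against."""
    args = list(args) + [0] * (6 - len(args))
    return struct.pack("<iIQ6Q", nr, arch, ip, *args)


def run_filter(prog, data):
    """Evaluate the subset of classic BPF used above and return the raw verdict."""
    acc, pc = 0, 0
    while pc < len(prog):
        code, jt, jf, k = prog[pc]
        pc += 1
        if code == LD_W_ABS:
            acc = struct.unpack_from("<I", data, k)[0]
        elif code == JEQ_K:
            pc += jt if acc == k else jf
        elif code == JSET_K:
            pc += jt if acc & k else jf
        elif code == RET_K:
            return k
        else:
            raise ValueError(f"unsupported opcode {code:#x}")
    raise ValueError("program ended without a RET instruction")


def verdict(nr, args=(), arch=AUDIT_ARCH_X86_64):
    """Name the action the filter selects for one system call."""
    ret = run_filter(FILTER, pack_seccomp_data(nr, args, arch))
    action, data = ret & 0xFFFF0000, ret & 0xFFFF
    if action == RET_ALLOW:
        return "ALLOW"
    if action == RET_ERRNO:
        return f"ERRNO({data})"
    if action == RET_KILL_PROCESS:
        return "KILL_PROCESS"
    return f"OTHER({ret:#x})"


if __name__ == "__main__":
    # The path argument is only an address: two different files, same verdict.
    print(verdict(SYS_openat, (AT_FDCWD, 0x7FFD1000, 0)))
    print(verdict(SYS_openat, (AT_FDCWD, 0x55550000, 0)))
    print(verdict(SYS_openat, (AT_FDCWD, 0x7FFD1000, O_WRONLY)))
    print(verdict(SYS_execve, (0x7FFD2000, 0, 0)))
```

The `openat` rule can test the numeric `flags` argument but has no way to tell which path is being opened, because the filter only sees the pointer value. Path-based restrictions therefore have to come from another mechanism layered on top of the filter.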
The Apple Sandbox
Apple offers a sandbox that provides user-level library functions that let you initialize and configure a sandbox environment. Apple’s sandbox does not use BPF technology.
The Apple sandbox comes with a server process dedicated to handling kernel logging, and a kernel extension that enforces sandbox policies via the TrustedBSD API. Another kernel extension provides support for regular expression pattern matching, which is used to enforce predefined policies.
To initialize the sandbox, the system calls the sandbox_init function. The sandbox_init function reads human-friendly policy files and converts them into binaries, which are then passed to the kernel, and the sandbox is created.
Once the sandbox is created, function calls passing through the TrustedBSD layer are moved to the sandbox kernel extension, where the system consults a list of sandbox rules. Actions are then taken according to the predefined rules.
Chromium Native Client (NaCl)
NaCl is a browser plug-in that provides user-level sandboxing capabilities that restrict the type of code a browser can execute and sandbox. It was designed to ensure safe execution of untrusted, platform-independent native code in a browser.
You can use NaCl for a range of applications, including compute-intensive and interactive applications like games. NaCl restricts untrusted code and runs trusted code, letting you run code in a controlled and monitored environment.
To run untrusted code, you need to compile it with either the NaCl SDK or another compiler. Note that the compiler needs to adhere to the data alignment rules and instruction restrictions supported by NaCl.
NaCl does not allow applications to directly access resources. Instead, the code is linked with NaCl libraries, which can provide access to required system services. NaCl comes with a GNU-based toolchain, which contains custom versions of common libraries like gcc and gdb.
Security Pros and Cons of Application Sandboxing
Let’s review some of the advantages and disadvantages of application sandboxing as a security technique.
The Attacker Perspective
Sandboxing an application is highly effective at protecting that specific application from attackers. However, there are many other ways to break into an endpoint:
- A user device runs many different applications and an operating system, all of which may have security vulnerabilities, or may be exposed to new zero day vulnerabilities. It is difficult to sandbox all applications on the device.
- Devices often connect to non-secured networks.
- Removable hardware devices such as USB disks can infect a device with malware.
- As long as users have access to email or file sharing services, it is possible for attackers to trick them into running malware on the local device.
For these reasons, sandboxing is one defensive measure, but cannot prevent many types of attacks on the endpoint device.
The User Perspective
On corporate devices, users can leverage application sandboxing to reduce restrictions on the types of files they can access. However, sandboxing has significant downsides for users:
- Each instance of the application runs in a separate VM or other containerized solution, which increases performance overhead and slows down the user’s device.
- For many enterprise applications, running them in VMs or containers can cause compatibility issues. Many applications are built to interact with a full operating system or other applications, and will not function properly in an isolated environment.
- Even if applications are customized to run in an isolated environment, this creates an ongoing maintenance overhead of adapting each new version of the software to a sandbox.
In summary, while sandboxing can improve security and relax restrictions on users, it can result in severe performance and functionality issues that outweigh its benefits for users.
App Sandboxing with Hysolate
Hysolate can be used as a sandbox for isolating risky websites, applications, documents or even peripherals. Developers or researchers can download open source-code repositories, access training videos over YouTube, or try out potentially malicious software within an isolated OS, without exposing corporate data to risk.
Hysolate has several advantages over traditional sandbox solutions. It sits on the user endpoint, so it provides a better UX, but is managed by a granular management console via the cloud. This means that admins can monitor and control exactly what their team is using the sandbox environment for, and the sandbox can easily be wiped if threats are detected. Hysolate is easy to deploy, and can be scaled to your entire team, not just the technical members. Hysolate sandboxes applications, websites, documents and peripherals, and gives you better security and manageability.