
Sandboxing

Updated on Apr 1, 2024

What Is Sandboxing?

In computing, sandboxing is a security mechanism that isolates running programs. A sandbox provides an execution environment with its own view of resources such as the file system, the network and operating system services, so a sandboxed program can reach only the limited set of resources granted inside the sandbox and cannot touch the host application, system or platform. This prevents the program from making persistent changes to other programs or data on the machine. In cybersecurity, sandboxes are used to run suspicious files in isolation and observe their behavior in order to identify unknown attacks.

Principles of Sandboxing

Sandboxing involves three key technologies: virtualization, access control, and anti-evasion.

Virtualization

Virtualization is a resource management technology that abstracts physical computer resources into virtual ones so they can be allocated flexibly. In a sandbox, virtualization gives the untrusted program its own virtual resources to run on: a suspicious or untested program executes against the resources inside the sandbox, so from its own point of view it runs normally, while the programs and resources outside the sandbox stay untouched.

Based on the layer at which virtualization takes place, sandboxes fall into system-level sandboxes and container-level sandboxes. A system-level sandbox is essentially a purpose-built virtual machine: it carries a complete virtualized computer, including virtual devices and its own guest operating system, so nothing the guest does reaches the host kernel directly. A container-level sandbox is closer to an operating-system container: it isolates the program's files, processes and other resources using kernel isolation features, but shares the host kernel with it. Compared with a system-level sandbox, a container-level sandbox needs far less memory and disk space and starts faster, at the cost of a larger shared attack surface, namely the host kernel itself.

Access Control

When a program running in a sandbox needs external resources in order to operate, access control rules restrict what it may do with them. Implementing access control typically requires two components: a program monitor and an access control rule engine. The monitor observes the program's behavior (file, network, process and registry operations) and reports each attempted access to the rule engine; the rule engine then decides, according to the defined rules, whether the program may access the external resource. In practice the policy should deny by default, so that an operation no rule anticipated is refused rather than let through.
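The monitor-plus-rule-engine split described above, as an added example in Python that is not part of the original article or of any particular sandbox product. Event and rule fields, the policy, the paths and the trace are all constructed for illustration; the one design point to take away is that the engine walks an ordered rule list and falls back to denying anything unmatched.

```python
import fnmatch
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed model of a sandbox's access-control layer. The program
# monitor reports each attempted access as an Event; the RuleEngine
# matches it against an ordered policy and answers allow/deny.
# Field names and the policy below are assumptions for this example.

@dataclass(frozen=True)
class Event:
    kind: str     # "file", "net" or "proc"
    op: str       # e.g. "read", "write", "connect", "exec"
    target: str   # path, host:port, or binary being executed

@dataclass(frozen=True)
class Rule:
    kind: str
    ops: frozenset   # operations this rule covers
    pattern: str     # fnmatch pattern applied to the target
    allow: bool

    def matches(self, ev: Event) -> bool:
        return (ev.kind == self.kind
                and ev.op in self.ops
                and fnmatch.fnmatchcase(ev.target, self.pattern))

class RuleEngine:
    """First matching rule wins; anything unmatched is denied (default deny)."""
    def __init__(self, rules: Iterable[Rule]):
        self.rules = list(rules)
        self.audit: List[Tuple[Event, bool, str]] = []   # record for the analyst

    def decide(self, ev: Event) -> bool:
        for i, rule in enumerate(self.rules):
            if rule.matches(ev):
                self.audit.append((ev, rule.allow, f"rule {i}"))
                return rule.allow
        self.audit.append((ev, False, "default deny"))
        return False

def build_policy(sandbox_root: str) -> RuleEngine:
    """Constructed policy: the sample may use its working directory, read
    system libraries and resolver config, and talk to DNS; nothing else."""
    return RuleEngine([
        Rule("file", frozenset({"read", "write"}), f"{sandbox_root}/*", True),
        Rule("file", frozenset({"read"}), "/usr/lib/*", True),
        Rule("file", frozenset({"read"}), "/etc/resolv.conf", True),
        Rule("file", frozenset({"write"}), "/etc/*", False),   # explicit deny
        Rule("net", frozenset({"connect"}), "*:53", True),
        Rule("proc", frozenset({"exec"}), f"{sandbox_root}/*", True),
    ])

def monitor(engine: RuleEngine, events: Iterable[Event]) -> List[Tuple[Event, bool]]:
    """The program monitor: forward every observed access to the engine."""
    return [(ev, engine.decide(ev)) for ev in events]

# Constructed trace of a sample that drops a file, resolves a name, then
# tries to tamper with the system and reach a non-DNS port.
TRACE = [
    Event("file", "read", "/sandbox/work/sample.exe"),
    Event("file", "write", "/sandbox/work/dropped.dll"),
    Event("net", "connect", "198.51.100.7:53"),
    Event("file", "write", "/etc/ld.so.preload"),
    Event("net", "connect", "198.51.100.7:4444"),
    Event("proc", "exec", "/bin/sh"),
]

if __name__ == "__main__":
    engine = build_policy("/sandbox/work")
    for ev, allowed in monitor(engine, TRACE):
        print(f"{'ALLOW' if allowed else 'DENY ':5} {ev.kind}:{ev.op} {ev.target}")
    for ev, allowed, why in engine.audit:
        if not allowed:
            print("denied by", why, "->", ev.target)
```

Note that the write to /etc/ld.so.preload is refused by an explicit rule, while the connection to port 4444 and the shell execution are refused only because nothing matched; both outcomes are recorded with their reason so the analyst can tell deliberate policy from gaps in it.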

Anti-Evasion

Once malware detects that it is running in a sandbox, it changes or suppresses its behavior to evade detection and analysis, for example by exiting immediately or acting benignly. Anti-evasion therefore means hiding the artifacts that reveal the sandbox's virtual machine, including:

  • Hiding registry entries that contain the fixed character strings of virtual machine (VM) vendors, such as BIOS and hardware description values.

  • Reporting that a symbolic link does not exist when malware tries to open the device symbolic link of a VM guest driver or of a kernel debugger driver.

  • Hiding the service processes unique to VMs, such as guest tools and agents, from malware.

  • Hiding application software unique to VMs, such as guest additions, from malware.

  • Intercepting registry queries for the system serial number and returning a plausible, non-suspicious serial number.
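The five countermeasures above, as an added Python example that is not part of the original article or of any real sandbox: a constructed model of a Windows guest, the checks evasive malware typically runs against it, and a hook layer that intercepts each query. The registry keys, device links, process names and values are illustrative; the fake serial number and the "ACME" vendor string are constructed stand-ins.

```python
import re

# Constructed model of a guest as the sandbox's hook layer sees it.
# The VM artifact values are illustrative, not taken from a real system.
RAW_GUEST = {
    "registry": {
        r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion": "VBOX   - 1",
        r"HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion": "Oracle VM VirtualBox",
        r"HKLM\SYSTEM\HardwareConfig\Current\SystemSerialNumber": "0",
    },
    "devices": {r"\\.\VBoxGuest", r"\\.\VBoxMiniRdrDN", r"\\.\PhysicalDrive0"},
    "processes": {"explorer.exe", "svchost.exe", "VBoxService.exe", "VBoxTray.exe"},
    "apps": {"Notepad++", "Oracle VM VirtualBox Guest Additions"},
}

SERIAL_KEY = r"HKLM\SYSTEM\HardwareConfig\Current\SystemSerialNumber"
VM_MARKERS = re.compile(r"vbox|virtualbox|vmware|qemu|xen|kvm", re.I)
VM_PROCESSES = {"vboxservice.exe", "vboxtray.exe", "vmtoolsd.exe", "vmwaretray.exe", "qemu-ga.exe"}
VM_DEVICES = {r"\\.\vboxguest", r"\\.\vboxminirdrdn", r"\\.\vmci", r"\\.\hgfs"}
DEBUGGER_DEVICES = {r"\\.\ntice", r"\\.\sice", r"\\.\syser"}   # kernel debugger driver links

class Guest:
    """Unhooked guest: answers every query truthfully."""
    def __init__(self, state):
        self.state = state
        self._devices = {d.lower() for d in state["devices"]}
    def reg_query(self, key):
        return self.state["registry"].get(key)
    def open_device(self, link):
        return link.lower() in self._devices
    def list_processes(self):
        return set(self.state["processes"])
    def installed_apps(self):
        return set(self.state["apps"])
    def serial_number(self):
        return self.reg_query(SERIAL_KEY)

class HardenedGuest(Guest):
    """Hook layer applying the five countermeasures listed above."""
    FAKE_SERIAL = "PF2K7L9Q"   # constructed, plausible-looking serial

    def reg_query(self, key):
        if key == SERIAL_KEY:
            return self.FAKE_SERIAL                        # (5) serial number query
        value = super().reg_query(key)
        if value is not None:
            value = VM_MARKERS.sub("ACME", value)          # (1) fixed VM strings
        return value
    def open_device(self, link):
        if link.lower() in VM_DEVICES | DEBUGGER_DEVICES:
            return False                                   # (2) "link does not exist"
        return super().open_device(link)
    def list_processes(self):
        return {p for p in super().list_processes()
                if p.lower() not in VM_PROCESSES}          # (3) VM service processes
    def installed_apps(self):
        return {a for a in super().installed_apps()
                if not VM_MARKERS.search(a)}               # (4) VM-specific software

def vm_artifacts(guest):
    """The checks evasive malware typically runs; returns what it found."""
    found = []
    for key in (r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
                r"HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion"):
        value = guest.reg_query(key)
        if value and VM_MARKERS.search(value):
            found.append("registry:" + key.rsplit("\\", 1)[1])
    found += ["device:" + d for d in sorted(VM_DEVICES | DEBUGGER_DEVICES) if guest.open_device(d)]
    found += ["process:" + p for p in sorted(guest.list_processes()) if p.lower() in VM_PROCESSES]
    found += ["app:" + a for a in sorted(guest.installed_apps()) if VM_MARKERS.search(a)]
    serial = guest.serial_number() or ""
    if serial in {"", "0", "None"} or VM_MARKERS.search(serial):
        found.append("serial:" + repr(serial))
    return found

if __name__ == "__main__":
    print("unhooked :", vm_artifacts(Guest(RAW_GUEST)))
    print("hardened :", vm_artifacts(HardenedGuest(RAW_GUEST)))
```

The hook layer only rewrites answers to the specific queries malware abuses; legitimate device links and processes are still visible, so the sample can run normally and the analyst still gets a real trace. A good sandbox combines this with the behavioral analysis described later, since a sample that finds no VM artifacts still has to misbehave before it can be caught.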

Benefits of Sandboxing

  • Protecting hosts and operating systems. Executing unknown, suspicious files inside the sandbox rather than on the host reduces the risk of infecting and compromising hosts.

  • Detecting unknown threats such as zero-day exploits. Signature-based defense is effective against known attacks but falls behind rapidly evolving threats. Because a sandbox judges a file by what it does rather than by what it looks like, it can catch malware that exploits zero-day vulnerabilities and has no signature yet, and by detonating the file in isolation it keeps the threat from spreading on the intranet.

  • Collaboration with other security devices such as firewalls. The sandbox can work with the other security products deployed on the enterprise network, including firewalls, antivirus software and endpoint security software. After identifying an unknown threat, the sandbox shares the resulting threat information (for example file hashes, domains and IP addresses) with those devices so they can block the same threat across the network.

  • Prevention of future attacks. The sandbox gives security analysts a safe environment in which to study new threats, observe how hosts become infected, and feed the findings back into future defenses.

Applications of Sandboxing

In cybersecurity, sandboxing primarily serves to identify malware and to keep attacks that exploit unknown software vulnerabilities from spreading.

Traditional virus detection relies on a signature database and therefore often fails to identify or defend against novel viruses: if the database lacks the signature of a new virus, antivirus software will not detect the infected file and the endpoint remains exposed. As attacks grow more sophisticated, this passive approach becomes outdated. Sandboxing addresses this gap. A sandbox provides a controlled environment in which to execute suspicious files or programs, where each action they take (file, registry, process and network operations) is recorded and analyzed for behaviors typical of malware, such as copying itself to other locations, overwriting files, or establishing persistence. If harmful behavior is detected, the file or program is flagged as dangerous.

Sandboxes therefore add a layer of defense against unknown viruses, moving from passive signature matching to proactive behavioral analysis, and help mitigate zero-day attacks and advanced persistent threats (APTs). The caveat is that detection depends on the sample actually misbehaving during the observation window: malware that sleeps, waits for user interaction, or checks for a virtual environment (the reason anti-evasion matters) may leave a clean-looking trace.

Additionally, cybersecurity experts use sandboxing to analyze malware behavior and code. Observing how a sample behaves and operates inside the sandbox lets them examine a threat in detail and reconstruct how the target host becomes infected. The insights gained from this analysis are then used to strengthen malware prevention on hosts.
