Sandboxing

Rather than running an unknown program in an environment where it can do damage, it is safer to run the program in a sandbox. The term “sandbox” was stolen from ballistics, where people test weapons by shooting bullets into a box filled with sand, so that the bullets can do no harm. A software sandbox is a controlled environment for running software.

Sandboxes for software can be implemented in several ways. One is a real, but disposable, machine with limited network access or with no network access at all. This is the most realistic approach, but can be inconvenient for making reproducible measurements. Instead of giving the unknown program an entire sacrificial machine, more subtle techniques can be used.

Hard and soft virtualisation differ not only in functionality and performance, but also in the degree of separation between compartments. Systems with hardware-level partition support are very expensive. Virtual machines implemented in software, such as VMware or VirtualBox, provide a flexible way to share hardware among multiple simultaneously running operating systems.

The flexibility of soft virtual machines comes at the cost of some software overhead in the virtual machine monitor, but they have the advantage of offering features that are not available in real hardware or in guest operating systems. For example, virtual machine monitors can implement support for undoable file system changes by redirecting disk write operations to a log file outside the virtual machine, making it easy to repeat an experiment multiple times with the exact same initial conditions. Some also allow for replaying an “incident”, rewinding, pausing or fast-forwarding the virtual machine.
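The undoable-disk mechanism described above, as an added sketch that is not taken from VMware, VirtualBox or any other virtual machine monitor: guest writes go to a log held on the host side, reads prefer the newest logged copy, and discarding the log restores the exact initial conditions. The class name, the 512-byte sector size and the in-memory log are assumptions made for illustration.

```python
import io

SECTOR = 512  # assumed sector size for this sketch


class RedoLogDisk:
    """Read-only base image plus an append-only write log kept outside the guest."""

    def __init__(self, base: bytes):
        if len(base) % SECTOR:
            raise ValueError("base image must be a whole number of sectors")
        self._base = base          # pristine image, never modified
        self._log = io.BytesIO()   # stands in for the log file on the host
        self._index = {}           # sector number -> offset of newest copy in the log

    def write(self, sector: int, data: bytes) -> None:
        self._check(sector)
        if len(data) != SECTOR:
            raise ValueError("writes are whole sectors")
        offset = self._log.seek(0, io.SEEK_END)  # always append, never overwrite
        self._log.write(data)
        self._index[sector] = offset

    def read(self, sector: int) -> bytes:
        self._check(sector)
        if sector in self._index:                # guest sees its own changes
            self._log.seek(self._index[sector])
            return self._log.read(SECTOR)
        start = sector * SECTOR
        return self._base[start:start + SECTOR]

    def dirty_sectors(self) -> list:
        """Sectors the guest modified: a ready-made list for the analyst."""
        return sorted(self._index)

    def revert(self) -> None:
        """Drop the log; the next run starts from the same initial state."""
        self._log = io.BytesIO()
        self._index.clear()

    def _check(self, sector: int) -> None:
        if not 0 <= sector < len(self._base) // SECTOR:
            raise IndexError("sector outside the virtual disk")


def run_experiment(disk: RedoLogDisk) -> list:
    """Constructed stand-in for one guest run that modifies sectors 0 and 2."""
    disk.write(0, b"\xAA" * SECTOR)
    disk.write(2, b"\xBB" * SECTOR)
    disk.write(0, b"\xCC" * SECTOR)  # a later write to the same sector wins
    return disk.dirty_sectors()
```

Because the base image is only ever read, calling `revert()` between runs is enough to repeat the experiment, and `dirty_sectors()` shows what the program under test changed on disk.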

Note: When a virtual machine is used for hostile code analysis, it must not allow untrusted software to escape. Keeping malware confined with a soft virtual machine requires not only correct implementation of the protection features of the processor hardware, but also correct implementation of the virtual machine monitor, the software that mediates all access requests to real hardware from software running inside a virtual machine. If hostile software can recognize its virtual environment, then it may be able to exploit virtual machine monitor implementation bugs and escape confinement.