12:10 PM
Connect Directly

The Pros And Cons Of Application Sandboxing

Successes by Adobe, Google, and Apple to reduce privileges through sandboxing has reduced exploits in their software, but the technique is far from perfect

Recent statistics are showing that application sandboxing in programs like Adobe Acrobat and Google Chrome has made a measurable difference in reducing the exploitability of the malware world's favorite punching bags. But sandboxing is far from a silver bullet to mitigating risk from application vulnerabilities. Some experts believe that it's only a matter of time before malware writers catch up and others warn that the industry shouldn't become wholly reliant on it as a replacement for effective vulnerability management.

"Sandboxing, containerization, and virtualization are all just techniques to protect administrative access to the underlying OS, or unrestricted access to data," says Lee Cocking, vice president of corporate strategy for Fixmo. "While a great technique, [sandboxing] is just one piece of the puzzle in ensuring the security of devices and data, and minimizing exposure risk."

[ Forgetting something? Don't get caught with your patch down. See 5 Systems Your Forgetting To Patch. ]

A Quick Sandboxing Primer
The fundamental idea behind sandboxing is to reduce risk by limiting the environment in which certain code executes.

"The whole idea, no matter what sandbox you're talking about, is putting someone in an environment so they can't access something outside the scope of what they should be doing," explains Marcus Carey, security researcher for Rapid7.

As a concept, it's hardly new, says David Hess, founder of Trust Inn, who pointed to Java Applets as one of the earliest and most widely deployed examples.

"It's just now finally moving out of niche areas -- the Web -- into widespread adoption in all application environments," he says.

Most notable in this category is Adobe, which uses sandboxing to protect Acrobat and Flash environments, and Google, which uses the technique for Chrome. Sandboxing is also an important technique in the mobile application environment and is widely used by Apple for iOS devices and Google, though to a lesser degree, for Android apps.

Savvy technology users and administrators also use virtual machines as a way to sandbox software at will, says Scott Parcel, CTO at Cenzic. This kind of on-demand sandboxing through virtualization is being adopted by a number of conventional and niche security products, and they do show promise, according to those like Parcel, who points to Bromium as a particularly interesting example in this category.

"Bromium uses what they refer to as 'micro virtualization' to run hundreds of micro virtual machine sandboxes on one machine," he says. "This is an interesting approach to this problem, and may allow more complete isolation than previous sandbox approaches."

But as these virtual machine sandboxes are still being put through their paces, application sandboxing driven by mainstream commercial software vendors has already been put through the crucible. So, for the sake of simplicity and to keep all of our experts on the same page, we've limited this particular back-and-forth strictly to the discussion of application sandboxing.

Pro: Sanboxing Is An Elegant Workaround For Application Vulnerability Problems
Humans will always be imperfect. And because its humans that are behind the development of applications, their code will always have vulnerabilities, Carey says.

"We're never going to be able to eliminate all the vulnerability risks. Some people may criticize sandboxing, and say it's some kind of workaround," he says. "But I think that it's the best approach we've taken lately. If you look at how tough it is to actually develop exploits, you quickly realize that this approach works."

Carey and those like him who are strong proponents of sandboxing will rarely argue for sandboxing to replace normal bug-finding and patch remediation efforts. But sandboxes do act as an effective supplement because they further minimize a program's attack surface and quarantine its activities, says Tim "TK" Keanini, chief research officer for nCircle.

"This strategy is similar to the immune system response that creates benign tumors -- essentially the body encapsulates cell errors into a sandbox," he says.

Con: Sandboxing Can Introduce More Complexity And Bugs To The Mix
Nevertheless, skeptics wonder if the sandboxing medicine may be worse than the cure.

"We must remember that this does introduce an additional attack surface and a basic sandbox may do more harm for the security of an application than good," says Tyler Borland, security researcher for Alert Logic.

Yishay Yovel agrees, stating that he believe sandboxing won't be a long-term game changer for several reasons.

"First, sandboxing is a software platform that will have vulnerabilities that can be exploited," says Yovel, vice president of marketing for Trusteer. "Second, the sandbox typically needs some route for users to export content out of the sandbox to the underlying device. This path can be exploited."

Security bugs and software glitches are a big hazard anytime an application uses a second layer of logic for its functions to limit behavior, Parcel says.

"One unfortunate side effect of such second layers of logic is that it can add another source of complexity in its interaction with the primary logic and, hence, bugs," he says. "It has been reported that there have been more crashes in Flash in the new Chrome sandbox."

Even without being plagued specifically by bugs, the extra layer of abstraction still has the potential to hit performance.

"It's a trade-off between functionality and security," says Chris Valasek, senior security research scientist for Coverity. "While 'better' from a security standpoint is a more restrictive sandbox, it may not fit with current functionality requirements."

Next Page: Two more important pairs of pros and cons.

1 of 2
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-07-09
Heap-based buffer overflow in the xjpegls.dll (aka JLS, JPEG-LS, or JPEG lossless) format plugin in XnView 1.99 and 1.99.1 allows remote attackers to execute arbitrary code via a crafted JLS image file.

Published: 2014-07-09
The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.

Published: 2014-07-09
Adobe Flash Player before and 14.x before on Windows and OS X and before on Linux, Adobe AIR before on Android, Adobe AIR SDK before, and Adobe AIR SDK & Compiler before allow attackers to bypass intended access restrictions via uns...

Published: 2014-07-09
Adobe Flash Player before and 14.x before on Windows and OS X and before on Linux, Adobe AIR before on Android, Adobe AIR SDK before, and Adobe AIR SDK & Compiler before allow attackers to bypass intended access restrictions via uns...

Published: 2014-07-09
The NTP implementation in Cisco IOS and IOS XE does not properly support use of the access-group command for a "deny all" configuration, which allows remote attackers to bypass intended restrictions on time synchronization via a standard query, aka Bug ID CSCuj66318.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.