The Pros And Cons Of Application Sandboxing

Adobe, Google, and Apple have cut exploitation of their software by using sandboxing to reduce the privileges their applications run with, but the technique is far from perfect
Pro: Sandboxing Keeps Privileges Low
The gist of most application sandbox approaches is to strip the system privileges granted to the application's process so that, even if an attacker gets code running inside it, that code can do little to the rest of the machine, regardless of what the user's own account is allowed to do elsewhere. According to Valasek, the limited-permissions model is an effective stumbling block for malware that depends on high permission levels to take over a machine.

"For example, the capabilities of a user on a system do not directly correlate to the permissions an Adobe Reader X process has when run by the same user in the sandboxed process," he says. "So if there is a vulnerability, an attacker won't be able to do bad things, such as write files to disk."

Con: It's Possible To Escape The Sandbox Container
But this doesn't mean that sandboxing solves the vulnerability and exploit problem: all an attacker needs is a second vulnerability that escalates privileges, which restores the capabilities the sandbox took away, Valasek says.

"These can be found in the parent process of the sandbox or in the operating system itself," he says. "Windows Kernel vulnerabilities are quite popular for privilege escalations because if exploited, they give the user total control of the system."

A sandbox escape neutralizes the security benefit of containment. Attackers can escape by exploiting a vulnerability in the sandbox itself or in the parent process that services it, or through social engineering whenever the decision to grant extra privileges is left in the hands of the user.
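The two points above, that the sandboxed process loses a capability it cannot get back, and that the parent (broker) process which acts on its behalf is where escapes are found, are easier to see in code. The following is an added example for Linux/POSIX, not Adobe's, Google's or Apple's code: a child has its ability to write file contents removed before it runs anything (a hard RLIMIT_FSIZE of 0 stands in for a restricted token; the name drop_file_write_capability and the whole write-request protocol are hypothetical), so any file it wants written must be requested from a privileged broker. The broker's path policy is the escape surface: prefix_policy is a deliberately weak string-prefix check that a "../" request walks straight past, and realpath_policy is the hardened version.

```python
"""Added example (not Adobe's, Google's or Apple's code): the broker/sandbox
pattern described in the text, on Linux/POSIX.  The child loses the ability
to write file contents before it runs anything; everything it wants written
goes through a privileged broker, so the broker's policy check is exactly
where a sandbox escape would live.  Names and the policy are hypothetical."""
import errno
import multiprocessing as mp
import os
import resource
import shutil
import signal
import tempfile

# Fork so the child inherits this module without re-importing anything (POSIX only).
CTX = mp.get_context("fork")


def drop_file_write_capability():
    """Hypothetical stand-in for a restricted token.  A hard RLIMIT_FSIZE of 0 makes
    the kernel refuse to put any bytes into a regular file, and a process cannot
    raise a hard limit again without CAP_SYS_RESOURCE, so even exploited code in
    this process cannot undo it."""
    signal.signal(signal.SIGXFSZ, signal.SIG_IGN)  # fail with EFBIG instead of dying
    resource.setrlimit(resource.RLIMIT_FSIZE, (0, 0))


def prefix_policy(path, allowed_dir):
    """Weak broker policy: a string-prefix check that '..' walks straight past."""
    return path.startswith(allowed_dir + os.sep)


def realpath_policy(path, allowed_dir):
    """Hardened policy: canonicalise both sides before comparing."""
    root = os.path.realpath(allowed_dir)
    return os.path.realpath(path).startswith(root + os.sep)


def sandboxed_child(conn, direct_path, brokered_path):
    """The low-privilege side: try a direct write, then ask the broker instead."""
    drop_file_write_capability()
    try:
        fd = os.open(direct_path, os.O_WRONLY | os.O_CREAT, 0o600)
        os.write(fd, b"payload")  # kernel refuses: EFBIG under RLIMIT_FSIZE=0
        os.close(fd)
        direct = "direct write succeeded"
    except OSError as exc:
        direct = "direct write blocked: " + errno.errorcode.get(exc.errno, "?")
    conn.send(("write", brokered_path, "payload"))  # request goes to the broker
    reply = conn.recv()
    conn.send(("done", {"direct": direct, "broker_reply": reply}))


def broker(conn, allowed_dir, policy):
    """The privileged side: services write requests from the child, subject to policy."""
    while True:
        msg = conn.recv()
        if msg[0] == "done":
            return msg[1]
        _, path, data = msg
        if not policy(path, allowed_dir):
            conn.send(("denied", path))
            continue
        with open(path, "w") as fh:  # the broker has full file access
            fh.write(data)
        conn.send(("written", path))


def run_scenario(policy):
    """Run one child against a broker using `policy`; return what happened.
    Uses a constructed temp directory: writes are allowed only under <outer>/allowed."""
    outer = tempfile.mkdtemp()
    allowed = os.path.join(outer, "allowed")
    os.mkdir(allowed)
    direct = os.path.join(allowed, "direct.txt")
    escape = os.path.join(allowed, "..", "escaped.txt")  # resolves outside 'allowed'
    parent_conn, child_conn = CTX.Pipe()
    child = CTX.Process(target=sandboxed_child, args=(child_conn, direct, escape))
    child.start()
    summary = broker(parent_conn, allowed, policy)
    child.join()
    summary["escaped"] = os.path.exists(os.path.join(outer, "escaped.txt"))
    shutil.rmtree(outer)
    return summary


if __name__ == "__main__":
    for name, policy in (("prefix", prefix_policy), ("realpath", realpath_policy)):
        print(name, run_scenario(policy))
```

Running it shows the two halves of the argument: the child's own write fails with EFBIG no matter what code is running in it, yet with prefix_policy the "../escaped.txt" request is honoured by the broker and a file appears outside the allowed directory. Nothing in the child was exploited; the escape is entirely a bug in the parent process, which is why the broker's permission checks, not the sandboxed process, decide whether the sandbox holds.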

"Clever social engineering, a bad user interface, or plain stupidity can defeat any sandbox," says Axelle Apvrille, senior mobile antivirus researcher at Fortinet's FortiGuard Labs. "And everybody is vulnerable to that, one way or another."

According to Hess, any developer relying on sandboxing has to address potential escape attacks before treating the sandbox as an effective control.

"Bottom line, the market success of any sandboxing effort will always revolve around how permissions to escape the sandbox are managed," he says.

Pro: Stats Bear Out The Success Of Sandboxing So Far
Researchers are increasingly backing up sandboxing's security claims with hard numbers from deployments such as Adobe Reader and Chrome. For example, the website's count showed 68 vulnerabilities in 2010, the year Adobe first implemented sandboxing in Acrobat, against only 30 so far this year (a coarse measure, since it counts disclosures rather than exploitability). IBM researchers similarly tracked fewer vulnerabilities and exploits in Adobe products.

"The data that we've accumulated over the first half of this year and also the data that we can trend back to the release of Adobe Reader X shows there's a correlation between a nosedive in PDF vulnerability disclosures and exploitation and the adoption of Adobe Reader X," says Clinton McFadden, senior operations manager for IBM X-Force research and development, pointing to recent results in the IBM X-Force Mid-Year Report.

Con: Sandboxing Is Still In The Honeymoon Period
Yovel believes that part of the favorable early statistics around sandboxing can be attributed to the technology still being in its honeymoon period.

"It is not widely deployed yet," he says. "Ultimately all new security controls get bypassed by advanced threats."

That honeymoon could fizzle out very soon. Security researchers have already demonstrated escapes from sandboxes such as Adobe Acrobat X's, most notably Zhenhua Liu and Guillaume Lovet of Fortinet, who presented such an exploit at this year's Black Hat Europe event. As Keanini puts it, it's all part of security's circle of co-evolution.

"Like almost everything else in information security, attack strategies and sandboxing defenses are co-evolving. Programs are designed and made more secure with sandbox strategies, then they are eventually exploited so the program is redesigned to be more secure," he says. "Then new exploits are created and the cycle is repeated ad infinitum."
