Dark Reading is part of the Informa Tech Division of Informa PLC

10/2/2012
12:10 PM

The Pros And Cons Of Application Sandboxing

Successes by Adobe, Google, and Apple in reducing privileges through sandboxing have reduced exploits in their software, but the technique is far from perfect

Recent statistics show that application sandboxing in programs like Adobe Acrobat and Google Chrome has made a measurable difference in reducing the exploitability of the malware world's favorite punching bags. But sandboxing is far from a silver bullet for mitigating risk from application vulnerabilities. Some experts believe that it's only a matter of time before malware writers catch up, and others warn that the industry shouldn't become wholly reliant on it as a replacement for effective vulnerability management.

"Sandboxing, containerization, and virtualization are all just techniques to protect administrative access to the underlying OS, or unrestricted access to data," says Lee Cocking, vice president of corporate strategy for Fixmo. "While a great technique, [sandboxing] is just one piece of the puzzle in ensuring the security of devices and data, and minimizing exposure risk."

A Quick Sandboxing Primer
The fundamental idea behind sandboxing is to reduce risk by limiting the environment in which certain code executes.

"The whole idea, no matter what sandbox you're talking about, is putting someone in an environment so they can't access something outside the scope of what they should be doing," explains Marcus Carey, security researcher for Rapid7.

As a concept, it's hardly new, says David Hess, founder of Trust Inn, who pointed to Java Applets as one of the earliest and most widely deployed examples.

"It's just now finally moving out of niche areas -- the Web -- into widespread adoption in all application environments," he says.

Most notable in this category are Adobe, which uses sandboxing to protect Acrobat and Flash environments, and Google, which uses the technique for Chrome. Sandboxing is also an important technique in the mobile application environment and is widely used by Apple for iOS devices and by Google, though to a lesser degree, for Android apps.

Savvy technology users and administrators also use virtual machines as a way to sandbox software at will, says Scott Parcel, CTO at Cenzic. This kind of on-demand sandboxing through virtualization is being adopted by a number of conventional and niche security products, and they do show promise, according to those like Parcel, who points to Bromium as a particularly interesting example in this category.

"Bromium uses what they refer to as 'micro virtualization' to run hundreds of micro virtual machine sandboxes on one machine," he says. "This is an interesting approach to this problem, and may allow more complete isolation than previous sandbox approaches."

But as these virtual machine sandboxes are still being put through their paces, application sandboxing driven by mainstream commercial software vendors has already been put through the crucible. So, for the sake of simplicity and to keep all of our experts on the same page, we've limited this particular back-and-forth strictly to the discussion of application sandboxing.

Pro: Sandboxing Is An Elegant Workaround For Application Vulnerability Problems
Humans will always be imperfect. And because it's humans who are behind the development of applications, their code will always have vulnerabilities, Carey says.

"We're never going to be able to eliminate all the vulnerability risks. Some people may criticize sandboxing, and say it's some kind of workaround," he says. "But I think that it's the best approach we've taken lately. If you look at how tough it is to actually develop exploits, you quickly realize that this approach works."

Carey and those like him who are strong proponents of sandboxing will rarely argue for sandboxing to replace normal bug-finding and patch remediation efforts. But sandboxes do act as an effective supplement because they further minimize a program's attack surface and quarantine its activities, says Tim "TK" Keanini, chief research officer for nCircle.

"This strategy is similar to the immune system response that creates benign tumors -- essentially the body encapsulates cell errors into a sandbox," he says.

Con: Sandboxing Can Introduce More Complexity And Bugs To The Mix
Nevertheless, skeptics wonder if the sandboxing medicine may be worse than the cure.

"We must remember that this does introduce an additional attack surface and a basic sandbox may do more harm for the security of an application than good," says Tyler Borland, security researcher for Alert Logic.

Yishay Yovel agrees, stating that he believes sandboxing won't be a long-term game changer for several reasons.

"First, sandboxing is a software platform that will have vulnerabilities that can be exploited," says Yovel, vice president of marketing for Trusteer. "Second, the sandbox typically needs some route for users to export content out of the sandbox to the underlying device. This path can be exploited."

Security bugs and software glitches are a big hazard anytime an application uses a second layer of logic for its functions to limit behavior, Parcel says.

"One unfortunate side effect of such second layers of logic is that it can add another source of complexity in its interaction with the primary logic and, hence, bugs," he says. "It has been reported that there have been more crashes in Flash in the new Chrome sandbox."

Even without being plagued specifically by bugs, the extra layer of abstraction still has the potential to hit performance.

"It's a trade-off between functionality and security," says Chris Valasek, senior security research scientist for Coverity. "While 'better' from a security standpoint is a more restrictive sandbox, it may not fit with current functionality requirements."
