Sandboxing was the wonderchild of security a decade ago. Today, it is widely used by security researchers, embedded in modern security solutions like endpoint detection and response (EDR) and next-generation antivirus (NGAV), used as part of software development workflows, and employed by many end users to test unknown or untrusted software in a safe environment. The sandboxing market is expected to grow to $9 billion in 2022 from $2.9 billion in 2016.
However, sandboxing never really did deliver on its promise: to turn the unknown into the known. Too often, sandboxing misses threats, and in doing so gives organizations a false sense of security. In this article, I’ll discuss the story of security sandboxing, how sandboxes evolved into what they are today, what’s wrong with the sandboxing concept, and why we shouldn't rely on sandboxing today as a viable security solution.
How Does Sandbox Security Work?
Sandboxes prevent applications from gaining access to all system resources and user data, and thus provide proactive malware detection. A sandboxing test executes or detonates code in a safe and isolated environment, where the behavior of the code and output activity can be safely observed.
Sandbox solutions claim to add another layer of security that can help detect unknown or evasive threats. Sandboxing can detect threats that were missed by other tools, and help admins quickly remove these threats from production environments.
There are several sandboxing methods, including:
- Full system emulation: A sandbox simulating the physical hardware of the host machine, including memory and CPU.
- Emulation of operating systems: A sandbox emulating the operating system of the end user. It does not emulate the machine hardware.
- Virtualization: A virtual machine (VM)-based sandbox that contains and examines suspicious programs.
Common types of sandboxing solutions include:
- Browser sandboxes like those built into Google Chrome, Firefox, and Safari.
- Browser EDR, which gives security teams visibility into attacks on endpoint browsers and lets them isolate threats using a sandbox.
- General purpose virtual machines (VMs) like VirtualBox can also be used to isolate suspected malicious software.
5 Reasons Sandboxing Is (Almost) Dead
At the onset of the sandboxing era — about a decade ago, sandboxes were treated as a near-magical solution for many security problems. However, like any popular security control, they have come under the focus of attackers, and they're now just as susceptible to exploits as the software they were intended to protect.
Here are five reasons sandboxes are no longer secure, and cannot be used as an effective security control in enterprise environments:
- Sandboxes can be used for investigation but not for detection. Most sandbox technologies require time, typically measured in minutes, to execute and detonate a suspicious program. This makes them ineffective for detection of security threats because detection requires analysis of all software encountered by the targeted system. Sandboxes may be used only for investigation of already suspicious software — which means that a prior detection mechanism must be in place.
- Attackers can escape from a sandbox. There is a huge variety of exploits that enable privilege escalation, many of them involving the Windows kernel. An attacker need only discover a privilege escalation vulnerability to break out of the sandbox and take control of the local device.
- Sandboxes are vulnerable to social engineering. In virtually all cases, some aspects of the sandbox environment are under control of the user. For example, if there is any way for a user to manually approve or reject software in the sandbox, or grant permissions to software in the sandbox, attackers can design a social engineering attack that will cause the user to perform that action, rendering the sandbox useless.
- Sandbox interfaces are imperfect. A kink in a sandbox’s user interface, an inexperienced user, or even an accidental click by an expert user can be enough to unleash malware from a sandbox into a production environment.
- Modern malware has built-in evasion. Attackers have been working on sandbox evasion for years. Many types of malware use techniques like delayed execution, analysis of mouse and keyboard patterns, evaluation of hardware environment, and other checks to identify if the malware is in a sandbox or a real user environment. If malware can evade the sandbox, it is impossible to rely on sandboxes as a security control.
Can Theses Issues Be Addressed by More Advanced Sandboxes?
The sad answer is no. In the ongoing "arms race" between attackers and sandbox developers, one side develops more sophisticated measures to evade or escape the sandbox, while the other side improves measures to detect and contain such attacks. However, sandbox developers are at a strong disadvantage.
Malware runs only once, and can, theoretically, use any number of resources to evade or break the sandbox. However, sandboxes must be highly efficient because they need to perform a large number of scans. As sandboxes become more sophisticated, they also become heavier and more resource-intensive — making them less practical for ongoing production use.
The battle is not yet lost — but it soon will be, and organizations should start to evaluate other security measures to replace or complement the once-venerated security sandbox.