OLD | NEW |
(Empty) | |
| 1 # Sandbox FAQ |
| 2 |
| 3 [TOC] |
| 4 |
| 5 ### What is the sandbox? |
| 6 |
| 7 The sandbox is a C++ library that allows the creation of sandboxed processes — |
| 8 processes that execute within a very restrictive environment. The only resources |
| 9 sandboxed processes can freely use are CPU cycles and memory. For example, |
| 10 sandboxes processes cannot write to disk or display their own windows. What |
| 11 exactly they can do is controlled by an explicit policy. Chromium renderers are |
| 12 sandboxed processes. |
| 13 |
| 14 ### What does and doesn't it protect against? |
| 15 |
| 16 The sandbox limits the severity of bugs in code running inside the sandbox. Such |
| 17 bugs cannot install persistent malware in the user's account (because writing to |
| 18 the filesystem is banned). Such bugs also cannot read and steal arbitrary files |
| 19 from the user's machine. |
| 20 |
| 21 (In Chromium, the renderer processes are sandboxed and have this |
| 22 protection. After the NPAPI removal, all remaining plugins are also |
| 23 sandboxed. Also note that Chromium renderer processes are isolated from the |
| 24 system, but not yet from the web. Therefore, domain-based data isolation is not |
| 25 yet provided.). |
| 26 |
| 27 The sandbox cannot provide any protection against bugs in system components such |
| 28 as the kernel it is running on. |
| 29 |
| 30 ### Is the sandbox like what you get with the Java VM? |
| 31 |
| 32 Yeah, kind of... except that to take advantage of the Java sandbox, you must |
| 33 rewrite your code to use Java. With our sandbox you can add sandboxing to your |
| 34 existing C/C++ applications. Because the code is not executed inside a virtual |
| 35 machine, you get native speed and direct access to the Windows API. |
| 36 |
| 37 ### Do I need to install a driver or kernel module? Does the user need to be Adm
inistrator? |
| 38 |
| 39 No and no. The sandbox is a pure user-mode library, and any user can run |
| 40 sandboxed processes. |
| 41 |
| 42 ### How can you do this for C++ code if there is no virtual machine? |
| 43 |
| 44 We leverage the Windows security model. In Windows, code cannot perform any form |
| 45 of I/O (be it disk, keyboard, or screen) without making a system call. In most |
| 46 system calls, Windows performs some sort of security check. The sandbox sets |
| 47 things up so that these security checks fail for the kinds of actions that you |
| 48 don’t want the sandboxed process to perform. In Chromium, the sandbox is such |
| 49 that all access checks should fail. |
| 50 |
| 51 ### So how can a sandboxed process such as a renderer accomplish anything? |
| 52 |
| 53 Certain communication channels are explicitly open for the sandboxed processes; |
| 54 the processes can write and read from these channels. A more privileged process |
| 55 can use these channels to do certain actions on behalf of the sandboxed |
| 56 process. In Chromium, the privileged process is usually the browser process. |
| 57 |
| 58 ### Doesn't Vista have similar functionality? |
| 59 |
| 60 Yes. It's called integrity levels (ILs). The sandbox detects Vista and uses |
| 61 integrity levels, as well. The main difference is that the sandbox also works |
| 62 well under Windows XP. The only application that we are aware of that uses ILs |
| 63 is Internet Explorer 7. In other words, leveraging the new Vista security |
| 64 features is one of the things that the sandbox library does for you. |
| 65 |
| 66 ### This is very neat. Can I use the sandbox in my own programs? |
| 67 |
| 68 Yes. The sandbox does not have any hard dependencies on the Chromium browser and |
| 69 was designed to be used with other Internet-facing applications. The main hurdle |
| 70 is that you have to split your application into at least two interacting |
| 71 processes. One of the processes is privileged and does I/O and interacts with |
| 72 the user; the other is not privileged at all and does untrusted data processing. |
| 73 |
| 74 ### Isn't that a lot of work? |
| 75 |
| 76 Possibly. But it's worth the trouble, especially if your application processes |
| 77 arbitrary untrusted data. Any buffer overflow or format decoding flaw that your |
| 78 code might have won't automatically result in malicious code compromising the |
| 79 whole computer. The sandbox is not a security silver bullet, but it is a strong |
| 80 last defense against nasty exploits. |
| 81 |
| 82 ### Should I be aware of any gotchas? |
| 83 |
| 84 Well, the main thing to keep in mind is that you should only sandbox code that |
| 85 you fully control or that you fully understand. Sandboxing third-party code can |
| 86 be very difficult. For example, you might not be aware of third-party code's |
| 87 need to create temporary files or display warning dialogs; these operations will |
| 88 not succeed unless you explicitly allow them. Furthermore, third-party |
| 89 components could get updated on the end-user machine with new behaviors that you |
| 90 did not anticipate. |
| 91 |
| 92 ### How about COM, Winsock, or DirectX — can I use them? |
| 93 |
| 94 For the most part, no. We recommend against using them before lock-down. Once a |
| 95 sandboxed process is locked down, use of Winsock, COM, or DirectX will either |
| 96 malfunction or outright fail. |
| 97 |
| 98 ### What do you mean by before _lock-down_? Is the sandboxed process not locked
down from the start? |
| 99 |
| 100 No, the sandboxed process does not start fully secured. The sandbox takes effect |
| 101 once the process makes a call to the sandbox method `LowerToken()`. This allows |
| 102 for a period during process startup when the sandboxed process can freely get |
| 103 hold of critical resources, load libraries, or read configuration files. The |
| 104 process should call `LowerToken()` as soon as feasible and certainly before it |
| 105 starts interacting with untrusted data. |
| 106 |
| 107 **Note:** Any OS handle that is left open after calling `LowerToken()` can be |
| 108 abused by malware if your process gets infected. That's why we discourage |
| 109 calling COM or other heavyweight APIs; they leave some open handles around for |
| 110 efficiency in later calls. |
| 111 |
| 112 ### So what APIs can you call? |
| 113 |
| 114 There is no master list of safe APIs. In general, structure your code such that |
| 115 the sandboxed code reads and writes from pipes or shared memory and just does |
| 116 operations over this data. In the case of Chromium, the entire WebKit code runs |
| 117 this way, and the output is mostly a rendered bitmap of the web pages. You can |
| 118 use Chromium as inspiration for your own memory- or pipe-based IPC. |
| 119 |
| 120 ### But can't malware just infect the process at the other end of the pipe or sh
ared memory? |
| 121 |
| 122 Yes, it might, if there's a bug there. The key point is that it's easier to |
| 123 write and analyze a correct IPC mechanism than, say, a web browser |
| 124 engine. Strive to make the IPC code as simple as possible, and have it reviewed |
| 125 by others. |
OLD | NEW |