Sandbox

From Computing and Software Wiki


Revision as of 05:04, 6 April 2008

A sandbox (in computer security) is a security mechanism used on servers and personal computers to execute third-party programs that are unverified or come from an untrusted source. A sandbox allows a guest program to run under tightly controlled conditions, which typically prevent the guest program from writing to the host computer's permanent disk storage and provide highly restricted network access (if any). Some sandboxes also prevent the guest program from reading the host's input devices, so that a malicious program cannot capture sensitive data such as passwords, network keys and credit card information.


Mechanism

Typically when a program is run, the hard disk is read to load program parameters and then data is written back to the hard disk from time to time during program execution and termination. The following figure demonstrates this scenario.

(insert diagram here)

What if the program is of a malicious nature, doing all sorts of unscrupulous things such as trying to read sensitive data, corrupting system files or consuming network bandwidth? A sandbox is used to prevent such unauthorized read/write access. It gives the guest program a limited amount of scratch space on the hard disk in which to execute, but does not allow it to read from or write to any other sector of the disk directly. The figure below shows a sandbox acting as a transient storage area: data flows in both directions (read and write) between the sandbox and the guest program, but no read or write takes place between the guest program and the permanent disk storage. Sandboxes intercept changes to both files and the registry, so that the guest program cannot reach outside the sandbox. The figure below shows the schematic of a sandbox protecting the permanent disk storage.

(insert diagram Sandbox)
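The interception described above, as an added illustration that is not part of the original wiki article: a small Python class that stands in for the sandbox layer between a guest program and the host disk. Every write the guest makes is redirected into a scratch directory (copy-on-write), reads are served from the scratch copy when one exists and otherwise only from a short list of host files the sandbox owner has marked readable, and any other read is refused. The class name `SandboxFS`, the `run_demo` helper and the `config.txt`/`secret.txt` sample files are assumptions made for this example; a real sandbox does the same interception at the operating-system level rather than by wrapping `open()`.

```python
import os
import shutil
import tempfile


class SandboxFS:
    """Illustrative copy-on-write file sandbox (assumed name; not a real product).

    Writes by the guest always land in a scratch directory. Reads come from the
    scratch copy if the guest has already written the file, otherwise from a
    read-only whitelist of host paths. Anything else is refused, so the guest
    never reads or writes the permanent disk directly.
    """

    def __init__(self, readable_host_paths):
        self.scratch = tempfile.mkdtemp(prefix="sandbox-")
        self.readable = {os.path.abspath(p) for p in readable_host_paths}
        self.log = []  # every intercepted access: (op, host path, outcome)

    def _scratch_path(self, host):
        # Mirror the absolute host path underneath the scratch directory.
        return os.path.join(self.scratch, host.lstrip(os.sep))

    def open(self, path, mode="r"):
        host = os.path.abspath(path)
        shadow = self._scratch_path(host)
        writing = any(c in mode for c in "wax+")
        if writing:
            # Copy-on-write: seed the shadow from an allowed host file so that
            # appends and read-modify-write behave as the guest expects, while
            # the host file itself is never opened for writing.
            os.makedirs(os.path.dirname(shadow), exist_ok=True)
            if (not os.path.exists(shadow) and host in self.readable
                    and os.path.exists(host)):
                shutil.copyfile(host, shadow)
            self.log.append(("write", host, "redirected"))
            return open(shadow, mode)
        if os.path.exists(shadow):
            self.log.append(("read", host, "scratch"))
            return open(shadow, mode)
        if host in self.readable:
            self.log.append(("read", host, "host-readonly"))
            return open(host, mode)
        self.log.append(("read", host, "denied"))
        raise PermissionError(f"sandbox: read of {host} not permitted")

    def cleanup(self):
        # Discarding the scratch area throws away everything the guest changed.
        shutil.rmtree(self.scratch, ignore_errors=True)


def run_demo():
    """Run a 'guest' that overwrites a config file and probes a secret file.

    Returns what the guest saw and what the host disk holds afterwards.
    """
    # Constructed sample host files for the demonstration.
    host_dir = tempfile.mkdtemp(prefix="host-")
    config = os.path.join(host_dir, "config.txt")
    secret = os.path.join(host_dir, "secret.txt")
    with open(config, "w") as f:
        f.write("setting=1\n")
    with open(secret, "w") as f:
        f.write("password=example-only\n")

    sb = SandboxFS(readable_host_paths=[config])

    # Guest reads an allowed file, then tries to corrupt it.
    with sb.open(config) as f:
        before = f.read()
    with sb.open(config, "w") as f:
        f.write("setting=corrupted\n")
    with sb.open(config) as f:
        guest_view = f.read()  # the guest sees its own change...

    # Guest tries to read a file it was never granted.
    try:
        sb.open(secret)
        secret_denied = False
    except PermissionError:
        secret_denied = True

    with open(config) as f:
        host_after = f.read()  # ...but the host file is untouched

    result = {
        "before": before,
        "guest_view": guest_view,
        "host_after": host_after,
        "secret_denied": secret_denied,
        "log": list(sb.log),
    }
    sb.cleanup()
    shutil.rmtree(host_dir, ignore_errors=True)
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "->", value)
```

The access log is the part a defender cares about: each intercepted call records whether it was redirected to scratch, served read-only from the host, or denied, which is exactly the evidence needed to decide afterwards whether the guest behaved.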
