Aaron takes a look at sandboxing, a popular security technique used to keep your PC safe and sound
In your travels online or talking with other PC users, you may well have stumbled on the term ‘sandboxing’. It’s a term that’s thrown around quite a lot online, especially in technical circles, and it’s also very popular in business and large scale networking. What exactly is it, though, and is it something you may want to look into? Let’s see.
Play Safe
Simply put, sandboxing is a security measure people use to keep their PCs safe from attack. The actual name, sandboxing, may be a little confusing, however. If you’re a gamer, you may consider the term to mean a large, free and open space where you can do whatever you want. It’s a common way to describe such games as GTA, Minecraft and Skyrim. In computing, however, it’s quite the opposite. Here users create a virtual, restricted sandbox for applications and code to run within. This sandbox is separate from the rest of the system, thus creating a contained and safe place to test out new programs, websites and code. It’s a quarantine of sorts, able to prevent any possible attacks that may arise from running unknown code.
This is very important in today’s world, where even a visit to the wrong website can cause you all sorts of grief. With various exploits found in things like Java code, it’s not always possible to protect yourself from threats, even if you have a decent anti-virus app installed.
With the massive availability of software online, especially freeware and trials, it’s also possible to install applications that come with unexpected guests like trojans and viruses. Even if a program is clean, it may still cause problems with compatibility and react badly with your hardware setup, causing system instability.
There are many ways to protect against this, with your own caution being among the best weapons in your arsenal, but with so many back doors and hidden ways for threats to get into your system, a better, more reliable way is needed. This is where sandboxing comes in.
Any Which Way
There are a few different methods of sandboxing that people employ, with the different options being more suitable for different roles.
Not all of these are viable for home use, and some are designed for corporate environments and larger networks.
For example, many IT departments utilise a rule-based method, often using Linux to provide different users various permissions and rules, thereby limiting the number of users who can perform certain tasks, such as installing software, running code and starting processes. These rules can be applied to programs, as well as people, and they provide a useful framework for controlling computer activity. A similar method is employed by companies using a Microsoft-based domain, with utilities like Active Directory.
Another popular method is to use a ‘jail’, which is a method of using virtualisation to separate programs into virtual spaces or partitions. Keeping items or even user sessions in separate virtual environments is one way to ensure security. Again, this kind of virtualisation isn’t feasible or necessary in the home (in most situations, but there’s an app that is, which we’ll look at later), but the tech is the basis for what is arguably the most popular method of sandboxing in the home, and that’s virtual machines.
Virtual Sanity
Virtual machines have been around for a long time, and although server virtualisation is relatively new in terms of corporate infrastructure, compared to traditional physical servers, virtually emulating a stand-alone system is something that’s now tried and tested to the extreme. Therefore, it’s a great way of giving your own home PC or network some rock solid security.
Using this approach, you employ a virtual machine package to assign a portion of your hard drive to become the hard drive of the virtual PC, specify the percentage of system resources like RAM and CPU usage, and install an OS onto it. Once this is installed, you can boot up the virtual PC, which functions just like a normal PC, only it’s all virtual and self-contained. Should anything happen to the system, such as a virus infection, all that’s affected is the virtual PC.
This system can be dedicated to any task, such as trying out downloaded software or browsing the internet. As it’s basically a software image, it can be deleted and you can start again, no harm no foul. If you back up the original, fresh image, creating a copy of it before you use it, you can simply copy and paste the image back into place and start again. Easy.
It’s reasons such as this that make sandboxing such a popular approach to security for many, and even for everyday internet browsing it can be a useful trick. Fortunately, there are many ways to do this, some that require a purchase and others that are totally free.
Pretend PC
Virtual PC image software is plentiful, and there are many options for you to pick from. Many of these are expensive, with some designed mainly for corporate and other large-scale use, but some are perfectly suited to the home user. Let’s take a look at some of these options.
VMware
One of the most well-known applications in the virtualisation market is VMware. This is one of the most powerful virtual options, but it isn’t as home user friendly as it once was, with no real free official version available other than limited trials. However, due to its power, it’s still worth considering for many.
VMware Player can still be found for free and is a very good virtual PC tool
VirtualBox is free and arguably the most popular home VM tool
Once the mainstay of virtual machines, even for home users, it’s now the go-to choice for business thanks to its heavy lean towards virtual server farms and large-scale installations. The main website doesn’t really offer any free options any more, but you can still find the free VMware Player on various sites, including many software download sites.
VMware Player is a stripped-back but perfectly usable virtual PC program that can be used for home sandboxing, and it’s very easy to create multiple PCs with whatever operating systems you need. The only real setback of this program is the high resource use. The overheads for all virtual machines are understandably high, but VMware Player seems to be particularly hoggish here.
VirtualBox
VirtualBox is probably the most popular virtual machine tool for Windows, and it’s totally free. Creating machines in the program is easy, and it also features very useful file sharing and drive sharing mechanics. It has full networking support, can be used as an actual test bed, and you can set up the system to function as a jail. There are extensive guides and documentation on the main website (www.virtualbox.org), as well as a full user manual.
Although it’s one of the most popular options for Windows, as it’s free, it’s also cross-platform and thus supports both Mac and Linux. Highly recommended.
QEMU
If you’re a Linux user and are looking into the possibility of sandboxing via the virtual PC route, then you should check out QEMU (wiki.qemu.org/Main_Page). This is a free, open-source virtual machine tool. As with many programs of this type, it can be used to run multiple OS installations virtually, and it can emulate other hardware systems, so you can run programs designed for other components.
A popular use for QEMU is to emulate Windows, so Linux users can run their favourite OS but still have the option of using Windows-based programs that they’d otherwise not be able to access. In this regard, it’s a very useful tool and is also one of the most efficient, with many finding that it drains less of their system’s resources than some other virtualisation options.
– QEMU is popular with Linux users looking for VM functionality
– Windows 7’s XP Mode came from MS Virtual PC and, although no longer supported, is a good sandbox option for Windows 7 users
MS Virtual PC
Once one of the most popular virtual machine options, as it was free and had Microsoft behind it, this virtual PC option is no longer all that useful, sadly. With the arrival of Windows 7, the previously free virtualisation package that could create multiple virtual systems was refurbished to function as a free copy of Windows XP for compatibility uses, bypassing any problems that arose from the new OS. Instead of a proper VM app, the system was used to emulate a free copy of XP on Windows 7, allowing users to run their old programs.
Today, however, this is no longer supported. The option isn’t available within Windows 8, and Microsoft has posted on its website that it no longer provides support for Windows XP Mode, going so far as to say that it recommends you only use the tool if your PC isn’t connected to the internet (thanks to numerous security issues that may be present).
If you’re still using Windows 7 and have XP applications you wish to use, this remains a good option, as you can use the XP mode as a sandbox, keeping your Windows 7 system safe and sound.
– User Account Control is a variant of sandboxing, restricting program access
– Sandboxie creates isolated sandboxes for programs to run within
DIY Sandbox
Sandboxing usually requires extra software, such as a virtual PC program, but you can operate your PC with more safety using some basic principles that apply to sandboxing – that is, restricting access to your PC.
This can be achieved by simply running programs as a limited user instead of one with admin rights. This way, no changes can be made to the PC, so programs can’t do anything they shouldn’t. This won’t protect you from any potential viruses, but any attacks that make changes to the system can be prevented. Therefore, it’s a good trick to use if you’re testing out new software downloaded from the internet.
Windows makes this kind of sandboxing very easy, thanks to User Account Control (UAC). With this turned on, any changes a program attempts to make to your PC are questioned, and you’re prompted to intervene. This means you always know what’s going on behind the scenes and if a program needs to make changes to or gain access to your system.
– You can quickly run browsers and email via preset options
– Create a new file in a sandboxed app, and you’ll be able to recover it right away
Pros And Cons
That’s just a couple of virtual machine apps, and these are very effective ways to sandbox. However, they do have their ups and downs.
On the plus side, there’s arguably no safer way to test programs and browse the internet, as the virtual PC is separate from your real, physical computer, and any attacks or problems are contained. It’s a great security solution, and if you use a free application, you’re golden. Virtual machines even have their own IPs and names, so they can be identified on your network and externally. This all requires a lot of computing muscle, though.
Running a virtual PC within another PC takes a lot of power and resources, and after you’ve assigned the virtual PC’s share of memory, hard disk space, CPU usage and so on, your system will be very busy dividing its resources between the real and virtual system. This obviously means it’s not going to be as fast as usual, and you’ll notice both the real and virtual PCs aren’t going to break any speed records.
This is fine if you’re not planning on heavy use, but if you need to run powerful apps and don’t have a monster PC, you’re going to suffer. If this is the case, the virtual PC option may not be the best one for you. There is another option you may want to consider, however.
Sandboxie
Sandboxie (www.sandboxie.com) is an intriguing take on sandboxing, not only in name but in how it works. Instead of virtualising an entire PC, Sandboxie creates (what else?) a sandbox for programs to play in. It does this by isolating a portion of your hard disk and running any applications within it. Programs are unable to make any changes to any other part of your computer, and even things like temporary internet files are contained. As an example, if you run a browser within a sandbox and download a file, it’s saved to the sandbox, and if you want to move it to your actual PC, you have to recover it first. Simple.
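The containment and recovery behaviour described above can be pictured with a small model. This is an added example, not Sandboxie's code and not a description of how Sandboxie is built internally; the `FileSandbox` class and its method names are hypothetical.

```python
import shutil
import tempfile
from pathlib import Path


class FileSandbox:
    def __init__(self, real_root, box_root):
        self.real, self.box = Path(real_root).resolve(), Path(box_root).resolve()
        self.box.mkdir(parents=True, exist_ok=True)

    def _inside(self, root, rel):
        # Refuse paths that would escape the root ('..' or absolute paths).
        target = (root / rel).resolve()
        if not target.is_relative_to(root):
            raise PermissionError(f"path escapes sandbox: {rel}")
        return target

    def write(self, rel, data):
        # Every write lands in the sandbox folder; the real file is untouched.
        target = self._inside(self.box, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(data)

    def read(self, rel):
        # Prefer the sandboxed copy, otherwise read through to the real file.
        boxed = self._inside(self.box, rel)
        return (boxed if boxed.exists() else self._inside(self.real, rel)).read_text()

    def recover(self, rel):
        # Deliberate user action: copy one file out to the real system.
        dest = self._inside(self.real, rel)
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(self._inside(self.box, rel), dest)

    def delete_contents(self):
        shutil.rmtree(self.box)
        self.box.mkdir()


def demo():
    # Constructed sample data; FileSandbox is an illustrative model only.
    with tempfile.TemporaryDirectory() as pc, tempfile.TemporaryDirectory() as box:
        (Path(pc) / "notes.txt").write_text("original")
        sb = FileSandbox(pc, box)
        sb.write("notes.txt", "tampered")   # sandboxed program overwrites a file
        sb.write("keep.txt", "wanted")      # and creates a new one
        seen = sb.read("notes.txt")         # inside the sandbox: "tampered"
        sb.recover("keep.txt")              # user chooses to keep this file
        sb.delete_contents()                # everything else is discarded
        return seen, sb.read("notes.txt"), (Path(pc) / "keep.txt").read_text()
```

The sandboxed program sees its own changes, the real copy of `notes.txt` is never modified, and only the file the user explicitly recovers reaches the real folder.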
Using Sandboxie
Let’s take a quick look at how to use Sandboxie. First, you’ll need to install Sandboxie, and once you’ve progressed through the initial tutorial, you’ll be able to use the program itself. To begin, open the program and right-click the ‘Sandbox DefaultBox’ option. Here you’ll be able to select from a few options, including existing presets, and set up your own. To do this, go to the ‘Run Sandboxed’ option.
You can select options to run common applications like internet browsers and email. Selecting these options will run your default choices for these apps, which will be denoted by the yellow border (which can be changed), showing that they’re Sandboxie applications. If you have a browser already open, Sandboxie will open the browser, complete with any pages and tabs already active. You’ll notice that the Sandboxie apps also appear as separate programs on the taskbar, prefixed with ‘[#] Sandboxie’.
– When you delete a Sandboxie session, you’ll be able to recover any files you need
– Programs running within a sandbox have a yellow (by default) border when you roll over them
– Sandboxie lets you restrict access to various parts of your PC, and the internet
If you create a new file within a program, Sandboxie will tell you and offer you the chance to recover it right away (you can always do so later on). Once recovered from within the sandbox itself, it can be saved to your PC as normal.
When you’re done with sandboxed apps, close them as normal. To clear the actual sandbox, right-click the Sandboxie icon in the taskbar or the entry in the Sandboxie interface, and select ‘Delete Contents’.
When you select the option to delete contents, you’ll also be shown any other files that can be recovered before you delete the session. Be sure to check this in case you need to save anything to your actual system.
If you have a specific program you want to run, you need to use the ‘Run Any Program’ option. Clicking this will prompt you to locate the application, which you can do by typing in the path or using the browse button to find it. You can also run programs as a UAC admin, if you like, but this will still be protected.
The program will run, once again denoted by the yellow border. You can use the program as normal, using the same method to recover save files if you need to, but it’ll run in a safe area. This is a great method to use when trying out new software and downloads from various freeware and trial websites.
Sandboxie also has a settings section that lets you tinker with how it works. These are all useful, but the Restrictions section is of particular interest. Here you can limit application access to the internet, prevent applications from running in a sandbox and restrict more admin rights.
The first option here is very useful and can be great if you want to run a program without it being able to connect to the internet. By default, all applications can access the internet, but you can change this to specify which are allowed.
The second option lets you create a sandbox that can run only certain apps and no others. This could be great if you want to let your kids use the computer and only want them to run certain programs. Also in the settings is the option to restrict file and folder access on the PC, so sandboxed items can only access data you allow, and you can also restrict access to the Windows registry.
As you can see, it’s a powerful tool, and there’s plenty of scope to create a truly safe system, with sandboxing being a fantastic tool to help keep your PC and your data safe. So if you’ve never tried sandboxing, now’s a good time to get started.
Shifting Sands
Although you may not know it, you’re already using sandboxing to some degree. Many programs we use on a daily basis these days function as sandboxes, keeping the rest of our system safe or at least attempting to do so. Perhaps the most common example would be the humble internet browser.
An internet browser is effectively a sandbox, as it runs the internet in a self-contained environment, running scripts and other code within this area, which is separated from the rest of the system. This means that we can browse the internet with relative safety, and the browser can handle most issues. Every time you see your browser ask if you want to run a script or allow a pop-up, it’s effectively acting as a sandbox.
Sure, you may suffer the odd home page hijack, but for the most part, this is better than the alternative. Of course, browsers aren’t bulletproof, hence the need for added protection, but without their basic abilities to sandbox, PC security would be a whole different matter.
Any program that runs on your computer with limited permissions is a sandbox really, as that program cannot make changes or do anything to your PC. It’s for this reason that it’s advisable to limit what programs can and cannot do by running them as restricted accounts.