In the world of cybersecurity, a sandbox environment is an isolated virtual machine in which potentially unsafe software code can execute without affecting network resources or local applications.
Cybersecurity researchers use sandboxes to run suspicious code from unknown attachments and URLs and observe its behaviour. Telltale signs include whether the code replicates itself, tries to contact a command-and-control server, downloads additional software, encrypts sensitive data, and so on. Because the sandbox is an emulated environment with no access to the network, data or other applications, security teams can safely “detonate” the code to determine how it works and whether it is malicious.
Outside of cybersecurity, developers also use sandbox testing environments to run code before widespread deployment.
What is the Purpose of a Sandbox?
In a standard business production environment, a sandbox might be misunderstood or considered a needless expense. But sandboxes are critical for several scenarios in development, cybersecurity and research. Making sure the sandbox is truly isolated and secure is more important in cybersecurity research than in software development because malware actively and aggressively scans the network for exploitable vulnerabilities.
In development, a sandbox usually involves a development server and a staging server. The development server is separated from the production environment but may still require basic network access. Developers use this server to upload code and test it as the codebase changes.
The staging server is designed to be an exact replica of production. This server is where quality assurance (QA) tests code before deploying to production. Because the staging environment is the same as the production environment, code that runs without issues in staging should run without issues in production. After code is tested, it’s deployed to production.
In cybersecurity research
Cybersecurity researchers and analysts use their sandbox environment in a similar way. But in this case, it’s much more critical to ensure that no network resources are available to malware. The sandbox environment has its own network and often no physical connection to production resources. The purpose of the sandbox is to execute malicious code and analyse it. Sometimes, this code could be a zero-day exploit where the malware’s effect and payload are unknown. Because of this, the sandbox must not have any access to critical infrastructure.
With a sandbox, cybersecurity researchers and analysts can understand the way malware works and what can be done to stop it. It’s the first step in designing antivirus software to stop malware from spreading to other systems and to remove it from the already-infected systems.
For complex attacks, sandbox environments are readily available to quickly analyse malware and stop it before it becomes a global issue. Ransomware, for example, can spread globally and crash critical government systems. This makes it important for researchers to have ready access sandboxes to help stop it.
How Does a Sandbox Work?
The way a sandbox functions depends on what is being tested. For instance, a sandbox environment used to test malware is set up and functions differently from a sandbox meant to test code for application updates. For research into potential malware and execution of malicious code, a sandbox requires isolation from production software.
Regardless of how a sandbox is be used, every environment has a few basic features:
- Emulation of an actual device. This could be emulation of a desktop or mobile device. In either case, the application being tested must have access to the same resources as the code being analysed, including CPU, memory and storage.
- Emulation of the target operating system. Using a virtual machine, the application must have access to the operating system. With a virtual machine, the sandbox is isolated from the underlying physical hardware but has access to the installed operating system.
- Virtualised environment. Usually, a sandbox is on a virtual machine so that it has no access to physical resources but can access virtualised hardware.
Virtualisation and emulation are not silver bullets. Some malware writers design code that stays under security researchers’ radar if it senses that it’s running in a sandbox.
Sandbox-detection measures might include looking for user interactions that aren’t consistent with real-world usage. Others might read system settings to look for common virtual machine system configurations. In these cases, the malware lays dormant so that it’s not detected as malicious, activated only after it reaches a real-world target.
In some cases, the malware author might even create exploits to compromise a weakly secured sandbox.
Virtualised environments are also called “jails” because the emulated operating system and hardware resources have restricted network access and file system namespaces. Sandboxes are also included in some applications and cloud hosts where anything running within them is prevented from accessing certain aspects of the host machine.
Benefits of a Sandbox
Like a development testing environment, a sandbox can be used to run any application on a safe resource before deploying it to production or giving it access to production resources. A sandbox lets organisations run programs that could potentially cause issues, whether from malware or unintended software flaws, without bogging down or damaging business-critical resources.
A sandbox is often used as a quarantine for unknown email and attachments. Email filters will detect potential malicious email messages and attachments, but an administrator needs a safe place to view them to detect false positives. Malicious documents may contain macros that exploit flaws in popular productivity apps such as Microsoft Office. An administrator can use a sandbox virtual machine to open attachments and view the macros to see whether they’re safe.
For organisations that do not have specialised cybersecurity staff, a sandbox can be used by any employee to isolate suspicious programs. A sandbox can let workers run unknown code without exposing their systems to new threats.
A sandbox can have both software and hardware components. With hardware restrictions, a sandbox could be on its own isolated network. For very restricted isolation, the sandbox could be on its own Wi-Fi router and ISP connection. This setup would make it physically impossible for a malicious application to access the main network.
Several applications use sandboxes by default to protect the local operating system. Browsers have their own sandboxes to separate malicious applications that run on the web from accessing local machine resources. Languages such as Java have their own sandbox to protect local resources from untrusted code, such as a Java applet running on a web page.
The Windows 10 operating system has a sandbox built in to protect the desktop from untrusted code. While this feature should not be used as a replacement for antivirus, firewall, and anti-malware programs, it adds a layer of security that older Windows operating systems do not have.
HTML5 has a sandbox to protect misuse of its iframe feature. And the Linux operating system has several application sandboxes built on Seccomp and cgroup. Google Sandbox API is available to developers who write C++ code and need to sandbox their code before deploying it to the production environment.
How Do You Set Up a Sandbox Environment?
A sandbox’s purpose depends on the way you set it up. Many cloud platforms have their own sandbox to work with new programs and updates. For instance, if you decide to work with PayPal as a payment processor, the platform has a full sandbox where you can emulate the production environment. Any code using the sandbox is isolated from production, so errors and bugs do not affect the main platform.
If you need a sandbox to test code or potential malware, you can create your own sandbox by installing a virtual machine. VirtualBox is often used to host the virtual environment, also called a virtual machine. Then you just need an installation file to run the operating system within the virtual machine.
Before installing the operating system within the virtual machine, set the hardware resources that will be available to the environment such as memory, CPU, storage capacity, and network adapter. These resources are virtualised and will be unavailable outside of the virtual machine. Conversely, programs running in your new environment will not be able to share memory resources with the main operating system or anything outside of the virtual machine.
Even though a sandbox should be a safe space, attackers always try to break sandbox security. Technology firms will often give large bounties to anyone who can find a flaw in the sandbox that can be exploited. Microsoft Edge developers will pay up to $30,000 to anyone who can find a bypass on the browser’s sandbox. Google Chrome developers paid $60,000 to a someone who was able to execute unsanctioned code on a fully patched machine in 2012.
To do any security research or dive into malware analysis, a sandbox is a must. It will ensure that all resources are unavailable to the virtual machine, including network storage. With a sandbox, you can analyse code without the risk of destroying a production environment.
- Webinar: The Phishing Problem - Your Security Sandbox Won't Catch It All
- Sandbox Suspicious URLs with Proofpoint Targeted Attack Protection
- White Paper: Ransomware Detection & Survival Guide