| justincarlson | b4730a0c | 2017-04-20 20:22:13 | [diff] [blame] | 1 | # Sandbox FAQ |
| 2 | |
| 3 | [TOC] |
| 4 | |
| 5 | ### What is the sandbox? |
| 6 | |
| 7 | The sandbox is a C++ library that allows the creation of sandboxed processes — |
| 8 | processes that execute within a very restrictive environment. The only resources |
| 9 | sandboxed processes can freely use are CPU cycles and memory. For example, |
| 10 | sandboxes processes cannot write to disk or display their own windows. What |
| 11 | exactly they can do is controlled by an explicit policy. Chromium renderers are |
| 12 | sandboxed processes. |
| 13 | |
| 14 | ### What does and doesn't it protect against? |
| 15 | |
| 16 | The sandbox limits the severity of bugs in code running inside the sandbox. Such |
| 17 | bugs cannot install persistent malware in the user's account (because writing to |
| 18 | the filesystem is banned). Such bugs also cannot read and steal arbitrary files |
| 19 | from the user's machine. |
| 20 | |
| 21 | (In Chromium, the renderer processes are sandboxed and have this |
| 22 | protection. After the NPAPI removal, all remaining plugins are also |
| 23 | sandboxed. Also note that Chromium renderer processes are isolated from the |
| 24 | system, but not yet from the web. Therefore, domain-based data isolation is not |
| 25 | yet provided.). |
| 26 | |
| 27 | The sandbox cannot provide any protection against bugs in system components such |
| 28 | as the kernel it is running on. |
| 29 | |
| 30 | ### Is the sandbox like what you get with the Java VM? |
| 31 | |
| 32 | Yeah, kind of... except that to take advantage of the Java sandbox, you must |
| 33 | rewrite your code to use Java. With our sandbox you can add sandboxing to your |
| 34 | existing C/C++ applications. Because the code is not executed inside a virtual |
| 35 | machine, you get native speed and direct access to the Windows API. |
| 36 | |
| 37 | ### Do I need to install a driver or kernel module? Does the user need to be Administrator? |
| 38 | |
| 39 | No and no. The sandbox is a pure user-mode library, and any user can run |
| 40 | sandboxed processes. |
| 41 | |
| 42 | ### How can you do this for C++ code if there is no virtual machine? |
| 43 | |
| 44 | We leverage the Windows security model. In Windows, code cannot perform any form |
| 45 | of I/O (be it disk, keyboard, or screen) without making a system call. In most |
| 46 | system calls, Windows performs some sort of security check. The sandbox sets |
| 47 | things up so that these security checks fail for the kinds of actions that you |
| 48 | don’t want the sandboxed process to perform. In Chromium, the sandbox is such |
| 49 | that all access checks should fail. |
| 50 | |
| 51 | ### So how can a sandboxed process such as a renderer accomplish anything? |
| 52 | |
| 53 | Certain communication channels are explicitly open for the sandboxed processes; |
| 54 | the processes can write and read from these channels. A more privileged process |
| 55 | can use these channels to do certain actions on behalf of the sandboxed |
| 56 | process. In Chromium, the privileged process is usually the browser process. |
| 57 | |
| 58 | ### Doesn't Vista have similar functionality? |
| 59 | |
| 60 | Yes. It's called integrity levels (ILs). The sandbox detects Vista and uses |
| 61 | integrity levels, as well. The main difference is that the sandbox also works |
| 62 | well under Windows XP. The only application that we are aware of that uses ILs |
| 63 | is Internet Explorer 7. In other words, leveraging the new Vista security |
| 64 | features is one of the things that the sandbox library does for you. |
| 65 | |
| 66 | ### This is very neat. Can I use the sandbox in my own programs? |
| 67 | |
| 68 | Yes. The sandbox does not have any hard dependencies on the Chromium browser and |
| 69 | was designed to be used with other Internet-facing applications. The main hurdle |
| 70 | is that you have to split your application into at least two interacting |
| 71 | processes. One of the processes is privileged and does I/O and interacts with |
| 72 | the user; the other is not privileged at all and does untrusted data processing. |
| 73 | |
| 74 | ### Isn't that a lot of work? |
| 75 | |
| 76 | Possibly. But it's worth the trouble, especially if your application processes |
| 77 | arbitrary untrusted data. Any buffer overflow or format decoding flaw that your |
| 78 | code might have won't automatically result in malicious code compromising the |
| 79 | whole computer. The sandbox is not a security silver bullet, but it is a strong |
| 80 | last defense against nasty exploits. |
| 81 | |
| 82 | ### Should I be aware of any gotchas? |
| 83 | |
| 84 | Well, the main thing to keep in mind is that you should only sandbox code that |
| 85 | you fully control or that you fully understand. Sandboxing third-party code can |
| 86 | be very difficult. For example, you might not be aware of third-party code's |
| 87 | need to create temporary files or display warning dialogs; these operations will |
| 88 | not succeed unless you explicitly allow them. Furthermore, third-party |
| 89 | components could get updated on the end-user machine with new behaviors that you |
| 90 | did not anticipate. |
| 91 | |
| 92 | ### How about COM, Winsock, or DirectX — can I use them? |
| 93 | |
| 94 | For the most part, no. We recommend against using them before lock-down. Once a |
| 95 | sandboxed process is locked down, use of Winsock, COM, or DirectX will either |
| 96 | malfunction or outright fail. |
| 97 | |
| 98 | ### What do you mean by before _lock-down_? Is the sandboxed process not locked down from the start? |
| 99 | |
| 100 | No, the sandboxed process does not start fully secured. The sandbox takes effect |
| 101 | once the process makes a call to the sandbox method `LowerToken()`. This allows |
| 102 | for a period during process startup when the sandboxed process can freely get |
| 103 | hold of critical resources, load libraries, or read configuration files. The |
| 104 | process should call `LowerToken()` as soon as feasible and certainly before it |
| 105 | starts interacting with untrusted data. |
| 106 | |
| 107 | **Note:** Any OS handle that is left open after calling `LowerToken()` can be |
| 108 | abused by malware if your process gets infected. That's why we discourage |
| 109 | calling COM or other heavyweight APIs; they leave some open handles around for |
| 110 | efficiency in later calls. |
| 111 | |
| 112 | ### So what APIs can you call? |
| 113 | |
| 114 | There is no master list of safe APIs. In general, structure your code such that |
| 115 | the sandboxed code reads and writes from pipes or shared memory and just does |
| 116 | operations over this data. In the case of Chromium, the entire WebKit code runs |
| 117 | this way, and the output is mostly a rendered bitmap of the web pages. You can |
| 118 | use Chromium as inspiration for your own memory- or pipe-based IPC. |
| 119 | |
| 120 | ### But can't malware just infect the process at the other end of the pipe or shared memory? |
| 121 | |
| 122 | Yes, it might, if there's a bug there. The key point is that it's easier to |
| 123 | write and analyze a correct IPC mechanism than, say, a web browser |
| 124 | engine. Strive to make the IPC code as simple as possible, and have it reviewed |
| 125 | by others. |
