The Pros And Cons Of Application Sandboxing
Successes by Adobe, Google, and Apple in reducing privileges through sandboxing have reduced exploits in their software, but the technique is far from perfect
Recent statistics show that application sandboxing in programs like Adobe Acrobat and Google Chrome has made a measurable difference in reducing the exploitability of the malware world's favorite punching bags. But sandboxing is far from a silver bullet for mitigating risk from application vulnerabilities. Some experts believe that it's only a matter of time before malware writers catch up, and others warn that the industry shouldn't become wholly reliant on it as a replacement for effective vulnerability management.
"Sandboxing, containerization, and virtualization are all just techniques to protect administrative access to the underlying OS, or unrestricted access to data," says Lee Cocking, vice president of corporate strategy for Fixmo. "While a great technique, [sandboxing] is just one piece of the puzzle in ensuring the security of devices and data, and minimizing exposure risk."
A Quick Sandboxing Primer
The fundamental idea behind sandboxing is to reduce risk by limiting the environment in which certain code executes.
"The whole idea, no matter what sandbox you're talking about, is putting someone in an environment so they can't access something outside the scope of what they should be doing," explains Marcus Carey, security researcher for Rapid7.
As a concept, it's hardly new, says David Hess, founder of Trust Inn, who pointed to Java Applets as one of the earliest and most widely deployed examples.
"It's just now finally moving out of niche areas -- the Web -- into widespread adoption in all application environments," he says.
Most notable in this category is Adobe, which uses sandboxing to protect Acrobat and Flash environments, and Google, which uses the technique for Chrome. Sandboxing is also an important technique in the mobile application environment and is widely used by Apple for iOS devices and Google, though to a lesser degree, for Android apps.
Savvy technology users and administrators also use virtual machines as a way to sandbox software at will, says Scott Parcel, CTO at Cenzic. This kind of on-demand sandboxing through virtualization is being adopted by a number of conventional and niche security products, and they do show promise, according to those like Parcel, who points to Bromium as a particularly interesting example in this category.
"Bromium uses what they refer to as 'micro virtualization' to run hundreds of micro virtual machine sandboxes on one machine," he says. "This is an interesting approach to this problem, and may allow more complete isolation than previous sandbox approaches."
But as these virtual machine sandboxes are still being put through their paces, application sandboxing driven by mainstream commercial software vendors has already been put through the crucible. So, for the sake of simplicity and to keep all of our experts on the same page, we've limited this particular back-and-forth strictly to the discussion of application sandboxing.
Pro: Sandboxing Is An Elegant Workaround For Application Vulnerability Problems
Humans will always be imperfect. And because it is humans who are behind the development of applications, their code will always have vulnerabilities, Carey says.
"We're never going to be able to eliminate all the vulnerability risks. Some people may criticize sandboxing, and say it's some kind of workaround," he says. "But I think that it's the best approach we've taken lately. If you look at how tough it is to actually develop exploits, you quickly realize that this approach works."
Carey and those like him who are strong proponents of sandboxing will rarely argue for sandboxing to replace normal bug-finding and patch remediation efforts. But sandboxes do act as an effective supplement because they further minimize a program's attack surface and quarantine its activities, says Tim "TK" Keanini, chief research officer for nCircle.
"This strategy is similar to the immune system response that creates benign tumors -- essentially the body encapsulates cell errors into a sandbox," he says.
Con: Sandboxing Can Introduce More Complexity And Bugs To The Mix
Nevertheless, skeptics wonder whether the sandboxing cure may be worse than the disease.
"We must remember that this does introduce an additional attack surface and a basic sandbox may do more harm for the security of an application than good," says Tyler Borland, security researcher for Alert Logic.
Yishay Yovel agrees, stating that he believes sandboxing won't be a long-term game changer for several reasons.
"First, sandboxing is a software platform that will have vulnerabilities that can be exploited," says Yovel, vice president of marketing for Trusteer. "Second, the sandbox typically needs some route for users to export content out of the sandbox to the underlying device. This path can be exploited."
Security bugs and software glitches are a big hazard anytime an application uses a second layer of logic for its functions to limit behavior, Parcel says.
"One unfortunate side effect of such second layers of logic is that it can add another source of complexity in its interaction with the primary logic and, hence, bugs," he says. "It has been reported that there have been more crashes in Flash in the new Chrome sandbox."
Even without being plagued specifically by bugs, the extra layer of abstraction still has the potential to hit performance.
"It's a trade-off between functionality and security," says Chris Valasek, senior security research scientist for Coverity. "While 'better' from a security standpoint is a more restrictive sandbox, it may not fit with current functionality requirements."
Pro: Sandboxing Keeps Privileges Low
The gist of most application sandbox approaches is to lower the system privileges granted to that application, limiting what kind of code it can ever execute on a system even when the user's permissions are elevated elsewhere on the machine. According to Valasek, the limited-permissions model is an effective stumbling block for malware that depends on high permission levels to take over a machine.
"For example, the capabilities of a user on a system do not directly correlate to the permissions an Adobe Reader X process has when run by the same user in the sandboxed process," he says. "So if there is a vulnerability, an attacker won't be able to do bad things, such as write files to disk."
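The privilege-reduction idea Valasek describes can be shown concretely on Linux. The following is an added example, not code from Adobe, Google or anyone quoted in this article: a process installs a seccomp-bpf filter on itself so that any open(2)/openat(2) call asking for write or create access fails with EACCES, while read-only opens keep working, which is exactly the "can't write files to disk even after a bug is hit" property described above. The sample file path and its contents are constructed for the demonstration. Real product sandboxes such as Reader X's or Chrome's pair a syscall policy like this with a separate low-privilege process and a broker; this example models only the syscall policy.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Syscall numbers differ per architecture, so the filter first checks the
 * architecture it was compiled for and kills the process on a mismatch. */
#if defined(__x86_64__)
#define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#error "this example only covers x86_64 and aarch64"
#endif

#ifndef SECCOMP_RET_KILL_PROCESS          /* older kernel headers */
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

/* Byte offset of the low 32 bits of syscall argument n (little-endian hosts). */
#define ARG_LO(n) (offsetof(struct seccomp_data, args) + (n) * 8)

/* Any of these open(2) flags means the caller wants to create or modify a file. */
#define WRITE_FLAGS (O_WRONLY | O_RDWR | O_CREAT | O_TRUNC | O_APPEND)
#define DENY_EACCES (SECCOMP_RET_ERRNO | (EACCES & SECCOMP_RET_DATA))

/* Install a seccomp-bpf filter that turns write-mode open/openat calls into
 * EACCES for the rest of this process's life.  Returns 0, or -errno. */
int install_read_only_filter(void)
{
    struct sock_filter filter[] = {
        /* 0-2: architecture check */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* 3: load the syscall number */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        /* 4-8: openat(dirfd, path, flags, ...): flags is argument 2 */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_openat, 0, 4),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_LO(2)),
        BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, WRITE_FLAGS, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, DENY_EACCES),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
#ifdef __NR_open
        /* 9-13: legacy open(path, flags, ...): flags is argument 1 */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_open, 0, 4),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_LO(1)),
        BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, WRITE_FLAGS, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, DENY_EACCES),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
#endif
        /* Everything else is allowed; a production policy is a much longer allowlist. */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof filter / sizeof filter[0]),
        .filter = filter,
    };

    /* Lets an unprivileged process install a filter, and stops the filter
     * from being shed by exec'ing a setuid binary. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -errno;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -errno;
    return 0;
}

/* Create a sample file (constructed content) before the filter is in place. */
int create_sample_file(const char *path)
{
    static const char body[] = "constructed sample content\n";
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -errno;
    ssize_t n = write(fd, body, sizeof body - 1);
    close(fd);
    return n == (ssize_t)(sizeof body - 1) ? 0 : -EIO;
}

/* Attempt open(path, flags): 0 if it succeeded (fd closed again), else -errno. */
int probe_open(const char *path, int flags)
{
    int fd = open(path, flags, 0600);
    if (fd < 0)
        return -errno;
    close(fd);
    return 0;
}

int main(void)
{
    const char *path = "/tmp/sandbox_demo.txt";   /* constructed path */
    if (create_sample_file(path) != 0 || install_read_only_filter() != 0) {
        perror("setup");
        return 1;
    }
    printf("read-only open: %d (0 means allowed)\n", probe_open(path, O_RDONLY));
    printf("write open:     %d (-EACCES means blocked)\n", probe_open(path, O_WRONLY));
    printf("create file:    %d (-EACCES means blocked)\n",
           probe_open("/tmp/sandbox_demo_new.txt", O_WRONLY | O_CREAT));
    return 0;
}
```

The filter deliberately covers only open and openat, so calls such as rename, unlink or mkdir still go through; a policy that is narrower than the application's real behaviour is where the complexity and bugs the article's skeptics worry about creep in, and it is why production sandboxes start from a deny-by-default allowlist rather than from a short denylist like this one.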
Con: It's Possible To Escape The Sandbox Container
But this doesn't mean that sandboxing necessarily solves the vulnerability and exploit problem -- all an attacker needs to do is find a vulnerability that will escalate privileges to a higher level, which will permit more exploit functionality, Valasek says.
"These can be found in the parent process of the sandbox or in the operating system itself," he says. "Windows Kernel vulnerabilities are quite popular for privilege escalations because if exploited, they give the user total control of the system."
So-called "escaping" of the borders of the sandbox neutralizes the security benefits of the containment method. Hackers can craft escaping attacks that exploit vulnerabilities in the sandbox itself or through social engineering if the privilege permissions are at all under the control of the user.
"Clever social engineering, a bad user interface, or plain stupidity can defeat any sandbox," says Axelle Apvrille, senior mobile antivirus researcher at Fortinet's FortiGuard Labs. "And everybody is vulnerable to that, one way or another."
According to Hess, any developer that depends on sandboxing has to address potential escaping attacks if they want to depend on the sandbox as an effective control.
"Bottom line, the market success of any sandboxing effort will always revolve around how permissions to escape the sandbox are managed," he says.
Pro: Stats Bear Out The Success Of Sandboxing So Far
Researchers are increasingly backing up sandboxing's security claims with hard numbers from cases like Adobe Reader and Chrome. For example, the website www.cvedetails.com showed that in 2010, the year Adobe first implemented sandboxing in Acrobat, there were 68 vulnerabilities. So far this year there have been only 30. IBM researchers similarly tracked fewer vulnerabilities and exploits in Adobe products.
"The data that we've accumulated over the first half of this year and also the data that we can trend back to the release of Adobe Reader X shows there's a correlation between a nosedive in PDF vulnerability disclosures and exploitation and the adoption of Adobe Reader X," says Clinton McFadden, senior operations manager for IBM X-Force research and development, pointing to recent results in the IBM X-Force Mid-Year Report.
Con: Sandboxing Is Still In The Honeymoon Period
Yovel believes that part of the favorable early statistics around sandboxing can be attributed to the technology still being in its honeymoon period.
"It is not widely deployed yet," he says. "Ultimately all new security controls get bypassed by advanced threats."
That honeymoon could potentially fizzle out very soon. Security researchers have already found ways to exploit sandbox environments such as Adobe Acrobat X, most notably Zhenhua Liu and Guillaume Lovet of Fortinet, who presented such an exploit at this year's Black Hat Europe event. As Keanini puts it, it's all part of security's circle of co-evolution.
"Like almost everything else in information security, attack strategies and sandboxing defenses are co-evolving. Programs are designed and made more secure with sandbox strategies, then they are eventually exploited so the program is redesigned to be more secure," he says. "Then new exploits are created and the cycle is repeated ad infinitum."