Friday, July 14, 2006

Sandboxing for System Security

OK.

See if any of these scenarios apply to you.

1) The latest, hottest, coolest software application just got posted to the web and you really want to try it, but don't want to toast your system.

2) You just can't wait to do analysis of a possible malevolent file you collected off a pc, but don't want to toast your system.

3) You want to do some "security research" at known browser-hijacking websites, but don't want to toast your system.

4) You provide tech-support to your parents/grandparent's pc and besides being tired of cleaning malware off each visit, you worry about their "click-happy" browsing behavior.

If these computing activities sound like a fun or frequent experience for you, but you don't have a spare test-bed pc handy, using a software "sandbox" may be just what you need.

Quoting from the Wikipedia: "The sandbox typically provides a tightly-controlled set of resources for guest programs to run in, such as scratch space on disk and memory. Network access, the ability to inspect the host system or read from input devices is usually disallowed or heavily restricted."

Think of software sandboxes as being like "quarantine" rooms for your pc. Depending on the product, they will segregate the program from the system, allow it a protected "scratch-box" to write data and settings needed for execution, monitor code behavior and may even block actions outright or based on rule-sets. Sandboxes are a great resource to test and experiment with new programs and executable code while maintaining a firm grip on leaving your base system untouched/unmodified.

Software sandboxes were previously a realm left for developers, malware and security research/responders, enterprise test-labs, or the hard-core geeks. Today, polished and usable products have come down from the tech-mountain to be viable alternatives for the masses of daily pc users.

Software Sandbox Suggestions

Sandboxie - Free - The sandbox software I am using on my pc's is Sandboxie. It is a very good and well recommended application for Windows . Only drawback--requires Windows 2000/XP flavors only. Although primarily aimed at running web-browsers (IE, Firefox, Opera, etc.) in a sandbox environment for system safety, it can actually be used to run almost any program file in a sandbox state. You can even install many programs, and system tools into Sandboxie, just not system software. It is a really clever piece of software that all sysadmins should consider using. Note: It does install as a startup/auto-run item, but you can disable that with msconfig, hijackthis, autoruns, etc. and just run on demand as I prefer to do.

Virtual Sandbox 2.0 - $$/Free - Developed by Fortres Grand Corporation, this is a polished software sandbox application (though the robot-dude mascot reminds me of Bender). The interface on sandboxed apps is very clear and easy to read and the security alerts provide additional dialog on what is happening. Version 2.0 can be downloaded and tried for free, but costs $49.95. Version 1.0 is free and carries many of the same features, but is not as refined as v2.0.

Greenborder Pro (Consumer) - Free/$$ - Greenborder integrates with the Internet Explorer web browser, although the company reports it will be supporting Firefox soon. It creates a sandbox for IE to operate in thus shielding the host system's files and folders from intrusion by any internet borne baddies. Download before July 28th and you will get a year's free subscription. Review at PCMag.com

Bufferzone - Free/$$ - Trustware's sandbox product. The free version allows protection for a limited number of single-running applications. The full-protection product expands the options for users. If you use just a single browser most of the time, the free version may be all you need.

GeSWall Personal Edition - Free - GentleSecurity's sandbox product. It appears to focus primarily on providing automatic sandbox protection to (primarily) Internet utilizing/related applications.

Sandbox Recommendations

If you just want to lock-down the browsing experience for your supported family members, go with the browser-centric sandboxes like GeSWall Personal Edition, Bufferzone, or Greenborder Pro (Consumer).

If your sandboxing requirements extend to desktop and system applications and not just Internet tools, then consider checking out Sandboxie or one of the Fortres Grand Virtual Sandbox versions. These provide a wider range of system and application protection.

Of course, I can't fail to mention Norman SandBox ($-$$). This product functions in a "hybrid" sandbox mode: Data files come into the pc, they are scanned for infection, valid data is passed into the Norman Sandbox for execution in the sandbox environment and suspicious code/files are stopped. valid data is passed through to the production computing system. As an alternative solution, Norman SandBox also offers a free service for users to submit suspicious file samples for analysis.

Additional Subject Links

Want to stop viruses? Let script kiddies play in the sandbox - ZDNet

AV ALTERNATIVES: Extending Scanner Range - Information Security Magazine (Feb 2001) dated but still useful information.

See you in the skies,
--Claus

2 comments:

Anonymous said...

You have forgot about DefenseWall HIPS here

Anonymous said...

I think I left that one out only because I was trying to cover versions that offered a fully freeware version that people could use without a time-limit.

Some of the vendors I listed do offer $$ versions/trial versions as well, but they do have a version that is freeware or (effectively) not time-limited in usage.

I believe I looked into your product, but since it was trial-ware for just 30-days, I chose not to include it in this roundup.

Not to say that your product isn't worth interested customers checking out. I think it's gotten some good feedback.

Thanks for stopping by. I'm happy to have it listed here in the comments for anyone interested in looking for more options:

DefenseWall HIPS
For Windows 2000/XP/2003.
Shareware, 30-days full-functional trial.
SoftSphere Technologies

--Claus