SANDBOXING APPROACH

A Technical Seminar Report

in partial fulfillment of the degree

Bachelor of Technology

in

Computer Science & Engineering

by

P.PRAPUL KUMAR (16K41A0549)

Submitted to

DEPARTMENT OF COMPUTER SCIENCE & ENGINEERING

S R ENGINEERING COLLEGE (A), ANANTHASAGAR, WARANGAL

(Affiliated to JNTUH, Accredited by NAAC A Grade)

2019-2020

S R ENGINEERING COLLEGE 16K41A0549

1
 DEPARTMENT OF COMPUTER SCIENCE & ENGINEERING

CERTIFICATE

This is to certify that the Seminar Report entitled “ SANDBOXING

APPROACH” is a record of bonafide work carried out by the student
P.PRAPUL KUMAR bearing Roll No(s) 16K41A0549 during the academic
year 2019-20 in partial fulfillment of the award of the degree of Bachelor of
Technology in Computer Science & Engineering by the Jawaharlal Nehru
Technological University, Hyderabad.

Seminar Incharge Head of the Department

S R ENGINEERING COLLEGE 16K41A0549

2
 ACKNOWLEDGEMENT

I wish to take this opportunity to express my sincere and deep sense of respect
to our beloved principal Dr. V Mahesh, S R Engineering College for providing
an excellent academic atmosphere in the institution.

I express heartfelt thanks to the Head of Department, Computer Science &

Engineering Mr A. Srinvas for providing me with necessary infrastructure and
thereby giving me freedom to carry out the work.

I also thank the other staff members and friends who assisted me. Finally, I
thank my parents who inspired me always to do the best

S R ENGINEERING COLLEGE 16K41A0549

3
 Table of Contents

1.Introduction

1.1 What is sandboxing?

1.2 How sandboxes are used?

2.Importance & uses of sandboxes

2.1 Importance of sandboxes

2.2 uses of sandboxes

3.Types of Sandboxing

3.1 Java sandboxing

3.2 Linux sandboxing

4.Java sandboxing

4.1 What is Java sandboxing?

4.2 Security in Java

5.Linux sandboxing

5.1 What is Linux sandboxing?

5.2 Namespace

5.3 Types of Namespaces

5.3.1 Mount namespace

5.3.2 PID namespace

5.3.3 UTS namespace

5.4.4 IPC namespace

S R ENGINEERING COLLEGE 16K41A0549

4
 5.4 User Namespace

5.5 chroot

5.6 Ip-netns

6.Benefits of using a sandbox

7.Examples of using a sandbox

8.Sandbox applications

9.Enabling new digital financial services models requires an open-minded

approach to innovation,with sufficient certainly over the legal framework

10.Implementations

11.Conclusion

12.References

S R ENGINEERING COLLEGE 16K41A0549

5
1 Introduction:

1.1 What is sandboxing?

A sandbox is an isolated testing environment that enables users to run programs or execute files
without affecting the application, system or platform on which they run. Software developers use
sandboxes to test new programming code. Cyber security professionals use sandboxes to test
potentially malicious software. Without sandboxing, an application or other system process could
have unlimited access to all the user data and system resources on a network.

1.2 How sandboxes are used?

Sandboxes are also used to safely execute malicious code to avoid harming the device on which the
code is running, the network or other connected devices. Using a sandbox to detect malware offers an
additional layer of protection against security threats, such as stealthy attacks and exploits that
use zero-day vulnerabilities.

2 Importance & uses of sandboxes

2 .1 Importance of sandboxes

As malware becomes more sophisticated, monitoring suspicious behaviour to detect malware has
become increasingly difficult. Many threats in recent years have employed advanced
obfuscation techniques that can evade detection from endpoint and network security products.

Sandboxing protects an organization's critical infrastructure from suspicious code because it runs in a
separate system. It also allows IT to test malicious code in an isolated testing environment to
understand how it works within a system as well as more rapidly detect similar malware attacks.

2.2 Uses of sandboxes

In general, a sandbox is used to test suspicious programs that may contain viruses or other malware,
without allowing the software to harm the host devices.

Sandboxing is an important feature of the Java programming language and development environment,
where the sandbox is a program area and set of rules that programmers need to use when creating Java
code (called an applet) that is sent as part of a web page.

S R ENGINEERING COLLEGE 16K41A0549

6
A sandbox can also enable a mirrored production environment that an external developer can use to
develop an app that uses a web service from the sandbox. This enables third-party developers to
validate their code before migrating it to the production environment.

An API sandbox is targeted at API developers and testers. It mimics the characteristics of the
production environment to create simulated responses for APIs that reflect the behaviour of a real
system.

3 Types of Sandboxing:

3.1 Java sandboxing

• A sandbox typically provides a tightly controlled set of resources for guest programs to run in,
such as limited space on disk and memory.
• In a Java programming language, the sandbox is the program area and it has some set of rules
that programmers need to follow when creating Java code (like an applet) that is sent as part of
a page.
• Since a Java applet is sent automatically as part of the page and can be executed as soon as it
arrives, the applet can easily do harm, either accidentally or intentionally
• The sandbox restrictions provide strict limitations on which system resources the applet can
request or access.The programmer must write code that “plays” only within the sandbox, such
as children are allowed to play within the confined limits of a place. The sandbox can be
conceived as a small area within your computer where an applet’s code can play freely – but it’s
not allowed to play anywhere else.
3.2 LINUX SANDBOXING:

Securing your system is a big priority for every production environment, whether you are a
systems admin or a software developer. The best way to secure your operating system from
doubtful programs or processes is by sandboxing (also termed as jailing). Sandboxing
involves providing a safe environment for a program or software so that you can play around
with it without hurting your system. It actually keeps your program isolated from the rest of
the system, by using any one of the different methods available in the Linux kernel.
Sandboxing can be useful to systems administrators if they want to test their tasks without any
damage and also to developers for testing their pieces of code. A sandbox can help you to
create a different environment from your base operating system. It has become trendy due to
its extensive use by PaaS and SaaS providers.
The idea of jailing is not new since it has been available in UNIX based BSD OSs. For years,

S R ENGINEERING COLLEGE 16K41A0549

7
 BSD has used the concept of ‘jails’, while Solaris has used ‘zones’. But in Linux, this concept
was started with chroot and has been possible because namespaces are present in the Linux
kernel.

4 Java sandboxing
4.1 What is Java sandboxing?

Java applets are sent automatically to the user's browser as part of the web page transmission and can
be executed as soon as they arrive at the browser. Without any other protection, the malicious code
could run without restriction and easily do harm; use of a sandbox to isolate the code can help protect
against both malicious attacks and harm done by buggy Java programs with unlimited access to
memory or operating system services. The sandbox restrictions strictly limit what system resources an
applet can request or access.

The Java sandbox comprises the program area and a set of rules that programmers need to use when
creating Java code sent with web content. The sandbox restrictions set strict limits on what system
resources the applet can request or access. Essentially, the programmer must write code that "plays"
only within the sandbox, much as children are allowed to make anything they want to within the
confined limits of a real sandbox. The sandbox can be conceived as a small area within your computer
where an applet's code can play freely -- but it's not allowed to play anywhere else.

The sandbox is implemented not only by requiring programmers to conform to certain rules but also
by providing code checkers. The Java language itself provides features such as automatic memory
management, garbage collection and the checking of address ranges in strings and arrays that
inherently help to guarantee safe code.

Java's compiled code, known as bytecode, includes a verifier that guarantees adherence to certain
limitations. Java also provides for a local name space within which code may be restricted. The
Java virtual machine (the layer that interprets the Java bytecode for a given computer platform) also
mediates access to system resources and ensures that sandbox code is restricted.

In the original sandbox security model, the sandbox code is generally known as untrusted code. In
later versions of the Java Development Kit (JDK) -- the programmer's development environment --
the sandbox has been made more sophisticated by introducing several levels of trust that the user can

S R ENGINEERING COLLEGE 16K41A0549

8
specify for sandbox code. The more trust the user allows, the more capability the code has to "play"
outside of the sandbox. In the Java Development Kit 1.1 version, the concept of a signed applet was
introduced. An applet accompanied by a digital signature can contain trusted code that is allowed to
execute if the client browser recognizes the signature.

In JDK 2.0, Java provides for assigning different levels of trust to all application code, whether loaded
locally or arriving from the Internet. A mechanism exists to define a security policy that screens all
code -- whether signed or not -- as it executes.

4.2 Security in Java

• The original security model provided by the Java platform is known as the sandbox model,
which existed in order to provide a very restricted environment in which to run untrusted code
obtained from the open network.
• The essence of the sandbox model is that local code is trusted to have full access to vital system
resources (such as the file system) while downloaded remote code (an applet) is not trusted and
can access only the limited resources provided inside the sandbox.

5 LINUX SANDBOXING
5.1 WHAT IS LINUX SANDBOXING?

Securing your system is a big priority for every production environment, whether you are a systems
admin or a software developer. The best way to secure your operating system from doubtful programs
or processes is by sandboxing (also termed as jailing). Sandboxing involves providing a safe
environment for a program or software so that you can play around with it without hurting your
system. It actually keeps your program isolated from the rest of the system, by using any one of the
different methods available in the Linux kernel. Sandboxing can be useful to systems administrators if
they want to test their tasks without any damage and also to developers for testing their pieces of
code. A sandbox can help you to create a different environment from your base operating system. It
has become trendy due to its extensive use by PaaS and SaaS providers.

S R ENGINEERING COLLEGE 16K41A0549

9
The idea of jailing is not new since it has been available in UNIX based BSD OSs. For years, BSD
has used the concept of ‘jails’, while Solaris has used ‘zones’. But in Linux, this concept was started
with chroot and has been possible because namespaces are present in the Linux kernel.

5.2 Namespaces:
Namespaces are features available in Linux to isolate processes in different system resource aspects.
There are six types of namespaces available up to kernel 4.0. And more will be added in the future.
These are:

• mnt (mount points, file systems)

• pid (processes)

• net (network stack)

• ipc (system V IPC)

• uts (host name)

• user (UIDs)
Linux namespaces are not new. The first one was added to Linux in 2008 (Linux kernel 2.6), but they
became more widely used only in Linux kernel 3.6, when work on the most complex of them all —
the users namespace — was completed. Linux kernel uses clone(), unshare() and setns() system calls
to create and control namespaces.
Creation of new namespaces is done by the clone() system call, which is also used to start a process.
The setns() system call adds a running process to the existing namespace. The unshare() call works on
a process inside the namespace, and makes the caller a member of the namespace. Its main purpose is
to isolate the namespace without having to create a new process or thread (as is done by clone()).You
can directly use some services to get the features of these namespaces. CLONE_NEW* identifiers are
used with these system calls to identify the type of namespace. These three system calls make use of
the CLONE_NEW* as CLONE_NEWIPC, CLONE_NEWNS, CLONE_NEWNET,
CLONE_NEWPID, CLONE_NEWUSER, and CLONE_NEWUTS. A process in a namespace can be
different because of its unique inode number when it is created.

#ls -al /proc/<pid>/ns

lrwxrwxrwx 1 root root 0 Feb 7 13:52 ipc -> ipc:[4026532253]

lrwxrwxrwx 1 root root 0 Feb 7 15:39 mnt -> mnt:[4026532251]

S R ENGINEERING COLLEGE 16K41A0549

10
lrwxrwxrwx 1 root root 0 Feb 7 13:52 net -> net:[4026531957]

lrwxrwxrwx 1 root root 0 Feb 7 13:52 pid -> pid:[4026532254]

lrwxrwxrwx 1 root root 0 Feb 7 13:52 user -> user:[4026531837]

lrwxrwxrwx 1 root root 0 Feb 7 15:39 uts -> uts:[4026532252]

5.3 TYPES OF NAMESPACES:

• Mount namespace:A process views different mount points other than the original system
mount point. It creates a separate file system tree associated with different processes, which
restricts them from making changes to the root file system.

• PID namespace: PID namespace isolates a process ID from the main PID hierarchy. A
process inside a PID namespace can have the same PID as a process outside it, and even
inside the namespace, you can have different init with PID 1.

• UTS namespace: In the UTS (UNIX Timesharing System) namespace, a process can have a
different set of domain names and host names than the main system. It uses sethostname() and
setdomainname() to do that.

• IPC namespace: This is used for inter-process communication resources isolation and
POSIX message queues.
5.4 User namespace

This isolates user and group IDs inside a namespace, which is allowed to have the same UID
or GID in the namespace as in the host machine. In your system, unprivileged processes can
create user namespaces in which they have full privileges.
Network namespace: Inside this namespace, processes can have different network stacks,
i.e., different network devices, IP addresses, routing tables, etc.
Sandboxing tools available in Linux use this namespaces feature to isolate a process or create
a new virtual environment. A much more secure tool will be that which uses maximum
namespaces for isolation. Now, let’s talk about different methods of sandboxing, from soft to
hard isolation.

S R ENGINEERING COLLEGE 16K41A0549

11
 5.5chroot
chroot is the oldest sandboxing tool available in Linux. Its work is the same as mount namespace, but
it is implemented much earlier. chroot changes the root directory for a process to any chroot directory
(like /chroot). As the root directory is the top of the file system hierarchy, applications are unable to
access directories higher up than the root directory, and so are isolated from the rest of the system.
This prevents applications inside the chroot from interfering with files elsewhere on your computer.
To create an isolated environment in old SystemV based operating systems, you first need to copy all
required packages and libraries to that directory. For demonstration purposes, I am running ‘ls’ on the
chroot directory.
First, create a directory to set as root a file system for a process:

<em>#mkdir /chroot</em>

Next, make the required directory inside it.

<em>#mkdir /chroot/{lib,lib64,bin,etc}</em>

Now, the most important step is to copy the executable and libraries. To get the shell inside
the chroot, you also need /bin/bash.

#cp -v /bin/{bash,ls} /chroot/bin

To see the libraries required for this script, run the following command:

#ldd /bin/bash

linux-vdso.so.1 (0x00007fff70deb000)

libncurses.so.5 => /lib/x86_64-linux-gnu/libncurses.so.5 (0x00007f25e33a9000)

libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007f25e317f000)

libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f25e2f7a000)

libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f25e2bd6000)

/lib64/ld-linux-x86-64.so.2 (0x00007f25e360d000)

#ldd /bin/ls

linux-vdso.so.1 (0x00007fff4f8e6000)

S R ENGINEERING COLLEGE 16K41A0549

12
libselinux.so.1 => /lib/x86_64-linux-gnu/libselinux.so.1 (0x00007f9f00aec000)

libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f9f00748000)

libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007f9f004d7000)

libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f9f002d3000)

/lib64/ld-linux-x86-64.so.2 (0x00007f9f00d4f000)

libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f9f000b6000)

Now, copy these files to the lib or lib64 of /chroot

as required.
Once you have copied all the necessary files, it’s time to enter the chroot.

#sudo chroot /chroot/ /bin/bash

You will be prompted with a shell running inside your virtual environment. Here, you don’t have
much to run besides ls, but it has changed the root file system for this process to /chroot.
To get a more full-featured environment you can use the debootstrap utility to bootstrap a basic
Debian system:

#debootstrap --arch=amd64 unstable my_deb/

It will download a minimal system to run under chroot. You can use this to even test 32-bit
applications on 64-bit systems or for testing your program before installation. To get process
management, mount proc to the chroot, and to make the contents of home ‘lost on exit’,
mount tmpfs at /home//:

#sudo mount -o bind /proc my_deb/proc

#mount -t tmpfs -o size=100m tmpfs /home/user

To get Internet connection inside, use the following command:

#sudo cp /etc/resolv.conf /var/chroot/etc/resolv.conf

After that, you are ready to enter your environment.

#chroot my_deb/ /bin/bash

S R ENGINEERING COLLEGE 16K41A0549

13
Here, you get a whole basic operating system inside your chroot. But it differs from your main system
by mount point, because it only uses the mount property as the isolator. It has the same hostname, IP
address and process running as in the main system. That’s why it is much less secure (this is even
mentioned in the man page of chroot), and any running process can still harm your computer by
killing your tasks or affecting network based services.

• To run graphical applications inside chroot, open x server by running the following
command on the main system:

#xhost +

and on chroot system

#export DISPLAY=:0.0

On systemd based systems, chrooting is pretty straightforward. It’s needed to define the root directory
on the processes unit file only.

[Unit]

Description=my_chroot_Service

[Service]

RootDirectory=/chroot/foobar

ExecStartPre=/usr/local/bin/pre.sh

ExecStart=/bin/my_program

RootDirectoryStartOnly=yes

Here Root Directory shows where the root directory is for the foobar process.

• The program script path has to be inside chroot, which makes the full path of that process
script as /chroot/bin/my_program.

Before the daemon is started, a shell script pre.sh is invoked, the purpose of which is to set up the
chroot environment as necessary, i.e., mount /proc and similar file systems into it, depending on what
the service might need. You can start your service by using the following command:

S R ENGINEERING COLLEGE 16K41A0549

14
#systemctl start my_chroot_Service.service

5.6Ip-netns
The Ip-netns utility is one of the few that directly use network namespaces to create virtual interfaces.
To create a new network namespace, use the following command:

#ip netns add netns1

To check the interfaces inside, use the command shown below:

#ip netns exec netns ip addr

You can even get the shell inside it, as follows:

#ip netns exec netns /bin/bash

This will take you inside the network namespace, which has only a single network interface with no
IP. So, you are not connected with the external network and also can’t ping.

#ip netns exec netns ip link set dev lo up

This will bring the loop interface up. But to connect to the external network you need to create a
virtual Ethernet and add it to netns as follows:

# ip link add veth0 type veth peer name veth1

# ip link set veth1 netns netns1

Now, it’s time to set the IP to these devices, as follows:

# ip netns exec netns1 ifconfig veth1 10.1.1.1/24 up

# ifconfig veth0 10.1.1.2/24 up

• Unshare
The unshare utility is used to create any namespace isolated environment and run a program
or shell inside it.
To get a network namespace and run the shell inside it, use the command shown below:

#unshare --net /bin/bash

S R ENGINEERING COLLEGE 16K41A0549

15
The shell you get back will come with a different network stack. You can check this by using #ip
addr, as follows:

1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT group default

link/loopback00:00:00:00:00:00 brd 00:00:00:00:00:00

To create a user namespace environment, use the following command:

#unshare --user /bin/bash

You can check your user inside the shell by using the command below:

#whoami

Nobody

To get the PID namespace, use the following command:

#unshare --pid --fork /bin/bash

Inside this namespace, you can see all the processes but cannot kill any.

#ps -aux |grep firefox

root 1110 42.6 11.0 1209424 436756 tty1 Sl 23:36 0:15 .firefox1/./firefox

root 1208 0.0 0.0 12660 1648 pts/2S+ 23:37 0:00 grepfirefox

#kill 1110

bash: kill: (1110) - No such process

To get a whole different degree of process tree isolation you need to mount another proc for the
namespace, as follows:

unshare --pid --fork --mount-proc /bin/bash

In this way, you can use unshare to create a single namespace. More about it can be found out on the
man page of unshare.

• A namespace created by using unshare can also be combined to create a single shell which
uses different namespaces. For example:

S R ENGINEERING COLLEGE 16K41A0549

16
#unshare --pid --fork --user /bin/bash

This will create an isolated environment using the PID and user namespaces.

• Firejail
Firejail is an SUID sandbox program that is used to isolate programs for testing or security
purposes. It is written in C and can be configured to use most of the namespaces. To start a
service in firejail, use the following command:

#firejail firefox

It will start Firefox in a sandbox with the root file system mounted as read only. To start Firefox with
only ~/Downloads and ~/.mozilla mounted to write, use the following command:

#firejail --whitelist=~/.mozilla --whitelist=~/Download firefox

Firejail, by default, uses the user namespace and mounts empty temporary file systems (tmpfs) on top
of the user home directory in private mode. To start a program in private mode, use the command
given below:

#firejail --private firefox

To start firejail in a new network stack, use the following command:

#firejail --net=eth0 --whitelist=~/.mozilla --whitelist=~/Download firefox

To assign an IP address to the sandbox, use the following command:

#firejail --net=eth0 --ip=192.168.1.155 firefox

• To sandbox all programs running by a user, you can change the default shell of that user to
/usr/bin/firejail.

#chsh –shell /usr/bin/firejail

• Containers

S R ENGINEERING COLLEGE 16K41A0549

17
Learning about virtualisation technologies, what attracted me most were containers because of their
easy deployment. Containers (also known as lightweight virtualisation) are tools for isolation, which
use namespaces for the purpose. They are a better sandboxing utility, because they generally use more
than one namespace and are more focused on creating a whole virtual system instance rather than
isolating a single process.
Containers are not a new technology. They have been in UNIX and Linux for decades but due to their
increasing use in SaaS and PaaS, they have become a hot topic since they provide the most secure
environment to deliver and use these services. They are called lightweight virtualisation because they
provide process level isolation, which means they depend on the Linux kernel. Hence, only those
instances can be created which use the same base kernel. There are lots of containers available for
Linux that have gained popularity over the past few years.

• Systemd-nspawn
This is a utility available by default with systemd, which creates separate containers for
isolation. It uses mount and PID namespaces by default but another namespace can also be
configured. To create a container or isolated shell, you need to download a basic distribution
which we have done already, using debootstrap. To get inside this container, use the code
below:

#systemd-nspawn -D my_deb

This container is stronger then chroot because it not only has a different mount point but also a
separate process tree (check it by ps -aux). But still, the hostname and IP interfaces are the same as the
host system. To add your own network stack, you need to connect to the existing network bridge.

#systemd-nspawn -D my_deb --network-bridge=br0

This will start the container with the network namespace with a pair of veth devices. You can even
boot the instance by the -b option, as follows:

#systemd-nspawn -bD my_deb

• While booting the container, you will be required to enter the password of the root user; so
first run #passwd inside to set the root password.
The whole nspawn project is relatively young; hence there is still a lot that needs to be
developed.

S R ENGINEERING COLLEGE 16K41A0549

18
 • Docker
Docker is the smartest and most prominent container in Linux to run an applications
environment. Over the past few years, it has grabbed the most attention. Docker containers
use most of the namespaces and croup’s present in systemd for providing a strong isolated
environment. Docker runs on the Docker daemon, which starts an isolated instance like
systemd-nspawn, in which any service can be deployed with just a few tweaks. It can be used
as a sandboxing tool to run applications securely or to deploy some software service inside it.
To get your first Docker container running, you need to first start the Docker daemon, and
then download the base image from the Docker online repository, as follows:

#service docker start

#docker pull kalilinux/kali-linux-docker

• You can also download other Docker images from the Docker Hub (https://hub.docker.com/).
It will download the base Kali Linux image. You can see all the available images on your
system by using the following code:

#docker images

REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE

kalilinux/kali-linux-docker

latest 63ae5ac8df0f 1 minute ago 325 MB

centos centos6 b9aeeaeb5e17 9 months ago 202.6 MB

hello-world latest 91c95931e552 9 months ago 910 B

To run a program inside your container, use the command given below:

#docker run -i -t kalilinux/kali-linux-docker ls

bin dev home lib64 mnt proc run selinux sys usr

boot etc. lib media opt root sbin srv tmp var

This will start (run) your container, execute the command and then close the container. To get an
interactive shell inside the container, use the command given below:

#docker run -t -i kalilinux/kali-linux-docker /bin/bash

S R ENGINEERING COLLEGE 16K41A0549

19
root@24a70cb3095a:/#

This will get you inside the container where you can do your work, isolated from your host
machine. 24a70cb3095a is your container’s ID. You can check all the running containers by using the
following command:

#docker ps

CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES

24a70cb3095a kalilinux/kali-linux-docker“/bin/bash” About a minute ago Up About a minute angry_cori

While installing the Docker image, Docker automatically creates a veth for Docker, which makes the
Docker image connect to the main system. You can check this by using #ifconfig and pinging your
main system. At any instance, you can save your Docker state as a new container by using the code
given below:

#docker commit 24a70cb3095a new_image

#docker images

REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE

new_image latest a87c73abca9d 6 seconds ago 325 MB

kalilinux/kali-linux-docker

latest 63ae5ac8df0f 1 hours ago 325 MB

centos centos6 b9aeeaeb5e17 9 months ago 202.6 MB

hello-world latest 91c95931e552 9 months ago 910 B

You can remove that image by using #docker rmi new_image. To stop a container, use docker stop
and after that remove the files created on the host node by that container.

#docker stop 24a70cb3095a

#docker rm 24a70cb3095a

For running applications on a Docker instance, you may require to attach it to the host system in some
way. So, to mount the external storage to the Docker image, you can use the -v flag, as follows:

#docker run -it -v /temp/:/home/ kalilinux/kali-linux-docker /bin/bash

S R ENGINEERING COLLEGE 16K41A0549

20
This will mount /temp/ from the main system to the /home/ of the host system. To attach the Docker
port to an external system port, use -–p:

#docker run -it -v /temp/:/home/ -p 4567:80 kalilinux/kali-linux-docker /bin/bash

This will attach the external port 4567 to the container’s port 80. This can be very useful for SaaS and
PaaS, provided that the deployed application needs to connect to the external network. Running GUI
applications on Docker can often be another requirement. Docker doesn’t have x server defined so, to
do that, you need to mount the x server file to the Docker instance.

#docker run -it -v -e DISPLAY=$DISPLAY -v /tmp/.X11-unix:/tmp/.X11-unix \ kalilinux/kali-linux-docker /bin/bash

This will forward the X11 socket to the container inside Docker. To ship the Docker image to another
system, you need to push it on the Docker online repository, as follows:

#docker push new_image

You can even save the container image in the tar archive:

#docker export new_image

There is a lot more to learn on Docker, but going deeper into the subject is not the purpose of this
article. The positive point about Docker is its many tutorials and hacks available online, from which
you can easily get a better understanding of how to use it to get your work done. Since its first release
in 2013, Docker has improved so much that it can be deployed in a production or testing environment
because it is easy to use.
There are other solutions made for Docker, which are designed for all scenarios. These include
Kubernetes (a Google project for the orchestration of Docker), Swarm and many more services for
Docker migrations, which provide graphical dashboards, etc. Automation tools for systems admins
like Puppet and Chef are also starting to provide support to Docker containers. Even systemd has
started to provide a management utility for nspawn and other containers with a number of tools like
machinectl and journalctl.

• Machinectl
This comes pre-installed with the systemd init manager. It is used to manage and control the
state of the systemd based virtual machine, and the container works underneath the system
service. To see all containers running in your system, use the command given below:

S R ENGINEERING COLLEGE 16K41A0549

21
#machinectl –a

To get a status of any running container, use the command given below:

#machinectl status my_deb

• Machinectldoesn’t show Docker containers, since the latter run behind the Docker daemon.

To log in to a container, use the command given below:

#machinectl login my_deb

Switch off a container, as follows:

#machinectl power off my_deb

To kill a container forcefully, use the following command:

#machinectl -s kill my_deb

To view the logs of a container, you can use journalctl, as follows:

#journalctl -M my_deb.

6 Benefits of using a sandbox

Using a sandbox to test software changes before they go live means there are fewer problems during
and after testing because the testing environment is totally separate from the production environment.

Sandboxing is also great for quarantining zero-day threats that exploit unreported vulnerabilities.
Although there's no guarantee that sandboxing will stop zero-day threats, it offers an additional layer
of security by separating the threats from the rest of the network. When threats and viruses are
quarantined, cybersecurity experts can study them to identify patterns, helping to prevent future
attacks and identify other network vulnerabilities.

S R ENGINEERING COLLEGE 16K41A0549

22
Sandboxing also complements other security programs, including behavior monitoring and virus
programs. It offers added protection against certain strains of malware that an antivirus program may
not detect.

7 Examples of using a sandbox

Sandboxes can be used to isolate code execution in almost any situation that software code is being
executed. Some specific examples of using a sandbox to isolate code execution include:

• Web browsers: A trusted web browser can be run inside a sandbox. Then if a website exploits a
vulnerability in that web browser, the damage is limited to the sandbox and minimized.

• Software protection: There are tools that enable users to run software they don't trust in sandboxes
so that the software can't access their private data or harm their devices. Because a sandbox
appears to be a complete system to the software, the software usually can't detect that it's
constrained to a virtual environment.

• Security research: Information security professionals use sandboxes for research or to detect
malicious code. For instance, a security tool could visit websites to monitor what files are
ultimately changed or it could install and run software.

• Virtualization: A virtual machine is basically a type of sandbox. This approach uses a virtual
machine-based sandbox to contain and examine suspicious programs.

8 Sandbox applications

Sandbox applications include:

• Browser plug-in content often depended on using a sandbox to screen content loaded by browser
plug-ins, including Microsoft Silverlight and Adobe Flash. However, this type of content has
been notoriously difficult to keep safe. While it was safer to play a flash game on a web page than
to download the game and run it as a standard program, content publishers have largely moved
away from such plug-ins in favor of publishing active content using HTML5 -- which includes
the sandbox attribute to instruct the browser to disable any features that may present security
risks.

• PDFs and other documents may include executable code, so Adobe Reader runs PDF files in a
sandbox, which stops them from escaping the PDF viewer and interfering with the rest of the

S R ENGINEERING COLLEGE 16K41A0549

23
 computer. Microsoft Office also has a sandbox mode to stop unsafe macros from tampering with
a system.

• Mobile apps are generally executed by mobile platforms in sandboxes. Apps for iOS, Android
and Windows are prohibited from doing many of the things standard desktop apps can do. For
example, to access a user's location, they have to declare permissions. Additionally, the sandbox
isolates the applications, preventing them from tampering with each other.

9 Enabling new digital financial services models requires an open-minded

approach to innovation, with sufficient certainty over the legal framework.

• Innovations in financial technology (fintech) include mobile phones, digital platforms,

biometrics, online peer-to-peer lending, crowdfunding, and blockchains. For small businesses
and households, these innovations all hold much promise as tools for helping meet modern
financial needs. They can also assist institutions scale up operations efficiently, as well as
making transactions faster and safer. In short, fintech could become the lynchpin for financial
inclusion.
• However, fintech innovations are not risk-free, and their transformative implications are being
scrutinized by regulators, including the Financial Stability Board. Regulators are exploring
ways to apply innovation responsibly – ways to manage systemic risks that may arise from
technological change.
• A few developed market regulators—the UK’s Financial Conduct Authority, the Monetary
Authority of Singapore and the Australian Securities and Investments Commission—recently
allowed the private sector to experiment within certain bounds to learn how to regulate and
supervise this emerging industry, using a “sandbox” approach.
• Although publicized as novel, the “sandbox” is not a new concept; it is just a new expression.
Quite sometime back in many developing countries, regulators adopted a flexible “test and
learn” approach to foster innovation. By letting regulation follow change, the central banks of
the Philippines and Tanzania created space for innovating with digital financial services
(DFS) to glean a better understanding of the business, its operational risks and mitigating
factors. Both countries authorized reputable early implementers to try new products and
business models under close monitoring and frequent contact, rather than imposing a
predetermined regulatory framework upfront.
• At the time, supervisors saw this as somewhat outside their mandate. They argued that there
was a conflict of interest between regulatory and developmental roles. Given this backdrop,
the recent decisions of the UK, Singaporean and Australian market regulators to go with a
‘regulatory sandbox’ vindicates the old “test and learn” approach.

S R ENGINEERING COLLEGE 16K41A0549

24
 • The sandbox gives limited authorization for fintech startups to test new products and models
with a small number of actual users in a simulated environment. This gives them more time to
build and test business ideas, instead of spending time navigating complex financial services
regulations. Focusing on regulatory compliance eats up seed capital before anyone knows
whether an idea could work and be scaled up. Participants are nonetheless required to follow
rules on marketing, privacy, anti-money laundering, disclosure, and management of conflicts
of interest.
• Establishing fintech offices that bring together business innovators with regulators is another
related development. Some governments also allocate funds for setting up innovation labs,
and supporting infrastructure.
• Piloting a product or business model in the sandbox will help companies manage their
regulatory risk during testing. Restricting transaction size will limit any large adverse
consequence of product or model failure. And this approach also allows regulators to test new
financial products and services for risk and compliance, along with creating preconditions for
ensuring competition and successful uptake. It will also improve access to sustainable equity
financing.
• Only when the risks of applying new technology become material would companies be
required to obtain full regulatory approval. Once a business grows and reaches a certain
critical mass, it could pose significant potential impact on financial stability through possible
operational disruption of core financial institutions or infrastructure, or badly affect a large
number of consumers.
• A unique aspect is the agreement to cooperate between regulatory bodies in the UK,
Singapore and Australia to share information and implement a referral process. Thus, fintech
firms from these jurisdictions are not likely to face regulatory barriers when entering each
other’s markets.
• Developing country experience shows that traditional financial players, when restricted by
regulations, do not meet end-user needs. Enabling new DFS models requires an open-minded
approach to innovation, with sufficient certainty over a legal framework that protects users
and clearly assigns liabilities. If regulators understand the product and their risks, they can
tailor the regulatory regime to specific risk characteristics.
• Governments in Asia and the Pacific should actively promote investment in developing
digital financial infrastructure. And regulators must also encourage piloting innovative fintech
applications to build better synergies with the real sector to boost productivity,
competitiveness, and resilience.

S R ENGINEERING COLLEGE 16K41A0549

25
10 IMPLEMENTATIONS:

A sandbox is implemented by executing the software in a restricted operating system environment,

thus controlling the resources (for example, file descriptors, memory, file system space, etc.) that a
process may use.[3]

Examples of sandbox implementations include the following:

• Linux application sandboxing, built on Seccomp, cgroups and Linux namespaces. Notably used
by Systemd, Google Chrome, Firefox, firejail.
• Google Sandboxed AP
• A jail: network-access restrictions, and a restricted file system namespace. Jails are most
commonly used in virtual hosting.
• Rule-based execution gives users full control over what processes are started, spawned (by other
applications), or allowed to inject code into other applications and have access to the net, by
having the system assign access levels for users or programs according to a set of determined
rules. It also can control file/registry security (what programs can read and write to the file
system/registry). In such an environment, viruses and Trojans have fewer opportunities of
infecting a computer. The SELinux and Apparmor security frameworks are two such
implementations for Linux.
• Virtual machines emulate a complete host computer, on which a conventional operating system
may boot and run as on actual hardware. The guest operating system runs sandboxed in the sense
that it does not function negatively on the host and can only access host resources through the
emulator.
• Sandboxing on native hosts: Security researchers rely heavily on sandboxing technologies to
analyse malware behaviour. By creating an environment that mimics or replicates the targeted
desktops, researchers can evaluate how malware infects and compromises a target host.
Numerous malware analysis services are based on the sandboxing technology.[7]
• Native Client is a sandbox for running compiled C and C++ code in the browser efficiently and
securely, independent of the user’s operating system.[8]
• Capability systems can be thought of as a fine-grained sandboxing mechanism, in which
programs are given opaque tokens when spawned and have the ability to do specific things based
on what tokens they hold. Capability-based implementations can work at various levels, from
kernel to user-space. An example of capability-based user-level sandboxing involves HTML
rendering in a Web browser.
• Secure Computing Mode (seccomp) is a sandbox built in the Linux kernel. When activated in
strict mode, seccomp only allows the write() , read() , exit() , and sigreturn() system calls.

S R ENGINEERING COLLEGE 16K41A0549

26
• HTML5 has a "sandbox" attribute for use with iframes.[9]
• Java virtual machines include a sandbox to restrict the actions of untrusted code, such as a Java
applet.
• The .NET Common Language Runtime provides Code Access Security to enforce restrictions on
untrusted code.
• Software Fault Isolation (SFI),[10] allows running untrusted native code by sandboxing all store,
read and jump assembly instructions to isolated segments of memory.
• Windows Vista and later editions include a "low" mode process running, known as "User
Account Control" (UAC), which only allows writing in a specific directory and registry keys.
Windows 10, from version 1903 (released May 2019), provides a feature known as "Windows
Sandbox: an isolated, temporary, desktop environment where you can run untrusted software
without the fear of lasting impact to your PC". [11]

Some of the use cases for sandboxes include the following:

• Online judge systems to test programs in programming contests.

• New-generation pastebins allowing users to execute pasted code snippets on the pastebin's server.

11 Conclusion:
A sandbox is a type of software testing environment that enables the isolated execution of software or
programs for independent evaluation, monitoring or testing. In an implementation, a sandbox also
may be known as a test server, development server or working directory. As one of the most common
software testing techniques, a sandbox is useful in environments with one or more simultaneously
operating software programs. A sandbox creates an operational environment in which the execution,
operation and processes of software testing is not affected by other running programs. Additionally,
the sandbox technique is implemented in information security to evaluate suspicious software or files
containing malicious code. Typically, the source code of sandboxed software is not tested prior to
isolation, which reduces unexpected behaviour.

12 Reference:

https://www.techopedia.com/definition/27681/sandbox-software-development
https://en.wikipedia.org/wiki/Sandbox_(software_development)
https://searchsecurity.techtarget.com/definition/sandbox

S R ENGINEERING COLLEGE 16K41A0549

27