Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Bachelor of Technology
in
by
Submitted to
2019-2020
CERTIFICATE
I wish to take this opportunity to express my sincere and deep sense of respect
to our beloved principal Dr. V Mahesh, S R Engineering College for providing
an excellent academic atmosphere in the institution.
I also thank the other staff members and friends who assisted me. Finally, I
thank my parents who inspired me always to do the best
1.Introduction
3.Types of Sandboxing
4.Java sandboxing
5.Linux sandboxing
5.2 Namespace
5.5 chroot
5.6 Ip-netns
8.Sandbox applications
10.Implementations
11.Conclusion
12.References
A sandbox is an isolated testing environment that enables users to run programs or execute files
without affecting the application, system or platform on which they run. Software developers use
sandboxes to test new programming code. Cyber security professionals use sandboxes to test
potentially malicious software. Without sandboxing, an application or other system process could
have unlimited access to all the user data and system resources on a network.
Sandboxes are also used to safely execute malicious code to avoid harming the device on which the
code is running, the network or other connected devices. Using a sandbox to detect malware offers an
additional layer of protection against security threats, such as stealthy attacks and exploits that
use zero-day vulnerabilities.
2 .1 Importance of sandboxes
As malware becomes more sophisticated, monitoring suspicious behaviour to detect malware has
become increasingly difficult. Many threats in recent years have employed advanced
obfuscation techniques that can evade detection from endpoint and network security products.
Sandboxing protects an organization's critical infrastructure from suspicious code because it runs in a
separate system. It also allows IT to test malicious code in an isolated testing environment to
understand how it works within a system as well as more rapidly detect similar malware attacks.
In general, a sandbox is used to test suspicious programs that may contain viruses or other malware,
without allowing the software to harm the host devices.
Sandboxing is an important feature of the Java programming language and development environment,
where the sandbox is a program area and set of rules that programmers need to use when creating Java
code (called an applet) that is sent as part of a web page.
An API sandbox is targeted at API developers and testers. It mimics the characteristics of the
production environment to create simulated responses for APIs that reflect the behaviour of a real
system.
3 Types of Sandboxing:
Securing your system is a big priority for every production environment, whether you are a
systems admin or a software developer. The best way to secure your operating system from
doubtful programs or processes is by sandboxing (also termed as jailing). Sandboxing
involves providing a safe environment for a program or software so that you can play around
with it without hurting your system. It actually keeps your program isolated from the rest of
the system, by using any one of the different methods available in the Linux kernel.
Sandboxing can be useful to systems administrators if they want to test their tasks without any
damage and also to developers for testing their pieces of code. A sandbox can help you to
create a different environment from your base operating system. It has become trendy due to
its extensive use by PaaS and SaaS providers.
The idea of jailing is not new since it has been available in UNIX based BSD OSs. For years,
4 Java sandboxing
4.1 What is Java sandboxing?
Java applets are sent automatically to the user's browser as part of the web page transmission and can
be executed as soon as they arrive at the browser. Without any other protection, the malicious code
could run without restriction and easily do harm; use of a sandbox to isolate the code can help protect
against both malicious attacks and harm done by buggy Java programs with unlimited access to
memory or operating system services. The sandbox restrictions strictly limit what system resources an
applet can request or access.
The Java sandbox comprises the program area and a set of rules that programmers need to use when
creating Java code sent with web content. The sandbox restrictions set strict limits on what system
resources the applet can request or access. Essentially, the programmer must write code that "plays"
only within the sandbox, much as children are allowed to make anything they want to within the
confined limits of a real sandbox. The sandbox can be conceived as a small area within your computer
where an applet's code can play freely -- but it's not allowed to play anywhere else.
The sandbox is implemented not only by requiring programmers to conform to certain rules but also
by providing code checkers. The Java language itself provides features such as automatic memory
management, garbage collection and the checking of address ranges in strings and arrays that
inherently help to guarantee safe code.
Java's compiled code, known as bytecode, includes a verifier that guarantees adherence to certain
limitations. Java also provides for a local name space within which code may be restricted. The
Java virtual machine (the layer that interprets the Java bytecode for a given computer platform) also
mediates access to system resources and ensures that sandbox code is restricted.
In the original sandbox security model, the sandbox code is generally known as untrusted code. In
later versions of the Java Development Kit (JDK) -- the programmer's development environment --
the sandbox has been made more sophisticated by introducing several levels of trust that the user can
In JDK 2.0, Java provides for assigning different levels of trust to all application code, whether loaded
locally or arriving from the Internet. A mechanism exists to define a security policy that screens all
code -- whether signed or not -- as it executes.
5 LINUX SANDBOXING
5.1 WHAT IS LINUX SANDBOXING?
Securing your system is a big priority for every production environment, whether you are a systems
admin or a software developer. The best way to secure your operating system from doubtful programs
or processes is by sandboxing (also termed as jailing). Sandboxing involves providing a safe
environment for a program or software so that you can play around with it without hurting your
system. It actually keeps your program isolated from the rest of the system, by using any one of the
different methods available in the Linux kernel. Sandboxing can be useful to systems administrators if
they want to test their tasks without any damage and also to developers for testing their pieces of
code. A sandbox can help you to create a different environment from your base operating system. It
has become trendy due to its extensive use by PaaS and SaaS providers.
5.2 Namespaces:
Namespaces are features available in Linux to isolate processes in different system resource aspects.
There are six types of namespaces available up to kernel 4.0. And more will be added in the future.
These are:
• pid (processes)
• user (UIDs)
Linux namespaces are not new. The first one was added to Linux in 2008 (Linux kernel 2.6), but they
became more widely used only in Linux kernel 3.6, when work on the most complex of them all —
the users namespace — was completed. Linux kernel uses clone(), unshare() and setns() system calls
to create and control namespaces.
Creation of new namespaces is done by the clone() system call, which is also used to start a process.
The setns() system call adds a running process to the existing namespace. The unshare() call works on
a process inside the namespace, and makes the caller a member of the namespace. Its main purpose is
to isolate the namespace without having to create a new process or thread (as is done by clone()).You
can directly use some services to get the features of these namespaces. CLONE_NEW* identifiers are
used with these system calls to identify the type of namespace. These three system calls make use of
the CLONE_NEW* as CLONE_NEWIPC, CLONE_NEWNS, CLONE_NEWNET,
CLONE_NEWPID, CLONE_NEWUSER, and CLONE_NEWUTS. A process in a namespace can be
different because of its unique inode number when it is created.
• Mount namespace:A process views different mount points other than the original system
mount point. It creates a separate file system tree associated with different processes, which
restricts them from making changes to the root file system.
• PID namespace: PID namespace isolates a process ID from the main PID hierarchy. A
process inside a PID namespace can have the same PID as a process outside it, and even
inside the namespace, you can have different init with PID 1.
• UTS namespace: In the UTS (UNIX Timesharing System) namespace, a process can have a
different set of domain names and host names than the main system. It uses sethostname() and
setdomainname() to do that.
• IPC namespace: This is used for inter-process communication resources isolation and
POSIX message queues.
5.4 User namespace
This isolates user and group IDs inside a namespace, which is allowed to have the same UID
or GID in the namespace as in the host machine. In your system, unprivileged processes can
create user namespaces in which they have full privileges.
Network namespace: Inside this namespace, processes can have different network stacks,
i.e., different network devices, IP addresses, routing tables, etc.
Sandboxing tools available in Linux use this namespaces feature to isolate a process or create
a new virtual environment. A much more secure tool will be that which uses maximum
namespaces for isolation. Now, let’s talk about different methods of sandboxing, from soft to
hard isolation.
<em>#mkdir /chroot</em>
<em>#mkdir /chroot/{lib,lib64,bin,etc}</em>
Now, the most important step is to copy the executable and libraries. To get the shell inside
the chroot, you also need /bin/bash.
To see the libraries required for this script, run the following command:
#ldd /bin/bash
linux-vdso.so.1 (0x00007fff70deb000)
/lib64/ld-linux-x86-64.so.2 (0x00007f25e360d000)
#ldd /bin/ls
linux-vdso.so.1 (0x00007fff4f8e6000)
/lib64/ld-linux-x86-64.so.2 (0x00007f9f00d4f000)
You will be prompted with a shell running inside your virtual environment. Here, you don’t have
much to run besides ls, but it has changed the root file system for this process to /chroot.
To get a more full-featured environment you can use the debootstrap utility to bootstrap a basic
Debian system:
It will download a minimal system to run under chroot. You can use this to even test 32-bit
applications on 64-bit systems or for testing your program before installation. To get process
management, mount proc to the chroot, and to make the contents of home ‘lost on exit’,
mount tmpfs at /home//:
• To run graphical applications inside chroot, open x server by running the following
command on the main system:
#xhost +
#export DISPLAY=:0.0
On systemd based systems, chrooting is pretty straightforward. It’s needed to define the root directory
on the processes unit file only.
[Unit]
Description=my_chroot_Service
[Service]
RootDirectory=/chroot/foobar
ExecStartPre=/usr/local/bin/pre.sh
ExecStart=/bin/my_program
RootDirectoryStartOnly=yes
Here Root Directory shows where the root directory is for the foobar process.
• The program script path has to be inside chroot, which makes the full path of that process
script as /chroot/bin/my_program.
Before the daemon is started, a shell script pre.sh is invoked, the purpose of which is to set up the
chroot environment as necessary, i.e., mount /proc and similar file systems into it, depending on what
the service might need. You can start your service by using the following command:
5.6Ip-netns
The Ip-netns utility is one of the few that directly use network namespaces to create virtual interfaces.
To create a new network namespace, use the following command:
This will take you inside the network namespace, which has only a single network interface with no
IP. So, you are not connected with the external network and also can’t ping.
This will bring the loop interface up. But to connect to the external network you need to create a
virtual Ethernet and add it to netns as follows:
• Unshare
The unshare utility is used to create any namespace isolated environment and run a program
or shell inside it.
To get a network namespace and run the shell inside it, use the command shown below:
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT group default
You can check your user inside the shell by using the command below:
#whoami
Nobody
Inside this namespace, you can see all the processes but cannot kill any.
root 1110 42.6 11.0 1209424 436756 tty1 Sl 23:36 0:15 .firefox1/./firefox
root 1208 0.0 0.0 12660 1648 pts/2S+ 23:37 0:00 grepfirefox
#kill 1110
To get a whole different degree of process tree isolation you need to mount another proc for the
namespace, as follows:
In this way, you can use unshare to create a single namespace. More about it can be found out on the
man page of unshare.
• A namespace created by using unshare can also be combined to create a single shell which
uses different namespaces. For example:
This will create an isolated environment using the PID and user namespaces.
• Firejail
Firejail is an SUID sandbox program that is used to isolate programs for testing or security
purposes. It is written in C and can be configured to use most of the namespaces. To start a
service in firejail, use the following command:
#firejail firefox
It will start Firefox in a sandbox with the root file system mounted as read only. To start Firefox with
only ~/Downloads and ~/.mozilla mounted to write, use the following command:
Firejail, by default, uses the user namespace and mounts empty temporary file systems (tmpfs) on top
of the user home directory in private mode. To start a program in private mode, use the command
given below:
• To sandbox all programs running by a user, you can change the default shell of that user to
/usr/bin/firejail.
• Containers
• Systemd-nspawn
This is a utility available by default with systemd, which creates separate containers for
isolation. It uses mount and PID namespaces by default but another namespace can also be
configured. To create a container or isolated shell, you need to download a basic distribution
which we have done already, using debootstrap. To get inside this container, use the code
below:
#systemd-nspawn -D my_deb
This container is stronger then chroot because it not only has a different mount point but also a
separate process tree (check it by ps -aux). But still, the hostname and IP interfaces are the same as the
host system. To add your own network stack, you need to connect to the existing network bridge.
This will start the container with the network namespace with a pair of veth devices. You can even
boot the instance by the -b option, as follows:
• While booting the container, you will be required to enter the password of the root user; so
first run #passwd inside to set the root password.
The whole nspawn project is relatively young; hence there is still a lot that needs to be
developed.
• You can also download other Docker images from the Docker Hub (https://hub.docker.com/).
It will download the base Kali Linux image. You can see all the available images on your
system by using the following code:
#docker images
kalilinux/kali-linux-docker
To run a program inside your container, use the command given below:
bin dev home lib64 mnt proc run selinux sys usr
boot etc. lib media opt root sbin srv tmp var
This will start (run) your container, execute the command and then close the container. To get an
interactive shell inside the container, use the command given below:
This will get you inside the container where you can do your work, isolated from your host
machine. 24a70cb3095a is your container’s ID. You can check all the running containers by using the
following command:
#docker ps
While installing the Docker image, Docker automatically creates a veth for Docker, which makes the
Docker image connect to the main system. You can check this by using #ifconfig and pinging your
main system. At any instance, you can save your Docker state as a new container by using the code
given below:
#docker images
kalilinux/kali-linux-docker
You can remove that image by using #docker rmi new_image. To stop a container, use docker stop
and after that remove the files created on the host node by that container.
#docker rm 24a70cb3095a
For running applications on a Docker instance, you may require to attach it to the host system in some
way. So, to mount the external storage to the Docker image, you can use the -v flag, as follows:
This will attach the external port 4567 to the container’s port 80. This can be very useful for SaaS and
PaaS, provided that the deployed application needs to connect to the external network. Running GUI
applications on Docker can often be another requirement. Docker doesn’t have x server defined so, to
do that, you need to mount the x server file to the Docker instance.
This will forward the X11 socket to the container inside Docker. To ship the Docker image to another
system, you need to push it on the Docker online repository, as follows:
You can even save the container image in the tar archive:
There is a lot more to learn on Docker, but going deeper into the subject is not the purpose of this
article. The positive point about Docker is its many tutorials and hacks available online, from which
you can easily get a better understanding of how to use it to get your work done. Since its first release
in 2013, Docker has improved so much that it can be deployed in a production or testing environment
because it is easy to use.
There are other solutions made for Docker, which are designed for all scenarios. These include
Kubernetes (a Google project for the orchestration of Docker), Swarm and many more services for
Docker migrations, which provide graphical dashboards, etc. Automation tools for systems admins
like Puppet and Chef are also starting to provide support to Docker containers. Even systemd has
started to provide a management utility for nspawn and other containers with a number of tools like
machinectl and journalctl.
• Machinectl
This comes pre-installed with the systemd init manager. It is used to manage and control the
state of the systemd based virtual machine, and the container works underneath the system
service. To see all containers running in your system, use the command given below:
To get a status of any running container, use the command given below:
• Machinectldoesn’t show Docker containers, since the latter run behind the Docker daemon.
#journalctl -M my_deb.
Using a sandbox to test software changes before they go live means there are fewer problems during
and after testing because the testing environment is totally separate from the production environment.
Sandboxing is also great for quarantining zero-day threats that exploit unreported vulnerabilities.
Although there's no guarantee that sandboxing will stop zero-day threats, it offers an additional layer
of security by separating the threats from the rest of the network. When threats and viruses are
quarantined, cybersecurity experts can study them to identify patterns, helping to prevent future
attacks and identify other network vulnerabilities.
Sandboxes can be used to isolate code execution in almost any situation that software code is being
executed. Some specific examples of using a sandbox to isolate code execution include:
• Web browsers: A trusted web browser can be run inside a sandbox. Then if a website exploits a
vulnerability in that web browser, the damage is limited to the sandbox and minimized.
• Software protection: There are tools that enable users to run software they don't trust in sandboxes
so that the software can't access their private data or harm their devices. Because a sandbox
appears to be a complete system to the software, the software usually can't detect that it's
constrained to a virtual environment.
• Security research: Information security professionals use sandboxes for research or to detect
malicious code. For instance, a security tool could visit websites to monitor what files are
ultimately changed or it could install and run software.
• Virtualization: A virtual machine is basically a type of sandbox. This approach uses a virtual
machine-based sandbox to contain and examine suspicious programs.
8 Sandbox applications
• Browser plug-in content often depended on using a sandbox to screen content loaded by browser
plug-ins, including Microsoft Silverlight and Adobe Flash. However, this type of content has
been notoriously difficult to keep safe. While it was safer to play a flash game on a web page than
to download the game and run it as a standard program, content publishers have largely moved
away from such plug-ins in favor of publishing active content using HTML5 -- which includes
the sandbox attribute to instruct the browser to disable any features that may present security
risks.
• PDFs and other documents may include executable code, so Adobe Reader runs PDF files in a
sandbox, which stops them from escaping the PDF viewer and interfering with the rest of the
• Mobile apps are generally executed by mobile platforms in sandboxes. Apps for iOS, Android
and Windows are prohibited from doing many of the things standard desktop apps can do. For
example, to access a user's location, they have to declare permissions. Additionally, the sandbox
isolates the applications, preventing them from tampering with each other.
• Linux application sandboxing, built on Seccomp, cgroups and Linux namespaces. Notably used
by Systemd, Google Chrome, Firefox, firejail.
• Google Sandboxed AP
• A jail: network-access restrictions, and a restricted file system namespace. Jails are most
commonly used in virtual hosting.
• Rule-based execution gives users full control over what processes are started, spawned (by other
applications), or allowed to inject code into other applications and have access to the net, by
having the system assign access levels for users or programs according to a set of determined
rules. It also can control file/registry security (what programs can read and write to the file
system/registry). In such an environment, viruses and Trojans have fewer opportunities of
infecting a computer. The SELinux and Apparmor security frameworks are two such
implementations for Linux.
• Virtual machines emulate a complete host computer, on which a conventional operating system
may boot and run as on actual hardware. The guest operating system runs sandboxed in the sense
that it does not function negatively on the host and can only access host resources through the
emulator.
• Sandboxing on native hosts: Security researchers rely heavily on sandboxing technologies to
analyse malware behaviour. By creating an environment that mimics or replicates the targeted
desktops, researchers can evaluate how malware infects and compromises a target host.
Numerous malware analysis services are based on the sandboxing technology.[7]
• Native Client is a sandbox for running compiled C and C++ code in the browser efficiently and
securely, independent of the user’s operating system.[8]
• Capability systems can be thought of as a fine-grained sandboxing mechanism, in which
programs are given opaque tokens when spawned and have the ability to do specific things based
on what tokens they hold. Capability-based implementations can work at various levels, from
kernel to user-space. An example of capability-based user-level sandboxing involves HTML
rendering in a Web browser.
• Secure Computing Mode (seccomp) is a sandbox built in the Linux kernel. When activated in
strict mode, seccomp only allows the write() , read() , exit() , and sigreturn() system calls.
11 Conclusion:
A sandbox is a type of software testing environment that enables the isolated execution of software or
programs for independent evaluation, monitoring or testing. In an implementation, a sandbox also
may be known as a test server, development server or working directory. As one of the most common
software testing techniques, a sandbox is useful in environments with one or more simultaneously
operating software programs. A sandbox creates an operational environment in which the execution,
operation and processes of software testing is not affected by other running programs. Additionally,
the sandbox technique is implemented in information security to evaluate suspicious software or files
containing malicious code. Typically, the source code of sandboxed software is not tested prior to
isolation, which reduces unexpected behaviour.
12 Reference:
https://www.techopedia.com/definition/27681/sandbox-software-development
https://en.wikipedia.org/wiki/Sandbox_(software_development)
https://searchsecurity.techtarget.com/definition/sandbox