Thursday, January 29, 2009

Virtual Machines and Sandboxes

From a security perspective, virtual machines (VMs) and sandboxes are methods of providing isolation. They have other uses as well, but in this post I'm going to focus on this ability to provide isolation.

So what exactly does "isolation" mean? Isolation is the ability to run an application in such a way as to limit its access to other programs or data on your computer. Basically it means preventing an application from being able to modify files on your computer or interact with other applications. In practival terms, for example, it can mean preventing a virus you receive via email from infecting your computer.

So what is the difference between a Sandbox and a virtual machine? Conceptually they are similar, but they are implemented very differently and provide very different flavors of protection.

Virtual machines (e.g. VMWare, Xen, VirtualBox) provide a way of running a whole separate virtual computer in your computer. It literally is a completely different computer - it will have different applications, different files, even a different operating system (e.g. you can run Linux virtual machine on a Windows computer).

Sandboxes (e.g. Sandboxie, sandbox-exec) are ways of running an application on your existing computer but selectively restricting what it can do. So you could sandbox your email client so that it can't write files to your disk, but it can open URLs in your web browser.

Put simply, virtual machines provide a heavy weight, complete isolation between what is running it and your computer. A sandbox provides a lighter-weight, flexible isolation between an application and your computer. (Virtual machines have other non-security benefits in terms of the flexibility they give you to run different applications, operating systems, make snapshots, etc., that I'm ignoring for this discussion.)

"These things sound great. Why doesn't everyone use one or the other all the time?"

Like a lot of security mechanisms, they have a usability trade-off. It's most pronounced with virtual machines. If you were to run your email client in a virtual machine, the same protection that keeps a virus from infecting your computer makes it hard to save an attachment a colleague sent you to your documents folder. Likewise if you wanted to send a document to a colleague, you have to jump through hoops to do so.

Sandboxes are a little friendlier. They let you allow and prevent actions selectively, so, for example, your email client can send URLs to your web browser or write to certain parts of your disk, but not overwrite another application or read your more sensitive files. But it takes you configuring the sandbox security policy to allow that ("configuring the security policy" is fancy talk for either clicking on "Allow this" pop-ups or editing a file, depending on the sandbox application). Depending on how complicated your use of your applications is and how much security you want, this configuration can be somewhat onerous.

So, all-in-all these are great tools if you are doing something with an application you don't trust - e.g. some game you downloaded off the Internet and just have to try, in which case they give you protection angainst any bad behavior of that game. But, they are a little much for the average person to use for ordinary daily activities.

One last word of warning, neither virtual machines or sandboxes will prevent bad things from happening within an application. For example, if a virus infects your email client, a virtual machine or sandbox won't stop it from sending out email. Or if your web broswer gets corrupted, stop it from visiting other web sites and changing your password.

No comments:

Post a Comment