Sandbox

The term sandbox is used to describe a technique of executing software within a special - i.e. isolated from other system resources - runtime environment. The technique can be compared with the principle of self-contained, secure containers in which software can be executed without affecting other resources of a system. Sandboxes are not an invention of the modern era, but have occupied developers since the early 1970s. There are various approaches to the realization of sandboxes, but in each case they have repercussions on the performance of the software.

An example from the history of software development - but with an effect on systems of today - is the system Hydra, which was already created in 1975. There a safety kernel supported the coding of safety mechanisms into the application programs communicating with the kernel.

Today the term sandbox is used in various contexts:

• Virtual machines( VM) can provide special runtime environments. An example here is the Java virtual machine( JVM).
• Applications can include sandbox mechanisms directly in the program code. Proof Carrying Code( PCC) is a commonly used technique here, which is applied for the safe execution of unsafe code.
• A special layer can be implemented in the application domain, for example, in the form of library functions that intercept actual system calls.
• The sandbox layer may be implemented as part of the operating system.

However, sandboxes not only have the task of providing an appropriate test environment, but various runtime parameters can also be recorded for subsequent analysis.

There are a number of products that enable "sandboxing". The following are some examples of these.

FAUmachine Implements a virtual machine and is available as open source

Solaris Zones Provides virtual services of the Solaris operating system, which can be used to create separate environments - the zones - in which the applications are then executed in isolation. The processes of different zones cannot influence each other.

VMware Server Different types of workstations and server machines can be created and simulated. For example, virtual networks are also supported.

Klik A sandbox environment under Linux.

BIND Berkeley InternetName Domain( BIND) is an open source software for implementing a Domain Name System( DNS).

In the Java programming language, for example, the term sandbox is also used in connection with special applications - applets - that have only very specific rights. The sandbox there consists of the specific class loader( ClassLoader class) and the security manager (SecurityManager). The SecurityManager does not allow, for example, the execution of external programs, since in this way system resources such as the file system could be influenced.