A sandbox is a mechanism that runs a program in an isolated area so that, if something goes wrong, other programs are not affected. The term, like its Japanese translation, refers to the sandbox in a park: a confined space in which one can play freely without affecting the surroundings.
Figure 1: Mechanism of file verification using a sandbox
The advantage is that a program run in a sandbox, even a malicious one, can have its behavior examined in an environment that does not affect programs outside it. Operations such as reading and writing files or accessing the microphone or camera require explicit permission; without it, the program executed in the sandbox is restricted, which protects the area outside the sandbox.
A typical example is analyzing incoming email in a sandbox to detect malware. The files attached to the email and the links it contains are verified in the sandbox, and if a problematic program is found, the system can notify the user, depending on how it is configured.
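The two paragraphs above describe a default-deny permission model (file access only inside the sandbox, camera, microphone and network only when explicitly granted) and a verification flow that ends in a verdict the system can act on. The following Python is an added example, not code from the original article or from any product it mentions: a broker mediates every request a sandboxed program makes against a policy, records what was denied, and the attachment check turns the record into a verdict. The sandbox root, the capability names and the replayed action trace are all constructed for the example.

```python
from dataclasses import dataclass, field
from pathlib import PurePosixPath

# Everything the sandboxed program may touch lives under this directory.
# The path and the capability names are constructed for this example.
SANDBOX_ROOT = PurePosixPath("/sandbox/work")


@dataclass(frozen=True)
class Policy:
    """Capabilities explicitly granted to the sandboxed program.
    Anything not listed here is denied (default deny)."""
    granted: frozenset
    writable_root: PurePosixPath = SANDBOX_ROOT


@dataclass
class Broker:
    """Mediates every request the sandboxed program makes and records the outcome."""
    policy: Policy
    allowed: list = field(default_factory=list)
    denied: list = field(default_factory=list)

    def _inside_root(self, path):
        # PurePosixPath does not collapse "..", so normalise by hand: a path that
        # climbs out of the root with ".." must not be treated as inside it.
        parts = []
        for part in PurePosixPath(path).parts:
            if part == "..":
                if parts and parts[-1] != "/":
                    parts.pop()
            elif part != ".":
                parts.append(part)
        if not parts or parts[0] != "/":
            return False          # relative paths are ambiguous: deny
        normalised = PurePosixPath(*parts)
        try:
            normalised.relative_to(self.policy.writable_root)
            return True
        except ValueError:
            return False

    def request(self, operation, target):
        if operation in ("read", "write"):
            ok = self._inside_root(target)
        elif operation in ("camera", "microphone", "network"):
            ok = operation in self.policy.granted
        else:
            ok = False            # unknown operation: deny
        (self.allowed if ok else self.denied).append((operation, target))
        return ok


# Policy for checking a mail attachment: file I/O inside the sandbox only,
# no camera, microphone or network.
DEFAULT_POLICY = Policy(granted=frozenset())

# Constructed trace of what an attachment did when opened in the sandbox.
SAMPLE_ACTIONS = [
    ("read", "/sandbox/work/invoice.pdf"),
    ("write", "/sandbox/work/render.tmp"),
    ("write", "/sandbox/work/../../etc/passwd"),   # tries to climb out of the sandbox
    ("network", "203.0.113.10"),                   # tries to contact an outside host
]


def verify_attachment(actions, policy):
    """Replay the trace through the broker and return (verdict, allowed, denied).
    Any denied request marks the attachment as suspicious so the system can notify the user."""
    broker = Broker(policy)
    for operation, target in actions:
        broker.request(operation, target)
    verdict = "suspicious" if broker.denied else "clean"
    return verdict, broker.allowed, broker.denied


if __name__ == "__main__":
    verdict, allowed, denied = verify_attachment(SAMPLE_ACTIONS, DEFAULT_POLICY)
    print(verdict)
    for op, target in denied:
        print(f"denied {op}: {target}")
```

The point of the manual `..` handling is that a sandbox boundary is only as good as its path check: a naive prefix comparison on the raw string would accept `/sandbox/work/../../etc/passwd`. Granting a capability is a deliberate act (`Policy(frozenset({"network"}))`), which mirrors the explicit-permission prompt a browser or mobile OS shows the user.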
Figure 2: Mechanism for verifying incoming email with a sandbox in a virtual environment
In recent years, conventional pattern matching, which compares a program against known malware, has become difficult to apply to sophisticated attack methods such as targeted attacks and zero-day attacks. Using a sandbox, in which a program actually sent from outside is run in an isolated environment, improves the detection of these attacks.
In addition, many applications that may run unknown programs have a sandbox mechanism of their own. For example, a web browser runs programs such as JavaScript in an isolated area and requires explicit permission before the camera can be used. Plug-ins such as Adobe Flash likewise restrict reading and writing of files on the terminal.
On mobile devices, operating systems such as iOS and Android are designed to run apps in a sandbox. Even an app downloaded from the official app store is developed by a third party and may contain problems, which raises security concerns. The idea is to contain that risk on the OS side.
Although sandboxes are used against malware as described above, security issues have been pointed out. First, analyzing whether something is malware in a sandbox takes a certain amount of time to complete, so it is difficult to respond in real time. For example, when inspecting incoming email, the email may already have reached the recipient by the time the malware is detected.
Some malware detects that it is running in a sandbox environment and evades security software. Virtual environments such as VMware have characteristic MAC addresses and processes, so the malware detects that it is running in a virtual environment and temporarily suspends its malicious behavior. The reasoning is that by resuming activity after passing the security software's inspection, the attack is more likely to succeed.
There is also malware scheduled to run its program at a specific time. In this case the sandbox cannot detect the malicious behavior outside the specified time, so the malware may pass through as a program with no apparent problems.
In fact, it is well known that the file-encrypting ransomware Locky could evade sandboxes. It was spread by spam emails and Flash vulnerabilities, and many computers were infected. When a computer is infected with Locky, the files on it are encrypted without authorization and the victim is extorted for payment to decrypt them. Locky spread from 2016 to 2017 and infections were reported around the world, including in Japan.
In addition, malware that runs in memory without using files has been found. In this case there is no file for the sandbox environment to execute, so detection is highly likely to be evaded.
Given that such a wide variety of malware exists, it is not desirable to rely on sandboxes alone to raise security. The perspective of multi-layered defense, taking measures against complex threats at different levels, is important. In many cases the terminal is the target, so in addition to detection on the server side, security measures at the endpoint are also essential.
A technology related to sandboxes is the honeypot. A honeypot sets up a fake system for the purpose of being attacked, lures the attacker in, and observes and investigates the methods and actions used. A system with vulnerabilities is said to be more likely to be targeted than the real server, and this is said to have the effect of improving security. Although the idea differs from that of a sandbox, the two have in common that they defend using an environment separated from the real system.
The concept of the sandbox is not limited to email countermeasures and mobile OSs but appears in various situations. For example, when a virtual machine is running, the sandbox idea is applied to prevent the host computer and the virtual machine from interfering with each other. A sandbox is also used when building a specific environment for development and running tests in it.
Docker is widely used as a container technology for building virtual environments, and virtual environments such as VirtualBox and VMware have long been in frequent use. Recently, a Windows Sandbox tool has been provided in Windows environments. Its advantage is that files can be executed in Windows Sandbox without affecting the environment used day to day, for example to check the behavior of a program developed by a third party or to run a software development test.
Open source software called Cuckoo is known as a malware countermeasure tool that uses a sandbox. It can execute a program in a virtual environment and record the processes started, the files written, and the IP addresses communicated with.
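A sandbox such as Cuckoo produces a record of behavior, and the analyst's job is to turn that record into a verdict without falling into the traps described earlier: malware that probes for a virtual environment and then goes quiet, or that defers its work to a specific time, looks harmless during a short run. The following Python is an added example and is not part of Cuckoo or of the original article: it triages a simplified behavior report (processes, files written, hosts contacted) and refuses to call a sample "clean" when it showed evasion or deferral indicators. The report layout, the call names, the sandbox's host-only network and the three sample reports are constructed for this example and are not Cuckoo's real schema or real API names.

```python
import ipaddress

# Labels a Cuckoo-style sandbox might record for a sample's behaviour. The call
# names, the host-only network and the reports below are constructed for this
# example and are not Cuckoo's real schema or real API names.
EVASION_CALLS = {"get_mac_address", "enumerate_processes", "query_hypervisor"}
DEFERRED_CALLS = {"sleep_long", "schedule_task"}
SANDBOX_NETWORKS = [ipaddress.ip_network("192.168.56.0/24")]  # the sandbox's own host-only network
MASS_WRITE_THRESHOLD = 50  # this many files written in one run looks like encryption, not rendering


def make_report(name, calls, files_written, hosts, duration_s=180):
    """Build a minimal report: one process, its recorded calls, file writes and contacted hosts."""
    return {
        "duration_s": duration_s,
        "processes": [{"pid": 1200, "name": name, "calls": list(calls)}],
        "files_written": list(files_written),
        "hosts": list(hosts),
    }


def is_external(host):
    """True unless the host belongs to the sandbox's own network; hostnames count as external."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True
    return not any(addr in net for net in SANDBOX_NETWORKS)


def triage(report):
    """Turn the recorded behaviour into a verdict plus the evidence behind it.

    A sample that probed its environment or deferred its work but showed nothing
    malicious is reported as inconclusive rather than clean, because evasive or
    time-triggered malware looks harmless during a short run."""
    calls = {c for proc in report["processes"] for c in proc["calls"]}
    evasion = sorted(calls & EVASION_CALLS)
    deferred = sorted(calls & DEFERRED_CALLS)
    external_hosts = [h for h in report["hosts"] if is_external(h)]
    mass_writes = len(report["files_written"]) >= MASS_WRITE_THRESHOLD

    if external_hosts or mass_writes:
        verdict = "malicious"
    elif evasion or deferred:
        verdict = "inconclusive"
    else:
        verdict = "clean"

    return {
        "verdict": verdict,
        "processes": [proc["name"] for proc in report["processes"]],
        "files_written": len(report["files_written"]),
        "external_hosts": external_hosts,
        "evasion": evasion,
        "deferred": deferred,
        "next_step": "extend the run or rerun with a shifted clock" if verdict == "inconclusive" else None,
    }


# Constructed reports: a document viewer doing ordinary work, a sample that only
# fingerprints the environment and sleeps, and one that encrypts files and contacts an outside host.
CLEAN_REPORT = make_report("reader.exe", ["open_file", "render_page"],
                           ["/tmp/render.cache"], ["192.168.56.1"])
EVASIVE_REPORT = make_report("invoice.exe", ["get_mac_address", "enumerate_processes", "sleep_long"],
                             [], ["192.168.56.1"])
MALICIOUS_REPORT = make_report("invoice.exe", ["open_file", "write_file"],
                               [f"/home/user/docs/{i}.docx.locked" for i in range(60)],
                               ["192.168.56.1", "203.0.113.10"])

if __name__ == "__main__":
    for label, report in [("clean", CLEAN_REPORT), ("evasive", EVASIVE_REPORT), ("malicious", MALICIOUS_REPORT)]:
        print(label, triage(report))
```

The three-way verdict is the design choice worth copying: a binary clean/malicious output hides exactly the samples the article warns about, whereas an "inconclusive" result with a concrete next step (a longer run, or a rerun with the clock shifted past the trigger time) keeps them in the analyst's queue instead of letting them through.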
Similarly, ESET Dynamic Threat Defense is a cloud service that uses a sandbox to strengthen defense against unknown malware. Suspicious files found on a device are automatically sent to the sandbox environment in the cloud, their behavior is verified, and malicious programs are blocked immediately. A great advantage is that threat information is constantly updated in the cloud, so the ability to respond immediately increases even against zero-day attacks.
Sandboxes are used in places that users do not see, such as web browsers and mobile apps. In recent years it has become possible to build a wide range of sandbox environments, not limited to enterprise products. That is why I want you to properly understand the concept of sandboxes and make use of it for the safe use of computers and the Internet.