Sandboxing untrusted code is useful when you have to rely on third-party software whose source code you cannot access, or which you lack the resources to audit. Sandboxing is also useful as an additional security boundary around your own code.
Depending on your use case, different tools are available for code containment. The table below gives an overview of the products and the use case each is suited for. Some of these products are used within Google and developed by Google engineers.
Sandbox2 and Sandboxed API are two products developed by the Google security team's sandboxing division.
Product | Description | Use Case |
---|---|---|
Sandbox2 | Linux sandboxing using namespaces, resource limits and seccomp-bpf syscall filters. Provides the underlying sandboxing technology for Sandboxed API. | General Sandboxing |
gVisor | Implements system calls within an application kernel. Intercepts system calls using ptrace or hardware virtualization. | General Sandboxing |
Bubblewrap | Sandboxing tool implemented with a subset of user namespaces. Used as the execution engine of, for example, Flatpak. | CLI Tools |
Minijail | The sandboxing and containment tool used in ChromeOS and Android. Provides an executable and a library that can be used to launch and sandbox other programs and code. | CLI Tools |
NSJail | Process isolation for Linux using namespaces, resource limits and seccomp-bpf syscall filters. Can optionally make use of Kafel, a custom domain-specific language, for specifying syscall policies. | CLI Tools |
Sandboxed API | Reusable sandboxes for C/C++ libraries using Sandbox2. | C/C++ Code |
Native Client | Deprecated. Powerful technique to sandbox C/C++ binaries by compiling them to a restricted subset of x86 (NaCl) or to LLVM bytecode (PNaCl). Influenced the design of its successor, WebAssembly, and has largely been replaced by it. | C/C++ Code |
WebAssembly (WASM) | A binary format for portable binaries. WASM modules are executed in isolated runtime environments. | C/C++ Code |
RLBox | A sandboxing API (written in C++17) which can use various execution backends: Native Client, WebAssembly, or remote processes. | C/C++ Code |
Flatpak | Built on top of Bubblewrap, provides sandboxing for Linux desktop applications. Puts an emphasis on packaging and distribution of native apps. | Desktop Applications |
Sandbox2
Sandbox2 is an open-source C++ security sandbox for Linux. With Sandbox2 you can restrict the runtime environment of a process to the minimum its legitimate operation requires (for example, the set of system calls it may make and the files it may reach), thus limiting the impact of a code execution vulnerability in that process.
Sandbox2 can be used to sandbox entire programs or portions of programs written in C/C++.
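The core mechanism behind a Sandbox2 policy is a seccomp-bpf filter: a small BPF program the kernel runs on every system call of the sandboxee, allowing the few calls the program genuinely needs and refusing everything else. The following is an added example, not code from Sandbox2 or the Sandboxed API project, that builds such an allowlist filter by hand with only standard Linux headers. It installs the filter in a forked child so the parent stays unfiltered, then has the child attempt `socket(2)`, which the allowlist does not contain. The function names (`install_allowlist_filter`, `try_socket`) and the `outcome` enum are this example's own. For readability the filter returns EPERM for non-allowlisted calls; Sandbox2's default is to kill the sandboxee and report the violating syscall, which is the safer choice in production.

```c
// Added example (not Sandbox2 code): a hand-written seccomp-bpf allowlist,
// the mechanism Sandbox2 policies compile down to. Linux only.
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* The filter must check the architecture: syscall numbers differ per ABI. */
#if defined(__x86_64__)
#define SECCOMP_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SECCOMP_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Older kernel headers only know the per-thread SECCOMP_RET_KILL. */
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

enum outcome { SOCKET_ALLOWED = 0, SOCKET_DENIED = 1, SANDBOX_FAILED = 2 };

/* Install an allowlist: exit_group, exit and write pass; every other syscall,
   socket(2) included, fails with EPERM. Returns 0 on success. */
static int install_allowlist_filter(void) {
    struct sock_filter filter[] = {
        /* 0-2: load the arch word; kill the process on a mismatch. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* 3-7: load the syscall number; jump to ALLOW (index 7) on a match. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit_group, 2, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit, 1, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        /* 8: default deny. A Sandbox2 policy would use KILL_PROCESS here. */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    };
    struct sock_fprog prog = {
        .len = sizeof(filter) / sizeof(filter[0]),
        .filter = filter,
    };
    /* Unprivileged processes may only install a filter after giving up the
       ability to gain privileges (setuid binaries etc.) across execve(). */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Fork, optionally install the filter in the child, and have the child try
   socket(2). The child's exit code carries the outcome back to the parent. */
enum outcome try_socket(int with_filter) {
    pid_t pid = fork();
    if (pid < 0) return SANDBOX_FAILED;
    if (pid == 0) {
        if (with_filter && install_allowlist_filter() != 0) _exit(SANDBOX_FAILED);
        int fd = socket(AF_UNIX, SOCK_STREAM, 0);
        if (fd < 0) _exit(errno == EPERM ? SOCKET_DENIED : SANDBOX_FAILED);
        close(fd);
        _exit(SOCKET_ALLOWED);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return SANDBOX_FAILED;
    return (enum outcome)WEXITSTATUS(status);
}

int main(void) {
    printf("without filter: outcome %d (0 = socket allowed)\n", try_socket(0));
    printf("with filter:    outcome %d (1 = socket denied with EPERM)\n", try_socket(1));
    return 0;
}
```

Two things carry over directly to Sandbox2 policies: the filter is an allowlist, so a syscall you forget is denied rather than silently permitted, and it is applied in the child only, so the trusted parent can still monitor and clean up. What this example omits is the rest of what Sandbox2 layers on top: mount and network namespaces, resource limits, and the monitor process that reports which syscall a sandboxee was killed for.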
Sandboxed API
Sandboxed API (SAPI) is an open-source project to sandbox C/C++ libraries. A library sandboxed with Sandboxed API can be reused as-is, which removes that burden from future projects. Before Sandboxed API, the sandboxes available at Google required additional implementation work for each new project to be sandboxed, even if it reused the same software library: Sandbox2 policies and other restrictions applied to the sandboxed process had to be reimplemented each time, and the data exchange mechanism between the trusted and untrusted parts of the code had to be designed from scratch.