tags:

views:

170

answers:

2
+2  Q: 

Is there a lightweight, programmable Sandbox API for the Windows platform?

To run untrusted code at home I use a VMWare virtual machine. I want to find an alternate lightweight sandbox API for running untrusted applications, without the overhead of installing VMWare, or any other kind of end-user virtualization tool like that. (Edit: I don't want it to host an OS - I want it to run untrusted apps).

Ideally the sandbox would be (or could be made) transparent so the app running in the sandbox doesn't display any extra chrome or features. (Don't they do this in Parallels on the Mac)

The Windows .NET developer side of me wishes for an API so instead of booting up a special GUI, I can script scenarios for it.

It would be like how the Google Chrome web browser contains its own technology to sandbox scripts running from the Internet to protect the system. Google doesn't need to distribute VMWare with their browser and yet they achieve sandbox security for apps.

Edit:

Looking for something lightweight like Google Chrome contains with features like greatly restricted file/network/UI access, low privileges, etc. Not looking for running/hosting its own OS.

+2  A: 

No, there is not.

I mean, you can use a different Windows account (with whatever permissions you consider appropriate), but then you need to be comfortable that the untrusted app can't break out of that. But you do have that same problem with VMWare (it has had bugs in the past that let you break out). Best thing to do is run in a Virtual Machine.

Noon Silk  2010-01-07 00:06:44
silky is 100% right. I'm also not sure it's *possible* to build a "lightweight programmable sandbox API" - every existing implementation of a sandboxe I'm aware of is a very complicated beast (and that includes AppArmor and SeLinux). IMHO if you're being paranoid, a VM is the way to go - as silky said there ARE VM bypass issues but using a VM is safer than not using a VM.
Larry Osterman  2010-01-07 00:56:06
Wow, doesn't get much better than confirmation from someone such as yourself :)
Noon Silk  2010-01-07 01:08:18
@silky: Agreed - that's part of what makes SO awesome. The experts and commoners (referring to myself :) mingle on programming.
John K  2010-01-07 02:20:20
BTW normally I'd just recommend running as a standard user but I've seen evidence that malware authors are adopting their maleware to run as standard users - they can't install a rootkit on your computer (which makes it easier to remove the malware) but they can still do bad things with your computer or your data.
Larry Osterman  2010-01-07 07:27:08
A: 

You may also be interested in Google's Native Client (also known as NaCl). This is a project that aims to be able to run (verifiable) x86 code inside a sandbox.

Greg Hewgill  2010-01-07 01:56:47
It seems to be available only via a browser plugin to run x86 on the web. Very interesting nonetheless.
John K  2010-01-07 02:16:37

related questions

Verifying files for testing
How do you create your own moniker (URL Protocol) on Windows systems?
Windows Equivalent of 'nice'
Is this a good way to determine OS Architecture?
Dual vs. Quadcore on a Webserver
Is there a WMI Redistributable Package?
PHP Error - Uploading a file
Ruby On Rails with Windows Vista - Best Setup?
OpenVPN Config file to prevent timeout
How can I create Debian install packages in Windows for a Visual Studio project?
How do I configure and communicate with a serial port?
What's the best setup for Mono development on Windows?
Appropriate pagefile size for SQL Server
XML Editing/Viewing Software
Linux shell equivalent on IIS
What is a better file copy alternative than the Windows default?
Windows Help files - what are the options?
Heap corruption under Win32; how to locate?
Best way to access Exchange using PHP?
Get a preview jpeg of a pdf on windows?
WinForms ComboBox data binding gotcha
How do you schedule tasks in Windows?
Register Windows program with the mailto protocol programmatically
Embedding Windows Media Player for all Browsers
Best Subversion clients for Windows Vista (64bit)