Google Open Sources Sandboxing Tool
Written by Kay Ewbank   
Monday, 06 May 2019

Google has made its Sandboxed API tool open source. The tool can be used to create security policies for individual software libraries.

Sandboxed API is designed to get around the problem that developers are faced with then they need to process externally generated data that is potentially untrusted.

sandbox

The tool is designed to avoid security vulnerabilities such as  memory corruption bugs or problems related to the parsing logic such as path traversal issues. Finding a sandboxing tool that is highly resistant to attacks, protects the rest of the operating system, but is sufficiently easy-to-use, can be problematic. 

Google says its Sandboxed API is battle-tested, and makes it possible to create security policies for individual software libraries, while still being granular enough to protect the rest of used software infrastructure.

As Sandboxed API serves the purpose of accessing individual software functions inside a sandboxed library, Google is also making its core sandboxing project, Sandbox2, publicly available. This is now part of Sandboxed API and provides the underlying sandboxing primitives. It can be also used standalone to isolate arbitrary Linux processes.

Sandboxed API is currently implemented for software libraries written in C or providing C bindings. From a high-level perspective, Sandboxed API separates the library to be sandboxed and its callers into two separate OS processes: the host binary and the sandboxee. Actual library calls are then marshalled by an API object on the host side and send via interprocess communication to the sandboxee where an RPC stub unmarshals and forwards calls to the original library.

Users just need to provide a sandbox policy, a set of system calls that the underlying library is allowed to make, and the resources it is allowed to access and use. Once ready, a library based on sandboxed API can easily be reused in other projects.

sandbox

More Information

Sandboxed API

Related Articles

Google Bans Obfuscated Code - Who's To Judge?

Tink Library Helps You Develop Secure Code

Counting Vulnerabilities In Open Source Projects and Programming Languages

Don't Neglect Open Source Security

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.

Banner

Falco On Track To Version 1.0.0
02/04/2024

Falco is a cloud native runtime security tool for the Linux operating system, designed to detect abnormal behavior and warn of potential security threats in real-time. Now it's about to release its fi [ ... ]


+ Full Story
The University of Tübingen's Self-Driving Cars Course
22/03/2024

The recorded lectures and the written material of a course on Self-Driving Cars at the University of Tübingen have been made available for free. It's a first class opportunity to learn the in an [ ... ]


+ Full Story
More News

raspberry pi books

 

Comments




or email your comment to: comments@i-programmer.info
Last Updated ( Monday, 06 May 2019 )