Google has announced the public availability of Sandboxed API, for easy sandboxing of C and C++ libraries and creating secure and reusable implementations of functionality residing within other popular libraries.
While it is pretty common for applications to be affected by different types of vulnerabilities that could be exploited for remote code execution, sandboxing is a technique that helps to mitigate those problems, by isolation the app processes employed by software developers.
Albeit, the tasks of sandboxing are often very demanding, therefore the open-sourcing of the Sandboxed API by Google will makes it relatively easier to create security policies for individual software libraries, and offer granular protection for reusable software infrastructure.
The API can also separate the library to be sandboxed from a high-level perspective, with callers into two separate processes: the sandboxee and the host binary. And actual library calls marshalled by an API object from the host side and forwarded via inter-process communication to the sandboxee whereby an RPC stub unmarshals and send calls to original library.
It is currently implemented for software libraries written in the C programming language (C bindings), though Google has promised adding support for more programming runtimes in the near future.
Additionally, Google is making publicly available the core sandboxing project, Sandbox2, which is now part of Sandboxed API as the underlying sandboxing primitives. But it can also be used as standalone to isolate arbitrary Linux processes, which is considered a lower-level API.
No comments