What is a Sandbox? Definition from SearchSecurity (2024)


By TechTarget Contributor

What is a sandbox?

A sandbox is an isolated testing environment that enables users to run programs or open files without affecting the application, system or platform on which they run.

Software developers use sandboxes to test new programming code, while cybersecurity professionals use them to test potentially malicious software or files. Without sandboxing, software or applications could have potentially unlimited access to all the user data and system resources on a network.

Security teams also use sandboxes to safely execute malicious code to avoid harming the host device, the network and other connected devices. Using a sandbox to detect malware offers an additional layer of protection against security threats, such as stealthy attacks and exploits that use zero-day vulnerabilities.

Importance of sandboxes

As malware becomes more sophisticated, it is imperative that cybersecurity professionals have safe and isolated testing environments. Sandboxes provide malware researchers and others virtualized safe spaces to evaluate suspicious files or applications without putting the rest of the endpoint and network at risk.

More sophisticated cyberthreats feature advanced obfuscation techniques that can evade detection by endpoint and network security products, so it's important for researchers to examine suspicious files to learn how to improve an organization's existing security infrastructure.

Uses of sandboxes

In general, a sandbox is used to test programs or open files without affecting the rest of the system. Developers and security researchers use sandboxes for similar reasons. The former deploy sandboxes to determine whether new code or a new application works as intended and to discover any bugs before pushing it to the production environment. Security researchers use sandboxes to examine malware and other suspicious applications and files, observing how they run and how they attempt to attack an IT environment without putting the rest of that environment at risk.

Sandboxing is an important feature of the Java programming language and development environment, where the sandbox is a program area and set of rules that programmers need to use when creating Java code -- called an applet -- that is sent as part of a webpage.

API sandboxes are targeted at API developers and testers. They mimic the characteristics of a production environment to create simulated responses for APIs that reflect the behavior of a real system.

Java sandboxing

Java applets are sent automatically to a user's browser as part of a webpage transmission and can execute as soon as they arrive at the browser. Without any other protection, buggy or potentially malicious code could run without restriction and do harm. Using a sandbox to isolate the code can help protect against malicious attacks and harm caused by buggy Java programs with unlimited access to memory or operating system (OS) services. Sandbox restrictions strictly limit what system resources an applet can request or access.

The Java sandbox comprises the program area and a set of rules that programmers need to use when creating Java code sent with web content. Sandbox restrictions set strict limits on what system resources an applet can request or access. Essentially, programmers write code that "plays" only within a sandbox, much like children are allowed to make anything they want within the confined limits of a real sandbox. The sandbox can be conceived as a small area within a computer where an applet's code can play freely, but it's not allowed to play anywhere else.

A sandbox is implemented not only by requiring programmers to conform to certain rules, but also by providing code checkers. The Java language itself provides features, such as automatic memory management, garbage collection and the checking of address ranges in strings and arrays, that inherently help guarantee safe code.

Java's compiled code, known as bytecode, includes a verifier that guarantees adherence to certain limitations. Java also provides a local namespace within which code can be restricted. The Java VM -- the layer that interprets the Java bytecode for a given computer platform -- also mediates access to system resources and restricts sandboxed code.

In the original sandbox security model, the sandbox code is generally known as untrusted code. In later versions of the Java Development Kit (JDK) -- the programmer's development environment -- the sandbox has been made more sophisticated by introducing several levels of trust that users can specify for sandbox code. The more trust a user allows, the more capability the code has to "play" outside of a sandbox.

In the Java Development Kit 1.1 version, the concept of a signed applet was introduced. An applet accompanied by a digital signature can contain trusted code that is allowed to execute if the client browser recognizes the signature.

In JDK 2.0, Java provides for assigning different levels of trust to all application code, whether loaded locally or arriving from the internet. A mechanism exists to define a security policy that screens all code -- whether signed or not -- as it executes.

Benefits of using a sandbox

Using a sandbox to test software changes before they go live reduces the chances of the updated software negatively affecting the production environment.

Sandboxing also quarantines zero-day threats that exploit unreported vulnerabilities. Although there's no guarantee that sandboxing will stop zero-day threats, it offers an additional layer of security by separating the threats from the rest of the network. When threats and viruses are quarantined, cybersecurity experts can study them to identify patterns, helping prevent future attacks and identify other network vulnerabilities.

Sandboxing complements other security programs, including behavior monitoring and virus programs. It offers added protection against certain strains of malware that an antivirus program might not detect. More advanced malware can check to see if it's running in a sandbox before executing.

Examples of using a sandbox

Sandboxes can isolate code execution in almost any situation in which software code executes. Some specific examples of using a sandbox to isolate code execution include the following:

  • Web browsers. A trusted web browser can be run inside a sandbox. If a website exploits a vulnerability in that web browser, the damage is limited to the sandbox.
  • Software protection. Certain tools enable users to run software they don't trust in sandboxes so the software can't access their private data or harm their devices. Because a sandbox appears to be a complete system to the software, it usually can't detect that it's constrained to a virtual environment.
  • Security research. Information security professionals use sandboxes for research or to detect malicious code. For instance, a security tool could visit websites to monitor what files are ultimately changed or it could install and run software. Windows Defender allows users to run the antivirus software in a sandbox.
  • Virtualization. A VM is basically a type of sandbox. This approach uses a VM-based sandbox to contain and examine suspicious programs.

Sandbox applications

Sandbox applications include the following:

  • Browser plugin content often depended on using a sandbox to screen content loaded by browser plugins, including the now-deprecated Microsoft Silverlight and Adobe Flash. However, this type of content has been notoriously difficult to keep safe. While it was safer to play a Flash game on a webpage than to download the game and run it as a standard program, content publishers have largely moved away from using such plugins in favor of publishing active content via HTML5, which includes the sandbox attribute to instruct the browser to disable any features that might present security risks.
  • PDFs and other documents might include executable code, so Adobe Reader Protected Mode runs PDF files in a sandbox, which stops them from escaping the PDF viewer and interfering with the rest of the endpoint. Microsoft Office has a sandbox mode to stop unsafe macros from tampering with a system. Windows users can also use the built-in Windows Sandbox.
  • Mobile apps are generally executed by mobile platforms in sandboxes. Apps for iOS, Android and Windows are prohibited from doing many of the things standard desktop apps can do. For example, to access a user's location, they have to declare permissions. Additionally, the sandbox isolates the applications, preventing them from tampering with each other.
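
The HTML5 sandbox attribute mentioned in the browser plugin item above only protects the embedding page when its tokens are chosen carefully. The following is an added example, not part of the original article: a small Node.js audit that flags iframes with a missing or weakened sandbox attribute. The sample markup, the widgets.example URLs and the function names are constructed for illustration.

```javascript
// Added example: audit iframe sandbox attributes in an HTML string.
// SAMPLE_HTML is constructed sample input, not taken from any real site.
const SAMPLE_HTML = `
<iframe src="https://widgets.example/ad.html"></iframe>
<iframe src="https://widgets.example/game.html" sandbox="allow-scripts allow-same-origin"></iframe>
<iframe src="https://widgets.example/form.html" sandbox="allow-forms allow-top-navigation"></iframe>
<iframe src="https://widgets.example/game2.html" sandbox="allow-scripts"></iframe>
<iframe src="https://widgets.example/static.html" sandbox></iframe>
`;

// Return the list of sandbox tokens, or null when the attribute is absent.
// A bare `sandbox` (or sandbox="") yields [], meaning every restriction applies.
function sandboxTokens(tag) {
  const m = /\ssandbox(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?(?=[\s>\/])/i.exec(tag);
  if (!m) return null;
  const value = m[1] ?? m[2] ?? m[3] ?? "";
  return value.toLowerCase().split(/\s+/).filter(Boolean);
}

// Map a token list to findings; an empty array means no weakness was flagged.
function auditSandbox(tokens) {
  if (tokens === null) return ["no sandbox attribute: none of the sandbox restrictions apply"];
  const has = (t) => tokens.includes(t);
  const findings = [];
  if (has("allow-scripts") && has("allow-same-origin"))
    findings.push("allow-scripts + allow-same-origin: same-origin content can remove its own sandbox");
  if (has("allow-top-navigation"))
    findings.push("allow-top-navigation: framed content can navigate the embedding page");
  if (has("allow-popups-to-escape-sandbox"))
    findings.push("allow-popups-to-escape-sandbox: popups open without the sandbox");
  return findings;
}

// Audit every <iframe> opening tag found in the HTML text.
function auditHtml(html) {
  const tags = html.match(/<iframe\b[^>]*>/gi) || [];
  return tags.map((tag) => {
    const src = (/\ssrc\s*=\s*"([^"]*)"/i.exec(tag) || [])[1] || "(no src)";
    const tokens = sandboxTokens(tag);
    return { src, tokens, findings: auditSandbox(tokens) };
  });
}

for (const r of auditHtml(SAMPLE_HTML)) {
  const shown = r.tokens === null ? "(absent)" : `"${r.tokens.join(" ")}"`;
  console.log(`${r.findings.length ? "WEAK" : "OK  "}  ${r.src}  sandbox=${shown}`);
  for (const f of r.findings) console.log(`        - ${f}`);
}
```

The first three sample frames are reported as weak; the last two pass because they grant only script execution or nothing at all.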

Editor's note: This article was written by a TechTarget contributor in 2021. TechTarget editors revised it in 2024 to improve the reader experience.

This was last updated in January 2024


FAQs

What is a Sandbox? Definition from SearchSecurity? ›

A sandbox is an isolated testing environment that enables users to run programs or open files without affecting the application, system or platform on which they run.

What is a sandbox in cybersecurity? ›

Sandboxing is a cybersecurity practice where you run, observe and analyze code in a safe, isolated environment on a network that mimics end-user operating environments. Sandboxing is designed to prevent threats from getting on the network and is frequently used to inspect untested or untrusted code.

What is sandbox in simple words? ›

The term “sandbox” is aptly derived from the concept of a child's sandbox—a play area where kids can build, destroy, and experiment without causing any real-world damage. Similarly, a digital sandbox allows experimentation and testing without repercussions outside its confined space.

What do you mean by sandboxing? ›

Sandboxing is a security practice in which you use an isolated environment, or a “sandbox,” for testing. Within the sandbox you run and analyze code in a safe, isolated environment without affecting the application, system or platform.

What does the phrase sandbox mean? ›

1. : a box or receptacle containing loose sand. especially : a box that contains sand for children to play in. 2. : a place, area, or environment that provides opportunities for variation and experimentation in a way suggestive of children playing in a sandbox.

What is the purpose of the sandbox? ›

A sandbox is an isolated testing environment that enables users to run programs or open files without affecting the application, system or platform on which they run.

What is a sandbox in web technology? ›

In technology, a sandbox is a contained virtual environment separated from live networks, systems, and programs. The phrase “sandboxing” is a commonly used tech industry term.

What is the main idea of the sandbox? ›

The Sandbox challenges the notion of the nuclear family, which was increasingly idealized in the 1950s in tandem with the concept of the American Dream. Albee was adopted as an infant and expressed a sense of disconnection from his wealthy parents, a theme he explored in many of his plays.

What is a synonym for sandbox? ›

synonyms: sandpile, sandpit. plaything, toy. an artifact designed to be played with. noun. mold consisting of a box with sand shaped to mold metal.

What is browser sandboxing? ›

Web Browser Sandbox: A web browser sandbox allows running web applications in isolated environments to prevent browser-based malware from spreading to the network. Security Sandbox: A security sandbox lets you observe and analyze threats in an isolated, safe environment.

What is sandboxing in Google? ›

The term “Google Sandbox” is used by some SEOs to refer to the situation where new websites are not ranked well in Google search results. The idea behind this is that Google may place newly created websites in a “sandbox” for a certain period of time.

Is sandboxing a type of malware? ›

Sandboxing is a security technique that is used to restrict the interaction of a program with the operating system because the program is untested or contains malicious code. This is usually done when analyzing or testing a program such as new software or malware.

What is sandbox slang for? ›

(US, military, slang, usually "The Sandbox") The Middle East.

Why is sandbox safe? ›

What makes a seedbox safe is its ability to provide robust privacy protections, including masking your IP address and using secure data transfer protocols. Additionally, features like automated security updates and encrypted connections further boost security.

What is sandbox good for? ›

A sandbox play area is a flexible feature that fits into small backyards or larger parks, providing endless opportunities for play. Their sensory engagement, creative freedom, and motor skill benefits make them timeless.

What is the difference between a sandbox and a virtual machine? ›

A sandbox is a virtual machine used to run software in a testing environment. Executing the code in a sandbox keeps it separate from an actual production environment so that any potential issues that come up don't impact the business.

What is a sandbox in NIST? ›

A restricted, controlled execution environment that prevents potentially malicious software, such as mobile code, from accessing any system resources except those for which the software is authorized.

What is the difference between emulation and sandbox? ›

About code emulation technology

Let's look at the difference. A full-featured sandbox, unlike an emulator, is a “heavyweight” method. It emulates the whole environment and runs a scanned sample in a virtual machine with a real operating system (OS) and applications installed.

Article information

Author: Duane Harber
