I read your article, "How is a smart sandbox different from traditional sandbox technology?" As a follow-up to that, I sometimes find mandatory access control-based protection overlaps with application sandboxing. How would you distinguish the two?
The mandatory access control (MAC) model and application sandboxing protection do overlap, particularly as the term sandboxing is used in a variety of ways by different vendors and security experts. Both technologies implement one of the key foundations of any IT security strategy: controlling access to a computer's resources. It is not access control in the sense of authentication or identity verification, like controlling the user login process for example, but controlling access to system resources after a user's account credentials have been authenticated and access to the system granted.
The mandatory access control model is the strictest of all types of access control, operating on the ethos of default denial. In a MAC environment, access to all resource objects is controlled by the operating system or security kernel, based on settings configured by the system administrator. Unlike most operating systems, such as Unix and Windows, where users can exercise discretionary access control by assigning read-write-execute permissions to their own data, it's not possible under MAC for end users to change the access control of a resource.
Implementing a mandatory access control model using Security Enhanced Linux (SELinux), for example, is a big undertaking and requires a considerable amount of planning by dedicated and fully trained systems administrators. All resource objects, such as files, directories, ports and I/O devices, have to be assigned security labels. These labels contain the object's security classification and its category, the group to which the object is available. Likewise, each user, device, process or thread is assigned a classification and category. Whenever a user or process attempts to access a resource, the operating system checks that the requester's classification and category properties match those of the resource. The high management overhead of keeping object and account labels up to date is why the mandatory access control model tends to be found only in environments that require very high levels of security.
Application sandboxing differs from MAC as it controls access to system resources on a per-application basis. It does this by executing a program in a restricted operating system environment with limited access to resources. If malicious code gains control of a properly sandboxed application, it can only access the files and resources in the sandbox. This makes it ideal for running programs or viewing data downloaded or received from an untrusted source, as it reduces the scope of any potential damage. However, if the malicious code manages to break out of the sandbox, it can potentially access additional system resources.
Application sandboxing doesn't tie resources to a user's classification or category, so it is a lot less onerous to manage than MAC. Although the Android sandbox uses SELinux to enforce MAC over all processes, users can still change access permissions, as with most other sandboxes. For example, browsers like Chrome and Internet Explorer run requested webpages in a sandbox with access to a limited set of resources, but a user can still grant a page permission to use the microphone or access geolocation data.
The mandatory access control model and application sandboxing both provide important layers of security, but MAC is only viable when a risk assessment deems it a cost-effective control, due to the time and resources needed to implement it.
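To make the distinction concrete, here is a small reference-monitor simulation in Python. It is an added example, not code from the article or from Michael Cobb, and it models the two mechanisms the answer describes: a default-deny MAC check in which every object and subject carries an administrator-assigned label (classification level plus categories) that ordinary users cannot change, and a per-application sandbox profile that restricts what one program may touch while still letting the user grant extra permissions at runtime. The dominance rules (read requires the subject's label to dominate the object's, write requires the reverse) are an assumed multilevel-security simplification; real SELinux labels also carry users, roles and types, which this toy omits. All labels, paths and policy entries are constructed for the example.

```python
"""Toy reference monitor contrasting a MAC label check with a per-application
sandbox profile. Constructed example: every label, path and policy entry is invented."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Label:
    """Security label: a sensitivity level plus a set of categories (compartments)."""
    level: int
    categories: frozenset


def dominates(a: Label, b: Label) -> bool:
    """a dominates b when its level is at least b's and it holds every category b has."""
    return a.level >= b.level and b.categories <= a.categories


def mac_decide(subject: Label, obj: Label, op: str) -> bool:
    """Default-deny MAC check (assumed MLS rules): read needs subject >= object,
    write needs object >= subject, so labelled data never flows to a lower label.
    Any operation the policy does not name is refused."""
    if op == "read":
        return dominates(subject, obj)
    if op == "write":
        return dominates(obj, subject)
    return False


# Constructed MAC policy. Labels are set by the administrator, never by the owner.
SECRET_HR = Label(2, frozenset({"hr"}))
PUBLIC = Label(0, frozenset())
ANALYST = Label(2, frozenset({"finance"}))   # cleared to level 2, but not for 'hr'
HR_CLERK = Label(2, frozenset({"hr"}))

OBJECT_LABELS = {
    "/data/payroll.db": SECRET_HR,
    "/data/press-release.txt": PUBLIC,
}


def relabel(actor_role: str, path: str, new_label: Label) -> bool:
    """Only the administrator may change an object's label; an ordinary user is refused
    even for data they created (the discretionary model would let them)."""
    if actor_role != "admin":
        return False
    OBJECT_LABELS[path] = new_label
    return True


# Constructed sandbox: a profile attached to the application, independent of who runs it.
@dataclass
class SandboxProfile:
    app: str
    allowed_paths: set
    allowed_devices: set


def sandbox_decide(profile: SandboxProfile, resource: str) -> bool:
    """Allow only the resources named in the application's profile. A compromised
    process is confined to these regardless of the user's privileges outside the box."""
    if resource.startswith("/dev/"):
        return resource in profile.allowed_devices
    return any(resource.startswith(prefix) for prefix in profile.allowed_paths)


def user_grant(profile: SandboxProfile, device: str) -> None:
    """Runtime permission grant by the user (e.g. the microphone prompt in a browser),
    which is exactly the kind of change MAC does not let an end user make."""
    profile.allowed_devices.add(device)


if __name__ == "__main__":
    print("HR clerk reads payroll:", mac_decide(HR_CLERK, SECRET_HR, "read"))
    print("Analyst reads payroll:", mac_decide(ANALYST, SECRET_HR, "read"))
    print("User relabels payroll as public:", relabel("user", "/data/payroll.db", PUBLIC))
    browser = SandboxProfile("browser", {"/tmp/browser/"}, set())
    print("Browser reads ~/.ssh key:", sandbox_decide(browser, "/home/u/.ssh/id_rsa"))
    user_grant(browser, "/dev/microphone")
    print("Browser uses microphone after grant:", sandbox_decide(browser, "/dev/microphone"))
```

The two decision functions differ in what they key on: `mac_decide` compares labels that travel with the subject and the object and refuses anything the policy has not expressed, while `sandbox_decide` consults a profile attached to one program and can be widened by the user. That is the management trade-off the answer describes: the MAC labels must be maintained for every object and account, whereas the sandbox profile only has to describe what a single application legitimately needs.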
Ask the Expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)