A Complete Guide to Browser Sandbox and its Architecture
Sandboxing is a vast concept used in a variety of domains, from children’s toys to computer security. The term originates from creating a box of sand for children who do not get along well together. The sandbox gives each of them a boundary, a space of their own in which they can play without interfering with one another. Today, whenever we want two entities to be separated in such a way that the working of one does not interfere with the working of the other, we call the arrangement a sandbox. When we implement the same idea in browsers, we call it a browser sandbox.
Browser sandboxing is a strong concept, without which a browser might not even be accepted by users. Since the browser connects us with the world, we must be sure that we stay safe in this heavy stream of communication. This post sheds some light on browser sandboxing by touching on its security value, its relevance, and how modern browsers implement it.
Table Of Contents
- 1 What is Browser Sandboxing?
- 2 Benefits of Browser Sandboxing
- 3 Types of Sandboxing (in general)
- 4 Understanding Browser Sandbox Architecture at a Lower Level – The Chromium Sandbox
- 5 Browser Sandboxing in Other Major Browsers
- 6 Isolation in a Browser Sandbox
- 7 Remote Browser Isolation Methods
- 8 Challenges in Remote Browser Isolation
- 9 Can we Disable the Sandbox in a Browser?
- 10 How Secure is a Browser Sandbox?
- 11 Cloud-Based Testing with Testsigma – An Alternative to Native Local Browser Sandboxing
- 12 Third-Party Browser Sandbox
- 13 Applications of Sandbox
- 14 Wrapping up!
- 15 Frequently Asked Questions
What is Browser Sandboxing?
When we implement sandboxing (meaning that two entities work separately) in a browser to separate it from local system resources, we call it browser sandboxing. This sandboxing applies to any process done inside a browser, be it downloading or uploading, browsing, or streaming media. Technically, when we say a browser has a sandboxing feature, we are not hinting at any user-experience or convenience feature; it falls purely in the security category.
How bad do you think today’s security vulnerabilities are, that we need to talk about sandboxing in the browser?
In an advisory practice, a staff member opened an attachment sent to him by email. While people like you and I might think the attack would be limited to that staff member’s PC, it actually infected all the PCs on the network and shut them down. So even if you are extremely aware of such cases, a single staff member who is not can take you down with them.
Such attacks are not limited to an amateur hacker infecting a PC “for fun”. When it gets big, it gets pretty serious. Browser sandboxing promises the user that whatever happens inside this instance of the application stays inside it. If any application or shell/batch code tries to break out of the sandbox, it is denied access. So, not only does it help secure the local system by restricting access, it also protects the servers and networks on the other side. If a browser downloads a virus or malware, it is deleted when the browser instance is destroyed.
Benefits of Browser Sandboxing
Browser sandboxing is a necessary (and currently mandatory) feature in browsers. Its positive sides are as follows:
- Security – The main motive of implementing sandboxing in the browsers is to secure our resources from malicious content that can get downloaded through the internet.
- Financial saver – On Dec 23, 2021, a 20-year-old man sent an SMS to OCBC bank users with a link stating that their bank account had issues that they could resolve by clicking the link. The link redirected to a replica of the OCBC bank page, where they entered their credentials and he recorded them on his end. OCBC suffered a loss of S$13 million in this incident. While this is not strictly a sandboxing case, it shows the magnitude of the financial losses a user and an organization can suffer if browsers are not secure.
- Testing – Browser sandbox can help you test technologies related to browsers without affecting local resources. If a crash happens or data is wiped out, it all happens within the browser boundaries.
- Research – R&D teams can take advantage of the browser sandbox and experiment their way through a new invention without any risk to local resources.
While these are diverse benefits, many other benefits in the sub-fields of these domains can also be considered.
Types of Sandboxing (in general)
Looking at the major areas of software, sandboxing is most crucial in the following ones.
Operating systems apply their own sandboxing mechanisms to the applications a user installs, and each has its own sandbox policies within which installed applications must work. Windows, for example, isolates an application in its own sandbox and deletes that sandbox when the application is closed. It also uses Microsoft’s hypervisor to separate the Windows sandbox from the host.
Android, on the other hand, uses Linux user IDs to create a secure environment. Two applications with different user IDs (which is to say, two different applications) cannot interact with each other. Applications must instead request permissions from the user (as also happens in the iOS sandbox). If the user does not grant a permission, that decision is stored in the sandbox policy, and the application cannot use that particular hardware, such as the microphone.
Two applications can exchange data, such as images from the phone gallery to an application, but that does not happen directly. Operating systems provide APIs and other contexts for this exchange.
A browser connects us to the outer world. And to be honest, that world is filled with malicious content just looking for a gap in security to slip through into your local system. This is why the browser needs to be isolated from local resources, and that is done through browser sandboxing. The various methods, benefits, and architectures are discussed further in this post.
Cloud-based or Virtual Sandboxing
Sandboxing, as a concept, isolates the application from other resources to prevent any malicious code from entering our system. However, if the applications are installed locally, the chances of a virus reaching other local processes are higher. So sometimes we move the applications to the cloud or to a virtual OS to isolate them from the primary OS’s resources. This is termed cloud-based or virtual sandboxing. We discuss it in detail in the browser isolation section below.
Understanding Browser Sandbox Architecture at a Lower Level – The Chromium Sandbox
Now that we are well versed in the browser sandbox concept in theory, it is important to understand how it works at a lower level. Since browsers implement sandboxes in different ways, we will pick the Chromium browser sandbox for explanation, as most browsers are based on it. Note also that since operating systems differ in implementation and architecture, browser developers have to build different sandboxes for different OSs. In this post we take the Chromium browser sandbox on the Windows operating system, as it has the simplest design.
The sandbox configuration of Chromium on Windows involves two kinds of process:
- A Broker.
- A Target.
Broker Process in Chromium Sandbox
The broker in Chromium is the browser process on Windows. It supervises all the sandboxed processes and related activities. Its primary responsibilities include:
- Specify the policies associated with each target process.
- Spawn the target processes.
- Host the sandbox policy engine service.
- Host the sandbox interception manager.
- Host the sandbox IPC service (to the target processes).
- Perform the policy-allowed actions on behalf of the target process.
Of the responsibilities stated above, all are easy to decode except hosting the IPC service for the target processes. Here, sandbox IPC refers to the inter-process communication channel over which Windows API calls made by a target process are sent to the broker; it is not part of Chromium’s own IPC. Since this is a critical operation, the broker has to evaluate every Windows API call that comes from the target. The process should be transparent and confined to the defined policies. If a call is within policy, the broker performs it and returns the result to the target process over the same IPC.
Since the broker has to supervise and host many services, it must outlive all the target processes for security to hold.
Target Process in Chromium Sandbox
The target processes are the renderers. Their job is to run all of the code present inside the sandbox. Along with that, the target process in the Chromium browser sandbox runs the client side of the services hosted by the broker. For instance, the broker hosts the sandbox policy engine service, and the target runs the policy engine client. The same holds for the IPC service: its client side runs inside the sandbox.
Code running inside the target process can still make Windows API calls. These calls are first picked up by “interceptions”, forwarded to the IPC client, and then sent to the broker. These interceptions are also called hooks, and they are not themselves responsible for security: the broker evaluates each forwarded call against the sandbox policies and restrictions and either rejects it or performs it. This complete flow is secured inside the sandbox by its policies and restrictions.
For the broker and the target to work together, the sandbox is provided as a static library that must be linked into both the broker and the target executables.
Sandbox Security Elements
Finally, we can talk about the elements that help the Chromium browser sandbox create a secure environment on Windows.
A restricted token is derived from the user’s login token. Chromium runs the renderer processes under this restricted token, so the operating system checks every resource they use against it.
The Windows job object helps enforce security on mechanisms that conventionally have no security of their own in the OS, like copying to the clipboard. This creates a barrier for anyone who wants to take advantage of non-secure elements of Windows.
If applications on Windows are on the same desktop, they fall into the same security context. In the past this has resulted in shatter attacks, in which a user with lower privileges injects messages into the message loop of a higher-privileged process. This creates security vulnerabilities, and since a browser is also on that same desktop, a compromised browser could easily exploit it.
To avoid this, Chromium creates an alternate desktop for the sandbox that works in an entirely different security context and prevents injections into the message loops of other Windows services and components, which could be devastating.
Integrity levels in Windows restrict a process from accessing something not meant for a process of its level. Processes and objects are divided into integrity levels, and a token of a lower integrity level is only allowed to read (not write) processes or files of a higher integrity level. This helps create a security barrier between high-risk processes and the rest of the system.
Chromium’s renderer processes are kept at the lowest, “untrusted” integrity level. The other integrity levels are “high integrity,” “medium integrity,” and “low integrity.”
With these elements, and this brief overview of sandbox security, Chromium allows users to safely browse the internet from their local machine.
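The broker/target flow and the integrity rule described above, as an added Python model written for this post (an illustration, not Chromium’s code; the file paths, policy rules and integrity assignments are constructed):

```python
"""Model of the Chromium Windows sandbox's broker/target split (added
illustration, not Chromium code). A target never touches the OS itself: an
interception hook forwards each wanted Windows API call over sandbox IPC to
the broker, which checks it against that target's policy plus the integrity
rule (a lower-integrity token may read, never write, a higher-integrity
object) and performs or rejects it. Paths and rules below are constructed."""
from dataclasses import dataclass, field
from fnmatch import fnmatch

# Windows integrity levels named on the page, lowest to highest.
INTEGRITY = {"untrusted": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Rule:
    subsystem: str   # e.g. "files"
    action: str      # "read" or "write"
    pattern: str     # fnmatch pattern over the object path


@dataclass
class Policy:
    token_integrity: str                      # level of the target's restricted token
    rules: list = field(default_factory=list)


@dataclass
class Broker:
    """Browser process: spawns targets, hosts the policy engine and sandbox IPC."""
    policies: dict = field(default_factory=dict)          # target id -> Policy
    object_integrity: dict = field(default_factory=dict)  # path -> integrity level
    audit: list = field(default_factory=list)

    def spawn_target(self, target_id, policy):
        self.policies[target_id] = policy
        return Target(target_id, self)

    def handle_ipc(self, target_id, subsystem, action, path):
        """Sandbox IPC entry point; returns (allowed, reason)."""
        decision = self._evaluate(self.policies[target_id], subsystem, action, path)
        self.audit.append((target_id, subsystem, action, path, decision[0]))
        return decision

    def _evaluate(self, policy, subsystem, action, path):
        # 1. Mandatory integrity control; unknown objects default to medium.
        obj_level = INTEGRITY[self.object_integrity.get(path, "medium")]
        if action == "write" and INTEGRITY[policy.token_integrity] < obj_level:
            return False, "integrity: write to higher-integrity object denied"
        # 2. Explicit allow rules; anything unmatched is denied by default.
        for rule in policy.rules:
            if (rule.subsystem, rule.action) == (subsystem, action) and fnmatch(path, rule.pattern):
                return True, f"allowed by rule {rule.pattern}"
        return False, "no matching policy rule"


@dataclass
class Target:
    """Renderer: its API calls are hooked and sent to the broker, so the hook
    itself is only a forwarder, not a security boundary."""
    target_id: str
    broker: Broker

    def open_file(self, path, action):
        return self.broker.handle_ipc(self.target_id, "files", action, path)


def demo():
    """Constructed scenario: one untrusted renderer with a small file policy."""
    cache = r"C:\Users\alice\AppData\Local\Chromium\cache"
    broker = Broker(object_integrity={
        r"C:\Windows\System32\drivers\etc\hosts": "high",
        cache + r"\0001": "untrusted",
    })
    renderer = broker.spawn_target("renderer-1", Policy("untrusted", [
        Rule("files", "read", r"C:\Windows\Fonts\*"),
        Rule("files", "read", cache + r"\*"),
        Rule("files", "write", cache + r"\*"),
    ]))
    return {
        "font_read": renderer.open_file(r"C:\Windows\Fonts\arial.ttf", "read")[0],
        "cache_write": renderer.open_file(cache + r"\0001", "write")[0],
        "hosts_write": renderer.open_file(r"C:\Windows\System32\drivers\etc\hosts", "write")[0],
        "docs_read": renderer.open_file(r"C:\Users\alice\Documents\tax.pdf", "read")[0],
    }
```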
Browser Sandboxing in Other Major Browsers
If you are not a user of a Chromium-based browser, your browser sandbox may differ from what we discussed above. We can list their architecture in brief for your understanding.
Firefox Sandbox Architecture
Firefox sandbox separates processes into two categories – a parent process and a child process.
A child process is the one that handles untrusted and potentially malicious code. It is therefore the riskiest element of the architecture, and so it is confined inside a sandbox. If anything has to happen, it happens in a child process and hence inside a sandbox. There are many kinds of child process, and Firefox keeps adding more with its security updates. The child process that handles web content is called the Web Content process.
The parent process is called the “Chrome process” in Firefox. It runs only trusted code and deals with the operating system directly: it can access the file system, network, and devices. If a child process requires anything, it makes an IPC call to the parent requesting it, which is granted or rejected based on the sandbox policies and the type of request.
The parent process, however, is not confined to the sandbox mechanism, as seen in the image above.
Safari Sandbox Architecture
Apple has not made Safari’s sandboxing as clear to the public as other browsers have. This could be because Safari is not open-source software, and opening up about its architecture might help others find loopholes in it. For now, all we know is that Apple’s browser implements a sandbox, which open community channels claim is not as strong as Chromium’s. It isolates tabs, with each tab working independently of the others to increase security. If you happen to know more about the Safari sandbox architecture, let us know in the comment section.
Isolation in a Browser Sandbox
The main threat of using a web browser has always been that malware downloaded from a malicious website could land on the local system. A browser regularly checks the requested websites and their history to flag any that appear malicious. Websites also have to pass a set of rules to be fit for the user, and sometimes a user will see a warning such as “Your connection is not private” with a “Proceed to ….” link to continue anyway.
While the browser has done a lot of hard work to identify the state of a website, the user cannot be trusted: many users take the risk (not being aware of its magnitude) and proceed anyway. A better solution, therefore, is to separate the browser from the local system completely and “isolate” it.
There are two ways to achieve it:
- Isolate the browser installed on the local machine – Local isolation.
- Isolate the browser by taking it to a remote machine – Remote isolation.
Local Isolation in Web Browsers
Separating the browsing activity that exists in the local system is called local isolation in web browsers. This is done by sandboxing the browser instance and restricting its access to the user’s local applications. Anything harmful, if downloaded, will stay inside the sandbox and can be managed smoothly, as local system resources will not be affected.
Another method for achieving local isolation in web browsers is installing the browser in a virtual environment. A virtual environment has its own operating system and pool of resources. Even if the browser downloads a virus and damages that system, the damage is isolated from the primary OS, and you can simply rebuild the environment.
Remote Isolation in Web Browsers
Remote isolation in web browsers moves the browser to a remote machine, separating the browser from the user’s machine completely. The browser is hosted on a remote server, and what the user sees is not the browser’s actual render but a visual stream of the render produced on the server. This way, even if malicious code is downloaded, it never reaches the user’s system. Once the user is done, the live instance of the browser is destroyed along with any virus in it; the next time the user opens the browser, they get a fresh instance.
As seen in the above image on remote browser isolation, the threats are isolated, and the network and the user are protected without any extra efforts from the users.
Another major advantage of remote browser isolation is that, since the browser runs on another server, local resources are not consumed by heavy browser processes. This keeps the local system fast and gives a good browsing experience.
As a tip: in the IT industry, whenever someone refers to “browser isolation,” assume they mean “remote browser isolation” by default. Local browser isolation is invisible to the user, so remote isolation is what popularized the term “browser isolation,” and the two are used interchangeably.
Remote Browser Isolation Methods
Remote browser isolation has become popular because it is more secure and gives the user almost the same experience (apart from occasional lag). How do we achieve it? There are a few methods.
The first, and the riskiest, method of remote browser isolation is DOM mirroring. DOM stands for Document Object Model, which you can essentially think of as all of the website’s code. Malicious content that can be downloaded and harm the system is also inserted into a website as code. So, in this method, the remote server analyzes the requested website’s code (its DOM), removes the parts it judges malicious or risky for the local system, and sends the rest to the user.
As you can see, this method is risky in execution and is not recommended.
As the name suggests, pixel reconstruction rebuilds the pixels of the page on the local user’s system. These pixels are identical to the web page, but the actual website is opened on the remote server, not on the user’s system.
What the user sees is just a reconstructed image of the website, and there is no direct interaction.
The last type of remote browser isolation is a visual stream. Here the website runs entirely on the remote server while the client sees a stream of it on their system. As a modified technique, we can combine DOM mirroring and pixel reconstruction: if DOM mirroring finds some code to be malicious, that part can be delivered by pixel reconstruction so the user does not lose it, while the rest of the code is sent as usual. DOM mirroring is still a risk, though, so it should be handled carefully. The point is worth mentioning nonetheless. 🙂
Challenges in Remote Browser Isolation
With such a vast application area, remote browser isolation does face a few challenges.
- DOM mirroring filtering – DOM mirroring is not an accurate way to separate malicious code from harmless code. What if it filters out non-malicious code and the user cannot use some features of the website? That hurts the business unnecessarily. Conversely, it can also pass malicious code through if that code has been written to look like legitimate code.
- Latency: Since the remote browser isolation technique of the browser sandbox runs on a remote server, the network can add latency (sometimes high), which hinders a good user experience.
- Costs: Needless to say, involving a server with these functions and connecting it to the machine costs far more than operating on the local machine alone, and we can add the extra internet bandwidth these operations consume.
With those challenges noted, the list of benefits of remote browser isolation is long and clearly outweighs them.
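A minimal DOM-mirroring filter of the kind described in the methods section, written as an added illustration for this post (not any vendor’s code) that also shows the filtering problem from the challenges list. It assumes reasonably well-formed HTML, and the sample page is constructed.

```python
"""Toy DOM-mirroring filter, as a remote isolation server might apply it
before sending a page on to the user. Added illustration, not any product's
code; assumes reasonably well-formed HTML. Only an allowlist of tags and
attributes survives; script elements, on* handlers and javascript: URLs are
dropped. The constructed sample page shows the filtering dilemma: the
injected script goes, but so does the page's own form-validation script."""
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"html", "head", "body", "title", "p", "div", "span", "a", "h1",
                "h2", "ul", "li", "img", "form", "input", "button", "br"}
ALLOWED_ATTRS = {"href", "src", "alt", "class", "id", "type", "name", "value",
                 "action", "method"}
VOID_TAGS = {"img", "input", "br"}          # elements without a closing tag
URL_ATTRS = {"href", "src", "action"}
SAFE_URL_PREFIXES = ("http://", "https://", "/", "#")


def safe_url(value):
    """Reject javascript:, data: and any other scheme the allowlist omits."""
    return value.strip().lower().startswith(SAFE_URL_PREFIXES)


class MirrorFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # serialized, filtered markup
        self.dropped = []      # audit trail of what was removed
        self.skip_depth = 0    # > 0 while inside a removed subtree

    def handle_starttag(self, tag, attrs):
        if self.skip_depth or tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            if tag not in VOID_TAGS:
                self.skip_depth += 1   # swallow the whole subtree
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS or name.startswith("on"):
                self.dropped.append(f"{tag}@{name}")
            elif name in URL_ATTRS and not safe_url(value):
                self.dropped.append(f"{tag}@{name}={value}")
            else:
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag not in VOID_TAGS:
                self.skip_depth -= 1
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))


def mirror(page):
    """Return (filtered_html, dropped_items) for one page."""
    f = MirrorFilter()
    f.feed(page)
    f.close()
    return "".join(f.out), f.dropped


# Constructed sample: a sign-in page with its own validation script, plus an
# injected script, an inline event handler and a javascript: link.
SAMPLE_PAGE = (
    '<html><body><h1 onmouseover="alert(1)">Account</h1>'
    '<script src="/static/form-validation.js"></script>'
    '<script>alert("injected")</script>'
    '<form action="/login" method="post"><input type="text" name="user">'
    '<button type="submit">Sign in</button></form>'
    '<a href="javascript:void(0)">Help</a></body></html>'
)

if __name__ == "__main__":
    html_out, removed = mirror(SAMPLE_PAGE)
    print(html_out)
    print("dropped:", removed)
```

The dropped list is what an operator would log: it shows the legitimate validation script being removed alongside the injected one, which is exactly the false-positive problem the challenges section describes.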
Can we Disable the Sandbox in a Browser?
While most of us would not want to work with a browser that is insecure and can harm our data, a few may ask whether the sandbox in a browser can be disabled.
There are no general scenarios that require this. However, I can recall from personal experience the situations in which the methods described below were used to disable the sandbox in a browser.
- Some people develop sandboxes as an open-source or personal project. They need to disable the browser’s own sandbox to verify that their sandbox works.
- Some people may want to use a third-party browser sandbox, for whatever reason.
- Linux systems may prohibit running a browser sandbox because of security policy clashes at the root user level. In such cases the browser can only be run with its sandbox disabled.
When we are in such a situation, although it is strongly advised never to disable the sandbox, we may have to do so. Let’s see what options browsers provide for disabling the sandbox.
Disabling sandbox in Chromium browsers
To disable the sandbox in Chromium-based browsers such as Google Chrome, follow these steps:
- Right-click the browser’s shortcut icon.
- Select Properties.
- Type --no-sandbox (two plain hyphens) after the path in the Target box.
- Close and reopen the browser for the change to take effect.
Disabling sandbox in Mozilla Firefox
Mozilla’s Firefox browser reads environment variables set on the system, and several of them control the sandbox. So, unlike the Chromium case, here you can choose which part of the sandbox to disable.
- Locate firefox.exe in the directory where Firefox is installed.
- Open the command prompt in that location.
- Alternatively, open the command prompt anywhere and change directory to the firefox.exe location.
- Now set the corresponding MOZ_DISABLE sandbox variable to 1 for each sandbox you need disabled.
For instance, if the content sandbox needs to be disabled:
set MOZ_DISABLE_CONTENT_SANDBOX=1
Leave no spaces around the equals sign; in cmd, “set NAME = 1” creates a variable named “NAME ” (with a trailing space), which Firefox will not read. You can find the list of all the Firefox environment variables in Mozilla’s documentation.
Disable sandbox in Safari browser
Currently, disabling the sandbox in the Safari browser is not allowed due to security reasons.
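An added audit script for the defender’s side of this section (written for this post, not from any browser vendor): it flags Chromium-based processes started with --no-sandbox and Firefox processes whose environment sets a sandbox-disabling variable. The MOZ_DISABLE_*_SANDBOX pattern beyond MOZ_DISABLE_CONTENT_SANDBOX and the PowerShell-based live collection helper are assumptions; the sample process records are constructed.

```python
"""Audit check for browsers launched with their sandbox disabled (added
example, not vendor code). Chromium-based browsers are flagged when their
command line carries --no-sandbox; Firefox when its environment sets a
MOZ_DISABLE_*_SANDBOX variable to 1 (MOZ_DISABLE_CONTENT_SANDBOX is the
documented one; the wider pattern is an assumption). collect_windows_processes
gathers live command lines with PowerShell; the records below are constructed
so the check runs offline."""
import json
import re
import shlex
import subprocess
import sys

CHROMIUM_EXES = {"chrome.exe", "chromium.exe", "msedge.exe", "brave.exe", "chrome", "chromium"}
FIREFOX_EXES = {"firefox.exe", "firefox"}
MOZ_DISABLE = re.compile(r"^MOZ_DISABLE_[A-Z_]*SANDBOX$")


def chromium_flags(cmdline):
    """Split a Windows command line into the argv Chromium itself would see.
    posix=False keeps a quoted path containing spaces as one token and
    treats backslashes literally; surrounding quotes are then stripped."""
    return [tok.strip('"') for tok in shlex.split(cmdline, posix=False)]


def audit(processes):
    """processes: dicts with pid, name, cmdline and env (env may be None).
    Returns one finding string per sandbox-disabled browser process."""
    findings = []
    for proc in processes:
        name = proc["name"].lower()
        if name in CHROMIUM_EXES and "--no-sandbox" in chromium_flags(proc["cmdline"]):
            findings.append(f"{proc['name']} (pid {proc['pid']}): started with --no-sandbox")
        if name in FIREFOX_EXES:
            for key, value in (proc.get("env") or {}).items():
                # Exact-name match: 'NAME ' set with spaces around '=' in cmd
                # is a different variable and does not disable anything.
                if MOZ_DISABLE.match(key) and value.strip() == "1":
                    findings.append(f"{proc['name']} (pid {proc['pid']}): {key}=1 in environment")
    return findings


def collect_windows_processes():
    """Live collection on Windows. Win32_Process exposes no environment, so
    only the --no-sandbox check applies to the records it returns."""
    script = ("Get-CimInstance -ClassName Win32_Process | "
              "Select-Object ProcessId, Name, CommandLine | ConvertTo-Json -Compress")
    raw = subprocess.run(["powershell", "-NoProfile", "-Command", script],
                         capture_output=True, text=True, check=True).stdout
    rows = json.loads(raw)
    if isinstance(rows, dict):          # a single process serializes as an object
        rows = [rows]
    return [{"pid": r["ProcessId"], "name": r["Name"] or "",
             "cmdline": r["CommandLine"] or "", "env": None} for r in rows]


# Constructed sample records standing in for live data.
SAMPLE_PROCESSES = [
    {"pid": 4100, "name": "chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --no-sandbox',
     "env": None},
    {"pid": 4188, "name": "chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer',
     "env": None},
    {"pid": 5020, "name": "firefox.exe",
     "cmdline": r'"C:\Program Files\Mozilla Firefox\firefox.exe"',
     "env": {"MOZ_DISABLE_CONTENT_SANDBOX": "1", "PATH": r"C:\Windows"}},
    {"pid": 5101, "name": "firefox.exe",
     "cmdline": r'"C:\Program Files\Mozilla Firefox\firefox.exe"',
     "env": {"MOZ_DISABLE_CONTENT_SANDBOX ": " 1"}},   # mis-set with spaces; not flagged
]

if __name__ == "__main__":
    procs = collect_windows_processes() if sys.platform == "win32" else SAMPLE_PROCESSES
    for line in audit(procs):
        print(line)
```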
How Secure is a Browser Sandbox?
Sandboxes are made to be leakproof and to provide a safe environment for the user to work in. Browser sandboxes are no different: they let users browse the internet without risking their local resources. But can we say that a browser is 100% secure?
There are three ways a browser’s security can be exploited:
- From the user’s side – If the user approves a potential threat even after warnings from the browser and forcefully bypasses the security mechanisms, the virus can enter the local system.
- From the browser’s side – If the browser fails to recognize something as a potential virus, it can grant it permissions not meant for such risky code.
- From the local system – Our local system hosts many applications that do a lot of work the whole time you are using the system. If any of them could change the browser’s access levels and then infiltrate through a website, nothing can be done.
The point is, no security can be called 100% proof until it is broken, and as long as you have an application like a browser on your local system, attackers can reach local resources, because the line between the two is very fine. These reasons popularized remote browser isolation.
Cloud-Based Testing with Testsigma – An Alternative to Native Local Browser Sandboxing
The best way to be sure of the sandbox’s security without compromising the browsing experience is to take the browser to the cloud. This helps many kinds of user, from end-users who just want a cloud browser for a safe experience to organizational testers who do not want any bug to affect their systems. All these segments can be served by Testsigma.
Testsigma is a cloud-based test automation platform that provides access to real devices with browsers installed on them. When we take these browsers to the cloud, we take the attached sandbox with them. Therefore, it can completely eliminate security concerns. As a user, we just select the browser we wish to open and enter the desired web address. That’s it. The browser opens on the cloud device and is visible to us over the secure infrastructure.
But we can achieve a lot more with this platform. Organizations and individual testers are always looking for a system on which they can experiment and freely test their own applications, including penetration testing and looking for security vulnerabilities. With a platform like Testsigma we need not worry about the consequences, and we get two very important things in turn: an array of browsers installed on different systems, and features that support testing, such as plain-English automated script execution, recording, AI-enabled self-healing, and much more. All these are hard to match in any other platform as of now.
Third-Party Browser Sandbox
If you wish, you can use a third-party sandbox developed by open-source communities or individuals and run your browser inside it in place of the browser’s default sandbox.
The following may help you get started in this direction:
- The Sandbox.
- Sandboxie plus.
- Shade Sandbox.
- Shadow Defender.
Applications of Sandbox
Finally, we can list down areas where the sandbox is used apart from inside the browser.
- OS sandboxes including mobile OS.
- API sandbox.
- Virtual OS/hosted system sandbox.
- Capability system sandbox.
- HTML sandbox for iframes.
- JVM sandbox (or that of any other compiled programming language).
- Online system sandbox.
Wrapping up!
A sandbox is a security mechanism that protects our resources from unwanted malicious codes. While its application is probably in each computer-related domain, our post focused on browser sandbox, which translates to implementing a sandbox in a browser and separating it from local resources. It helps prevent harmful effects that might not be reversible and can cost a lot to us.
Browser sandboxing works both ways by simultaneously protecting the servers and client side, and there are no downsides to having a sandbox tagging along with the browser. Such a mechanism deserves to have a detailed post that describes each corner of it, from importance to benefits to its working.
In this post, we talked about the browser sandbox and how it is implemented in various browsers, with a little more focus on the Chromium browser sandbox on Windows. But since these browsers live on the local system and use local resources, the system can “theoretically” be regarded as always at risk. So we move the browser to a remote server and apply the sandbox there, so that even if a penetration occurs, it occurs on the server and keeps us safe. This is called remote browser isolation.
Lastly, we talked about how a browser sandbox can be disabled and why it is never recommended to go that way, even if you are testing software. Having wrapped up with the diverse applications of sandboxes, we can recall a quote by Dan Kaminsky that makes us realize the current security scenario:
“It is a fairly open secret that almost all systems can be hacked, somehow. It is a less spoken of secret that such hacking has actually gone quite mainstream.”
Frequently Asked Questions
What are some of the assets that are being sandboxed?
The most popular assets that are being sandboxed today are:
- Web Browsers.
- Web Pages.
- Browser Plug-ins.
- Mobile Apps.
- Windows Software.
How does a sandbox work?
A sandbox is a security mechanism applied to various assets across a vast variety of domains. A sandbox creates an impenetrable boundary for the asset and separates it from the main system. Since the asset is risky, it prevents damage to the local system by keeping malicious code inside the sandbox that can be deleted and reset easily.
What are some of the issues with sandboxing?
Sandboxed assets are installed on the local system, so they have to consume local resources to work. A good sandbox can differentiate between good code and bad code, and some sandboxes implement a broker-like mechanism to mediate between the app and the system. The biggest issue with sandboxes is that if malicious code passes as “good code,” the local system is compromised.
Secondly, sandboxes can limit the functionality of software, as many things are blocked from use.
Is Incognito a sandbox?
Yes, an incognito mode in a browser is a sandbox in which everything a user does is erased once the incognito window is closed. However, if the user has downloaded any files, they remain on the system.