Tuesday, September 29, 2009

Working With Sanbox

Yesterday I was trying some modified virus versions on my MAC while I discovered that I was loosing the virus control. It was like Panic ! Fortunately I recovered my system but how to follow my tests ? Installing a new OS X system on a virtual machine seems to o much time consuming, moreover I don't have any OS X iso around my office. So I decided to use Sandboxes ! I looked around for a while before figure out that on every OS X (>10.5) there is an already installed sandbox: :"SandBox-exec".

From wikpedia for people not familiar with sandbox:

Sandbox is a security mechanism for separating running programs. It is often used to execute untested code, or untrusted programs from unverified third-parties, suppliers and untrusted users.
The sandbox typically provides a tightly-controlled set of resources for guest programs to run in, such as scratch space on disk and memory. Network access, the ability to inspect the host system or read from input devices are usually disallowed or heavily restricted. In this sense, sandboxes are a specific example of virtualization.

How does it work ?
Well it's pretty easy. First of all take a look into /usr/share/snadbox/ for a complete list of configuration commands. After that try to build your own configuration file, here a very simple "Deny All network Connections"

(version 1)
(allow default)
(deny network*)

Here the screenshot of a ping used without sandbox-exec and within sandbox-exec (click on the picture to enlarge) :

I totally suggest this approach to test unknown files or suspected files, even if made from your hand.

No comments: