Is there a lightweight, programmable Sandbox API for the Windows platform? [closed]

Answer 1

Unfortunately, for Windows hosts your options are extremely limited. However, on Linux hosts, options such as mbox and capsicum are available which do what what you describe - i.e. lightweight, application level sandboxing.

Answer 2

No, there is not.

I mean, you can use a different Windows account (with whatever permissions you consider appropriate), but then you need to be comfortable that the untrusted app can't break out of that. But you do have that same problem with VMWare (it has had bugs in the past that let you break out). Best thing to do is run in a Virtual Machine.

Answer 3

In a "sandboxing" question of mine I was pointed to Sandboxie. I does not solve my problem at all but maybe it is interesting for you?

I don't know if it has an API but a quick google indicates that it is at least somehow automatable via command line.

Answer 4

I have not implemented this..but my $.02.

You can consider implementing a Windows station. A windows station is basically a security boundary to contain desktops and processes Only one Windows Station is permitted for Console Logon (Winsta0) http://msdn.microsoft.com/en-us/library/windows/desktop/ms682573(v=vs.85).aspx

You can achieve, process, Windows Object, and ACL Isolation on a per station basis. Some API functions used in Windows Station are listed here: http://msdn.microsoft.com/en-us/library/windows/desktop/ms687107(v=vs.85).aspx

An Overview of Sessions,Desktops and Windows Stations. http://blogs.technet.com/b/askperf/archive/2007/07/24/sessions-desktops-and-windows-stations.aspx

There is a CodeProject example here with source: http://www.codeproject.com/Articles/21352/Virtual-Desktop-A-Simple-Desktop-Management-Tool

I would recommend using API Monitor to debug Win32 API Calls http://www.rohitab.com/apimonitor

hth

Answer 5

You can use Invincea FreeSpace or the free Sandboxie. Not sure if any of them are scriptable or not.

These are called Containment applications, i.e., sandboxes. You can read about it here: https://www.fas.org/irp/congress/1997_hr/h970211gm.htm

Answer 6

You may also be interested in Google's Native Client (also known as NaCl). This is a project that aims to be able to run (verifiable) x86 code inside a sandbox.