A sandbox is a restricted environment in which untrusted software can be executed while limiting its ability to perform actions that malware could exploit. The sandbox may be used as a development environment, limiting the effects of errors that could damage an unprotected environment. Similarly, a sandbox may be used for testing untrusted software, such as software obtained from an untrusted source. Essentially, the programmer must write code that “plays” only within the sandbox, much as children may build whatever they like within the confined limits of a real sandbox but are not allowed to leave it on their own.
Some programming environments, such as the JAVA® platform available from Oracle America, Inc., provide a sandbox environment as part of their development environment. (“JAVA” is a registered trademark of Oracle America, Inc.) In the JAVA development environment, the sandbox is a security measure that establishes a set of rules, applied when an applet is created, that prevent certain operations when the applet is delivered as part of a Web page, for example. When a browser requests a Web page with applets, the applets are sent automatically and can be executed as soon as the page arrives in the browser. If the applet were allowed unlimited access to memory and operating system resources, it could do harm if it were malware. The sandbox creates an environment in which there are strict limitations on what system resources the applet can request or access. In addition to the rules, the JAVA language provides code checkers to guarantee adherence to the limitations of the sandbox.
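The following is an added example, not code from the patent or from Oracle, showing the mechanism the applet sandbox relied on: a java.lang.SecurityManager whose checkPermission method is consulted by the class library before any sensitive operation. The demo installs a manager that enforces two constructed rules (reads only below a sandbox root directory, no writes, deletes or executes anywhere) and then shows one permitted and two refused file operations. The sandbox root, the file names and the allowed() helper are assumptions made for this illustration.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.io.FilePermission;
import java.io.IOException;
import java.security.Permission;

/**
 * Added example (not from the patent): a minimal SecurityManager that models
 * the sandbox rule "untrusted code may read only inside one directory and may
 * not write anywhere". Library calls such as File.exists() and the
 * FileOutputStream constructor invoke checkPermission() before acting, so the
 * denial happens inside the sandbox rather than after the damage is done.
 */
@SuppressWarnings("removal")
public class SandboxDemo {

    /** Directory the sandboxed code is allowed to read (constructed value). */
    static final String SANDBOX_ROOT = System.getProperty("java.io.tmpdir");

    static final class SandboxSecurityManager extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            if (!(perm instanceof FilePermission)) {
                // Property reads, thread creation, etc. are permitted in this
                // demo; a production policy would enumerate those as well.
                return;
            }
            String actions = perm.getActions();
            String path = perm.getName();
            // Rule 1: any write/delete/execute is refused outright.
            if (actions.contains("write") || actions.contains("delete")
                    || actions.contains("execute")) {
                throw new SecurityException("sandbox: " + actions + " denied for " + path);
            }
            // Rule 2: reads are allowed only underneath SANDBOX_ROOT.
            if (!new File(path).getAbsolutePath().startsWith(SANDBOX_ROOT)) {
                throw new SecurityException("sandbox: read outside sandbox root denied for " + path);
            }
        }
    }

    /** Runs one operation and reports whether the sandbox allowed it. */
    static boolean allowed(String label, Runnable op) {
        try {
            op.run();
            System.out.println("ALLOWED  " + label);
            return true;
        } catch (SecurityException e) {
            System.out.println("DENIED   " + label + " (" + e.getMessage() + ")");
            return false;
        }
    }

    public static void main(String[] args) {
        System.setSecurityManager(new SandboxSecurityManager());

        // Permitted: a read-only probe inside the sandbox root.
        allowed("read a file inside the sandbox root",
                () -> new File(SANDBOX_ROOT, "harmless.txt").exists());

        // Refused by rule 2: a read outside the sandbox root.
        allowed("read /etc/passwd",
                () -> new File("/etc/passwd").exists());

        // Refused by rule 1: a write, even though the path is inside the root.
        allowed("create a file inside the sandbox root", () -> {
            try {
                new FileOutputStream(new File(SANDBOX_ROOT, "escape.txt")).close();
            } catch (IOException e) {
                throw new RuntimeException(e);
            }
        });
    }
}
```

Compile with javac SandboxDemo.java and run with java SandboxDemo. SecurityManager was deprecated for removal in JDK 17: on JDK 18 through 23 the program must be started with -Djava.security.manager=allow for setSecurityManager to succeed, and from JDK 24 the API is permanently disabled, so the example runs as-is only on JDK 17 and earlier. The first operation prints ALLOWED and the other two print DENIED; the point of the layout is that the checks live in the library, below the untrusted code, which is what makes a sandbox a containment boundary rather than a convention.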
However, as in every security environment, weaknesses or flaws in the security environment may be exploited once discovered to escape from the sandbox and access resources that the sandboxed software should not be able to access. Intrusion prevention systems attempt to protect against vulnerabilities in an operating system, application, or development environment that would allow such exploits to succeed. Typically, such intrusion prevention systems have used customized sandboxes or virtual machines to monitor exploit behaviors, together with signature-based detection of sandbox exploits, similar to traditional anti-malware software. However, intrusion prevention systems often fail to detect exploits, such as exploits that have not yet been analyzed (often referred to as 0-day exploits). Conversely, some conventional approaches produce false positive indications, flagging as an exploit something that is not. A better approach would be helpful.