The present invention relates, generally, to the field of computer security, and more specifically, to utilizing operating-system-level virtualization to implement a separate and secure computing environment (e.g. a sandbox).
In computer security, a sandbox is a security mechanism for separating running software applications, usually in an effort to keep system failures or software vulnerabilities from spreading. A sandbox may be used to run untested or untrusted software applications, possibly from unverified third parties (e.g. suppliers, users, or websites), without risking harm to the host computing device or operating system. For example, sandboxing may be used to test unverified programs which may contain a computer virus or other malicious code without exposing the host computing device to infection. A sandbox typically provides a controlled set of resources for an unverified application to utilize. Network access, the ability to inspect the host computing device, and the ability to read from input devices are usually disallowed or restricted.
Operating-system-level virtualization, also known as containerization, refers to an operating system feature in which the kernel allows the creation of multiple isolated user-space environments, called containers. A container is a lightweight, stand-alone, executable package of a piece of software that includes everything needed to run it (i.e., code, runtime, system tools, system libraries, settings, etc.). A computer program running on a typical computer can see all resources (e.g., connected devices, files and folders, network shares, CPU power, and other quantifiable hardware capabilities) of that computer. However, a computer program running inside a container can only see the container's contents and devices assigned to the container.
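The visibility property described above (a program inside a container sees only the container's contents) rests on kernel namespaces. The following script is an added example, not part of the patent text or any product it describes: it starts a shell in new user, PID and mount namespaces using the util-linux `unshare` tool and compares what that shell sees with what an ordinary process on the same host sees. It assumes a Linux host with `unshare` installed and unprivileged user namespaces enabled; when either assumption fails, `isolated_pid_view()` returns `None` rather than guessing.

```python
"""Added example (not from the patent): the "container sees only its own
contents" property, demonstrated with Linux namespaces.

Assumptions: Linux, util-linux `unshare` on PATH, unprivileged user namespaces
enabled. The helper returns None when those assumptions do not hold.
"""
import os
import shutil
import subprocess


def host_view():
    """What an ordinary (non-containerized) process sees: its real PID and the
    identity of the PID namespace it lives in."""
    ns_path = "/proc/self/ns/pid"
    return {
        "pid": os.getpid(),
        "pid_ns": os.readlink(ns_path) if os.path.exists(ns_path) else None,
    }


# Command run inside the new namespaces. In a fresh PID namespace the shell
# is PID 1, and with /proc re-mounted (--mount-proc) it lists only processes
# that belong to that namespace, not the host's processes.
_INNER = "echo $$; readlink /proc/self/ns/pid; ls /proc | grep -c '^[0-9]'"


def isolated_pid_view(timeout=10):
    """Run a shell in new user, PID and mount namespaces (the building blocks
    of OS-level virtualization) and report what it can see.

    Returns None when `unshare` is missing or the kernel refuses unprivileged
    namespaces, so callers can tell "not supported" from a real result.
    """
    if shutil.which("unshare") is None:
        return None
    cmd = ["unshare", "--user", "--map-root-user", "--pid", "--fork",
           "--mount-proc", "sh", "-c", _INNER]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True,
                              timeout=timeout)
    except (OSError, subprocess.TimeoutExpired):
        return None
    if proc.returncode != 0:
        return None
    fields = proc.stdout.split()
    if len(fields) != 3:
        return None
    return {
        "sandbox_pid": int(fields[0]),          # 1 inside a new PID namespace
        "sandbox_pid_ns": fields[1],            # differs from the host's
        "visible_processes": int(fields[2]),    # only the sandbox's own
    }


def compare_views():
    """Side-by-side summary of host and sandbox visibility."""
    host = host_view()
    sandbox = isolated_pid_view()
    return {
        "host": host,
        "sandbox": sandbox,
        "separate_pid_namespace": (sandbox is not None
                                   and sandbox["sandbox_pid_ns"] != host["pid_ns"]),
    }


if __name__ == "__main__":
    print(compare_views())
```

On a host that permits unprivileged user namespaces, the sandboxed shell reports PID 1, a different PID-namespace identifier than the calling process, and a process count that excludes everything running on the host; that is the isolation the patent's background refers to. Where the kernel or a hardening policy disables unprivileged namespaces, the function returns `None`, which a real sandbox implementation should treat as "isolation unavailable" rather than silently running the untrusted program on the host.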