Sandboxing is a security technique for isolating the execution of untested code and untrusted applications. The best prior sandboxing solutions used virtual machines to isolate one application from the rest of the applications on a system. With the application isolated in a virtual machine, the isolated application cannot compromise the state of the system or other applications. The isolated application can also be migrated from one computer to another computer by carrying the entire virtual machine container (both memory and storage). Finally, vendors can create application appliances by bundling an application and the required operating system components into a virtual machine that is distributed to customers.
Users seldom use isolated virtual machines for security in practice because the machines are too expensive in terms of computer resources because the virtual machines emulate low-level hardware interfaces, thus forcing the isolation container to contain a complete operating system. Furthermore, in common use, only the largest applications (such as server applications) are distributed in virtual machines, again, because the storage resource overheads of including a complete separate copy of the operating system are too high to justify for all but the largest applications.
Additionally, memory overhead for virtual machines is high because each virtual machine runs a complete (or nearly complete) operating system to abstract virtual hardware (within the virtual machine) to provide the type of environment expect by an application. For example, a standard application expects to run on the abstraction of virtual memory. However, a virtual machine typically provides an abstraction of physical memory with page tables, the mechanisms used by an operating system to create virtual memory. Likewise, an application expects to access a file system, whereas a virtual machine only provides the abstraction of disk blocks. Finally, where an application expects the abstraction of threads of execution, a virtual machine provides instead the hardware abstractions of processors, timers, and interrupts, out of which an operating system creates the abstraction of threads.