RE: How to categorize 'desktop application firewalling'?

["Bill Stout" <bill.stout () greenborder com>]

One difference from a sandbox I forgot to mention: The GreenBorder
product uses resource virtualization whereas sandboxes use strict
permissions to block access to some local resources.  In other words, if
both spyware and a web game wants to update the registry, a temporary
copy of the registry is updated instead of blocked access and an
application crash.  Virtualization makes the product more transparent
and more palatable to the user.

So I suppose it's still sandboxing, but with virtualization added in
place of blocking.  It's the same but different.  ;)

Thanks,
Bill

-----Original Message-----
From: Bill Stout 
Sent: Thursday, July 14, 2005 11:47 AM
To: security-basics () securityfocus com
Subject: RE: How to categorize 'desktop application firewalling'?

Hi Adam and others;

After reading the wikipedia and other definitions, I believe you're
right.  

Definitions list four levels of sandboxing: Application (like Java), OS
(like chroot), Virtual Machine (VMware), and Capability Systems (HP
Polaris).

The closest definition that seems to fit is the Java model, but for
applications, not applets.  My favorite definition is here:
http://www.builderau.com.au/program/java/0,39024620,20269115,00.htm 
"What is a sandbox?
An application sandbox is a space in which programs can be run with less
access to system resources than would be available under normal
circumstances. Modern operating systems run all applications in a
sandbox of sorts, which prevents them from accessing and corrupting
memory outside of their allotted regions. Java execution sandboxes
operate at a much higher level than their operating system counterparts
but provide essentially the same role: They prevent applications from
making greater use of the system than is necessary."

Our marketing team feels that 'sandboxing' has some negative
connotations, and avoid associating with sandboxing.  However Java
sandboxing is proven, so I don't think sandboxing at a higher
application level is negative at all.

Thanks all for the public and private responses.

Bill


-----Original Message-----
From: Gaydosh, Adam [mailto:GaydoshA () ctc com] 
Sent: Wednesday, July 13, 2005 1:46 PM
To: Bill Stout; security-basics () securityfocus com
Subject: RE: How to categorize 'desktop application firewalling'?

This sounds like a sandbox to me, like how java applets are executed.  
http://en.wikipedia.org/wiki/Sandbox_%28security%29


> -----Original Message-----
> From: Bill Stout [mailto:bill.stout () greenborder com]
> Sent: Tuesday, July 12, 2005 4:49 PM
> To: security-basics () securityfocus com
> Subject: How to categorize 'desktop application firewalling'?
>
>
> [I posted this to firewalls as a firewalls question but the moderator
> asked me to post this in focus-virus, and focus-virus asked me to post
> to security-basics. - This illustrates the problem I'm trying 
> to solve.]
>
> I'm the IT department for our company, and I'm trying to figure out how
> to simply categorize and describe our software.  
>
>               Here's the complicated description:  Our software
> protects Windows local system resources and the local network from an
> application process accessing untrusted content.  It's like placing
> latex around the application that opens untrusted content.
>                
>               What it means is, processes launched in our protected
> environment do not have the ability to; modify the registry, files on
> disk or the local network.  It also adds confidentiality by blocking
> processes accessing Internet content from read access to 'My 
> Documents',
> local network shares, etc.  Nearly any process can be launched in this
> space, but it does it automatically for just IE and Outlook.  Currently
> the software automatically detects if IE or Outlook is attempting to
> access content from outside the defined network and re-launches an
> application process in the controlled space.
>
>               The result is that with the software installed, you can
> purposely attempt to install spyware or viruses through IE or Outlook
> and it doesn't infect the machine.
>
> All the above is really difficult to explain quickly, and we end up
> describing it as anti-virus/anti-spyware software, although we don't
> recommend throwing existing software out.  
>
> Would anyone have a simpler way of explaining something that firewalls
> desktop applications from local resources?  
>
> Thanks,
>
> Bill Stout
> IT dept
> GreenBorder, Inc.
> www.greenborder.com