Google open-sources project for sandboxing C/C++ libraries on Linux

Support for other programming languages to be added in future releases.

Sandbox

Image: Google

Google has open-sourced today a project for sandboxing C and C++ libraries running on Linux systems. The project's name is the Sandboxed API, a tool that Google has been using internally for its data centers for years.

The Sandboxed API is now available on GitHub, together with the documentation needed to help other programmers sandbox their C and C++ libraries and protect them from malicious user input and exploits.

For ZDNet users unfamiliar with the term, "sandboxing" refers to running an app or source code inside a "sandbox."

In software design, a "sandbox" is a security mechanism that works by separating a process inside a tightly controlled area of the operating system that gives that process access to limited disk and memory resources.

The idea behind sandboxing and sandboxes is to prevent bugs and exploit code from spreading from one process to another, or the underlying operating system and the kernel.

What is the Sandboxed API?

The Sandboxed API is a library that helps coders automate the process of porting their existing C and C++ code to run on top of Sandbox2, which is Google's custom-made sandbox environment for Linux operating systems.

Sandbox2 has also been open-sourced and included with the main Sandboxed API GitHub repository.

Google's Sandboxed API and Sandbox2 are not the first sandboxing tools to be open-sourced or made available online, and developers have other tools at their disposal if they ever wish to sandbox their code. However, they come with Google's seal of approval.

"Many popular software containment tools might not sufficiently isolate the rest of the OS, and those which do, might require time-consuming redefinition of security boundaries for each and every project that should be sandboxed," Christian Blichmann & Robert Swiecki, from Google's ISE Sandboxing team said.

The Sandboxed API project is meant to address both issues, by providing a tried and tested/trusted tool that is also easy to use.

Other programming languages to be supported

In a blog post today, Google said that future plans for the Sandboxed API project include supporting libraries written in other programming languages besides C and C++, but also porting Sandbox2 to other Unix-like operating systems like the BSDs (FreeBSD, OpenBSD) and macOS.

"A Windows port is a bigger undertaking and will require some more groundwork to be done," Blichmann and Swiecki said.

Most modern applications today run in a sandboxed environment, such as Google's Chrome browser, and more recently, Microsoft's Windows Defender --which became the first antivirus to do so last fall.

The Sandboxed API is also not the first Google security tool to be open-sourced online. The company open-sourced an internal tool named BrokenType last year for finding security bugs in font display (rasterization) components.

Google also open-sourced two fuzzers called Syzkaller and OSS-Fuzz, one for fuzzing OS kernel components, and the other for fuzzing more mundane and run-of-the-mill open source projects and libraries.

Related cyber-security coverage: