Sandbox once, use anywhere

Safely play around with new software in Google’s open source Sandboxed API

Jane Elizabeth
Sandboxed api
© Shutterstock / DreamBig

No one wants to accidentally infect their system with a security vulnerability. Now, developers can safely dig into new software with the Sandboxed API. Newly open sourced by Google, this data security tool helps ensure the safety of your system while still letting developers put new programs through their paces.

Software isolation isn’t a punishment; it’s a way to make sure your shiny new program that you picked up off of the internet plays nicely with your system and isn’t riddled with malware. Thanks to the newly open sourced Sandboxed API, developers can test out new options without putting their system at risk.

Sandboxed API (SAPI) automatically generates sandboxes for C/C++ libraries. Security is not an afterthought with this project; each SAPI library utilizes a tightly defined security policy. While it’s only designed to handle part of a binary, the Sandboxed API can be used to try out a library or some other bit of code with an unknown security posture.

Dig into new code in the Sandboxed API

Let’s be real, we get a lot of tools, libraries, and frameworks off of the internet, but nobody wants to accidentally infect their system with a security vulnerability. The Sandboxed API is here to help, with a security system designed by Google to help mitigate any issues you could run into. It’s resistant enough to attacks while still easy to use for developers of all levels.

Developers can create security policies for individual software libraries, making it possible to build reusable, secure implementations inside them without impacting the rest of the software.

Essentially, Sandboxed API separates whatever needs to be quarantined and its callers into two different OS processes: the host binary and the sandboxee. Any library calls are marshalled by an API object on the host side and sent via interprocess communication to the sandboxee, where a RPC stub unmarshals and forwards calls to the original library.

How Sandboxed API works. Source.

Sandboxed API provides the API object and the RPC stub. Developers need to have a sandbox policy, a set of systems calls that the underlying library is allowed to make, and the resources it is allowed to access. After it’s set up, a Sandboxed API library can be used in other projects.

While this tool is only available for software libraries or code written in C/C++ right now, other languages may become available in the future.

SEE ALSO: StackFoundation’s Sandbox automates your daily Docker chores

Getting the Sandboxed API

Have Bazel? It only takes a quick download to get the Sandboxed API installed:

sudo apt-get install python-typing python-clang-7 libclang-7-dev linux-libc-dev
git clone && cd sandboxed-api
bazel test //sandboxed_api/examples/stringop:main_stringop

For everyone else, more information is available on GitHub. There’s also a helpful Getting Started Guide and a few examples here.

Jane Elizabeth
Jane Elizabeth is an assistant editor for

Inline Feedbacks
View all comments