Definition
A sandbox isolates program execution: untrusted code runs inside a boundary that mediates every access it makes to memory, files, the network and other host resources, so a bug or malicious intent inside the boundary cannot reach the rest of the system.
In SCU terms: a sandbox constrains χ-mode state transitions to a bounded region, preventing untrusted code from affecting host information states.
χ-Mode Containment
The sandbox creates boundaries:
| Host | Sandbox Boundary | Sandbox |
|---|---|---|
| Protected χ-modes | Restricted access | Isolated χ-modes |
Code inside the sandbox can only modify sandbox χ-modes directly. Every attempt to read or change a host χ-mode has to cross the boundary, where it is mediated by the sandbox policy and can be denied, logged, or rewritten.
How Sandboxing Works
| Mechanism | χ-Mode Protection |
|---|---|
| Memory isolation | Separate χ-mode address space: sandboxed code cannot name, read or write host memory |
| Resource limits | Bound how much CPU, memory, disk and process state the sandboxed χ-modes may consume, so exhaustion stays inside |
| Privilege reduction | Run with the minimal χ-mode permissions the task needs (dedicated user, dropped capabilities, filtered system calls) |
| Monitoring | Observe χ-mode transitions at the boundary to detect and record policy violations |
Applications
| Use Case | What's Protected |
|---|---|
| Web browser | Host, and other sites, from the χ-modes of untrusted web content in renderer processes |
| Malware analysis | Analyst's workstation from the χ-modes of a sample being detonated |
| Mobile apps | System and other apps from each app's χ-modes |
| Containers | Host from container χ-modes (the kernel is shared, so the boundary is weaker than a VM's) |
Sandbox Architecture
Policy determines which χ-mode transitions are permitted. The enforcement mechanism only blocks what the policy names, so an overly permissive policy leaves host χ-modes reachable no matter how strong the mechanism is; the policy, not the mechanism, is the actual boundary.
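The four mechanisms in the table above, and the point that policy is what the boundary enforces, as a runnable Linux example (added here; it is not the page's code and not any project's API). Resource limits are applied with rlimits, memory and filesystem exposure is narrowed to a private scratch directory and a stripped environment, privileges can be dropped to an unprivileged uid/gid, and the parent monitors how the child ended. The probe strings, limit values and helper names are constructed for this demo.

```python
"""Process-level sandbox built from rlimits, a scratch directory, a stripped
environment and an optional privilege drop.  Added example for this page,
not code from the page or from an existing project; assumes Linux + python3."""
import os
import resource
import shutil
import signal
import subprocess
import sys
import tempfile
from dataclasses import dataclass
from typing import Optional

MiB = 1024 * 1024


@dataclass
class SandboxResult:
    returncode: int             # exit status; negative means killed by -signal
    signal_name: Optional[str]  # name of the terminating signal, if any
    stdout: str
    stderr: str
    timed_out: bool


def _set_limit(which: int, soft: int, hard: Optional[int] = None) -> None:
    """Lower a limit without ever trying to raise it above the inherited hard cap."""
    hard = soft if hard is None else hard
    _, inherited_hard = resource.getrlimit(which)
    if inherited_hard != resource.RLIM_INFINITY:
        soft, hard = min(soft, inherited_hard), min(hard, inherited_hard)
    resource.setrlimit(which, (soft, hard))


def _enter_sandbox(max_mem: int, cpu_seconds: int, max_file: int) -> None:
    """Runs in the child between fork() and exec(): this is the boundary.

    The policy is the set of limits below.  Anything not named here is still
    reachable from inside, which is exactly the 'incomplete isolation' caveat."""
    _set_limit(resource.RLIMIT_AS, max_mem)                        # memory: address-space cap
    _set_limit(resource.RLIMIT_CPU, cpu_seconds, cpu_seconds + 1)  # CPU: SIGXCPU at soft, SIGKILL at hard
    _set_limit(resource.RLIMIT_FSIZE, max_file)                    # disk: largest file it may write
    _set_limit(resource.RLIMIT_CORE, 0)                            # no core dumps of untrusted memory
    # NPROC is counted per real uid system-wide, so it only bounds the untrusted
    # code meaningfully once the child runs as a dedicated uid (drop_to below).
    _set_limit(resource.RLIMIT_NPROC, 32)


def _text(data) -> str:
    return data.decode(errors="replace") if isinstance(data, bytes) else (data or "")


def run_sandboxed(code: str, *, max_mem: int = 256 * MiB, cpu_seconds: int = 1,
                  max_file: int = MiB, wall_seconds: float = 10,
                  drop_to: Optional[tuple] = None) -> SandboxResult:
    """Execute untrusted Python source in a sandboxed child and report how it ended.

    drop_to=(uid, gid) performs privilege reduction; it requires the parent to be root."""
    scratch = tempfile.mkdtemp(prefix="sbx-")  # the only writable host χ-modes it gets
    try:
        proc = subprocess.run(
            [sys.executable, "-I", "-c", code],  # -I: ignore PYTHON* env, user site, cwd on sys.path
            cwd=scratch,
            env={"PATH": "/usr/bin:/bin", "HOME": scratch, "LANG": "C"},  # no host env leaks in
            stdin=subprocess.DEVNULL, capture_output=True, text=True,
            start_new_session=True,  # own session: no controlling terminal, killable as a group
            user=drop_to[0] if drop_to else None,
            group=drop_to[1] if drop_to else None,
            extra_groups=[] if drop_to else None,  # also shed supplementary groups
            preexec_fn=lambda: _enter_sandbox(max_mem, cpu_seconds, max_file),
            timeout=wall_seconds,  # wall-clock backstop for code that sleeps instead of spinning
        )
    except subprocess.TimeoutExpired as exc:
        # run() has already SIGKILLed the child; report whatever output was captured
        return SandboxResult(-signal.SIGKILL, "SIGKILL", _text(exc.stdout), _text(exc.stderr), True)
    finally:
        shutil.rmtree(scratch, ignore_errors=True)  # sandbox χ-modes are discarded afterwards
    sig = None
    if proc.returncode < 0:
        try:
            sig = signal.Signals(-proc.returncode).name
        except ValueError:
            sig = f"signal {-proc.returncode}"
    return SandboxResult(proc.returncode, sig, proc.stdout, proc.stderr, False)


if __name__ == "__main__":
    # Constructed probes: benign work, a memory hog, a CPU spin, an oversized write,
    # and a read of the host filesystem that rlimits alone do not stop.
    probes = {
        "benign": "print(sum(range(10)))",
        "mem hog": "x = bytearray(1 << 30)",
        "cpu spin": "while True: pass",
        "big file": "open('big', 'wb').write(b'x' * (2 * 1024 * 1024))",
        "host read": "import os; print(len(os.listdir('/')) > 0)",
    }
    for name, src in probes.items():
        r = run_sandboxed(src)
        print(f"{name:9} rc={r.returncode:4} sig={r.signal_name} out={r.stdout.strip()!r}")
```

The first four probes end inside the boundary (exit 0, MemoryError, SIGXCPU, EFBIG) and the parent learns which limit fired. The last probe prints True: rlimits bound what the child can consume, not what it can reach, so host files stay readable until the policy also adds a filesystem namespace, a system-call filter or a broker. That gap is the incomplete isolation the Limitations section describes, and layering those extra boundaries is the defense-in-depth the Sandbox Escapes section calls for.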
Limitations
| Limitation | Problem |
|---|---|
| Escape vulnerabilities | A flaw in the mediating layer (kernel, runtime or broker) lets sandboxed χ-modes reach host χ-modes the policy never granted |
| Performance overhead | Every mediated χ-mode transition costs time, so heavily isolated code runs slower |
| Compatibility | Legitimate programs that need the restricted χ-modes break or must be rewritten against the sandbox's interface |
| Incomplete isolation | Shared resources the policy does not cover (kernel, caches, filesystem, network) leak χ-modes across the boundary |
Sandbox Escapes
A sandbox escape is a vulnerability in the boundary itself: a flaw in the mediating layer (the kernel, the language runtime, or the broker process that services requests from inside) lets code inside change host χ-modes it was never granted. The boundary is only as strong as its weakest mediated interface, so defense requires defense-in-depth: several independent boundaries layered so that code which escapes one still lands inside another.
The Key Insight
Sandboxes contain χ-mode state changes.
Isolation through χ-mode boundaries:
- Untrusted code executes in sandbox
- Boundaries constrain χ-mode transitions
- Host χ-modes remain protected
- Damage is contained
When we sandbox code, we're creating χ-mode boundaries that isolate untrusted execution—ensuring that malicious information state changes cannot escape to affect the host system.