Microsoft unveils code for 'high-security' Sandbox

02 Feb 2009

Microsoft last week released the source code for its Web Sandbox virtualisation technology, offering Web developers a new method for protecting the contents of a web page from malicious exploits and code injections.

The project has been released under the Apache 2.0 license, a source no doubt familiar to Microsoft, as the company began sponsoring the Apache Software Foundation to the tune of $100,000 annually last July.

The Sandbox technology is designed to isolate the different parts of a web page from each other via virtualisation, thus enhancing security. Additionally, it will work with most browsers – not just Microsoft's.

Microsoft released a community technology preview of Web Sandbox at its Professional Developers Conference (PDC) in Los Angeles in late October. However, more visible projects – for instance, Windows 7 and Windows Azure - got much more attention at the PDC, and Web Sandbox was lost in the noise.

While the Apache Software Foundation isn't sponsoring or endorsing Sandbox - Microsoft was careful to point out that the project is not sanctioned or sponsored by Apache, and it is just using the software license  - the move is nevertheless the second time Apache and Microsoft are tying up this year. Microsoft announced its intentions to donate code to Apache's Stonehenge project on 19 January.

"Modern web pages are made up of pieces that may be served from different locations - maps, visit counters, affiliate programmes that run scripts on your page, gadgets built by outside developers, and more," says a statement on the Live Labs Web Sandbox page.

With so much going on the scenes, Live Labs developers were looking for a way to isolate processes that should not be allowed to communicate directly, if at all, with each other. The key is to virtualise each component to more tightly control what it can do to other components or what they could do to it. Thus the term 'sandbox', the statement adds.

Although Microsoft is urging developers to put the Web Sandbox through its paces and try to break through its security, and thus help strengthen its protection, officials are not recommending that anyone build production Web sites with it yet. It's still under development.

Microsoft started up Live Labs almost exactly three years ago as a move "to enable rapid innovations of Internet technologies," according to the organisation's charter.

Web Sandbox features technology for mashing up code while maintaining process isolation, quality of service protection, and security. It is intended to address a problem in which Web gadgets, mashup components, advertisements, and other third-party content on Web sites either run full trust alongside content or are isolated inside of IFrames. This results in many Web applications being intrinsically insecure, with unpredictable service quality.

Web Sandbox builds upon Microsoft's experience with DHTML, Windows, Windows Live Web-based gadgets, and the Microsoft BrowserShield project, which leverages JavaScript virtualisation through rewriting.