Helping people with computers... one answer at a time.

Sandboxes and Virtual Machines can help isolate you from certain types of threats. We'll look at what they are and how they might, or might not, help.

I've been very interested in your articles on what a website can learn about you when browsing, cookies, and passwords etc. I wonder if you would like to comment on the pros and cons of using a sandbox (I use Sandboxie). Does using one overcome some of the issues you have discussed?

I'm going to add virtual machines to the mix that this question opens up, since the answer is (roughly) the same.

And the answer is that age old trio: yes, maybe and no.

The problem is that while sandboxes and VM's can help, they can help only in some ways, and that help comes at a cost.

First, let's define what we're talking about.

A "sandbox" is software that allows you to run an application in such a way that it prevents the application from writing outside of the sandbox.

Normally, when you run a program like your browser, it makes changes to your system; registry settings, internet caches, browsing history and the like are all written to disk. On top of that, downloads including things like potentially unwanted spyware also arrive via the browser and install themselves onto your hard disk so that the next time you run the browser - or the next time you even just boot your system, that spyware is still there, doing its spyware thing.

When run in a sandbox, all those changes still appear to happen, except that they're never actually permanently placed on disk. When you exit the browser and its containing sandbox, all those changes disappear. History, cache, settings ... and spyware.

"Virtual machines are, in essence, a virtual 'entire PC in a window'."

All sounds great, right? Except ... what if you want your history, but not the spyware? What if you actually do want to make a change that persists from one run of the sandboxed browser to the next? That requires that the browser in some way be allowed to write outside of the sandbox.

Either it can't, or a hole needs to be poked into the sandbox to allow it. Unfortunately if a hole needs to be poked for one thing, it's possible that other things can leak through as well.

Virtual machines suffer similar limitations.

Virtual machines are, in essence, a virtual "entire PC in a window". When you start a virtual PC, for example, the first thing you see is a window open up in Windows that contains a virtual BIOS screen as it starts up and tries to boot. I use a virtual machine to run Ubuntu Linux in a window on my Windows XP laptop:

Ubuntu Linux in a window in Windows XP

The benefit of a virtual machine is that it can't directly modify the "real" Windows running on your machine. The virtual machine is assigned its own hard disk space, and that's what it treats as its virtual "entire hard disk". Any modifications you make within the machine - its settings for example - are stored on that virtual hard disk.

You can run a browser in a copy of an operating system running in a virtual machine and any settings it changes, any history it creates, and any spyware that it downloads affect only the virtual machine. If you keep a snapshot of an original virtual machine hard disk image then any time you find you want to discard all the settings, history and perhaps malware, all you need do is erase the current image and copy over the original to start again, clean.

But once again the limitations set in. While the setting changes you make are kept from run to run, if you do decide to start over that does mean that they're all lost. And if you want those changes to take effect in your "real" Windows installation, you're still faced with running the browser in the real Windows, not the VM.

But if you can train yourself to do casual, or risky browsing only in the VM, then it's a great solution to prevent malware from reaching your machine. In fact, I'd encourage you to install not Windows, but Linux in a virtual machine. Besides being free, it's immune to most Windows-based malware attacks.

But we didn't come here to talk about malware, really. The original question asked about the greater privacy issues that were raised in prior articles on what web sites can tell about you.

In short:

  • No mater what technique you use, VM or sandbox, your IP address remains unchanged. Websites will see your IP, as well as the date/time of your visit, and the type of browser you happened to use.

  • Using most sandboxes will effectively erase cookies each time you exit the browser, blocking any cookie tracking between session. Using a virtual machine, cookies are retained as long as you use the same VM, but as soon as you reset your VM to a clean state they're all also effectively erased. In either case, using a sandbox or VM for this purpose is overkill, since you can achieve the same results by ... deleting all cookies every time you exit your browser. (In fact, I think some browsers even have an option or an extension to do exactly that automatically.)

  • And of course, sites can and will have access to any information you actually tell them, regardless of how the browser is, or is not, isolated in a sandbox or VM.

Ultimately, the value of sandboxing or using a VM is not really privacy at all, but rather safety. Using these technologies can help isolate you from malware that you might accidentally download in your browser.

But, again, at a cost of some convenience and complexity.

Article C3518 - October 1, 2008 « »

Share this article with your friends:

Share this article on Facebook Tweet this article Email a link to this article
Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

7 Comments
Mike B
October 1, 2008 11:35 PM

Thanks. Your article is really helpful.

MrGroove
October 4, 2008 1:20 AM

Nice write-up. I would however argue that by using a VM it can help you from a privacy and security standpoint just being that if you keep your VM in "Disk Undo Mode". Like you said, each time you reset the box and the disk goes back to vanilla all the cookie tracking and other malware that is tracking you is gone. From a privacy standpoint, that is good. And from a security standpoint if the VM is not a member of your local domain or network (that is as long as your other machines have their firewall turned on to protect from the VM) your covered from a VM as well.

All in all, I think it's a good idea but I do agree. your not covering ALL your tracks because they still have your IP address and all the information from that SESSION as well.

Art
April 9, 2009 1:41 AM

You don't need sandbox or virtual machine to protect your privacy. Just use a good privacy keeper - History Killer Pro

Aleister Cromwell
August 18, 2010 10:58 PM

It was informative. I would like you to address the question of whether or not it can help you
maintain privacy when the host machine is compromised. A keylogger for example, is the keyboard still being logged in the host machine when you type in the VM - or a trojan (that isn't in antivirus databases yet) will the screenshots be taken in the VM? Can you disable host connectivity without impairing the VM? It's an odd question, but very relevant to those who are being stalked by the skilled - compromise is relatively constant and one needs to engineer solutions to maintain privacy...

Aleister Cromwell
August 19, 2010 12:43 AM


Zero Day? No I think this is a method been around for a while. I am relatively ignorant of it, but have been trying to use virtual machines and 'embedded linux' like andlinux - to deal with it.

Windows is not really secure at a machine language level.

There are all kinds of system processes acting in the background, there is something called lsass which can use an active debugger that modifies code in running applications.

Run the latest zone alarm and watch for 'code injections'

When a program crashes you can sometimes execute code in memory like a .jmp instruction. I keep having this error in almost every firewall I use, (every version too)

I think it is a division by zero type of error forced on the app.

EXCEPTION : Unknown at (0x00000000) Address 0x00000000

Who knows what's being run at that point.

ron
October 4, 2011 8:32 PM

Another benefit of VMs is that they can be changed more easily than an installed machine.

Browsers have to expose a great deal of information about your system configuration. Enough detail that your system can be uniquely identified. The technique itself is called fingerprinting. So if you are concerned enough to be worried about being identified, you can modify the VM configuration to generate a new "signature".

IP's can be hidden behind services like TOR.

joe s
April 3, 2012 10:44 AM

I'd like to instal Linux on a new higher speed/capacity machine with a VM running my old XP image as if I still had the old machine. This would allow me to run my old programs & drivers uninterrupted perpetually. Am I right? I would use either Matrium Reflect or Easius for the image. I couldn't find anything addressing this approach.

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to http://askleo.com/ask to ask your question.