Sandboxing for secure app development: Adobe Reader’s 'protected view'
To prevent malicious code running inside the sandbox from tampering with system resources and other parts of the operating system, the sandboxed process is placed in a Windows job object. A job object lets a group of processes be managed as a single unit on which additional restrictions can be imposed. Once a process has been assigned to a job it cannot leave that job for the rest of its lifetime and remains subject to the job's limits; by default, any child process it creates is placed in the same job.
The Adobe Reader sandbox process is placed in a job object with the following restrictions:
• Active process limit - at most one active process in the job (JOB_OBJECT_LIMIT_ACTIVE_PROCESS with ActiveProcessLimit set to 1), so the sandboxed process cannot spawn child processes
• Desktop - cannot create or switch desktops (JOB_OBJECT_UILIMIT_DESKTOP)
• Display settings - cannot call ChangeDisplaySettings (JOB_OBJECT_UILIMIT_DISPLAYSETTINGS)
• Exit Windows - cannot shut down, restart or log off via ExitWindows(Ex) (JOB_OBJECT_UILIMIT_EXITWINDOWS)
• USER handles - cannot use USER handles (windows, menus, hooks and the like) owned by processes outside the job (JOB_OBJECT_UILIMIT_HANDLES)
• System parameters - cannot change system-wide parameters via SystemParametersInfo (JOB_OBJECT_UILIMIT_SYSTEMPARAMETERS)
• Administrator access - no process in the job may use a token that includes the local Administrators group (JOB_OBJECT_SECURITY_NO_ADMIN)
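As an added example (written for this page; it is not Adobe's code and does not appear in the original article), the following C program builds a job object carrying the restrictions listed above and launches a child process inside it so that the child never runs a single instruction unconfined. The constant, structure and API names are the real Win32 ones from winnt.h; the child command line notepad.exe is a placeholder, and JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE is an extra that the list above does not mention. The off-Windows fallback definitions exist only so the flag helpers can be compiled and checked on any host.

```c
#include <stdio.h>
#include <stdint.h>
#ifdef _WIN32
#include <windows.h>
#else
/* Off-Windows fallback: values copied from winnt.h so the flag helpers
 * compile and can be tested anywhere; the Win32 calls are _WIN32-only. */
typedef uint32_t DWORD;
#define JOB_OBJECT_LIMIT_ACTIVE_PROCESS     0x00000008
#define JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE  0x00002000
#define JOB_OBJECT_UILIMIT_HANDLES          0x00000001
#define JOB_OBJECT_UILIMIT_SYSTEMPARAMETERS 0x00000008
#define JOB_OBJECT_UILIMIT_DISPLAYSETTINGS  0x00000010
#define JOB_OBJECT_UILIMIT_DESKTOP          0x00000040
#define JOB_OBJECT_UILIMIT_EXITWINDOWS      0x00000080
#define JOB_OBJECT_SECURITY_NO_ADMIN        0x00000001
#endif

/* Basic limits: one active process, so the sandboxed process cannot spawn
 * children.  KILL_ON_JOB_CLOSE is an addition not in the page's list: it
 * tears the sandbox down as soon as the broker closes the job handle. */
DWORD sandbox_basic_limit_flags(void)
{
    return JOB_OBJECT_LIMIT_ACTIVE_PROCESS | JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE;
}

/* The five USER-level restrictions listed on the page. */
DWORD sandbox_ui_restriction_flags(void)
{
    return JOB_OBJECT_UILIMIT_DESKTOP           /* CreateDesktop/SwitchDesktop */
         | JOB_OBJECT_UILIMIT_DISPLAYSETTINGS   /* ChangeDisplaySettings       */
         | JOB_OBJECT_UILIMIT_EXITWINDOWS       /* ExitWindows(Ex)             */
         | JOB_OBJECT_UILIMIT_HANDLES           /* USER handles from outside   */
         | JOB_OBJECT_UILIMIT_SYSTEMPARAMETERS; /* SystemParametersInfo        */
}

#ifdef _WIN32
/* Apply all three information classes to a freshly created job. */
static int apply_sandbox_limits(HANDLE job)
{
    JOBOBJECT_BASIC_LIMIT_INFORMATION bli = {0};
    JOBOBJECT_BASIC_UI_RESTRICTIONS uir = {0};
    JOBOBJECT_SECURITY_LIMIT_INFORMATION sli = {0};
    bli.LimitFlags = sandbox_basic_limit_flags();
    bli.ActiveProcessLimit = 1;
    if (!SetInformationJobObject(job, JobObjectBasicLimitInformation, &bli, sizeof bli))
        return 0;
    uir.UIRestrictionsClass = sandbox_ui_restriction_flags();
    if (!SetInformationJobObject(job, JobObjectBasicUIRestrictions, &uir, sizeof uir))
        return 0;
    /* Reject any token carrying the local Administrators group.  Microsoft's
     * documentation now lists this information class as unsupported, so a
     * failure here is treated as fatal rather than silently ignored. */
    sli.SecurityLimitFlags = JOB_OBJECT_SECURITY_NO_ADMIN;
    return SetInformationJobObject(job, JobObjectSecurityLimitInformation, &sli, sizeof sli) != 0;
}

/* Start cmdline suspended, assign it to the job, then resume it, so the child
 * never executes outside the job.  Returns the job handle or NULL on failure. */
HANDLE launch_in_sandbox_job(wchar_t *cmdline)
{
    STARTUPINFOW si = {0};
    PROCESS_INFORMATION pi = {0};
    HANDLE job = CreateJobObjectW(NULL, NULL);
    si.cb = sizeof si;
    if (job == NULL)
        return NULL;
    if (!apply_sandbox_limits(job) ||
        !CreateProcessW(NULL, cmdline, NULL, NULL, FALSE, CREATE_SUSPENDED,
                        NULL, NULL, &si, &pi)) {
        CloseHandle(job);
        return NULL;
    }
    if (AssignProcessToJobObject(job, pi.hProcess)) {
        ResumeThread(pi.hThread);
    } else {
        TerminateProcess(pi.hProcess, 1);   /* never let it run unconfined */
        CloseHandle(job);
        job = NULL;
    }
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return job;
}

int main(void)
{
    wchar_t cmd[] = L"notepad.exe";   /* hypothetical sandbox child */
    HANDLE job = launch_in_sandbox_job(cmd);
    if (job == NULL) {
        fprintf(stderr, "sandbox launch failed, error %lu\n", GetLastError());
        return 1;
    }
    Sleep(5000);        /* closing the handle then ends the sandboxed process */
    CloseHandle(job);
    return 0;
}
#endif
```

Two practical notes. JOB_OBJECT_UILIMIT_HANDLES cuts both ways: if the broker needs the sandboxed process to draw into a window the broker owns, it must explicitly grant that one handle with UserHandleGrantAccess rather than relax the whole restriction. And the list above does not include the clipboard (JOB_OBJECT_UILIMIT_READCLIPBOARD / WRITECLIPBOARD) or global atom table restrictions that job objects also offer, so those remain reachable from inside this job unless added. On Windows 7 and earlier a process can belong to only one job, so AssignProcessToJobObject fails if the child inherited a job from its parent; nested jobs arrived with Windows 8.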