Sandboxing for secure app development: Adobe Reader’s 'protected view'

By

Disha Agarwal, Contributor

2/4

2. Restricted job objects

To prevent malicious code inside a sandbox from tampering with system resources and parts of the operating system, a sandbox process is tied into a Windows job object. Windows job objects allow a group of processes to be managed as a single unit to which additional restrictions that can be imposed. Within its lifetime, a process assigned to a job cannot leave the job, and is subject to its limitations.

The Adobe Reader sandbox process is placed in a job object with the following restrictions:

• ActiveProcess - ActiveProcess limit of 1

• Desktop Limited - Inability to create or switch to desktops

• Display Settings - Inability to call ChangeDisplaySettings

• Exit Windows - Inability to exit windows via ExitWindows(Ex)

• USER Handles - Inability to use USER handles owned by processes not associated with the same job

• System Parameters - Inability to change system parameters via the SystemParametersInfo function

• Administrator Access – Prevents any process in the job from using a token that specifies the local administrators group

>>Go back to the main article<<

View All Photo Stories

CIO

Ally's generative AI strategy eyes multiple LLMs, AI agents
The digital bank plans to privately host multiple LLMs on its GenAI platform, explore autonomous agent technology and evaluate ...
States act on privacy laws as Congress considers new bill
The American Privacy Rights Act introduced this week aims to establish a national privacy standard that would preempt state ...
CHIPS and Science Act funds TSMC, Intel projects
The Biden administration has awarded billions through the CHIPS and Science Act to five companies to invest in building and ...

CISA: Akira ransomware extorted $42M from 250-plus victims
The Akira ransomware gang, which utilizes sophisticated hybrid encryption techniques and multiple ransomware variants, targeted ...
Cisco discloses high-severity vulnerability, PoC available
The security vendor released fixes for a vulnerability that affects Cisco Integrated Management Controller, which is used by ...
3 Keycloak authorization strategies to secure app access
Keycloak, an open source IAM tool, offers authorization methods, including RBAC, GBAC and OAuth 2.0, that limit what users can ...

Is network automation adoption necessary?
Automation is not a one-size-fits-all strategy for every network problem. Enterprises must examine their network's needs to ...
How SD-WAN for home offices supports remote work
The market maturation of SD-WAN is leading companies to consider extending the technology to remote workers. Companies should ask...
The role of generative AI in networking
As networks grow more complex, generative AI emerges as a tool that can help network teams with a wide range of tasks, such as ...

Infrastructure for machine learning, AI requirements, examples
Infrastructure for machine learning, deep learning and AI has component and configuration requirements. Compare hardware and how ...
Dell partners with Intel, releases file storage for Azure
With the recent Intel and Azure partnerships, Dell continues to expand its on-premises options for AI while expanding its Apex ...
How to install and run Podman on Rocky Linux
Rocky Linux can run and install Podman, an open source Linux tool and competitor to Docker that uses containers to find, run and ...

Data Management

Collibra launches AI Governance, unveils GenAI capabilities
The vendor's AI Governance suite enables users to ensure the quality and security of AI models while new GenAI features let them ...
Coalesce raises $50M to expand data transformation platform
The startup's new funding is a vote of confidence from investors given how difficult it has been for technology vendors to secure...
Aerospike raises $114M to fuel database innovation for GenAI
The vendor will use the funding to develop added vector search and storage capabilities as well as graph technology, both of ...

Close