Sandboxing for secure app development: Adobe Reader’s 'protected view'


2. Restricted job objects

To prevent malicious code running inside the sandbox from tampering with system resources and parts of the operating system, the sandbox process is tied to a Windows job object. Windows job objects allow a group of processes to be managed as a single unit on which additional restrictions can be imposed. Once a process has been assigned to a job it cannot leave that job for the rest of its lifetime, and it remains subject to the job's limits; processes it creates inherit the job membership as well.

The Adobe Reader sandbox process is placed in a job object with the following restrictions:

Active Process - Active process limit of 1: the sandbox process is the only process allowed in the job, so any attempt to create a further process from inside it fails

Desktop - Inability to create or switch desktops (CreateDesktop, SwitchDesktop)

Display Settings - Inability to call ChangeDisplaySettings

Exit Windows - Inability to exit Windows via ExitWindows(Ex)

USER Handles - Inability to use USER handles (windows, menus, hooks) owned by processes not associated with the same job, which also cuts off window messages sent to processes outside the job

System Parameters - Inability to change system parameters via the SystemParametersInfo function

Administrator Access - Prevents any process in the job from using a token that specifies the local administrators group

