General

What is Security through Isolation?
Isolated Execution refers to Security through Isolation by providing clean sandbox environments (Virtual Machines) in which suspicious applications or files can be opened. If the file is malware, the only environment affected is the sandbox. Since the sandbox is disposable, the next time it is opened the original clean image is used, and any damage caused by the malware is discarded.

What is a Sandbox Virtual Machine?
A sandbox is a security mechanism for safely running programs. It is often used to execute untested code, or programs from unverified third parties, suppliers and untrusted users. The sandbox typically provides a tightly controlled set of resources for guest programs to run in.
In Isolated Execution, the sandbox is provided in a Virtual Machine which contains a complete and clean operating system.

How do you use Virtualization Technology?
Isolated Execution is hypervisor agnostic, but its hypervisor configuration relies on Virtualization Technology so that unmodified operating systems can run both in the user environment and in the sandbox virtual machines.

Is Isolated Execution a complete product?
Isolated Execution is a reference implementation, so it is not a complete product.

What remains pending to create a product?
Isolated Execution provides the core functionality to delegate the execution of files to sandbox virtual machines; depending on the use case you want to address, you may need to consider:

  • User Interface: the current implementation uses separate windows for the different virtual machines; a better approach would be to present all windows in a unified desktop.
  • Deltas between VMs: after verifying that the suspicious file was not harmful, a mechanism would be needed to migrate it into the main environment.