VM sandboxing- what happens?

computer-architecture virtual-machine sandbox

How exactly does VM sandbox? Surely it is still using the same hardware resources and same underlying OS? I dont get why multiple VMs on an OS is safe but multiple applications/processes can be unsafe?

What is so special about the VM architecture?


The sandbox acts as a proxy. Instead of the application or OS being run directly on the CPU, the sandbox can see what the application wants to do, and intercept the instructions to make them do something else. This can be used to prevent it from doing things that it shouldn't or interfering with other applications.

For example, let's say program A wants to create a file called document.txt

Normally, this file would be created directly on the harddrive. But what if program B also wants to use document.txt for something else?

Inside of a sandbox, the harddrive doesn't really exist. All that is there is an interface which pretends to be a harddrive. The application can read from it, and the application can write to it, and from the application's point of view, it seems like it's the only program using document.txt.

But because the sandbox can see and intercept everything that an application does, the data that program A writes to document.txt is stored safely by the sandbox in a special file that is reserved only for program A. When program A reads from document.txt, the sandbox feeds it the data from program A's special file.

A VM is similar, but on a lower level and a larger scale. Where an application sandbox changes the interfaces an application uses for interacting with the host, a VM is capable of sandboxing an entire OS, which expects to have all of it's own hardware. This requires virtualizing a graphics card, memory, CPU, hard drives, USB devices, networking, everything. However, because the VM gets to monitor and intercept everything that the OS tries to do, it can impose and enforce artificial limits which prevent conflicts.

An easier way to think about it is like this:

Normally, Windows tells the computer what to do. With Windows inside a VM as a "guest operating system", Guest-Windows tells the VM what to do, and if the VM thinks it's OK, then the VM will turn around and tell the computer to do the same thing. If the VM doesn't like what Guest-Windows tried to do, it'll block it. Because of the way this is implemented, Guest-Windows doesn't know for sure if it's running in a VM or not, and because the VM always has complete control, Guest-Windows must live inside the rules imposed by the VM.

Related

DOS moving specific .xml file extension [duplicate]
Win 7 - Hidden properties of power management and weird performance
Install WinXP without CD/pendrive
Printing to wireless printer disconnects netbook from router
Does the nine point circle generalise to some theorem about n-spheres and n-simplices?
Topology of a cone of $\mathbb R\mathbb P^2$.
Positive integers $k = p_{1}^{r_{1}} \cdots p_{n}^{r_{n}} > 1$ satisfying $\sum_{i = 1}^{n} p_{i}^{-r_{i}} < 1$
Books that develop interest & critical thinking among high school students
Supremum length of space curves contained in the open unit ball having always less than unity curvature
Unique characterization of convex polygons
Is a completion of an algebraically closed field with respect to a norm also algebraically closed?
Is there experimental evidence that people ever play mixed Nash equilibrium in real games?