VM sandboxing- what happens?
How exactly does VM sandbox? Surely it is still using the same hardware resources and same underlying OS? I dont get why multiple VMs on an OS is safe but multiple applications/processes can be unsafe?
What is so special about the VM architecture?
The sandbox acts as a proxy. Instead of the application or OS being run directly on the CPU, the sandbox can see what the application wants to do, and intercept the instructions to make them do something else. This can be used to prevent it from doing things that it shouldn't or interfering with other applications.
For example, let's say program A wants to create a file called document.txt
Normally, this file would be created directly on the harddrive. But what if program B also wants to use document.txt
for something else?
Inside of a sandbox, the harddrive doesn't really exist. All that is there is an interface which pretends to be a harddrive. The application can read from it, and the application can write to it, and from the application's point of view, it seems like it's the only program using document.txt
.
But because the sandbox can see and intercept everything that an application does, the data that program A writes to document.txt
is stored safely by the sandbox in a special file that is reserved only for program A. When program A reads from document.txt
, the sandbox feeds it the data from program A's special file.
A VM is similar, but on a lower level and a larger scale. Where an application sandbox changes the interfaces an application uses for interacting with the host, a VM is capable of sandboxing an entire OS, which expects to have all of it's own hardware. This requires virtualizing a graphics card, memory, CPU, hard drives, USB devices, networking, everything. However, because the VM gets to monitor and intercept everything that the OS tries to do, it can impose and enforce artificial limits which prevent conflicts.
An easier way to think about it is like this:
Normally, Windows tells the computer what to do. With Windows inside a VM as a "guest operating system", Guest-Windows tells the VM what to do, and if the VM thinks it's OK, then the VM will turn around and tell the computer to do the same thing. If the VM doesn't like what Guest-Windows tried to do, it'll block it. Because of the way this is implemented, Guest-Windows doesn't know for sure if it's running in a VM or not, and because the VM always has complete control, Guest-Windows must live inside the rules imposed by the VM.