Sandboxing vs. Virtualisation

Question

Maybe I am missing something but isn't sandboxing and virtualisation exactly the same concept, ie., separating the memory space for applications running in parallel. So I am wondering why they are having different names, are there maybe differences in the way they are employed?

Many thanks, Simon

Answer 1

These concepts address different problems: When we virtualize, we are hiding physical limitations of the machine. Sandboxing, on the other hand, sets artificial limits on access across a machine. Consider memory as a representative analogy.

Virtualization of memory is to allow every program to access every address in a 32- or 64-bit space, even when there isn't that much physical RAM.

Sandboxing of memory is to prevent one program from seeing another's data, even though they might occupy neigboring cells in memory.

The two concepts are certainly related in the common implementation of virtual memory. However, this is a convenient artifact of the implementation, since the hardware page table is only accessible by the kernel.

Consider how to implement them separately, on an x86 machine: You could isolate programs' memory using page tables without ever swapping to disk (sandboxing without virtualization). Alternatively, you could implement full virtual memory, but also give application-level access to the hardware page table so they could see whatever they wanted (virtualization without sandboxing).