RealTime IT News

Microsoft Puts 'Web Sandbox' Into Open Source

Under a commonly used open source license, Microsoft on Tuesday released source code for a virtualization technology it developed that is meant to make websites safer from attack. At least, that's the hope.

The technology, named Web Sandbox, is designed to isolate the different parts of a Web page from each other via virtualization, thus enhancing security. Additionally, it will work with most browsers – not just Microsoft's (NASDAQ: MSFT).

Web Sandbox, a project of Microsoft's Live Labs, was released this week under the Apache License 2.0, although the company was careful to point out that the project is not sanctioned or sponsored by the Apache Software Foundation.

Microsoft released a community technology preview of Web Sandbox at its Professional Developers Conference (PDC) in Los Angeles in late October. However, more visible projects – for instance, Windows 7 and Windows Azure – got much more attention at the PDC. Web Sandbox was lost in the roar.

That doesn't mean that it's not important, however. "There's a need for more Web standards and interoperability [driven by] the fact that things like cross-site scripting attacks are becoming more common," Ray Valdes, vice president of Web services at Gartner, told InternetNews.com.

One issue behind the increase in vulnerability is that Web 2.0 sites are often composed of multiple components, combined into so-called 'mashups.'

"Modern Web pages are made up of pieces that may be served from different locations — maps, visit counters, affiliate programs that run scripts on your page, gadgets built by outside developers, and more," says a statement on the Live Labs Web Sandbox page.

With so much complexity going on behind the scenes, Live Labs developers were looking for a way to isolate processes that should not be allowed to communicate directly, if at all, with each other. The key is to virtualize each component to more tightly control what it can do to other components or what they could do to it. Thus the term 'sandbox.'

"The Sandbox is a framework that works on most modern browsers that support … the JavaScript standard, and provides the same features in all modern web browsers. No browser add-ons or changes are required to leverage this technology," said a blog posting on Microsoft's Port 25 open source community site.

Although Microsoft is urging developers to put the Web Sandbox through its paces and try to break through its security, officials are not recommending that anyone build production Web sites with it yet. It's still under development.

Still, Microsoft is pushing to get Web developers to try to break Web Sandbox's code in order to strengthen its protection.

That, says Gartner's Valdes, is laudable but not a big deal. "It can help the cause, so to speak, but I don't think it represents a major strategy shift for Microsoft," he added.

Microsoft started up Live Labs almost exactly three years ago as a move "to enable rapid innovations of Internet technologies," according to the organization's charter.

"Part of the Microsoft Live Labs core mission is to test the validity of new technologies and models with end users. Feedback from web developers and website users allows Live Labs to define, refine, and potentially implement appropriate security related changes in the web environment," a Live Labs spokesperson said in a statement e-mailed to InternetNews.com.