Comparison of the Chrome Sandbox and the IE Sandbox


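1. Security mechanisms provided by Windows

Both Chrome and IE implement their sandboxes using security mechanisms provided by the Windows operating system.

The security mechanisms Windows provides are:

  1. Restricted tokens
  2. Job objects
  3. Window station isolation
  4. Desktop isolation
  5. Integrity Level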

 

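2. IE sandbox

IE's sandbox uses only the Integrity Level mechanism provided by the system.

The IE main process runs at Medium integrity level.

The IE rendering process runs at Low integrity level.

Because Windows introduced Integrity Levels only in Vista and later, IE has no sandbox on systems earlier than Vista.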

 

 


3. Chrome sandbox

Chrome's sandbox uses all of the security mechanisms provided by Windows.

  1. Restricted token

Regular Groups

Logon SID : mandatory
All other SIDs : deny only, mandatory

Restricted Groups

S-1-0-0 : mandatory

Privileges

None
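
A simplified Python model of how Windows evaluates a DACL against the restricted token listed above (an added example, not code from the original page or from Chromium). The logon and user SID values, the access-right bits and the sample DACLs are constructed; owner rights, privileges, integrity levels and null DACLs are not modelled.

```python
# Simplified model of the Windows DACL access check for a restricted token.
# Assumption: only explicit allow/deny ACEs are evaluated, in DACL order.
from dataclasses import dataclass, field

READ, WRITE = 0x1, 0x2                      # constructed access-right bits
NULL_SID = "S-1-0-0"                        # restricting SID named on the page
LOGON = "S-1-5-5-0-1111"                    # constructed logon SID
USER = "S-1-5-21-1-2-3-1001"                # constructed user SID
EVERYONE = "S-1-1-0"                        # well-known World SID

@dataclass
class Token:
    enabled: set                                   # match allow and deny ACEs
    deny_only: set = field(default_factory=set)    # match deny ACEs only
    restricted: set = field(default_factory=set)   # empty = unrestricted token

def _pass(dacl, allow_sids, deny_sids, desired):
    """One ordered pass over the DACL; True if every desired bit is granted."""
    granted = 0
    for kind, sid, mask in dacl:
        if kind == "deny" and sid in deny_sids and mask & desired & ~granted:
            return False
        if kind == "allow" and sid in allow_sids:
            granted |= mask
        if granted & desired == desired:
            return True
    return False

def access_check(token, dacl, desired):
    # Pass 1: regular groups. Deny-only SIDs can block access but never grant it.
    if not _pass(dacl, token.enabled, token.enabled | token.deny_only, desired):
        return False
    # Pass 2 (restricted tokens only): the restricting SIDs must be granted too.
    if token.restricted:
        return _pass(dacl, token.restricted, token.restricted, desired)
    return True

normal = Token(enabled={USER, EVERYONE, LOGON})
lockdown = Token(enabled={LOGON}, deny_only={USER, EVERYONE},
                 restricted={NULL_SID})

# Constructed sample DACLs: lists of (ACE type, SID, access mask).
user_file = [("allow", USER, READ | WRITE)]        # file in the user profile
world_readable = [("allow", EVERYONE, READ)]       # readable by Everyone
logon_object = [("allow", LOGON, READ | WRITE)]    # ACLed to the logon SID only
broker_shared = [("allow", LOGON, READ), ("allow", NULL_SID, READ)]
```

In this model the lockdown token is granted access only to `broker_shared`, whose DACL names both the logon SID and S-1-0-0; every other sample object fails one of the two passes.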


  2. Restricted Job

Chrome's target process is placed in a restricted Job, and the interfaces provided by the Job object can then be used to set the corresponding limits on the process.

· JOB_OBJECT_LIMIT_ACTIVE_PROCESS

Limit the number of processes in the job, if the limit is one, then no child processes can be created.

· JOB_OBJECT_UILIMIT_DESKTOP

Prevent job processes from creating or switching to desktops.

· JOB_OBJECT_UILIMIT_DISPLAYSETTINGS

Prevent processes from tampering with the user's display settings.

· JOB_OBJECT_UILIMIT_EXITWINDOWS

Prevent a process from logging a user off or initiating system shutdown.

· JOB_OBJECT_UILIMIT_GLOBALATOMS

Prevent access to the Global Atom Table.

· JOB_OBJECT_UILIMIT_HANDLES

Prevent access to USER handles belonging to processes in other jobs.

· JOB_OBJECT_UILIMIT_READCLIPBOARD

Prevent read access to the clipboard.

· JOB_OBJECT_UILIMIT_WRITECLIPBOARD

Prevent write access to the clipboard.

· JOB_OBJECT_UILIMIT_SYSTEMPARAMETERS

Prevent write access to system parameters such

  

  3. Window Station Isolation

Each process is assigned to a Window Station which contains one or more Desktop objects, a Global Atom Table, USER objects, a clipboard and various settings. By assigning a broker process and its target process to separate Window Stations, the two processes can be further isolated from one another, since they no longer share these resources.

As described above, Job object restrictions can be used to implement approximately equivalent levels of isolation.

 

  4. Desktop Isolation

Each thread is assigned to a desktop and each thread on a Desktop is capable of sending Windows Messages to any other thread on the same Desktop. Threads can also install hooks in processes which have threads on the same Desktop, which causes a user specified DLL to be loaded into other processes. For these reasons processes with threads on a specific Desktop were regarded to be in the same security context.

When a more privileged process had a thread on a Desktop, other processes would be able to inject code into that privileged process and elevate privilege, either through installing hooks, or through "Shatter Attacks". To fix this problem, Microsoft introduced UIPI restrictions. On Vista and later, processes sharing a Desktop are also isolated by Mandatory Integrity Control, so that lower integrity processes cannot inject code into higher integrity processes such as administrator-elevated processes and native NT services.

 

  5. Mandatory Integrity Control

 

 

 

4. Comparison of IE and Chrome sandbox control granularity

 

 

Image reference link:

http://www.theregister.co.uk/2011/12/09/chrome_ie_firefox_security_bakeoff/

5. References

http://www.chromium.org/developers/design-documents/sandbox

