
Is virtualization basically "easier" sandboxing, where the system calls are intercepted and rules are set out as to whether to allow the system call to go through or not? I believe system calls are traced to find out which application is making the calls via process tracing.

If the answer is yes to all of the above, then what does "easier" sandboxing mean? Can someone give me an example of how virtualization is "easier" sandboxing?

Thank you

David J

1 Answer

Sandboxing is a high-level concept that can be implemented in several ways.

Virtualization in practice is a specific type of sandboxing - usually by emulating "the system", i.e., the CPU and the related hardware.

So there is a large overlap between sandboxing and virtualization, as well as between virtualization and emulation. Yet they are different in design intent and/or technique.

Sandboxing is the effect you want. You could achieve it in many ways - either by building around your system (protecting it), or around your runtime environment (restricting it). Either way, it is important to know the problem in its entirety - and when it is an unknown program that you are trying to sandbox, it is simpler to use virtualization (as in VMs) since it has the broadest scope of isolation and software is freely available.

E.g., to implement behavior-based (dynamic) analysis of JavaScript, security devices need a sandboxed environment to run the incoming JS and observe "what it changes" (file system, registry, etc.). Either the security device vendor can use a sandbox (probably needs fewer resources when running, but would take more resources to develop) or use an existing environment such as a stripped-down, dynamically provisioned (and deprovisioned) VM in combination with an in-browser sandbox.

Some (most?) "anti-APT" devices that boast this capability choose the latter because it is easier to develop and deploy, i.e., it cuts down on R&D costs (initial and ongoing) as well as time to market - while at the same time laying out the broadest possible net (scope) to limit the impact of evasive malware while still giving maximum detection ability.

Sas3
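As an added illustration of the syscall-filtering kind of sandbox the question describes (example code, not from the question or the answer), this Linux C program confines a child process with a deny-by-default seccomp-bpf allow-list and shows what happens when the child makes a call outside that list. The allow-list (write, exit, exit_group) is an assumed minimal set chosen for this demo; a real one has to be derived from the program being confined, which is the "know the problem in its entirety" cost the answer contrasts with simply dropping an unknown program into a VM.

```c
#define _GNU_SOURCE
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#ifdef __aarch64__
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#define SANDBOX_ARCH AUDIT_ARCH_X86_64 /* other ABIs: add their AUDIT_ARCH_* value */
#endif
enum { SANDBOX_EXITED_OK = 0, SANDBOX_KILLED_SIGSYS = 1, SANDBOX_OTHER = 2 };
/* Deny-by-default filter: the sandboxer must know up front which syscalls the confined program needs (assumed set). */
static int install_filter(void)
{
    struct sock_filter filter[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),            /* wrong ABI: syscall numbers would not match */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write, 3, 0),      /* allowed */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit_group, 2, 0), /* allowed */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit, 1, 0),       /* allowed */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),            /* anything else kills the caller */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof filter / sizeof filter[0], .filter = filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1; /* required to install a filter unprivileged */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
/* Fork a child, confine it, optionally have it call getpid() (not allow-listed); report how the child ended. */
int run_sandboxed(int attempt_forbidden_call)
{
    pid_t pid = fork();
    if (pid == 0) {
        if (install_filter() != 0) _exit(3);
        if (attempt_forbidden_call) (void)getpid(); /* filter fires here: child dies with SIGSYS */
        _exit(0);                                   /* exit_group is on the allow-list */
    }
    int status = 0;
    if (pid < 0 || waitpid(pid, &status, 0) != pid) return SANDBOX_OTHER;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS) return SANDBOX_KILLED_SIGSYS;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? SANDBOX_EXITED_OK : SANDBOX_OTHER;
}
int main(void) { printf("benign child -> %d, child calling getpid -> %d\n", run_sandboxed(0), run_sandboxed(1)); return 0; }
```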