A Classification of Malware Sandboxes and Their Architectures
Bistarelli S.; Santini F.
2025
Abstract
The development of sandboxes has evolved in parallel with malware improvements, providing secure environments for the execution and analysis of malicious software. With the increasing number of sandboxes being developed, each offering distinct features, selecting the most suitable solution for specific needs has become increasingly complex. This paper aims to provide a thorough understanding of sandbox technologies by introducing their foundational concepts and offering a detailed review of currently available solutions. We categorize sandboxes into four groups: the first two classes are readily available in current products on the market, and we compare them by evaluating some important characteristics we identify in this work. The remaining two classes are novel architectures we propose, for which solutions still need to be customized ad hoc. To help users choose the right solution for them, we refine this categorization by defining three distinct use cases for these sandboxes. Their core features can improve the isolation and scalability of the last two new architectures.