3 Protected Mode
Protected Mode (PM) was introduced with Reader 10.0 on Windows. It transparently protects users
against attacks by sandboxing application processes. Protected Mode is one of the most powerful features
in Reader's security arsenal. Note that several dot releases have NOT included a Reader update for
Windows because the application is not exposed to many of the fixed vulnerabilities when Protected Mode is enabled.
3.1 Overview
What is a "sandbox" and Protected Mode?
For application developers, sandboxing is a technique for creating a confined execution environment for
running untrusted programs. In the context of Adobe Reader, the "untrusted program" is any PDF and the
processes it invokes. When Reader sandboxing is enabled, Reader assumes all PDFs are potentially
malicious and confines any processing they invoke to the sandbox.
Sandboxes are typically used when data (such as documents or executable code) arrives from an
untrusted source. A sandbox limits the level of access the applications inside it have. For example,
creating and executing files, and modifying system information such as certain registry settings and other
control panel functions, may be prohibited.
If a process P runs a child process Q in a sandbox, then Q's privileges would typically be restricted to a
subset of P's. For example, if P is running on a system, then P may be able to look at all processes on the
system. Q, however, will only be able to look at processes that are in the same sandbox as Q. Barring any
vulnerabilities in the sandbox mechanism itself, the scope of potential damage caused by a misbehaving
Q is reduced.
The Reader sandbox leverages the operating system's security controls, and processes execute under the
principle of least privilege. Thus, processes that could come under an attacker's control run with
limited capabilities and must perform actions such as reading and writing files through a separate, trusted
process. This design has two primary effects:
• All PDF processing, such as PDF and image parsing, JavaScript execution, and 3D rendering,
happens in the sandbox and is subject to its limits; for example, sandboxed processes cannot access other
processes.
• Processes that need to perform some action outside the sandbox boundary must do so through a
trusted proxy called a "broker process."
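The following is an added example, not code from the Application Security Guide or from Adobe, showing the broker pattern the two bullets describe: an untrusted worker process has no file access of its own and must ask a trusted broker, which applies a policy before touching the filesystem. The policy class, the request format (operation, path, payload) and the sample files are all assumptions made for the illustration. The broker canonicalises paths before checking them so that "../" and symlinks cannot escape an allowed root, which is the kind of check a real broker must get right because the policy is the security boundary.

```python
import multiprocessing as mp
import os
import tempfile

# Constructed illustration of a sandbox/broker split; not Adobe's code.


class BrokerPolicy:
    """Decides which file operations the sandboxed worker may request."""

    def __init__(self, read_roots, write_roots=()):
        self.read_roots = [os.path.realpath(p) for p in read_roots]
        self.write_roots = [os.path.realpath(p) for p in write_roots]

    @staticmethod
    def _under(path, roots):
        # Canonicalise first so "../" and symlinks cannot escape a root.
        real = os.path.realpath(path)
        return any(real == r or real.startswith(r + os.sep) for r in roots)

    def allows(self, op, path):
        if op == "read":
            return self._under(path, self.read_roots)
        if op == "write":
            return self._under(path, self.write_roots)
        return False  # unknown operations are denied by default


def broker_handle(policy, request):
    """Service one request on the worker's behalf; the policy check is the boundary."""
    op, path, payload = request
    if not policy.allows(op, path):
        return ("denied", f"{op} {path}")
    try:
        if op == "read":
            with open(path, "rb") as f:
                return ("ok", f.read())
        with open(path, "wb") as f:
            f.write(payload)
        return ("ok", len(payload))
    except OSError as exc:
        return ("error", str(exc))


def sandboxed_worker(conn, requests):
    """Untrusted side: issues requests over the pipe and waits for each verdict."""
    for req in requests:
        conn.send(req)
        conn.recv()
    conn.send(None)  # end of session
    conn.close()


def serve_broker(conn, policy):
    """Trusted side: answers requests until the worker signals end of session."""
    log = []
    while True:
        req = conn.recv()
        if req is None:
            break
        reply = broker_handle(policy, req)
        log.append(reply)
        conn.send(reply)
    return log


def run_demo():
    """Run a worker against a broker; returns the broker's reply log."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = os.path.join(tmp, "docs")       # worker may read here
        scratch = os.path.join(tmp, "scratch") # worker may write here
        os.makedirs(docs)
        os.makedirs(scratch)
        with open(os.path.join(docs, "report.pdf"), "wb") as f:
            f.write(b"%PDF-1.4 constructed sample\n")
        with open(os.path.join(tmp, "secret.txt"), "wb") as f:
            f.write(b"password=hunter2\n")      # outside every allowed root
        policy = BrokerPolicy(read_roots=[docs], write_roots=[scratch])
        requests = [
            ("read", os.path.join(docs, "report.pdf"), None),            # legitimate
            ("read", os.path.join(docs, "..", "secret.txt"), None),      # traversal attempt
            ("write", os.path.join(scratch, "render.cache"), b"\x00\x01"),  # legitimate
            ("write", os.path.join(docs, "report.pdf"), b"pwned"),       # not a write root
            ("exec", "/bin/sh", None),                                   # unknown operation
        ]
        broker_end, worker_end = mp.Pipe()
        proc = mp.Process(target=sandboxed_worker, args=(worker_end, requests))
        proc.start()
        worker_end.close()
        log = serve_broker(broker_end, policy)
        proc.join()
        return log


if __name__ == "__main__":
    for status, detail in run_demo():
        print(status, detail)
```

In this toy the process boundary is the only separation: nothing stops the worker from opening files itself. A real sandbox such as Reader's relies on operating-system controls (restricted tokens, job objects, integrity levels) so that the worker cannot bypass the broker, and the broker's policy then becomes the part that must be reviewed most carefully.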
Sandboxing is relatively new for most enterprise applications because it is difficult to implement in mature
software (e.g. millions of lines of code) that is already deployed across an almost limitless number of
environments. A few recently shipped products that demonstrate the sandboxing proof of concept include
Microsoft Office 2007 MOICE, Google Chrome's rendering engine, and Office 2010 Protected View. The
challenge is to enable sandboxing while keeping user workflows functional and without turning off features
on which users depend. The ultimate goal is to proactively provide a high level of protection rather than
just fixing bugs and vulnerabilities as they appear.
System requirements
Due to the fundamental differences in OS and product implementations, sandbox designs must be tailored
to each environment. The current release includes support for the following:
• Adobe Reader 10.0.
• 32- and 64-bit Windows platforms, including XP. Much like Google's Chrome, Adobe's initial efforts
are focused on hardening its Windows products because there are more Windows users and more
Windows applications with proven sandboxing implementations.
• Any supported browser. PDFs opened in a browser run inside the Reader sandboxed process
without any dependency on the browser or the browser's trust zones.
Application Security Guide, Section 3 Protected Mode