Eigenstate: myrddin-dev mailing list


Sandboxing Code [Security Critical]


Greetings gentle list readers. I request a code review.

In an insomniac 2 nights of coding, I have started putting
together a sandbox for Myrddin code, with the intent of
creating something like http://play.golang.org/

The goal is to allow arbitrary users on the internet to submit
small chunks of arbitrary code, and have it run in a restricted
environment safely. The threat model is that the input can
completely pwn the compiler, and the generated output is
arbitrarily malicious.

The sandbox is here: http://git.eigenstate.org/ori/myrbox.git

The general idea of code flow:

    Master process starts
        - Opens /dev/urandom for random directory id generation
        - sets some limits on CPU, memory, etc to avoid forkbombs
        - Installs a BPF filter for seccomp.
        - Forks a child process and sleeps 500ms
            - Child starts a new process group with setsid()
            - Child chroots into a scratch dir and drops more
              privileges.
            - Creates a compile scratch directory and hardlinks in
              all of the required binaries.
            - Reads the POST params and writes them to a file
            - Forks
                - Subprocess chroots again into the build dir
                - Installs a stricter seccomp filter
                - Starts the compiler and builds the source.
            - Hardlinks the output binary into the run directory
              (which is empty; the a.out that we make is statically
              linked).
            - Forks
                - Subprocess chroots into the run dir
                - Subprocess installs extremely strict seccomp filter
                  (at the moment, only exec, exit, mmap, and write are
                  allowed, meaning that you can only write to stdout,
                  and allocate some memory).
                - Starts a.out
            - Cleanup
        - After 500ms have passed, the entire process tree is killed
          harshly.

TODO:
    - Directory cleanup
    - Checksum all binaries before/after to check for malicious
      modifications.
    - More paranoia.
    - Remove hardcoded paths.
    - Document.
    - Make portable to systems other than Linux.
    - Harden more against denial of service attacks

Building and running:
    - Redefine 'Scratch' to something appropriate for your machine.
    - Copy the following files into the template directory (or
      whatever versions are most appropriate for your system):

        lib/myr/std
        lib/myr/regex
        lib/myr/libregex.a
        lib/myr/_myrrt.o
        lib/myr/libstd.a
        lib/myr/libcryptohash.a
        lib/myr/date
        lib/myr/cryptohash
        lib/myr/bio
        lib/myr/libbio.a
        lib/myr/libdate.a
        lib64/libdl.so.2
        lib64/libz.so.1
        lib64/libopcodes-2.24.51-system.20140903.so
        lib64/ld-linux-x86-64.so.2
        lib64/libbfd-2.24.51-system.20140903.so
        lib64/libc.so.6
        ld
        6m
        as
        myrbuild

    - Set the capability for chrooting:

        sudo setcap cap_sys_chroot+ep sandbox

    - And run ./sandbox

If you manage to find a security hole or attack, let me know! And
if you can point out how to tighten the restrictions, that would be
awesome.

-- 
    Ori Bernstein
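
The run-stage filter described in the message above (only exec, exit, mmap and write allowed), sketched in C as an added example; it is not code from the original post or from myrbox. The names `install_run_filter`, `probe_syscall` and `BOX_ARCH` are hypothetical, and Linux on x86-64 or aarch64 is assumed.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stddef.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#if defined(__aarch64__)
#define BOX_ARCH AUDIT_ARCH_AARCH64
#else
#define BOX_ARCH AUDIT_ARCH_X86_64  /* assumption: matches the lib64 files listed */
#endif
/* Two instructions per allowed syscall: compare nr, return ALLOW on a match. */
#define ALLOW(nr) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
                  BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)

/* Run-stage allowlist from the post: exec, exit, mmap, write. */
static int install_run_filter(void) {
    struct sock_filter prog[] = {
        /* Kill on a foreign syscall ABI before trusting the number. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, BOX_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        ALLOW(SYS_execve), ALLOW(SYS_exit), ALLOW(SYS_mmap), ALLOW(SYS_write),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),  /* default deny */
    };
    struct sock_fprog fp = { (unsigned short)(sizeof prog / sizeof prog[0]), prog };
    /* no_new_privs lets an unprivileged process install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fp);
}

/* Fork, filter the child, issue one syscall there, and report how it ended:
 * 0 = clean exit, the signal number if killed, -1 on setup failure. */
int probe_syscall(long nr) {
    int st;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (install_run_filter() != 0) syscall(SYS_exit, 99);
        nr == SYS_write ? syscall(SYS_write, 1, "", 0) : syscall(nr);
        syscall(SYS_exit, 0);  /* raw exit: glibc _exit() would call exit_group */
    }
    if (waitpid(pid, &st, 0) != pid) return -1;
    if (WIFSIGNALED(st)) return WTERMSIG(st);
    return WEXITSTATUS(st) == 0 ? 0 : -1;
}
int main(void) { return probe_syscall(SYS_getpid) == SIGSYS ? 0 : 1; }
```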

Follow-Ups:
Re: Sandboxing Code [Security Critical], Daniel Cegiełka <daniel.cegielka@xxxxxxxxx>