Sandboxing Code [Security Critical]
- Subject: Sandboxing Code [Security Critical]
- From: Ori Bernstein <ori@xxxxxxxxxxxxxx>
- Date: Wed, 24 Sep 2014 05:49:22 -0400
- To: myrddin-dev@xxxxxxxxxxxxxx
Greetings gentle list readers. I request a code review.

In an insomniac 2 nights of coding, I have started putting together a sandbox for Myrddin code, with the intent of creating something like http://play.golang.org/

The goal is to allow arbitrary users on the internet to submit small chunks of arbitrary code, and have it run in a restricted environment safely. The threat model is that the input can completely pwn the compiler, and the generated output is arbitrarily malicious.

The sandbox is here: http://git.eigenstate.org/ori/myrbox.git

The general idea of code flow:

Master process starts
- Opens /dev/urandom for random directory id generation
- Sets some limits on CPU, memory, etc to avoid forkbombs
- Installs a BPF filter for seccomp.
- Forks a child process and sleeps 500ms
- Child starts a new process group with setsid()
- Child chroots into a scratch dir and drops more privileges.
- Creates a compile scratch directory and hardlinks in all of the required binaries.
- Reads the POST params and writes them to a file
- Forks
- Subprocess chroots again into the build dir
- Installs a stricter seccomp filter
- Starts the compiler and builds the source.
- Hardlinks the output binary into the run directory (which is empty; the a.out that we make is statically linked).
- Forks
- Subprocess chroots into the run dir
- Subprocess installs extremely strict seccomp filter (at the moment, only exec, exit, mmap, and write are allowed, meaning that you can only write to stdout, and allocate some memory).
- Starts a.out
- Cleanup
- After 500ms have passed, the entire process tree is killed harshly.

TODO:
- Directory cleanup
- Checksum all binaries before/after to check for malicious modifications.
- More paranoia.
- Remove hardcoded paths.
- Document.
- Make portable to systems other than Linux.
- Harden more against denial of service attacks

Building and running:
- Redefine 'Scratch' to something appropriate for your machine.
- Copy the following files into your template directory (or whatever versions are most appropriate for your system):
    lib/myr/std
    lib/myr/regex
    lib/myr/libregex.a
    lib/myr/_myrrt.o
    lib/myr/libstd.a
    lib/myr/libcryptohash.a
    lib/myr/date
    lib/myr/cryptohash
    lib/myr/bio
    lib/myr/libbio.a
    lib/myr/libdate.a
    lib64/libdl.so.2
    lib64/libz.so.1
    lib64/libopcodes-2.24.51-system.20140903.so
    lib64/ld-linux-x86-64.so.2
    lib64/libbfd-2.24.51-system.20140903.so
    lib64/libc.so.6
    ld
    6m
    as
    myrbuild
- Set the capability for chrooting:
    sudo setcap cap_sys_chroot+ep sandbox
- And run ./sandbox

If you manage to find a security hole or attack, let me know! And if you can point out how to tighten the restrictions, that would be awesome.

--
Ori Bernstein
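
The timeout part of the flow described in the message above (limits, fork, setsid(), kill the whole tree after a fixed delay), as an added example in C; it is not code from myrbox. The names run_limited and hang_with_grandchild, the limit values, and setting the limits in the child rather than in the master are assumptions of this sketch.

```c
/* Added example: a constructed watchdog sketch, not code from myrbox. */
#define _POSIX_C_SOURCE 200809L
#include <poll.h>
#include <signal.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

struct run_result {
    int killed;     /* 1 if the child was ended by our SIGKILL */
    int tree_gone;  /* 1 if no descendant still holds the pipe open */
};

/* Hypothetical stand-in for submitted code: forks once, then both hang. */
static void hang_with_grandchild(void) { fork(); for (;;) pause(); }

/* Run job() in its own session under rlimits; SIGKILL the group after timeout_ms. */
struct run_result run_limited(void (*job)(void), long timeout_ms) {
    struct run_result res = {0, 0};
    struct rlimit cpu = {1, 1}, mem = {64L << 20, 64L << 20};
    struct timespec ts = {timeout_ms / 1000, (timeout_ms % 1000) * 1000000L};
    int pfd[2], status = 0;
    char c;
    pid_t pid;

    if (pipe(pfd) < 0 || (pid = fork()) < 0)
        return res;
    if (pid == 0) {                     /* child */
        close(pfd[0]);                  /* write end is inherited by descendants */
        setsid();                       /* new session: group id == child pid */
        setrlimit(RLIMIT_CPU, &cpu);    /* assumed value: 1 s of CPU time */
        setrlimit(RLIMIT_AS, &mem);     /* assumed value: 64 MiB address space */
        job();
        _exit(0);
    }
    close(pfd[1]);
    nanosleep(&ts, NULL);               /* the flow above sleeps 500 ms */
    if (kill(-pid, SIGKILL) < 0)        /* negative pid signals the whole group */
        kill(pid, SIGKILL);
    if (waitpid(pid, &status, 0) == pid)
        res.killed = WIFSIGNALED(status) && WTERMSIG(status) == SIGKILL;
    /* EOF on the pipe means every process that inherited the write end is dead. */
    struct pollfd p = {.fd = pfd[0], .events = POLLIN};
    res.tree_gone = poll(&p, 1, 1000) == 1 && read(pfd[0], &c, 1) == 0;
    close(pfd[0]);
    return res;
}

int main(void) {
    struct run_result r = run_limited(hang_with_grandchild, 500);
    return !(r.killed && r.tree_gone);  /* exit 0 when the whole tree died */
}
```

The pipe check is what confirms that the grandchild died along with the child; waitpid() alone only reports on the direct child.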