
really simple sandboxing of untrusted C programs using Linux SECCOMP

EasySandbox

An easy way to sandbox untrusted C and C++ programs on Linux. Allows them only to allocate memory (up to a fixed amount), read and write via stdin, stdout, and stderr, and exit. Sandboxing is done using SECCOMP.

The intended use is being able to safely execute student code submissions for the CloudCoder programming exercise system, although it could be useful in other contexts.

You can run

make runtests

to run the test programs. If you see "All tests passed!", then EasySandbox is working on your system.

EasySandbox is distributed under the MIT license.

If you have questions about EasySandbox, send me an email. If you have improvements that you would like to share, send me a pull request on GitHub.

Using EasySandbox

Run the make command to build the EasySandbox shared library.

Run the program you want to sandbox, using the LD_PRELOAD environment variable to load the EasySandbox shared library before the untrusted executable is executed:

LD_PRELOAD=/path/to/EasySandbox.so ./untrustedExe

EasySandbox defines its own implementation of malloc and free, to ensure that the program will not need to call sbrk or mmap to allocate memory while in SECCOMP mode. The heap is a fixed size, and cannot grow while the program is running. You can control the size of the heap by setting the EASYSANDBOX_HEAPSIZE environment variable to the size of the heap in bytes. The default heap size is 8MB.

Note: EasySandbox uses __libc_start_main to hook into the startup process. If the untrusted executable defines its own entry point (rather than the normal Linux/glibc one), it could execute untrusted code. In my intended application (compiling and executing student code submissions), I control the compilation process, and I believe that as long as gcc/g++ is invoked without the -nostdlib option, any attempt by the untrusted code to define an entry point (_start function) will result in a linker error, because the name _start will conflict with the real _start function defined in crt1.o.

Important: A program that calls dlopen might be able to bypass EasySandbox's __libc_start_main: see this issue. Make sure that untrusted code is not linked with -ldl.

Limitations

When you execute a program using EasySandbox, it will print the message

<<entering SECCOMP mode>>

followed by a newline character to both stdout and stderr. The reason is that the first call to print to an output stream causes glibc to invoke fstat, which is not permitted when in SECCOMP mode. So, the EasySandbox shared library must print some output to stdout and stderr before entering SECCOMP mode in order for these streams to be usable. It is fairly easy to filter out this output as a post-processing step.

Similarly, reading from stdin also triggers a call to fstat. The EasySandbox shared library works around this by putting the stdin file descriptor into nonblocking mode, attempting to read a single character using the fgetc function, and then using the ungetc function to put the character back if one was read. This should not cause any problems for programs that use C library functions to read from stdin, but programs that use the read system call directly on the stdin file descriptor may not be able to read the first byte of input.

The EasySandbox shared library implements its own exit function, because glibc's invokes the exit_group system call, which is not allowed by SECCOMP. This custom exit function attempts to emulate glibc's behavior: it runs atexit functions, which include destructors for static C++ objects.
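The startup sequence described above (heap reserved once before strict mode so malloc never needs sbrk or mmap, the one-time stdio priming that triggers glibc's fstat early, and an exit path that avoids exit_group), sketched as an added C example; this is not EasySandbox's own code, and the names parse_heap_size, heap_reserve, sandbox_malloc, prime_stdio, enter_seccomp_strict and sandbox_exit are assumptions. It leaves out the __libc_start_main interposition, free, and the atexit handling the real library provides.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <linux/seccomp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#define DEFAULT_HEAP ((size_t)8 * 1024 * 1024)   /* the documented 8 MB default */
static unsigned char *heap_cur, *heap_end;       /* fixed arena, reserved before seccomp */

/* Heap size from EASYSANDBOX_HEAPSIZE in bytes; unparsable, signed or zero means 8 MB.
 * (Hypothetical helper; an absurdly large value simply makes heap_reserve fail.) */
size_t parse_heap_size(const char *s) {
    char *end;
    if (s == NULL || *s < '0' || *s > '9') return DEFAULT_HEAP;
    unsigned long long v = strtoull(s, &end, 10);
    return (*end != '\0' || v == 0) ? DEFAULT_HEAP : (size_t)v;
}
/* One mmap for the whole heap while mmap is still permitted; it never grows afterwards. */
int heap_reserve(size_t bytes) {
    void *p = mmap(NULL, bytes, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    heap_cur = p;
    heap_end = heap_cur + bytes;
    return 0;
}
/* Bump allocator over the arena: no sbrk/mmap at allocation time, NULL once exhausted. */
void *sandbox_malloc(size_t n) {
    size_t aligned = (n + 15) & ~(size_t)15;
    if (aligned < n || (size_t)(heap_end - heap_cur) < aligned) return NULL;
    heap_cur += aligned;
    return heap_cur - aligned;
}
/* Make glibc do its one-time fstat on each standard stream now, while fstat is still allowed. */
void prime_stdio(void) {
    fputs("<<entering SECCOMP mode>>\n", stdout); fflush(stdout);
    fputs("<<entering SECCOMP mode>>\n", stderr);
    int flags = fcntl(STDIN_FILENO, F_GETFL);          /* stdin: non-blocking peek, then put back */
    fcntl(STDIN_FILENO, F_SETFL, flags | O_NONBLOCK);
    int c = fgetc(stdin);
    if (c != EOF) ungetc(c, stdin); else clearerr(stdin);
    fcntl(STDIN_FILENO, F_SETFL, flags);
}
/* Strict mode admits only read, write, _exit and sigreturn; any other syscall is SIGKILL. */
int enter_seccomp_strict(void) { return prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT); }
/* glibc's exit() ends in exit_group, which strict mode forbids; flush stdio and use plain exit. */
void sandbox_exit(int status) { fflush(NULL); syscall(SYS_exit, status); }
```

Order matters: heap_reserve and prime_stdio must both run before enter_seccomp_strict, and untrusted main only after it.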

EasySandbox is not intended to be used for multithreaded programs. SECCOMP will surely kill any process that attempts to create an additional thread, since creating a thread would require an invocation of the clone system call, which isn't allowed by SECCOMP.

EasySandbox is designed to work with glibc, and may or may not work with other libc variants. It is entirely possible that future changes to glibc could break EasySandbox.
