Skip to content

cdkrot/ptrace-sandbox

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

50 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Sandboxing-related stuff, Proof-of-concept for ejudge and not only
==================================================================

Demos to test on
================

* aplusb, read two numbers from file, write sum to other, c++.
* return-minus-1-c, return -1, c.
* return-1-cpp, return +1, c++.
* return-0-noglibc, return 0, no system calls performed, asm.
* hello, Guess what, c.
* hello32, Same, but uses 32 bit ABI.
* malloc, just eats a large bite of memory, c.
* million-of-mmaps, guess what it does, c.

Requirements
============

* Linux kernel and gnu libc, recent enough.
* procfs enabled in kernel (for kernel-module-assisted sandboxing).
* ptrace enabled in kernel (for ptrace-based sandboxing).
* At the moment only x86_64 architecture supported.

Old research (Ptrace-based sanboxing).
======================================

Ptrace is mechanism used by debuggers to supervise program execution and modify it in runtime

Research Results:

+ Sandboxing via it is pretty much possible
+ It is completely user space (uses only external kernel api)
- Requires linux
- Pretty tricky in implementation.
- requires to implement architecture related code (so we only implemented x86_64).
- Can be slow, while not affecting user space execution, sys call are slowed down up to 70 times(!)

Available demos:

* newdetect, program similar to strace, but not too pretty, more or less complete implementation of ptrace protocol for x86_64.
* trace_simple, minimalistiс (and incomplete) ptrace protocol implementation, mostly for benchmarking.

Next-gen sandboxing via kernel module
=====================================

We decided to write kernel module to make sandboxing really fast, it is W.I.P.

How to reportbug
================

Please include in your report:

* Linux kernel version
* Gnu libc version
* Your architecture (example: x86_64, x86, Sparc, ...)
* strace and newdetect logs on demo programs (aplusb, return-0-noglibc, return-minus-1-c will be enough).

Building
========

Use "./build all" from project root.
You may also want try "./build --help"

For deeper building explanations see doc/building.txt

About

Ptrace-based sandboxing and stracing efforts

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published