-
Notifications
You must be signed in to change notification settings - Fork 2
Ptrace-based sandboxing and stracing efforts
License
cdkrot/ptrace-sandbox
Folders and files
Name | Name | Last commit message | Last commit date | |
---|---|---|---|---|
Repository files navigation
Sandboxing-related stuff, Proof-of-concept for ejudge and not only ================================================================== Demos to test on ================ * aplusb, read two numbers from file, write sum to other, c++. * return-minus-1-c, return -1, c. * return-1-cpp, return +1, c++. * return-0-noglibc, return 0, no system calls performed, asm. * hello, Guess what, c. * hello32, Same, but uses 32 bit ABI. * malloc, just eats a large bite of memory, c. * million-of-mmaps, guess what it does, c. Requirements ============ * Linux kernel and gnu libc, recent enough. * procfs enabled in kernel (for kernel-module-assisted sandboxing). * ptrace enabled in kernel (for ptrace-based sandboxing). * At the moment only x86_64 architecture supported. Old research (Ptrace-based sanboxing). ====================================== Ptrace is mechanism used by debuggers to supervise program execution and modify it in runtime Research Results: + Sandboxing via it is pretty much possible + It is completely user space (uses only external kernel api) - Requires linux - Pretty tricky in implementation. - requires to implement architecture related code (so we only implemented x86_64). - Can be slow, while not affecting user space execution, sys call are slowed down up to 70 times(!) Available demos: * newdetect, program similar to strace, but not too pretty, more or less complete implementation of ptrace protocol for x86_64. * trace_simple, minimalistiс (and incomplete) ptrace protocol implementation, mostly for benchmarking. Next-gen sandboxing via kernel module ===================================== We decided to write kernel module to make sandboxing really fast, it is W.I.P. How to reportbug ================ Please include in your report: * Linux kernel version * Gnu libc version * Your architecture (example: x86_64, x86, Sparc, ...) * strace and newdetect logs on demo programs (aplusb, return-0-noglibc, return-minus-1-c will be enough). Building ======== Use "./build all" from project root. You may also want try "./build --help" For deeper building explanations see doc/building.txt
About
Ptrace-based sandboxing and stracing efforts
Resources
License
Stars
Watchers
Forks
Releases
No releases published
Packages 0
No packages published