-
Notifications
You must be signed in to change notification settings - Fork 2
/
README
64 lines (46 loc) · 2.08 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
Sandboxing-related stuff, Proof-of-concept for ejudge and not only
==================================================================
Demos to test on
================
* aplusb, read two numbers from file, write sum to other, c++.
* return-minus-1-c, return -1, c.
* return-1-cpp, return +1, c++.
* return-0-noglibc, return 0, no system calls performed, asm.
* hello, Guess what, c.
* hello32, Same, but uses 32 bit ABI.
* malloc, just eats a large bite of memory, c.
* million-of-mmaps, guess what it does, c.
Requirements
============
* Linux kernel and gnu libc, recent enough.
* procfs enabled in kernel (for kernel-module-assisted sandboxing).
* ptrace enabled in kernel (for ptrace-based sandboxing).
* At the moment only x86_64 architecture supported.
Old research (Ptrace-based sanboxing).
======================================
Ptrace is mechanism used by debuggers to supervise program execution and modify it in runtime
Research Results:
+ Sandboxing via it is pretty much possible
+ It is completely user space (uses only external kernel api)
- Requires linux
- Pretty tricky in implementation.
- requires to implement architecture related code (so we only implemented x86_64).
- Can be slow, while not affecting user space execution, sys call are slowed down up to 70 times(!)
Available demos:
* newdetect, program similar to strace, but not too pretty, more or less complete implementation of ptrace protocol for x86_64.
* trace_simple, minimalistiс (and incomplete) ptrace protocol implementation, mostly for benchmarking.
Next-gen sandboxing via kernel module
=====================================
We decided to write kernel module to make sandboxing really fast, it is W.I.P.
How to reportbug
================
Please include in your report:
* Linux kernel version
* Gnu libc version
* Your architecture (example: x86_64, x86, Sparc, ...)
* strace and newdetect logs on demo programs (aplusb, return-0-noglibc, return-minus-1-c will be enough).
Building
========
Use "./build all" from project root.
You may also want try "./build --help"
For deeper building explanations see doc/building.txt