Login or Register to Ask a Question and Join Our Community


Programming

Sandboxing

Login to Discuss or Reply to this Discussion in Our Community

 
Thread Tools Search this Thread
Top Forums Programming Sandboxing
# 8  
Old 01-28-2016
Well, in a sense you can. Oversimplified:

Create a network that is physically disconnected from everything. You need a DNS server ( 1.1.1.2 which gives the answers to all inquiries as 1.1.1.0, a box called internet (1.1.1.0), a box called test (1.1.1.3).

These can be virtuals on a single server. But. Treat the whole server as poison so - There cannot be any network connection out of the box. Ever.

The US National labs do this to test potential malware. You run the bad guy on test. You run your program on internet to see what traffic you get aimed for where, for example. You then indepedently check "where" against known lists like Tor access points, bad sites in general. There is a blacklist that is updated daily, I believe.

I've oversimplified this a lot. As an example, you need to be able to munge any actual ip request like 8.8.8.8 -> 1.1.1.0. The labs work with dozens of virtuals simulating various sites out in the wild.

This is also done by companies who specialize in security software. I saw a demo by folks from Sandia Labs and a security vendor a while back. Very interesting. The vendor sells the system. Duh.

Once done testing you wipe everything and restore from tape or whatever. The "whatever" cannot ever be seen by the nasty system except after a complete wipe.
The labs also reflash the bios and do some other cleansing.
# 9  
Old 01-28-2016
Typically when setting up a user with a restricted shell, the user's profile sets the PATH variable to $HOME/bin.
The administrator then creates soft links in $HOME/bin to any programs the user is allowed to execute.
# 10  
Old 01-28-2016
Quote:
Well, in a sense you can. Oversimplified:

Create a network that is physically disconnected from everything. You need a DNS server ( 1.1.1.2 which gives the answers to all inquiries as 1.1.1.0, a box called internet (1.1.1.0), a box called test (1.1.1.3).

These can be virtuals on a single server. But. Treat the whole server as poison so - There cannot be any network connection out of the box. Ever.

The US National labs do this to test potential malware. You run the bad guy on test. You run your program on internet to see what traffic you get aimed for where, for example. You then indepedently check "where" against known lists like Tor access points, bad sites in general. There is a blacklist that is updated daily, I believe.

I've oversimplified this a lot. As an example, you need to be able to munge any actual ip request like 8.8.8.8 -> 1.1.1.0. The labs work with dozens of virtuals simulating various sites out in the wild.

This is also done by companies who specialize in security software. I saw a demo by folks from Sandia Labs and a security vendor a while back. Very interesting. The vendor sells the system. Duh.

Once done testing you wipe everything and restore from tape or whatever. The "whatever" cannot ever be seen by the nasty system except after a complete wipe.
The labs also reflash the bios and do some other cleansing.
Sounds complicated.Smilie I've been reading about a function called "unshare" from "sched.h" ( I'm not allowed to add hyper text links yet ) that claims to be able to limit a programs access to the network , etc. , but I'm not sure. Anyone know about this library function?
# 11  
Old 01-28-2016
Looks to me like you would need driver code...

unshare(2) - Linux manual page

If you persist you may yet find a way. Let us know.
# 12  
Old 01-28-2016
I've been messing with this example from a website associated with the book I'm reading:
Code:
http://man7.org/tlpi/code/online/dist/namespaces/unshare.c.html

( Sorry if I'm not allow to sneak the link in like this )

When the code is run as root I found that the "evince" editor doesn't seem to be able to "connect out" when using a "pdf" file with hypertext links. This might work....
Login or Register to Ask a Question

Previous Thread | Next Thread
Login or Register to Ask a Question