Programming

Post questions about C, C++, Java, SQL, and other programming languages here.

Sandboxing

👤 Login to reply

 
Thread Tools Search this Thread Display Modes
    #8  
Old 01-28-2016
jim mcnamara jim mcnamara is offline Forum Staff  
...@...
 
Join Date: Feb 2004
Last Activity: 19 July 2018, 6:26 PM EDT
Location: NM
Posts: 11,441
Thanks: 638
Thanked 1,176 Times in 1,082 Posts
Well, in a sense you can. Oversimplified:

Create a network that is physically disconnected from everything. You need a DNS server ( 1.1.1.2 which gives the answers to all inquiries as 1.1.1.0, a box called internet (1.1.1.0), a box called test (1.1.1.3).

These can be virtuals on a single server. But. Treat the whole server as poison so - There cannot be any network connection out of the box. Ever.

The US National labs do this to test potential malware. You run the bad guy on test. You run your program on internet to see what traffic you get aimed for where, for example. You then indepedently check "where" against known lists like Tor access points, bad sites in general. There is a blacklist that is updated daily, I believe.

I've oversimplified this a lot. As an example, you need to be able to munge any actual ip request like 8.8.8.8 -> 1.1.1.0. The labs work with dozens of virtuals simulating various sites out in the wild.

This is also done by companies who specialize in security software. I saw a demo by folks from Sandia Labs and a security vendor a while back. Very interesting. The vendor sells the system. Duh.

Once done testing you wipe everything and restore from tape or whatever. The "whatever" cannot ever be seen by the nasty system except after a complete wipe.
The labs also reflash the bios and do some other cleansing.
Sponsored Links
    #9  
Old 01-28-2016
jgt's Unix or Linux Image
jgt jgt is offline Forum Advisor  
Registered User
 
Join Date: Apr 2007
Last Activity: 19 July 2018, 3:11 PM EDT
Location: 44.21.48N 80.50.15W
Posts: 2,080
Thanks: 2
Thanked 296 Times in 271 Posts
Typically when setting up a user with a restricted shell, the user's profile sets the PATH variable to $HOME/bin.
The administrator then creates soft links in $HOME/bin to any programs the user is allowed to execute.
Sponsored Links
    #10  
Old 01-28-2016
cman cman is offline
Registered User
 
Join Date: Jan 2016
Last Activity: 5 September 2016, 11:29 PM EDT
Posts: 10
Thanks: 0
Thanked 2 Times in 2 Posts
Quote:
Well, in a sense you can. Oversimplified:

Create a network that is physically disconnected from everything. You need a DNS server ( 1.1.1.2 which gives the answers to all inquiries as 1.1.1.0, a box called internet (1.1.1.0), a box called test (1.1.1.3).

These can be virtuals on a single server. But. Treat the whole server as poison so - There cannot be any network connection out of the box. Ever.

The US National labs do this to test potential malware. You run the bad guy on test. You run your program on internet to see what traffic you get aimed for where, for example. You then indepedently check "where" against known lists like Tor access points, bad sites in general. There is a blacklist that is updated daily, I believe.

I've oversimplified this a lot. As an example, you need to be able to munge any actual ip request like 8.8.8.8 -> 1.1.1.0. The labs work with dozens of virtuals simulating various sites out in the wild.

This is also done by companies who specialize in security software. I saw a demo by folks from Sandia Labs and a security vendor a while back. Very interesting. The vendor sells the system. Duh.

Once done testing you wipe everything and restore from tape or whatever. The "whatever" cannot ever be seen by the nasty system except after a complete wipe.
The labs also reflash the bios and do some other cleansing.
Sounds complicated. I've been reading about a function called "unshare" from "sched.h" ( I'm not allowed to add hyper text links yet ) that claims to be able to limit a programs access to the network , etc. , but I'm not sure. Anyone know about this library function?
    #11  
Old 01-28-2016
jim mcnamara jim mcnamara is offline Forum Staff  
...@...
 
Join Date: Feb 2004
Last Activity: 19 July 2018, 6:26 PM EDT
Location: NM
Posts: 11,441
Thanks: 638
Thanked 1,176 Times in 1,082 Posts
Looks to me like you would need driver code...

unshare(2) - Linux manual page

If you persist you may yet find a way. Let us know.
Sponsored Links
    #12  
Old 01-28-2016
cman cman is offline
Registered User
 
Join Date: Jan 2016
Last Activity: 5 September 2016, 11:29 PM EDT
Posts: 10
Thanks: 0
Thanked 2 Times in 2 Posts
I've been messing with this example from a website associated with the book I'm reading:
Code:
http://man7.org/tlpi/code/online/dist/namespaces/unshare.c.html

( Sorry if I'm not allow to sneak the link in like this )

When the code is run as root I found that the "evince" editor doesn't seem to be able to "connect out" when using a "pdf" file with hypertext links. This might work....
Sponsored Links
👤 Login to reply

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes



All times are GMT -4. The time now is 06:49 AM.

Unix & Linux Forums Content Copyrightę1993-2018. All Rights Reserved.
×
UNIX.COM Login
Username:
Password:  
Show Password





Not a Forum Member?
Forgot Password?