Sandboxing

#8  01-28-2016  jim mcnamara (Forum Staff)  -  Original Discussion by cman
Well, in a sense you can. Oversimplified:

Create a network that is physically disconnected from everything. You need a DNS server (1.1.1.2) which gives the answers to all inquiries as 1.1.1.0, a box called internet (1.1.1.0), and a box called test (1.1.1.3).

These can be virtuals on a single server. But. Treat the whole server as poison so - There cannot be any network connection out of the box. Ever.

The US National labs do this to test potential malware. You run the bad guy on test. You run your program on internet to see what traffic you get aimed for where, for example. You then independently check "where" against known lists like Tor access points, bad sites in general. There is a blacklist that is updated daily, I believe.

I've oversimplified this a lot. As an example, you need to be able to munge any actual ip request like 8.8.8.8 -> 1.1.1.0. The labs work with dozens of virtuals simulating various sites out in the wild.

This is also done by companies who specialize in security software. I saw a demo by folks from Sandia Labs and a security vendor a while back. Very interesting. The vendor sells the system. Duh.

Once done testing you wipe everything and restore from tape or whatever. The "whatever" cannot ever be seen by the nasty system except after a complete wipe.
The labs also reflash the BIOS and do some other cleansing.

#9  01-28-2016  jgt (Forum Advisor)
Typically when setting up a user with a restricted shell, the user's profile sets the PATH variable to $HOME/bin.
The administrator then creates soft links in $HOME/bin to any programs the user is allowed to execute.

#10  01-28-2016  cman
Quote:
> Well, in a sense you can. Oversimplified:
>
> Create a network that is physically disconnected from everything. You need a DNS server (1.1.1.2) which gives the answers to all inquiries as 1.1.1.0, a box called internet (1.1.1.0), and a box called test (1.1.1.3).
>
> These can be virtuals on a single server. But. Treat the whole server as poison so - There cannot be any network connection out of the box. Ever.
>
> The US National labs do this to test potential malware. You run the bad guy on test. You run your program on internet to see what traffic you get aimed for where, for example. You then independently check "where" against known lists like Tor access points, bad sites in general. There is a blacklist that is updated daily, I believe.
>
> I've oversimplified this a lot. As an example, you need to be able to munge any actual ip request like 8.8.8.8 -> 1.1.1.0. The labs work with dozens of virtuals simulating various sites out in the wild.
>
> This is also done by companies who specialize in security software. I saw a demo by folks from Sandia Labs and a security vendor a while back. Very interesting. The vendor sells the system. Duh.
>
> Once done testing you wipe everything and restore from tape or whatever. The "whatever" cannot ever be seen by the nasty system except after a complete wipe.
> The labs also reflash the BIOS and do some other cleansing.

Sounds complicated. I've been reading about a function called "unshare" from "sched.h" (I'm not allowed to add hypertext links yet) that claims to be able to limit a program's access to the network, etc., but I'm not sure. Anyone know about this library function?

#11  01-28-2016  jim mcnamara (Forum Staff)
Looks to me like you would need driver code...

unshare(2) - Linux manual page

If you persist you may yet find a way. Let us know.

#12  01-28-2016  cman
I've been messing with this example from a website associated with the book I'm reading:

Code:
http://man7.org/tlpi/code/online/dist/namespaces/unshare.c.html

(Sorry if I'm not allowed to sneak the link in like this.)

When the code is run as root I found that the "evince" editor doesn't seem to be able to "connect out" when using a "pdf" file with hypertext links. This might work....
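
The network-isolation use of unshare(2) discussed in the posts above, as an added example (not code from this thread or from the linked unshare.c): it goes one step further than the root-only case by falling back to a user namespace when plain CLONE_NEWNET is refused, and it checks the result with a route lookup that sends no traffic. The function names drop_network, has_route and check_isolation are illustrative; 8.8.8.8 is the address used earlier in the thread.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <sched.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Put the caller in a new, empty network namespace. CLONE_NEWNET alone needs
 * root (CAP_SYS_ADMIN); if refused, retry inside a new user namespace, which
 * some kernels allow unprivileged. Returns 0 on success, -1 if both fail. */
int drop_network(void)
{
    return unshare(CLONE_NEWNET) == 0 ? 0 : unshare(CLONE_NEWUSER | CLONE_NEWNET);
}

/* 1 if the kernel has a route to ip, else 0. connect() on a UDP socket only
 * performs the route lookup; nothing is sent on the wire. */
int has_route(const char *ip)
{
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(53) };
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    int ok = fd >= 0 && inet_pton(AF_INET, ip, &sa.sin_addr) == 1
             && connect(fd, (struct sockaddr *)&sa, sizeof sa) == 0;
    if (fd >= 0) close(fd);
    return ok;
}

/* Isolate a forked child and report what it sees: 0 = no route to ip,
 * 1 = still routable (leak), 2 = unshare() refused, -1 = fork/wait error. */
int check_isolation(const char *ip)
{
    int st;
    pid_t pid = fork();
    if (pid == 0) _exit(drop_network() != 0 ? 2 : has_route(ip));
    if (pid < 0 || waitpid(pid, &st, 0) < 0 || !WIFEXITED(st))
        return -1;
    return WEXITSTATUS(st);
}

int main(int argc, char **argv)
{
    if (argc < 2)
        return printf("isolation check: %d\n", check_isolation("8.8.8.8")) < 0;
    if (drop_network() != 0) { perror("unshare"); return 1; }
    execvp(argv[1], &argv[1]);
    perror("execvp");
    return 1;
}
```

Built under a hypothetical name such as `nonet`, running it with no arguments prints the self-check result, and `./nonet evince file.pdf` starts the viewer in a namespace whose only interface is a loopback that is down.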