我正在开发一个类似 Ideone 的系统,其中不受信任的用户代码必须在沙盒模式下运行。
为此,我一直在寻找ptrace
第一层保护的可能性。然而,经过几次实验后,似乎:
- 我可以在调用之前拦截系统调用并修改输入参数。
- 我可以在调用系统调用后拦截它并更改返回值。
- 但是,似乎根本没有办法阻止调用发生(除了杀死整个应用程序)。
我想拦截某些系统调用并返回一个虚假的结果代码,而不会实际发生调用。有没有办法实现这个?
Please keep in mind that your sandbox can only be secure if the code it runs is not multi-threaded. You'll also have to take great care to prevent the sand-boxed code from forking as well.
See, for example, the following discussion of a paper about the issues by Robert Watson:
Exploiting races in system call wrappers
The paper is linked to in that article, but I'll offer the link here directly as well:
"Exploiting Concurrency Vulnerabilities in System Call Wrappers"
The better approach still seems to be as is recommended by Watson: integrate the security framework entirely into the kernel and take care in its use to avoid concurrency issues. Linux and NetBSD and Mac OS X and other security-oriented systems already provide such frameworks and so all that's necessary if using those systems is to implement your policies within those existing frameworks. I.e. don't even try to implement your security policies in system call wrappers or other system call interposition mechanisms.
您可以通过增加IP(指令指针)来跳转执行系统调用的指令,这样调用将不会被执行,您可以像往常一样设置返回值。
编辑:
有一个名为pinktrace的 ptrace 包装器,它可以让您的工作更轻松,这里还有更多信息:
https://security.stackexchange.com/questions/8484/wrapping-system-call-in-reliable-and-secure-way