Closed Martins3 closed 3 years ago
Memory belonging to the sandbox runtime is protected by setting the supervisor bit in appropriate page table entries. While we rely on the kernel to load the sandbox runtime, the untrusted binary must be loaded in userspace.
One risk is that it could contain maliciously crafted headers designed to exploit flaws in the ELF loader. We hardened our sandbox against this possibility by using two separate ELF loaders. First, the sandbox runtime uses a minimal ELF loader (part of libDune), that only supports static binaries, to load a second ELF loader into the untrusted environment. We chose to use ld-linux.so as our second ELF loader because it is already used as an integral and trusted component in Linux.
So the minimal loader is used to load ld-linux.so?
So far our sandbox has been applied primarily as a tool for filtering Linux system calls. However, it could potentially be used for other purposes, including providing a completely new system call interface. For system call filtering, a large concern is to prevent execution of any system call that could corrupt or disable the sandbox runtime. We protect against this hazard by validating each system call argument, checking to make sure performing the system call would not allow the untrusted binary to access or modify memory belonging to the sandbox runtime. We do not yet support all system calls, but we support enough to run most single-threaded Linux applications.
We implemented two policies on top of the sandbox. Firstly, we support a null policy that allows system calls to pass through but still validates arguments in order to protect the sandbox runtime. It is intended primarily to demonstrate raw performance overhead. Secondly, we support a userspace firewall. It uses system call interposition (insertion) to inspect important network system calls, such as bind and connect, and prevents communication with undesirable parties as specified by a policy description. To further demonstrate the flexibility of our sandbox, we also implemented a checkpointing system that can serialize an application to disk and then restore execution at a later time. This includes saving memory, registers, and system call state (e.g., open file descriptors).
RIP: 0010:vmcs_clear+0x3f/0x70 [dune]
[118042.459671] Call Trace:
[118042.459674] vmx_get_cpu+0x1d4/0x2d0 [dune]
[118042.459676] vmx_launch+0x18c/0x13a0 [dune]
[118042.459678] dune_dev_ioctl+0x7c/0x1b0 [dune]
[118042.459681] do_vfs_ioctl+0x407/0x670
[118042.459682] ksys_ioctl+0x67/0x90
[118042.459683] __x64_sys_ioctl+0x1a/0x20
[118042.459686] do_syscall_64+0x57/0x190
[118042.459688] entry_SYSCALL_64_after_hwframe+0x44/0xa9
vmx_get_cpu calls vmcs_clear, and vmcs_clear is where the error occurs.
Same as with wedge: -static must be added.
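The two quoted paragraphs above describe the same interposition point: every system call argument is validated so the untrusted binary cannot make the kernel read or write sandbox-runtime memory, and the firewall policy inspects the arguments of bind/connect. The C below is an added example of that check, written for this page; it is not Dune's or libDune's code. The runtime region bounds, the syscall subset, and the deny-list entry are constructed assumptions for x86-64 Linux. It shows the two things a practitioner has to get right: the range check must reject wraparound, not just overlap, and the sockaddr must be copied out of untrusted memory before the policy looks at it, otherwise the untrusted code can rewrite it between the check and the real connect.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Constructed bounds of the sandbox runtime's mapping (assumption, illustrative only). */
#define RUNTIME_LO 0x7f0000000000ULL
#define RUNTIME_HI 0x7f0000100000ULL

/* Constructed firewall policy: one denied IPv4 destination (assumption). */
#define DENY_ADDR "10.0.0.5"
#define DENY_PORT 443

/* 1 if [base, base+len) is well formed and does not touch the runtime region. */
int range_ok(uintptr_t base, size_t len)
{
    if (len == 0)
        return 1;
    if (base > UINTPTR_MAX - len)          /* base+len would wrap around */
        return 0;
    uintptr_t end = base + len;
    /* half-open intervals overlap iff base < HI && end > LO */
    return !(base < RUNTIME_HI && end > RUNTIME_LO);
}

/* Firewall policy for connect(): copy the address out of untrusted memory first,
 * then decide on the private copy so the caller cannot change it after the check. */
int connect_allowed(const struct sockaddr *untrusted, socklen_t len)
{
    struct sockaddr_in sin;
    struct in_addr deny;

    if (untrusted == NULL || len < sizeof sin)
        return 1;                           /* too short for IPv4; kernel will reject or it is another family */
    memcpy(&sin, untrusted, sizeof sin);    /* snapshot: no TOCTOU on the policy decision */
    if (sin.sin_family != AF_INET)
        return 1;                           /* this constructed policy only covers IPv4 */
    inet_pton(AF_INET, DENY_ADDR, &deny);
    if (sin.sin_addr.s_addr == deny.s_addr && ntohs(sin.sin_port) == DENY_PORT)
        return 0;
    return 1;
}

/* Gate a system call before it is forwarded: 1 = allow, 0 = block.
 * Only a constructed subset is handled; anything else is denied by default. */
int validate_syscall(long nr, uintptr_t a0, uintptr_t a1, uintptr_t a2)
{
    (void)a0;                               /* fd argument, not a pointer */
    switch (nr) {
    case SYS_read:
    case SYS_write:
        return range_ok(a1, (size_t)a2);    /* buf, count */
    case SYS_connect:
        if (!range_ok(a1, (size_t)a2))      /* sockaddr pointer and length */
            return 0;
        return connect_allowed((const struct sockaddr *)a1, (socklen_t)a2);
    default:
        return 0;
    }
}

int main(void)
{
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(DENY_PORT);
    inet_pton(AF_INET, DENY_ADDR, &sin.sin_addr);

    printf("write into runtime region: %d\n", validate_syscall(SYS_write, 1, RUNTIME_LO + 0x10, 64));
    printf("read that wraps around:    %d\n", validate_syscall(SYS_read, 0, UINTPTR_MAX - 8, 64));
    printf("connect to denied peer:    %d\n", validate_syscall(SYS_connect, 3, (uintptr_t)&sin, sizeof sin));
    sin.sin_port = htons(80);
    printf("connect to allowed peer:   %d\n", validate_syscall(SYS_connect, 3, (uintptr_t)&sin, sizeof sin));
    return 0;
}
```

The default-deny in validate_syscall is what the quoted text means by "we do not yet support all system calls": a call the runtime has no argument model for is never forwarded. The overlap test uses half-open intervals so a buffer ending exactly at RUNTIME_LO passes while one that starts one byte inside it fails.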