EzDevInfo.com

sandbox

Sandbox - A nifty javascript sandbox for node.js

How to disable Sandbox Mode for app in new Facebook Developer?

I cannot see an option to disable that in the new Developers design!

Please help.


Source: (StackOverflow)

Is there a good browser based sandbox to practice regex? [closed]

I am looking for recommendations for a browser based regex sandbox to practice some proof of concept expressions.


Source: (StackOverflow)


Implementing a sandbox with custom stack on Windows 64-bit

I am currently investigating how to implement a sandbox (similar to Google's NaCl project) where I can run untrusted x86 code (restricted instruction set) in such a way that it cannot harm the rest of my process.

Unlike with NaCl, the untrusted code will not run in a separate process but the same process as the host application. So, one crucial step is to get Windows' structured exception handling right in order to catch errors (like invalid memory access or div by 0) and gracefully terminate the sandbox before Windows kills my host application. (NaCl doesn't face these issues. The sandbox is a separate process and simply gets killed in case of an error.)

Furthermore, the sandboxed code should not use the host application's stack but run on some separate "stack" which is allocated by myself.

Exactly this combination (exception handling in presence of a custom allocated stack) is twisting my mind. I have checked the language implementations of Go and Factor which do similar things and with this help got something running.

But there are still some open questions and uncertainties. So I thought I'd use the fantastic knowledge of Stack Overflow to get some opinions :-)

The following is a working code snippet cut down to the core issues:

code.cpp

#include <Windows.h>
#include <cstring>   // strlen
extern "C" void Sandbox();

// just a low level helper to print "msg"
extern "C" void Write(const char* msg)
{
    WriteFile(GetStdHandle(STD_OUTPUT_HANDLE),
              msg, (DWORD)strlen(msg), NULL, NULL);
}

// should be called first on error and continue exception handling
LONG __stdcall GlobalExceptionHandler(_EXCEPTION_POINTERS*)
{
    Write("GEH ");
    return EXCEPTION_CONTINUE_SEARCH;
}

// should be called afterwards on error and terminate the process
// of course this is just a stub to simplify the issue
// in real world it would just terminate the sandbox
extern "C" EXCEPTION_DISPOSITION __stdcall FrameExceptionHandler(
        PEXCEPTION_RECORD, ULONG64, PCONTEXT, PVOID)
{
    Write("FEH ");
    ExitProcess(42);
}

int main()
{
    AddVectoredExceptionHandler(1, GlobalExceptionHandler);
    Sandbox();
    // never reach this...
    ExitProcess(23);
    return 0;
}

code.asm

EXTERN FrameExceptionHandler:PROC
EXTERN malloc:PROC

.code

Handler:
    jmp FrameExceptionHandler

Sandbox PROC FRAME : Handler
    ; function prologue compliant with Windows x86_64 calling conventions
    ; saves rsp to the "frame-pointer" r15
    push r15
    .PUSHREG r15
    sub rsp, 20h
    .ALLOCSTACK(20h)
    mov r15, rsp
    .SETFRAME r15, 0h
    .ENDPROLOG

    ; set rsp to the top of a "heap allocated stack" of size 0x10000 bytes
    mov rcx, 10000h
    call malloc
    lea rsp, [rax+10000h]

    ; got this from implementation of the Go language runtime:
    ; while unwinding the stack, Windows sanity checks the values of
    ; RSP to be within stack-bounds. Of course RSP is set to our
    ; "heap allocated stack" and not within the bounds of what Windows
    ; thinks should be the stack.
    ; Fix this by adjusting StackBase and StackEnd in the TIB (thread
    ; information block), so that basically the stack is unbounded:
    ; StackBase = 0xffffffffffffffff, StackEnd = 0x0000000000000000
    mov rcx, 0FFFFFFFFFFFFFFFFh
    mov gs:[008h], rcx
    mov rcx, 0
    mov gs:[010h], rcx


    ; trigger an access error by reading invalid memory
    mov rax, 0DEADBEEFh
    mov rax, [rax]

    ; function epilogue - will never get here
    ; restore the host stack pointer saved in r15 before undoing the prologue
    mov rax, 0
    mov rsp, r15
    add rsp, 20h
    pop r15
    ret
Sandbox ENDP

end

Running this will print "GEH FEH " and then gracefully exit with code 42.

Does anyone have more insight in this set StackBase & StackEnd "hack"? I tried to narrow the stack limits to something like:

    mov gs:[008h], rsp
    mov gs:[010h], rax    ; rax is the address returned by malloc

But it does not work. It prints "GEH " and then crashes due to unhandled exceptions. FrameExceptionHandler() will never be executed.

I also tried more relaxed boundaries that include the "heap allocated stack" as well as the stack allocated by Windows. But it doesn't help.

Another question is, whether you know any other traps I can run into. For example I noticed that Windows does not like it if RSP is uneven (I guess because you can never get to an uneven RSP by doing 2/4/8 byte PUSHes and POPs on a 16-byte aligned stack pointer).

Thanks, Jonas


Source: (StackOverflow)

Why does the Flash Player throw a sandbox error in this case?

I get a Flex 3 sandbox error #2048 after connecting to a Socket on a Java (1.5) server. The server code is all mine, i.e. not running under Apache. Flash Player 10.0 r32.

The sequence is as follows...

1. Java server starts, listens on port 843 for policy file request and on port 45455 for my other requests.

2. Flex client served by Apache (although I get the same result if I run it from the file system), socket connection made on host:45455.

3. Flash Player requests policy file from port 843. This is the standard behaviour with the new security settings looking for a master file. It happens regardless of whether a different policy file has been specified.

4. I serve the following XML from Java through port 843:

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
<allow-access-from domain="*" to-ports="*" secure="false"/>
</cross-domain-policy>

5. The player writes the following into the debug policy log...

OK: Root-level SWF loaded: http://localhost/bst/BasicSocketTest.swf
OK: Searching for <allow-access-from> in policy files to authorize data loading from resource at xmlsocket://192.168.2.3:45455 by requestor from http://localhost/bst/BasicSocketTest.swf
OK: Policy file accepted: xmlsocket://192.168.2.3:843
OK: Request for resource at xmlsocket://192.168.2.3:45455 by requestor from http://localhost/bst/BasicSocketTest.swf is permitted due to policy file at xmlsocket://192.168.2.3:843

6. I send a text message from the client to the server on port 45455 using writeUTFBytes() and flush() (this is my own home-baked message protocol, and is correctly processed at each end):

REG/REGISTER;simon;Si

7. Java server thread listening on port 45455 responds with:

REG:0/REGISTER:SUCCESS;simon;Si

8. The Flex client receives a ProgressEvent and the event listener I bound to the socket gets called. I process the message (write it to a text box on the screen).

9. The Flash player throws a 2048 sandbox error and the socket is disconnected! This is after the message is received and processed successfully. In fact it is about 12 seconds after. Nothing else works through the socket.

I have tried explicitly loading a policy file with a call to Security.loadPolicyFile() in the Flex client, but the reality of the new player security is that it is basically ignored. The steps are that the policy request will not get sent until a socket i/o operation occurs. At that point the player always goes to port 843 first looking for a master policy file. If it finds one, and it is permissive, it goes no further.

I have tried a variety of alternative ways of terminating the policy file and policy file contents, including deliberate errors just to see if the Flash Player is awake.

I can see no reason why I would have a 2048 being thrown. I accurately serve a socket policy file on the designated master security port, which the player itself logs as correct. The socket then successfully sends and receives a message from the server the contents of which are available to my code.

Does anyone have any clue why this may be happening? Flash Player bug?

P.S. Please don't tell me to use BlazeDS or LCDS or Granite, or something else as a server, I'm looking for a solution to this problem, not a redesign. And please don't ask me to use an XMLSocket instead - I tried that and get exactly the same result. I have chosen my architecture carefully and deliberately and I want a binary socket.

EDIT In response to James Ward's request in his comment, here is the entire error message:

Error #2048: Security sandbox violation: http://localhost/bst/BasicSocketTest.swf cannot load data from 192.168.2.3:45455.

I have a stripped down test client which has a handler for each socket event and outputs a message to the screen. This is what it shows:

RequestPolicy: 192.168.2.3:843
Create Socket: 192.168.2.3:45455
Connect: [Event type="connect" bubbles=false cancelable=false eventPhase=2]
Sending: REG/REGISTER;simon.palmer@gmail.com;Si
Receiving: REG:0/REGISTER:SUCCESS;simon.palmer@gmail.com;Si/
Close: [Event type="close" bubbles=false cancelable=false eventPhase=2]
Error #2048: Security sandbox violation: http://localhost/bst/BasicSocketTest.swf cannot load data from 192.168.2.3:45455.

The close event is fired immediately after successfully receiving a response from the server, however the Error #2048 does not appear until about 20 seconds later. If I try and send a further message after close, but before the error, the Flash Player throws an invalid socket exception.

I have logged a bug at Adobe about this.

I can provide full source code of both client and server if anyone is interested.


Source: (StackOverflow)

Is there a way to execute php code in a sandbox from within php

I want to execute a php-script from php that will use different constants and different versions of classes that are already defined.

Is there a sandbox php_module where I could just:

sandbox('script.php'); // run in a new php environment

instead of

include('script.php'); // run in the same environment

Or is proc_open() the only option?

PS: The script isn't accessible through the web, so fopen('http://host/script.php') is not an option.


Source: (StackOverflow)

Can you run GUI apps in a Docker container?

How can you run GUI apps in a Docker container?

Are there any images that set up vncserver or something so that you can - for example - add an extra speedbump sandbox around say Firefox?


Source: (StackOverflow)

Capabilities for Lua: what experience is there?

There's been some discussion on the cap-talk mailing list around whether Lua and Javascript support the object-capability model, with the conclusion that because of support for restricting the environment to called functions through setfenv, and the possibility of unforgeable references to immutable objects, the OCM could be implemented.

Have we seen how this works out? I'm interested in removing exploits from an existing application with very useful, generous scripting support in Lua that unfortunately allows full shell access in all kinds of cases. Some shell access is needed: the object-capability model seems like a good way to manage things. But I worry about how convincing a case I can make that this approach will actually be verifiably secure in the sure-to-be messy practice.

Some links:

  1. Older SO question: How can I create a secure Lua sandbox?
  2. Background at erights.org: From Objects To Capabilities
  3. Lua wiki: SandBoxes and ReadOnlyTables - shows setfenv in action; shows basic idea behind tables that can, under the right circumstances, be made read only

Source: (StackOverflow)

How can you run Javascript using Rhino for Java in a sandbox?

Part of our java application needs to run javascript that is written by non-developers. These non-developers are using javascript for data formatting. (Simple logic and string concatenation mostly).

My question is how can I setup the execution of these scripts to make sure scripting errors don't have a major negative impact on the rest of the application.

  • Need to guard against infinite loops
  • Guard against spawning new threads.
  • Limit access to services and environment
    • File system (Example: If a disgruntled script writer decided to delete files)
    • Database (Same thing delete database records)

Basically I need to setup the javascript scope to only include exactly what they need and no more.


Source: (StackOverflow)

Please login to use the PayPal sandbox feature

With the recent revamp of the PayPal developer site, I have encountered many problems trying to test my site with PayPal integration.

Issue 1: I am not able to check out from our site, which should bring me to sandbox.paypal.com; it returns the common error "Please login to use the PayPal sandbox feature". I have confirmed that I am logged in to the developer site at developer.paypal.com.

Issue 2: Under Applications > Sandbox accounts, in one of the accounts, I am redirected to the live site at www.paypal.com by clicking on "Sandbox site". It should bring me to sandbox.paypal.com so I can log in to the sandbox account. Currently this is not possible.

Issue 3: I realised that I am logged out from developer.paypal.com when I go to www.paypal.com. Some kind of cookie issue?

For all of the above issues, I have tried troubleshooting by using a different browser and clearing cookies and cache.


Source: (StackOverflow)

Reading file contents on the client-side in javascript in various browsers

I'm attempting to provide a script-only solution for reading the contents of a file on a client machine through a browser.

I have a solution that works with Firefox and Internet Explorer. It's not pretty, but I'm only trying things at the moment:

function getFileContents() {
    var fileForUpload = document.forms[0].fileForUpload;
    var fileName = fileForUpload.value;

    if (fileForUpload.files) {
        var fileContents = fileForUpload.files.item(0).getAsBinary();
        document.forms[0].fileContents.innerHTML = fileContents;
    } else {
        // try the IE method
        var fileContents = ieReadFile(fileName);
        document.forms[0].fileContents.innerHTML = fileContents;
    }
}   	

function ieReadFile(filename) 
{
    try
    {
        var fso  = new ActiveXObject("Scripting.FileSystemObject"); 
        var fh = fso.OpenTextFile(filename, 1); 
        var contents = fh.ReadAll(); 
        fh.Close();
        return contents;
    }
    catch (Exception)
    {
        return "Cannot open file :(";
    }
}

I can call getFileContents() and it will write the contents into the fileContents text area.

Is there a way to do this in other browsers?

I'm most concerned with Safari and Chrome at the moment, but I'm open to suggestions for any other browser.

Edit: In response to the question, "Why do you want to do this?":

Basically, I want to hash the file contents together with a one-time-password on the client side so I can send this information back as a verification.


Source: (StackOverflow)

iOS In App Purchase: Will Apple reviewers test live or sandbox environment?

I use In App Payment to sell in-game consumables. After successful payment I forward the payment receipt to my backend, which validates the receipt with the iTunes payment backend. This works flawlessly in the sandbox environment.

Now I submitted my app so it can be approved by the Apple guys and be published in the App Store. Of course I made sure that my backend will be validating the payment receipts with the production environment of the iTunes backend, because I expected the Apple guys to test the app in production mode. However, the app was rejected. As a reason I was told that the purchase of my consumables does not work (refused by my backend because of an invalid receipt). After checking my logs I see 3 attempted purchases. I decoded the receipts that were used and see that all of these are "environment" = "Sandbox".

Does this mean that Apple tests submitted apps in sandbox mode? That would be crazy! Am I supposed to allow sandbox payment in my production environment or what? Any facts about this?


Source: (StackOverflow)

How to add a sandboxed app to the login items

I want my app to auto start if the user selects the option. The methods I have been using are not allowed anymore in sandboxed apps.

I know I have to create a helper to achieve that? Is there a simple tutorial with sample code to achieve that?

I found this tutorial, but it does not work for me: http://www.delitestudio.com/2011/10/25/start-dockless-apps-at-login-with-app-sandbox-enabled/

It is a pretty standard thing to do, I don't understand why there is no example project available.

UPDATE:

I uploaded a sample project: http://ge.tt/6DntY4K/v/0?c


Source: (StackOverflow)

How to create a lightweight C code sandbox?

I'd like to build a C pre-processor / compiler that allows functions to be collected from local and online sources. ie:

#fetch MP3FileBuilder http://scripts.com/MP3Builder.gz
#fetch IpodDeviceReader http://apple.com/modules/MP3Builder.gz

void mymodule_main() {
  MP3FileBuilder(&some_data);
}

That's the easy part.

The hard part is I need a reliable way to "sandbox" the imported code from direct or unrestricted access to disk or system resources (including memory allocation and the stack). I want a way to safely run small snippets of untrusted C code (modules) without the overhead of putting them in separate process, VM or interpreter (a separate thread would be acceptable though).

REQUIREMENTS

  • I'd need to put quotas on its access to data and resources including CPU time.
  • I will block direct access to the standard libraries
  • I want to stop malicious code that creates endless recursion
  • I want to limit static and dynamic allocation to specific limits
  • I want to catch all exceptions the module may raise (like divide by 0).
  • Modules may only interact with other modules via core interfaces
  • Modules may only interact with the system (I/O etc..) via core interfaces
  • Modules must allow bit ops, maths, arrays, enums, loops and branching.
  • Modules cannot use ASM
  • I want to limit pointer and array access to memory reserved for the module (via a custom safe_malloc())
  • Must support ANSI C or a subset (see below)
  • The system must be lightweight and cross-platform (including embedded systems).
  • The system must be GPL or LGPL compatible.

I'm happy to settle for a subset of C. I don't need things like templates or classes. I'm primarily interested in the things high-level languages don't do well like fast maths, bit operations, and the searching and processing of binary data.

It is not the intention that existing C code can be reused without modification to create a module. The intention is that modules would be required to conform to a set of rules and limitations designed to limit the module to basic logic and transformation operations (like a video transcode or compression operations for example).

The theoretical input to such a compiler/pre-processor would be a single ANSI C file (or safe subset) with a module_main function, NO includes or pre-processor directives, no ASM, It would allow loops, branching, function calls, pointer maths (restricted to a range allocated to the module), bit-shifting, bitfields, casts, enums, arrays, ints, floats, strings and maths. Anything else is optional.

EXAMPLE IMPLEMENTATION

Here's a pseudo-code snippet to explain this better. Here a module exceeds its memory allocation quota and also creates infinite recursion.

buffer* transcodeToAVI_main( &in_buffer ) {
    int buffer[1000000000]; // allocation exceeding quota
    while(true) {} // infinite loop
    return buffer;
}

Here's a transformed version where our preprocessor has added watchpoints to check for memory usage and recursion and wrapped the whole thing in an exception handler.

buffer* transcodeToAVI_main( &in_buffer ) {
    try {
        core_funcStart(__FILE__,__FUNC__); // tell core we're executing this function
        buffer = core_newArray(1000000000, __FILE__, __FUNC__); // memory allocation from quota
        while(true) {
           core_checkLoop(__FILE__, __FUNC__, __LINE__) && break; // break loop on recursion limit
        } 
        core_moduleEnd(__FILE__,__FUNC__);
    } catch {
        core_exceptionHandler(__FILE__, __FUNC__);
    }
    return buffer;
}

I realise performing these checks impacts the module performance, but I suspect it will still outperform high-level or VM languages for the tasks it is intended to solve. I'm not trying to stop modules doing dangerous things outright, I'm just trying to force those dangerous things to happen in a controlled way (like via user feedback). ie: "Module X has exceeded its memory allocation, continue or abort?".

UPDATE

The best I've got so far is to use a custom compiler (Like a hacked TCC) with bounds checking and some custom function and looping code to catch recursions. I'd still like to hear thoughts on what else I need to check for or what solutions are out there. I imagine that removing ASM and checking pointers before use solves a lot of the concerns expressed in previous answers below. I added a bounty to pry some more feedback out of the SO community.

For the bounty I'm looking for:

  • Details of potential exploits against the theoretical system defined above
  • Possible optimisations over checking pointers on each access
  • Experimental open-source implementations of the concepts (like Google Native Client)
  • Solutions that support a wide range of OS and devices (no OS/hardware based solutions)
  • Solutions that support the most C operations, or even C++ (if that's possible)

Extra credit for a method that can work with GCC (ie, a pre-processor or small GCC patch).

I'll also give consideration to anyone who can conclusively prove what I'm attempting cannot be done at all. You will need to be pretty convincing though, because none of the objections so far have really nailed the technical aspects of why they think it's impossible. In defence of those who said no, this question was originally posed as a way to safely run C++. I have now scaled back the requirement to a limited subset of C.

My understanding of C could be classed as "intermediate", my understanding of PC hardware is maybe a step below "advanced". Try to couch your answers for that level if you can. Since I'm no C expert I'll be going largely based on votes given to an answer as well as how closely the answer comes to my requirements. You can assist by providing sufficient evidence for your claims (respondents) and by voting (everyone else). I'll assign an answer once the bounty countdown reaches 6 hours.

Finally, I believe solving this problem would be a major step towards maintaining C's relevance in an increasingly networked and paranoid world. As other languages close the gap performance-wise and computing power grows it will be harder and harder to justify the added risk of C development (as it is now with ASM). I believe your answers will have a much greater relevance than scoring a few SO points so please contribute what you can, even if the bounty has expired.


Source: (StackOverflow)
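The "transformed version" in the question above is pseudo-code (C has no try/catch, and `buffer* f( &in_buffer )` is not valid C). The following is an added, runnable C example that is not part of the question: it implements the `core_newArray`, `core_funcStart` and `core_checkLoop` hooks the poster's preprocessor would insert, with `setjmp`/`longjmp` standing in for the exception handler and a `core_run()` wrapper playing the role of the core. The hook signatures, the `core_funcEnd`/`core_run` names and the quota values are assumptions chosen for this example; the four `module_*` functions are constructed modules written the way the preprocessor would emit them, one well behaved and three that trip the memory, loop and recursion quotas from the poster's requirements list.

```c
#include <setjmp.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Quotas are hypothetical values chosen for this example. */
#define CORE_MEM_QUOTA   (64u * 1024u)  /* bytes a module may hold at once */
#define CORE_LOOP_QUOTA  100000L        /* loop iterations per module run  */
#define CORE_DEPTH_QUOTA 64             /* nested function entries per run */
#define CORE_MAX_ALLOCS  256

enum core_status { CORE_OK = 0, CORE_ERR_MEMORY, CORE_ERR_LOOP, CORE_ERR_DEPTH };

/* Bookkeeping the core keeps about the module currently running. */
static struct {
    jmp_buf escape;                  /* core_abort() longjmps back here */
    enum core_status status;         /* why the last run ended */
    size_t  mem_used;
    long    loop_count;
    int     depth;
    void   *allocs[CORE_MAX_ALLOCS]; /* every block handed out by core_newArray */
    int     n_allocs;
} core;

/* Stands in for the pseudo-code's exception: unwinds straight back to core_run(). */
static void core_abort(enum core_status why, const char *file, const char *func, const char *what) {
    fprintf(stderr, "%s:%s: %s quota exceeded, aborting module\n", file, func, what);
    core.status = why;
    longjmp(core.escape, 1);
}

/* Replaces a module's array declarations and mallocs; charges the memory quota. */
void *core_newArray(size_t n, size_t elem, const char *file, const char *func) {
    if (elem == 0 || n > CORE_MEM_QUOTA / elem ||       /* overflow-safe size check */
        core.mem_used + n * elem > CORE_MEM_QUOTA ||
        core.n_allocs == CORE_MAX_ALLOCS)
        core_abort(CORE_ERR_MEMORY, file, func, "memory");
    void *p = calloc(n, elem);
    if (p == NULL) core_abort(CORE_ERR_MEMORY, file, func, "memory");
    core.allocs[core.n_allocs++] = p;
    core.mem_used += n * elem;
    return p;
}

/* Inserted at every function entry and exit: bounds recursion depth. */
void core_funcStart(const char *file, const char *func) {
    if (++core.depth > CORE_DEPTH_QUOTA) core_abort(CORE_ERR_DEPTH, file, func, "recursion");
}
void core_funcEnd(void) { core.depth--; }

/* Inserted at the top of every loop body: bounds total iterations per run. */
void core_checkLoop(const char *file, const char *func, int line) {
    if (++core.loop_count > CORE_LOOP_QUOTA) {
        fprintf(stderr, "%s:%s:%d: ", file, func, line);
        core_abort(CORE_ERR_LOOP, file, func, "loop");
    }
}

/* Runs one module entry point under the quotas and releases everything it allocated. */
typedef int (*module_fn)(void);
enum core_status core_run(module_fn entry) {
    memset(&core, 0, sizeof core);
    if (setjmp(core.escape) == 0) entry();   /* re-entered with 1 after core_abort() */
    for (int i = 0; i < core.n_allocs; i++) free(core.allocs[i]);
    return core.status;
}

/* ---- Constructed modules, written the way the preprocessor would emit them ---- */

/* Well-behaved: small array, bounded loop. */
int module_ok(void) {
    core_funcStart(__FILE__, __func__);
    int *buf = core_newArray(1000, sizeof(int), __FILE__, __func__);
    for (int i = 0; i < 1000; i++) { core_checkLoop(__FILE__, __func__, __LINE__); buf[i] = i; }
    core_funcEnd();
    return buf[999];
}

/* The question's 1e9-element array: refused before any memory is touched. */
int module_hog(void) {
    core_funcStart(__FILE__, __func__);
    (void)core_newArray(1000000000u, sizeof(int), __FILE__, __func__);
    core_funcEnd();
    return 0;
}

/* while(true) {}: the iteration counter trips and the run is unwound. */
int module_spin(void) {
    core_funcStart(__FILE__, __func__);
    for (;;) core_checkLoop(__FILE__, __func__, __LINE__);
}

/* Unbounded recursion: stopped after CORE_DEPTH_QUOTA nested entries. */
int module_recurse(void) {
    core_funcStart(__FILE__, __func__);
    module_recurse();
    core_funcEnd();
    return 0;
}

int main(void) {
    printf("ok=%d hog=%d spin=%d recurse=%d\n", core_run(module_ok), core_run(module_hog),
           core_run(module_spin), core_run(module_recurse));
    return 0;
}
```

Because the abort unwinds with `longjmp`, the module never gets to run cleanup code of its own; that is why `core_run()` owns every allocation and frees it afterwards. The counters only bound what the hooks see, so a module that hides work in a construct the preprocessor forgot to instrument (or that reaches memory it did not obtain from `core_newArray`) is outside their reach, which is the pointer-checking part of the poster's requirements list.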

How do sites like codepad.org and ideone.com sandbox your program?

I need to compile and run user-submitted scripts on my site, similar to what codepad and ideone do. How can I sandbox these programs so that malicious users don't take down my server?

Specifically, I want to lock them inside an empty directory and prevent them from reading or writing anywhere outside of that, from consuming too much memory or CPU, or from doing anything else malicious.

I will need to communicate with these programs via pipes (over stdin/stdout) from outside the sandbox.


Source: (StackOverflow)

Good Implementation of Scalable JavaScript Application Architecture (Sandbox by Nicholas Zakas)?

I recently watched a good video with regards to a modular javascript architecture including a sandbox. I was wondering if there is anything that's been implemented in the wild?

Is the framework downloadable, or is there an implementation of it?

The videos were great but they were only THEORY and no code was available.

Any help really appreciated.

Regards

Original video is here http://cryptochaos.com/highly-recommended-scalable-javascript-applic


Source: (StackOverflow)