Secure sandboxing system for untrusted code execution

Overview

Godbox

Secure sandboxing system for untrusted code execution.

It uses isolate, which relies on specific functionalities of the Linux kernel, so godbox is not able to run properly outside of Linux.

Installation

Docker Compose

version: "3"

services:
  godbox:
    image: quantumsheep/godbox:2
    privileged: true
    ports:
      - 8080:8080

Docker

docker run -it -d --privileged -p 8080:8080 quantumsheep/godbox:2

Usage

POST /run

Properties

| Name | Type | Description |
| --- | --- | --- |
| phases* | Phase[] | Execution phases (check examples below) |
| files* | string | Base64-encoded zip file containing the files used in the phases |
| environment | Record | Environment variables used in all phases |
| sandbox_settings | SandboxSettings | Override default sandbox limitation settings |

interface SandboxSettings {
  run_time_limit?: number = 5;
  extra_time_limit?: number = 0;
  wall_time_limit?: number = 10;
  stack_size_limit?: number = 128000;
  process_count_limit?: number = 120;
  memory_limit?: number = 512000;
  storage_limit?: number = 10240;
}

interface Phase {
  name?: string;
  
  // Multi-line bash script 
  script: string;

  // Environment variables
  environment?: Record<string, string>;

  // Override default sandbox limitation settings
  sandbox_settings?: SandboxSettings;

  // Enable profiling (WIP)
  profiling?: boolean = false;
}

Example

The files should be passed as a base64 zip archive.

The following demonstration uses the following file structure:

.
└── src
    └── main.c

Encoded using the command zip -q -r - * | base64 (a library could have been used instead; it doesn't matter as long as the pipeline stays files -> zip -> base64).

{
  "phases": [
    {
      "name": "Compilation",
      "script": "/usr/local/gcc-11.1.0/bin/gcc src/main.c -o out",
      "sandbox_settings": {
        "run_time_limit": 20,
        "wall_time_limit": 40
      }
    },
    {
      "name": "Execution",
      "script": "./out"
    }
  ],
  "environment": {
    "ENABLE_AWESOME_SHEEP": "true"
  },
  "files": "UEsDBAoAAAAAAJe1pVIAAAAAAAAAAAAAAAAEABwAc3JjL1VUCQADvgOTYNQDk2B1eAsAAQT1AQAABBQAAABQSwMEFAAIAAgABbalUgAAAAAAAAAATQAAAAoAHABzcmMvbWFpbi5jVVQJAAOKBJNgjASTYHV4CwABBPUBAAAEFAAAAFPOzEvOKU1JVbApLknJzNfLsOPiyswrUchNzMzT0OSq5lIAgoLSkmINJY/UnJx8HYXw/KKcFEUlTWsusFxRaklpUZ6CgTVXLRcAUEsHCMUkHr9KAAAATQAAAFBLAQIeAwoAAAAAAJe1pVIAAAAAAAAAAAAAAAAEABgAAAAAAAAAEADtQQAAAABzcmMvVVQFAAO+A5NgdXgLAAEE9QEAAAQUAAAAUEsBAh4DFAAIAAgABbalUsUkHr9KAAAATQAAAAoAGAAAAAAAAQAAAKSBPgAAAHNyYy9tYWluLmNVVAUAA4oEk2B1eAsAAQT1AQAABBQAAABQSwUGAAAAAAIAAgCaAAAA3AAAAAAA"
}

Output

{
  "phases": [
    {
      "name": "Compilation",
      "status": 0,
      "stdout": "",
      "stderr": "OK (0.041 sec real, 0.048 sec wall)\n"
    },
    {
      "name": "Execution",
      "status": 0,
      "stdout": "Hello, World!\n",
      "stderr": "OK (0.001 sec real, 0.005 sec wall)\n"
    }
  ]
}
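
An added example, not part of the Godbox project: a Python client that builds the `files` field (files -> zip -> base64), checks `sandbox_settings` names against the interface documented above before sending, and posts to `/run`. The helper names, the `http://localhost:8080` base URL (taken from the Docker port mapping), the JSON content type and the reading of a non-zero `status` as a failed phase are assumptions.

```python
import base64, io, json, urllib.request, zipfile
from pathlib import PurePosixPath

# Field names taken from the SandboxSettings interface documented above.
SANDBOX_KEYS = {"run_time_limit", "extra_time_limit", "wall_time_limit",
                "stack_size_limit", "process_count_limit", "memory_limit",
                "storage_limit"}

def pack_files(files):
    """files -> zip -> base64, from a {relative_path: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            path = PurePosixPath(name)
            # Client-side hygiene: keep every entry inside the archive root.
            if path.is_absolute() or ".." in path.parts:
                raise ValueError(f"unsafe archive path: {name!r}")
            zf.writestr(str(path), data)
    return base64.b64encode(buf.getvalue()).decode("ascii")

def check_settings(settings):
    """Catch misspelt or non-numeric limits before the request is sent."""
    unknown = set(settings) - SANDBOX_KEYS
    if unknown:
        raise ValueError(f"unknown sandbox_settings: {sorted(unknown)}")
    if any(type(v) not in (int, float) or v < 0 for v in settings.values()):
        raise ValueError("sandbox limits must be non-negative numbers")
    return settings

def build_request(phases, files, environment=None, sandbox_settings=None):
    for phase in phases:
        check_settings(phase.get("sandbox_settings", {}))
    body = {"phases": list(phases), "files": pack_files(files)}
    if environment:
        body["environment"] = environment
    if sandbox_settings:
        body["sandbox_settings"] = check_settings(sandbox_settings)
    return body

def first_failed_phase(response):
    """Assumption: non-zero status means failure (the sample shows 0 with "OK")."""
    return next((p for p in response["phases"] if p["status"] != 0), None)

def run(payload, base_url="http://localhost:8080"):  # port from the Docker examples
    req = urllib.request.Request(base_url + "/run", json.dumps(payload).encode(),
                                 {"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)
```
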

Releases(2.5.0)
Owner
Nathanael Demacon
(ノ◕ヮ◕)ノ*:・゚✧