Secure sandboxing system for untrusted code execution

Related tags

sandbox code-execution
Overview

Godbox

Secure sandboxing system for untrusted code execution.

It uses isolate which uses specific functionnalities of the Linux kernel, thus godbox not able to run properly outside of Linux.

Installation

Docker Compose

version: "3"

services:
  godbox:
    image: quantumsheep/godbox:2
    privileged: true
    ports:
      - 8080:8080

Docker

docker run -it -d --privileged -p 8080:8080 quantumsheep/godbox:2

Usage

POST /run

Properties

Name Type Description
phases* Phase[] Execution phases (check examples bellow)
files* string Base64-encoded zip file containing the files used in the phases
environment Record Environment variables used in all phases
sandbox_settings SandboxSettings Override default sandbox limitation settings
interface SandboxSettings {
  run_time_limit?: number = 5;
  extra_time_limit?: number = 0;
  wall_time_limit?: number = 10;
  stack_size_limit?: number = 128000;
  process_count_limit?: number = 120;
  memory_limit?: number = 512000;
  storage_limit?: number = 10240;
}

interface Phase {
  name?: string;
  
  // Multi-line bash script 
  script: string;

  // Environment variables
  environment?: Record<string, string>;

  // Override default sandbox limitation settings
  sandbox_settings?: SandboxSettings;

  // Enable profiling (WIP)
  profiling?: boolean = false;
}

Example

The files should be passed as a base64 zip archive.

The folowing demonstration uses the folowing file architecture:

.
└── src
    └── main.c

Encoded using command zip -q -r - * | base64 (could have been a library, it doesn't matter while it keeps beeing files -> zip -> base64).

{
  "phases": [
    {
      "name": "Compilation",
      "script": "/usr/local/gcc-11.1.0/bin/gcc src/main.c -o out",
      "sandbox_settings": {
        "run_time_limit": 20,
        "wall_time_limit": 40
      }
    },
    {
      "name": "Execution",
      "script": "./out"
    }
  ],
  "environment": {
    "ENABLE_AWESOME_SHEEP": "true"
  },
  "files": "UEsDBAoAAAAAAJe1pVIAAAAAAAAAAAAAAAAEABwAc3JjL1VUCQADvgOTYNQDk2B1eAsAAQT1AQAABBQAAABQSwMEFAAIAAgABbalUgAAAAAAAAAATQAAAAoAHABzcmMvbWFpbi5jVVQJAAOKBJNgjASTYHV4CwABBPUBAAAEFAAAAFPOzEvOKU1JVbApLknJzNfLsOPiyswrUchNzMzT0OSq5lIAgoLSkmINJY/UnJx8HYXw/KKcFEUlTWsusFxRaklpUZ6CgTVXLRcAUEsHCMUkHr9KAAAATQAAAFBLAQIeAwoAAAAAAJe1pVIAAAAAAAAAAAAAAAAEABgAAAAAAAAAEADtQQAAAABzcmMvVVQFAAO+A5NgdXgLAAEE9QEAAAQUAAAAUEsBAh4DFAAIAAgABbalUsUkHr9KAAAATQAAAAoAGAAAAAAAAQAAAKSBPgAAAHNyYy9tYWluLmNVVAUAA4oEk2B1eAsAAQT1AQAABBQAAABQSwUGAAAAAAIAAgCaAAAA3AAAAAAA"
}

Output

{
  "phases": [
    {
      "name": "Compilation",
      "status": 0,
      "stdout": "",
      "stderr": "OK (0.041 sec real, 0.048 sec wall)\n"
    },
    {
      "name": "Execution",
      "status": 0,
      "stdout": "Hello, World!\n",
      "stderr": "OK (0.001 sec real, 0.005 sec wall)\n"
    }
  ]
}
Releases(2.4.0)
Owner
Nathanael Demacon
(ノ◕ヮ◕)ノ*:・゚✧
Nathanael Demacon
Secure multithreaded packet sniffer

sniffglue sniffglue is a network sniffer written in rust. Network packets are parsed concurrently using a thread pool to utilize all cpu cores. Projec

null 686 Jun 5, 2021
Secure drive wipe

Lethe A secure, free, cross-platform and open-source drive wiping utility. Should work with any HDD, SSD (read limitations) and flash drives. The usua

Konstantin Alexandroff 31 Jun 3, 2021
A fast, simple, recursive content discovery tool written in Rust.

A simple, fast, recursive content discovery tool written in Rust ?? Releases ✨ Example Usage ✨ Contributing ✨ Documentation ?? ?? What the heck is a f

epi 1.6k Jun 15, 2021
Secure transport for running MPC protocols backed by Signal

MPC over Signal Overview This library provides a high-level interface for connecting to Signal Server and using it to exchange messages with other con

[ZenGo X] 22 May 27, 2021
link is a command and control framework written in rust

link link is a command and control framework written in rust. Currently in alpha. Table of Contents Introduction Features Feedback Build Process Ackno

null 72 Jun 15, 2021
Scriptable network authentication cracker

badtouch badtouch is a scriptable network authentication cracker. While the space for common service bruteforce is already very well saturated, you ma

null 271 Jun 11, 2021
A simple password manager written in Rust

ripasso A simple password manager written in Rust. The root crate ripasso is a library for accessing and decrypting passwords stored in pass format (G

Joakim Lundborg 395 Jun 3, 2021
A simple menu to keep all your most used one-liners and scripts in one place

Dama Desktop Agnostic Menu Aggregate This program aims to be a hackable, easy to use menu that can be paired to lightweight window managers in order t

null 39 Jun 1, 2021
🤖 The Modern Port Scanner 🤖

➡️ Discord | Installation Guide | Usage Guide ⬅️ The Modern Port Scanner. Fast, smart, effective. ?? Docker (Recommended) ??‍?? Kali / Debian ??️ Arch

null 4.1k Jun 13, 2021
A Comprehensive Web Fuzzer and Content Discovery Tool

rustbuster A Comprehensive Web Fuzzer and Content Discovery Tool Introduction Check the blog post: Introducing Rustbuster — A Comprehensive Web Fuzzer

Francesco Soncina 348 Jun 16, 2021
Semi-automatic OSINT framework and package manager

sn0int sn0int (pronounced /snoɪnt/) is a semi-automatic OSINT framework and package manager. It was built for IT security professionals and bug hunter

null 884 Jun 12, 2021
spy on the DNS queries your computer is making

dnspeep dnspeep lets you spy on the DNS queries your computer is making. Here's some example output: $ sudo dnspeep query name

Julia Evans 1k Jun 15, 2021
Rust bindings for libinjection

libinjection-rs Rust bindings for libinjection. How to use Add libinjection to dependencies of Cargo.toml: libinjection = "0.2" Import crate: extern c

ArvanCloud 25 Apr 25, 2021
tcp connection hijacker, rust rewrite of shijack

rshijack tcp connection hijacker, rust rewrite of shijack from 2001. This was written for TAMUctf 2018, brick house 100. The target was a telnet serve

null 304 Jun 1, 2021