Quarantine for untrusted applications

There are many buggy applications out there, and there is very little that prevents an application from doing very bad things to the user running it. Buffer overruns in applications are pretty common (see the buffer overrun in pine, for example), and we do not want malicious incoming mail to delete the user's files, do we?

What can we do about that? Fixing all applications is hard, as some of them are closed-source, and there are far too many open-source ones.

One possible solution is to design a sandbox (or quarantine) and run untrusted applications inside it. When the sandbox is properly set up, a buffer overrun in an application is not that dangerous. It will still be able to harm the data it is working with, but it can no longer broadcast your .ssh/identity to the world.

There are quite a few projects that are trying to deal with this:

Details about subterfugue solution

The problem with ptrace() is that in-memory arguments can change between the sandbox checking them and the kernel executing them. (See the example near janus.) My solution looks like this:

I believe this is safe. It has a few problems, though: /proc/self is a symlink whose target depends on who is looking. /proc/XXX/fd/X is a symlink which says it points to some bogus place, but actually works if you try anyway.
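The check/use window described above, shown in a minimal ptrace()-based supervisor for x86_64 Linux; this is an added example, not code from subterfugue and not the author's solution. It copies the pathname argument of openat() out of the tracee at syscall entry and rejects paths under a constructed policy prefix (/home/user/.ssh/) by turning the call into an invalid syscall and reporting EACCES; it assumes glibc implements open() via openat(), as current glibc does, and that ptrace() is permitted in the environment.

```c
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>
static const char PROTECTED[] = "/home/user/.ssh/";   /* constructed policy: deny this tree */
int path_allowed(const char *p) { return strncmp(p, PROTECTED, sizeof PROTECTED - 1) != 0; }
/* Copy a NUL-terminated string out of the tracee's memory, one word at a time. */
void peek_string(pid_t pid, unsigned long addr, char *buf, size_t len) {
    size_t i = 0;
    for (; i + sizeof(long) <= len; i += sizeof(long)) {
        errno = 0;
        long w = ptrace(PTRACE_PEEKDATA, pid, (void *)(addr + i), 0);
        if (errno) break; memcpy(buf + i, &w, sizeof w);   /* stop at an unreadable address */
        if (memchr(&w, 0, sizeof w)) return;               /* terminator found inside this word */
    }
    buf[i < len ? i : len - 1] = 0;
}
#ifdef __x86_64__
int main(void) {
    pid_t pid = fork();
    if (pid == 0) {                                    /* tracee: one harmless open, one protected */
        if (ptrace(PTRACE_TRACEME, 0, 0, 0) < 0 || raise(SIGSTOP)) _exit(1);
        int a = open("/etc/hostname", O_RDONLY), b = open("/home/user/.ssh/identity", O_RDONLY);
        printf("harmless open = %d, protected open = %d (%s)\n", a, b, b < 0 ? strerror(errno) : "allowed");
        _exit(0);
    }
    int status, deny = 0, entering = 1; char path[256]; struct user_regs_struct r;
    waitpid(pid, &status, 0);                          /* the tracee's initial SIGSTOP */
    ptrace(PTRACE_SETOPTIONS, pid, 0, (void *)(long)PTRACE_O_TRACESYSGOOD);
    while (ptrace(PTRACE_SYSCALL, pid, 0, 0) == 0 && waitpid(pid, &status, 0) > 0 && !WIFEXITED(status)) {
        if (WSTOPSIG(status) != (SIGTRAP | 0x80)) continue;   /* a signal stop, not a syscall stop */
        ptrace(PTRACE_GETREGS, pid, 0, &r);
        if (entering && r.orig_rax == SYS_openat) {
            /* Check phase: the kernel re-reads this path from tracee memory when the call runs. */
            peek_string(pid, r.rsi, path, sizeof path);
            if ((deny = !path_allowed(path))) { r.orig_rax = -1; ptrace(PTRACE_SETREGS, pid, 0, &r); }
        } else if (!entering && deny) {                /* exit phase of the denied call: report EACCES */
            r.rax = -EACCES; ptrace(PTRACE_SETREGS, pid, 0, &r); deny = 0;
        }
        entering = !entering;                          /* syscall stops alternate entry / exit */
    }
    return 0;
}
#endif
```

Between the peek_string() call and the kernel running the call, another thread in the tracee could overwrite the pathname, so the policy decision is made on data the kernel may never see.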

Gnome sandbox

My "gnome sandbox" currently looks like this:

It has the big advantage that the gnome part (written in C) is cleanly separated from the python part.


Pavel Machek
pavel@ucw.cz