Put a process in a sandbox where it can do least harm
Notice: this page is a Chinese/English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 licence. If you use or share it you must follow the same CC BY-SA licence, cite the original address and author information, and attribute it to the original authors (not me): StackOverFlow
Original: http://stackoverflow.com/questions/135802/
Asked by Florian Bösch
I'm looking for the concept to spawn a process such that:
- it has only access to certain libraries/APIs
- it cannot access the file system or only specific parts
- it can do least harm should malicious code run in it
This concept is known as sandbox or jail.
It is required to do this for each major Operating system (Windows, MacOSX and Linux) and the question is conceptual (as in what to do, which APIs to use and what to observe) rather than language specific.
Answer requirements
I really want to accept an answer and give you 20 points for that. I cannot accept my own answer, and I don't have it yet anyway. So if you really want your answer to be accepted, please observe:
- The answer has to be specific and complete
- With specific I mean that it is more than a pointer to some resource on the internet. It has to summarize what the resource says about the topic at least.
- It may or may not contain example code, but if it does please write it in C
- I cannot accept an answer that is 2/3 complete even if the 2/3 that are there are perfect.
This question's FAQ
- Is this homework? No.
- Why do you ask this like a homework question? If you ask a specific question and you want to get a specific answer, and you know what that answer should look like, even though you don't know the answer, that's the style of question you get.
- If you know what it should look like, why do you ask? 1) because I don't know all the answer 2) because on the internet there's no single place that contains all the details to this question in one place. Please also read the stackoverflow FAQ
- Why is the main part of your question how to answer this question? Because nobody reads the FAQ.
Answered by Trance Diviner
Mac OS X has a sandbox facility code-named Seatbelt. The public API for it is documented in the sandbox(7), sandbox_init(3), and related manual pages. The public API is somewhat limited, but the facility itself is very powerful. While the public API only lets you choose from some pre-defined sandboxes (e.g. “All sockets-based networking is prohibited”), you can also use the more powerful underlying implementation which allows you to specify exactly what operating system resources are available via a Scheme-like language. For example, here is an excerpt of the sandbox used for portmap:
(allow process-exec (regex #"^/usr/sbin/portmap$"))
(allow file-read-data file-read-metadata (regex
#"^/etc"
#"^/usr/lib/.*\.dylib$"
#"^/var"
#"^/private/var/db/dyld/"
#"^/dev/urandom$"))
(allow file-write-data (regex
#"^/dev/dtracehelper$"))
You can see many sandboxes used by the system in /usr/share/sandbox. It is easy to experiment with sandboxes by using the sandbox-exec(1) command.
For Windows, you may want to have a look at David LeBlanc's “Practical Sandboxing” talk given at Black Hat USA 2007. Windows has no built-in sandboxing technology per se, so the techniques described leverage an incomplete mechanism introduced with Windows 2000 called SAFER. By using restricted tokens, one can create a process that has limited access to operating system resources.
For Linux, you might investigate the complicated SELinux mechanism: SELinux home, a HOWTO. It is used by Red Hat, for example, to harden some system services in some of their products.
Answered by Paweł Hajdan
For Windows there is a sandbox in Google Chrome. You may want to investigate it. It uses a liberal BSD-like license.
For Linux there would be good old chroot or more sophisticated http://plash.beasts.org/wiki/.
OS X since Leopard has some SELinux-like protection available.
Answered by dbr
The site codepad.org has a good "About" page on how they safely allow the execution of any code snippets.
Code execution is handled by a supervisor based on geordi. The strategy is to run everything under ptrace, with many system calls disallowed or ignored. Compilers and final executables are both executed in a chroot jail, with strict resource limits. The supervisor is written in Haskell.
When your app is remote code execution, you have to expect security problems. Rather than rely on just the chroot and ptrace supervisor, I've taken some additional precautions:
The supervisor processes run on virtual machines, which are firewalled such that they are incapable of making outgoing connections.
The machines that run the virtual machines are also heavily firewalled, and restored from their source images periodically.
Answered by dj_segfault
If you really want a technique that will work with all these platforms, as opposed to a separate solution for each platform, then I think your only answer is to set up a virtual machine for each testing environment. You can restore back to a snapshot at any time.
Another big advantage of using virtualization is that you can have all of the testing environments with their guest operating systems all on the same box.
Answered by Dan Udey
FreeBSD has specific concepts of jails, and Solaris has containers. Depending on what you're looking for, these may help.
chroot jails can help to limit what an application can do (though any app with root privileges can escape a jail), and they're available on most UNIXen, including OS X.
As for Windows, I'm not sure. If there was an easy way to sandbox a Windows app, most of them would be a lot more secure by now, I'm sure.
Answered by Anders
On Windows (2000 and later) you can use Job objects to restrict processes.
Answered by Torsten Marek
Answered by NothingLikeGuru
Generally any virtual private server will do:
Linux VServer http://linux-vserver.org/Welcome_to_Linux-VServer.org
Parallels Virtuozzo Containers http://www.parallels.com/products/pvc/
and as was mentioned, FreeBSD and Solaris have their own implementations.
Oh. Actually I've noticed you're asking it to work on ANY OS. Well, that might be a bit complicated, as I think less effort is just to reuse some VM that can support some level of sandboxing like:
- Java
- .NET
Answered by TokenMacGuy
I'm not an expert on the topic, but I think the standard answer for Linux is to define a SELinux policy with the right capabilities for the process.