I am thinking about the design for a sandbox which is able to execute arbitrary unmodified, untrusted binaries. Google Chrome's sandbox it has to provide additional isolation that the security mechanisms baked into Windows cannot provide. However, it should also be able to run a large number of sandboxes on one physical machine, so a full-blown VM is out of the question.

It is supposed to work like this: any system call made by the untrusted code should first be intercepted by the sandbox code, so that it can be blocked or modified before it is passed to the system. The sandbox should additionally be able to hook high-level APIs if that is convenient. The untrusted code should not be able to tamper with the sandbox's code (including its imported libraries) and data (its stack and heap). However, the sandbox code should have full access to the sandboxed code's address space. Given these constraints I would also prefer if the sandbox involved as little kernel-mode code as possible (because of security and testability concerns), was as simple as possible (so no stunts like binary translation) and let the sandboxed code run reasonably fast. The sandbox would run on my own server, so tampering with the underlying OS is acceptable, and portability between different versions of Windows is not a hard requirement. The target architecture is x86; 64-bit support is not important, so use of segmentation is allowed. However, it should be able to run inside a VM, so if possible no hardware virtualization (VT-x or its AMD equivalent).

How would you implement a sandbox like this? Are there any important points that I overlooked? Has a sandbox design like this been documented? Given these requirements you might already have a reasonable idea what kind of design I had in mind, however I am open to any idea.

EDIT: The goal is to provide an application virtualization layer (see ), which the virtualized application cannot break out of.

I agree with the answer that suggested the overall design of determining what is, and is not, a good system call may be difficult. Indeed, in isolation, a single system call might not be enough information. In terms of the way Windows works, there are actually two levels of operation:

1. These are the typical system calls you'd expect via sysenter to code in ntdll.dll, i.e.
2. These are the functions implemented in advapi32.dll, kernel32.dll, user32.dll and others.
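The answer's point that a single system call "in isolation might not be enough information" is easiest to see in code. The following is an added example, not code from the question, the answer or any real sandbox: it models only the policy layer that would sit behind hooks on the ntdll.dll entry points (named after the real exports NtCreateFile, NtWriteFile and NtClose), keeping a per-sandbox handle table so that the verdict for a write can depend on what was recorded when the handle was opened. The hooking itself is not shown; SANDBOX_ROOT, the read-anywhere/write-inside-root policy and the Win32-style path spelling are assumptions made for readability (real native calls carry NT object paths such as \??\C:\...). The trace at the end is constructed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example: a stateful policy layer for a user-mode syscall filter.
 * Assumptions: SANDBOX_ROOT is the only writable area, Win32-style paths
 * are used instead of NT object paths, and read-only opens are allowed
 * anywhere because the guest still needs its own DLLs. */

#define MAX_HANDLES 16
#define SANDBOX_ROOT "C:\\sandbox\\"   /* assumed writable area */

typedef struct {
    bool in_use;
    bool writable;  /* granted at open time, never re-derived later */
} tracked_handle;

typedef struct {
    tracked_handle handles[MAX_HANDLES];
} sandbox_state;

/* Case-insensitive prefix test: Windows paths are case-insensitive. */
static bool has_prefix_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++) {
        if (*s == '\0' ||
            tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return false;
    }
    return true;
}

/* True only if the path starts under SANDBOX_ROOT and carries no ".."
 * component that could climb back out of it. */
static bool path_in_sandbox(const char *path)
{
    if (!has_prefix_ci(path, SANDBOX_ROOT))
        return false;
    return strstr(path + strlen(SANDBOX_ROOT), "..") == NULL;
}

/* NtCreateFile policy: returns a handle index on allow, -1 on deny. */
int policy_create_file(sandbox_state *st, const char *path, bool want_write)
{
    if (want_write && !path_in_sandbox(path))
        return -1;
    for (int i = 0; i < MAX_HANDLES; i++) {
        if (!st->handles[i].in_use) {
            st->handles[i].in_use = true;
            st->handles[i].writable = want_write;
            return i;
        }
    }
    return -1;  /* table full: fail closed */
}

/* NtWriteFile policy: the call itself carries only a handle, so the
 * verdict comes entirely from the state recorded at open time. */
bool policy_write_file(const sandbox_state *st, int h)
{
    if (h < 0 || h >= MAX_HANDLES)
        return false;
    return st->handles[h].in_use && st->handles[h].writable;
}

/* NtClose policy: forget the handle so a later reuse of the same index
 * is judged by whatever reopens it, not by stale rights. */
bool policy_close(sandbox_state *st, int h)
{
    if (h < 0 || h >= MAX_HANDLES || !st->handles[h].in_use)
        return false;
    st->handles[h].in_use = false;
    st->handles[h].writable = false;
    return true;
}

/* Replays a constructed trace and returns one verdict letter per call
 * (A = allowed, D = denied). Expected: "ADDAADAD". */
const char *demo_trace(void)
{
    static char v[16];
    sandbox_state st;
    int n = 0, h;
    memset(&st, 0, sizeof st);

    h = policy_create_file(&st, "C:\\sandbox\\out.txt", true);
    v[n++] = h >= 0 ? 'A' : 'D';                                   /* A */
    v[n++] = policy_create_file(&st, "C:\\Windows\\System32\\drivers\\etc\\hosts", true) >= 0 ? 'A' : 'D'; /* D: outside root */
    v[n++] = policy_create_file(&st, "c:\\SANDBOX\\..\\Windows\\win.ini", true) >= 0 ? 'A' : 'D';          /* D: traversal */
    v[n++] = policy_write_file(&st, h) ? 'A' : 'D';                /* A */
    v[n++] = policy_close(&st, h) ? 'A' : 'D';                     /* A */
    v[n++] = policy_write_file(&st, h) ? 'A' : 'D';                /* D: closed handle */
    h = policy_create_file(&st, "C:\\Windows\\notepad.exe", false);
    v[n++] = h >= 0 ? 'A' : 'D';                                   /* A: read-only open */
    v[n++] = policy_write_file(&st, h) ? 'A' : 'D';                /* D: same index, no write right */
    v[n] = '\0';
    return v;
}

int main(void)
{
    printf("%s\n", demo_trace());
    return 0;
}
```

The last two calls are the point: the second NtWriteFile arrives with exactly the same handle value as the first, and only the table tells the filter that the index has since been closed and reopened read-only. A filter that judged each call from its arguments alone would have to allow both or deny both.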