I am trying to run a program compiled from C code from an unknown source. I want to make sure that the program does not harm my system in any way. Like for instance, the program might have something like system("rm -rf /") in the source, which is undetectable unless the code is thoroughly examined.
I thought of the following 2 ways
- Run it inside a VM like VMWare
- Build a Windows exe on Linux and run it on Wine
Both are not very elegant solutions and I cannot automate them. Also, in case of 1, it can harm the VM.
Any help would be appreciated.
I want to run the program in what we can call a "sandbox".
9 solutions
#1
4
Geordi uses a combination of chroot and interception of syscalls to compile and then sandbox arbitrary code.
#3
4
I wrote an overview of sandboxing methods on Linux (archived) here. You are best off using Linux containers (lxc) or selinux, in my view. You could use a virtualisation solution and automate it, but it is a lot more effort.
lxc will isolate your processes, filesystem and network, and you can set resource limits on the container. There are still risks of a kernel attack, but they are much reduced.
#4
2
You can use something like schroot and chroot the program, but anything of sufficient nastiness will bust out of that.
Your best bet is probably a virtual machine (vmware or virtualbox) and taking a snapshot before compiling and running the program. That way you can roll back if something goes horribly wrong.
#5
1
Create a user that has write access only to non-critical directories. Run the program as that user. If you are also interested in privacy, consider also restricting its read rights.
#6
1
The Wikipedia page for chroot may be a good start. It describes chroot and also provides links to a few, more thorough alternatives.
#7
1
chroot is one possibility if you want to isolate it from everything else but still have an environment for it to run in.
http://en.wikipedia.org/wiki/chroot
https://help.ubuntu.com/community/BasicChroot
#8
0
Run it on a non-networked computer that you will re-image once it's done. There is no safe way to run it on a machine and continue to trust that machine afterwards.
#9
0
In addition to other answers, using strace or ltrace may help you to understand what the program is doing.
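An added example, not part of any answer above: one way to turn the strace suggestion into an automated review, by scanning `strace -f` output for process launches, deletions, network calls and writes outside a scratch directory. The function name `audit`, the `/tmp/scratch/` prefix and the sample trace are assumptions made for illustration; the trace is constructed, not captured from a real run.

```python
import posixpath
import re

# One completed syscall line from `strace -f`, with or without a "[pid N]" prefix.
LINE_RE = re.compile(
    r'^(?:\[pid\s+(?P<pid>\d+)\]\s+)?(?P<name>\w+)\((?P<args>.*)\)\s+=\s+(?P<ret>-?\d+)')
QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

EXEC = {"execve", "execveat"}
DESTROY = {"unlink", "unlinkat", "rmdir", "rename", "renameat", "renameat2", "truncate"}
NETWORK = {"connect", "bind"}
OPEN = {"open", "openat", "creat"}
WRITE_FLAGS = ("O_WRONLY", "O_RDWR", "O_CREAT", "O_TRUNC", "O_APPEND")

def audit(trace, writable=("/tmp/scratch/",)):
    """Return (pid, category, syscall, detail, succeeded) for each call worth review."""
    findings, seen_exec = [], False
    for line in trace.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # signal and exit markers, unfinished/resumed fragments
            continue
        name, args, strings = m["name"], m["args"], QUOTED_RE.findall(m["args"])
        detail = strings[0] if strings else args
        # Normalise before the prefix check so "scratch/../.." does not slip through.
        outside = not strings or any(
            not posixpath.normpath(s).startswith(writable) for s in strings)
        if name in EXEC:
            if not seen_exec:  # the first exec is strace launching the target itself
                seen_exec = True
                continue
            category, detail = "exec", " ".join(strings[1:] or strings)
        elif name in DESTROY and outside:
            category = "destroy"
        elif name in NETWORK:
            category = "network"
        elif name in OPEN and outside and (name == "creat" or any(f in args for f in WRITE_FLAGS)):
            category = "write"
        else:
            continue
        findings.append((m["pid"], category, name, detail, not m["ret"].startswith("-")))
    return findings

# Constructed sample of `strace -f ./a.out` output for a program that calls system("rm -rf /").
SAMPLE = r'''execve("./a.out", ["./a.out"], 0x7ffc3a1d2e10 /* 24 vars */) = 0
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/tmp/scratch/out.txt", O_WRONLY|O_CREAT|O_TRUNC, 0644) = 3
openat(AT_FDCWD, "/tmp/scratch/../../home/user/.bashrc", O_WRONLY|O_APPEND) = 4
connect(5, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("192.0.2.10")}, 16) = -1 ENETUNREACH (Network is unreachable)
[pid 4243] execve("/bin/sh", ["sh", "-c", "rm -rf /"], 0x7ffc3a1d2e28 /* 24 vars */) = 0
[pid 4243] unlinkat(AT_FDCWD, "/home/user/notes.txt", 0) = 0
[pid 4243] +++ exited with 0 +++'''
```

A trace in this format can be captured with `strace -f ./program 2> trace.txt`. Tracing only observes the program and does not confine it, so the run itself still belongs inside the VM, container or restricted account discussed in the other answers.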