sandy

A tiny "sandbox" to run untrusted code 🏖️

  • Owner: craigmulligan/sandy

Sandy

A tiny sandbox to run untrusted code. 🏖️

Sandy uses ptrace to hook the READ syscall, letting you accept or deny each syscall before it executes.

Warning: although sandy can intercept READ syscalls, there are several ways to get around this. Full details can be found in the hackernews thread. Some of them can be patched to catch simple attacks, but you should use sandy expecting it to be better than nothing, not true isolation.

Usage

Usage of ./sandy:

  sandy [FLAGS] command

  flags:
    -h Print usage.
    -n value
        A glob pattern for automatically blocking file reads.
    -y value
        A glob pattern for automatically allowing file reads.

Use cases

You want to install anything

> sandy -n "/etc/password.txt" npm install sketchy-module

  BLOCKED READ on /etc/password.txt
> sandy -n "/etc/password.txt" bash <(curl  https://danger.zone/install.sh)

  BLOCKED READ on /etc/password.txt

You are interested in which file reads your favourite program makes.

Sure, you could use strace, but it references file descriptors; sandy makes this much easier to see at a glance by printing the absolute path of the fd.

> sandy ls
Wanting to READ /usr/lib/x86_64-linux-gnu/libselinux.so.1 [y/n]

You don't want to buy your friends beer

A friend at work knows you are security conscious and that you keep a /free-beer.bounty file in your home directory. Dave, promising to buy you a round and humiliate you in the office, tries to trick you with a malicious script under the guise of helping a colleague.

You run that script with sandy and catch him red-handed.

> sandy -n *.bounty bash ./dickhead-daves-script.sh

  BLOCKED READ on /free-beer.bounty

Note: encrypting all your sensitive data is definitely a better idea; sandy should probably only be used when that is inconvenient or impractical.

Note: I haven't made any effort toward cross-platform compatibility, so it currently only works on Linux. I'd happily accept patches to improve portability.


Main metrics

Overview
Name with owner: craigmulligan/sandy
Primary language: Go
Program language: Go (language count: 2)

Owner activity
Created at: 2020-01-06 20:32:30
Pushed at: 2020-01-19 10:43:45
Last commit at: 2020-01-17 23:57:33
Release count: 1
Last release name: 0.1.0
First release name: 0.1.0

User engagement
Stargazers count: 338
Watchers count: 5
Fork count: 7
Commits count: 19
Issues count: 5
Issue open count: 3
Pull requests count: 2
Pull requests open count: 0
Pull requests close count: 0

Sandy

A tiny sandbox to run untrusted code. 🏖️

Sandy uses ptrace to hook into READ syscalls, giving you the option to accept or deny each syscall before it is executed.

WARNING: While sandy is able to intercept READ syscalls, there are a variety of ways to get around this. Full details can be found in the hackernews thread. Some of these can be patched to catch simple attacks, but you should use sandy with the expectation that it is better than nothing, not that it provides true isolation.
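The hook described above, as an added example that is not sandy's own code: a minimal Go tracer that runs a command under PTRACE_SYSCALL, stops at every read(2) entry of the tracee, resolves the fd through /proc/<pid>/fd/<fd>, and asks a decide callback whether to let the read through. A refused read has its syscall number replaced by -1 (the kernel then executes nothing) and its return value patched to -EPERM at the matching exit stop. The register names (Orig_rax, Rax, Rdi) and that -1 trick are x86-64 Linux specifics, so the file is build-tagged for linux/amd64; the Trace, isSyscallStop and decide names are this example's own.

```go
//go:build linux && amd64

package main

import (
	"fmt"
	"os"
	"os/exec"
	"runtime"
	"syscall"
)

// isSyscallStop reports whether ws is a syscall-entry/exit stop, which PTRACE_O_TRACESYSGOOD
// marks with SIGTRAP|0x80 so it cannot be confused with an ordinary signal-delivery stop.
func isSyscallStop(ws syscall.WaitStatus) bool {
	return ws.Stopped() && ws.StopSignal() == (syscall.SIGTRAP | 0x80)
}

// Trace runs argv under PTRACE_SYSCALL and calls decide(path) at every read(2) entry of
// the tracee, where path comes from /proc/<pid>/fd/<fd>. When decide returns false the
// syscall number is replaced by -1 (the kernel then executes nothing) and the return
// value is patched to -EPERM at the matching syscall-exit stop.
func Trace(argv []string, decide func(path string) bool) error {
	if len(argv) == 0 {
		return fmt.Errorf("no command given")
	}
	runtime.LockOSThread() // every ptrace request must come from the thread that forked
	defer runtime.UnlockOSThread()
	cmd := exec.Command(argv[0], argv[1:]...)
	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
	cmd.SysProcAttr = &syscall.SysProcAttr{Ptrace: true} // child: PTRACE_TRACEME, then execve
	if err := cmd.Start(); err != nil {
		return err
	}
	pid, ws := cmd.Process.Pid, syscall.WaitStatus(0)
	if _, err := syscall.Wait4(pid, &ws, 0, nil); err != nil { // SIGTRAP stop after execve
		return err
	}
	if err := syscall.PtraceSetOptions(pid, syscall.PTRACE_O_TRACESYSGOOD); err != nil {
		return err
	}
	eperm, inSyscall, blocked, sig := int64(syscall.EPERM), false, false, 0
	for {
		if err := syscall.PtraceSyscall(pid, sig); err != nil {
			return err
		}
		if _, err := syscall.Wait4(pid, &ws, 0, nil); err != nil {
			return err
		}
		if ws.Exited() || ws.Signaled() {
			return nil
		}
		if sig = 0; !isSyscallStop(ws) {
			sig = int(ws.StopSignal()) // ordinary signal: hand it back to the tracee on resume
			continue
		}
		var regs syscall.PtraceRegs
		err := syscall.PtraceGetRegs(pid, &regs)
		if inSyscall = !inSyscall; err == nil && !inSyscall && blocked { // exit of a blocked read
			regs.Rax, blocked = uint64(-eperm), false // tracee sees read() == -1, errno EPERM
			err = syscall.PtraceSetRegs(pid, &regs)
		} else if err == nil && inSyscall && regs.Orig_rax == syscall.SYS_READ {
			path, perr := os.Readlink(fmt.Sprintf("/proc/%d/fd/%d", pid, regs.Rdi)) // rdi = fd
			if perr != nil {
				path = fmt.Sprintf("fd %d", regs.Rdi)
			}
			if !decide(path) {
				fmt.Fprintf(os.Stderr, "  BLOCKED READ on %s\n", path)
				regs.Orig_rax, blocked = ^uint64(0), true // -1: no such syscall, nothing is read
				err = syscall.PtraceSetRegs(pid, &regs)
			}
		}
		if err != nil {
			return err
		}
	}
}

// main asks on every read, like sandy's "[y/n]" prompt; usage: tracer command [args...]
func main() {
	err := Trace(os.Args[1:], func(path string) bool {
		var answer string
		fmt.Fprintf(os.Stderr, "Wanting to READ %s [y/n] ", path)
		fmt.Scanln(&answer)
		return answer == "y"
	})
	if err != nil {
		fmt.Fprintln(os.Stderr, "trace:", err)
		os.Exit(1)
	}
}
```

Run it as `go run tracer.go ls` (tracer.go being whatever you name the file) and you get a prompt for every read, as in the transcript further down. Only the process started directly is traced (no PTRACE_O_TRACEFORK or TRACECLONE), so anything the command itself forks runs unobserved; that is one concrete reason to take the warning above literally.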

Usage

Usage of ./sandy:

  sandy [FLAGS] command

  flags:
    -h	Print Usage.
    -n value
        A glob pattern for automatically blocking file reads.
    -y value
        A glob pattern for automatically allowing file reads.

Use cases

You want to install anything

> sandy -n "/etc/password.txt" npm install sketchy-module

  BLOCKED READ on /etc/password.txt
> sandy -n "/etc/password.txt" bash <(curl  https://danger.zone/install.sh)

  BLOCKED READ on /etc/password.txt

You are interested in what file reads your favourite program makes.

Sure, you could use strace, but it only shows file descriptors; sandy makes this much easier to read at a glance by printing the absolute path of the fd.

> sandy ls
Wanting to READ /usr/lib/x86_64-linux-gnu/libselinux.so.1 [y/n]
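An added example, not sandy's own code, of the two pieces the flags and the strace comparison rely on: the -n/-y glob policy (with -n checked first) and the /proc/<pid>/fd/<fd> lookup that turns a descriptor into the absolute path the prompt prints. Matching each pattern against both the full path and its base name, so that `*.bounty` catches `/free-beer.bounty`, is an assumption made here, since the page does not show how sandy matches. The Policy, Decide, fdPath and Report names are this example's own.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// Decision is the verdict the policy gives for one read(2) call.
type Decision int

const (
	Ask   Decision = iota // no pattern matched: prompt the user
	Allow                 // matched a -y pattern
	Block                 // matched a -n pattern
)

// Policy holds the -n (deny) and -y (allow) glob patterns.
type Policy struct{ Deny, Allow []string }

// matches tries a pattern against the full path and then against its base name, so that
// "*.bounty" catches "/free-beer.bounty" even though filepath.Match's "*" never crosses
// a "/". Whether sandy itself matches this way is an assumption; the page does not say.
func matches(pattern, path string) bool {
	if ok, _ := filepath.Match(pattern, path); ok {
		return true
	}
	ok, _ := filepath.Match(pattern, filepath.Base(path))
	return ok
}

// Decide checks deny patterns first, so a -n pattern always wins over a -y pattern.
func (p Policy) Decide(path string) Decision {
	for _, pat := range p.Deny {
		if matches(pat, path) {
			return Block
		}
	}
	for _, pat := range p.Allow {
		if matches(pat, path) {
			return Allow
		}
	}
	return Ask
}

// fdPath resolves a descriptor of process pid to an absolute path through /proc, which is
// what lets a tracer print a path where strace would only print the fd number.
func fdPath(pid, fd int) (string, error) {
	return os.Readlink(fmt.Sprintf("/proc/%d/fd/%d", pid, fd))
}

// Report renders a decision; the Block and Ask lines copy sandy's transcript format,
// the Allow line is this example's own.
func Report(p Policy, path string) string {
	switch p.Decide(path) {
	case Block:
		return "BLOCKED READ on " + path
	case Allow:
		return "ALLOWED READ on " + path
	}
	return "Wanting to READ " + path + " [y/n]"
}

func main() {
	// Constructed sample: the patterns and paths from the use cases above, plus this
	// process's own stdin resolved through /proc to show what fdPath returns.
	p := Policy{Deny: []string{"/etc/password.txt", "*.bounty"}, Allow: []string{"/usr/lib/*"}}
	for _, path := range []string{"/free-beer.bounty", "/etc/password.txt", "/usr/lib/libc.so.6", "/home/me/notes.txt"} {
		fmt.Println(Report(p, path))
	}
	if path, err := fdPath(os.Getpid(), 0); err == nil {
		fmt.Println("fd 0 of this process is", path)
	}
}
```

Note the glob caveat: with filepath.Match, `-y "/usr/lib/*"` allows `/usr/lib/libc.so.6` but not `/usr/lib/x86_64-linux-gnu/libselinux.so.1`, because `*` stops at a path separator, so a library two directories deep still triggers the prompt.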

You don't want to buy your friends beer

A friend at work knows that you are security conscious and that you keep a /free-beer.bounty file in your home directory. With the promise of a round of drinks and office-wide humiliation, Dave tries to trick you with a malicious script under the guise of being a helpful colleague.

You run their script with sandy and catch him red-handed.

> sandy -n *.bounty bash ./dickhead-daves-script.sh

  BLOCKED READ on /free-beer.bounty

NOTE: It's definitely a better idea to encrypt all your sensitive data; sandy should probably only be used when that is inconvenient or impractical.

NOTE: I haven't made any effort for cross-platform compatibility, so it currently only works on Linux. I'd happily accept patches to improve portability.