How to create a lightweight C code sandbox?

by

Since the C standard is much too broad to be allowed, you would need to go the other way around: specify the minimum subset of C which you need, and try to implement that. Even ANSI C is already too complicated and allows unwanted behaviour.

The aspect of C which is most problematic are the pointers: the C language requires pointer arithmitic, and those are not checked. For example:

char a[100];
printf("%p %p\n", a[10], 10[a]);

will both print the same address. Since a[10] == 10[a] == *(10 + a) == *(a + 10).

All these pointer accesses cannot be checked at compile time. That’s the same complexity as asking the compiler for ‘all bugs in a program’ which would require solving the halting problem.

Since you want this function to be able to run in the same process (potentially in a different thread) you share memory between your application and the ‘safe’ module since that’s the whole point of having a thread: share data for faster access. However, this also means that both threads can read and write the same memory.

And since you cannot prove compile time where pointers end up, you have to do that at runtime. Which means that code like ‘a[10]’ has to be translated to something like ‘get_byte(a + 10)’ at which point I wouldn’t call it C anymore.

Google Native Client

So if that’s true, how does google do it then? Well, in contrast to the requirements here (cross-platform (including embedded systems)), Google concentrates on x86, which has in additional to paging with page protections also segment registers. Which allows it to create a sandbox where another thread does not share the same memory in the same way: the sandbox is by segmentation limited to changing only its own memory range. Furthermore:

  • a list of safe x86 assembly constructs is assembled
  • gcc is changed to emit those safe constructs
  • this list is constructed in a way that is verifiable.
  • after loading a module, this verification is done

So this is platform specific and is not a ‘simple’ solution, although a working one. Read more at their research paper.

Conclusion

So whatever route you go, you need to start out with something new which is verifiable and
only then you can start by adapting an existing a compiler or generating a new one. However, trying to mimic ANSI C requires one to think about the pointer problem. Google modelled their sandbox not on ANSI C but on a subset of x86, which allowed them to use existing compilers to a great extend with the disadvantage of being tied to x86.

More Related Contents:

  1. Lex program input doesn't terminate [closed]
  2. which is faster assigning a number to the variable or changing the value of that variable either by adding or subtracting some number?
  3. Storing value of unsigned int variable in char array in C [closed]
  4. C program goes into infinite loop with scanf [duplicate]
  5. Validating input with isdigit for a factorial program
  6. Simple C scanf does not work? [duplicate]
  7. Difference between char *pp and (char*) p?
  8. Pointers in C: when to use the ampersand and the asterisk?
  9. Creating a daemon in Linux
  10. printf format specifiers for uint32_t and size_t
  11. “error: assignment to expression with array type error” when I assign a struct field (C)
  12. Mixing C functions in an Objective-C class
  13. Why do I need to use type** to point to type*?
  14. What causes the Broken Pipe Error?
  15. Why do I get a C malloc assertion failure?
  16. Implement generic swap macro in C [duplicate]
  17. strtok function thread safety
  18. What is the difference between a segmentation fault and a stack overflow?
  19. Why is printf with a single argument (without conversion specifiers) deprecated?
  20. Is void a data type in C?
  21. Set environment variables in C
  22. Getting terminal size in c for windows?
  23. Stabilizing the standard library qsort?
  24. Deep Analysis of Const Qualifier in C
  25. Determine if a C string is a valid int in C
  26. Store data in array from input [duplicate]
  27. Avoiding the main (entry point) in a C program
  28. Function pointer as an argument
  29. An interesting C linked list idiom
  30. Duplicated output using printf() and fork() in C

Leave a Comment