Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/craigmulligan/sandy
A tiny "sandbox" to run untrusted code 🏖️
- Host: GitHub
- URL: https://github.com/craigmulligan/sandy
- Owner: craigmulligan
- Archived: true
- Created: 2020-01-06T20:32:30.000Z (almost 5 years ago)
- Default Branch: master
- Last Pushed: 2020-01-19T10:43:45.000Z (almost 5 years ago)
- Last Synced: 2024-10-13T10:02:06.819Z (3 months ago)
- Topics: cli, golang, ptrace
- Language: Go
- Homepage:
- Size: 6.01 MB
- Stars: 339
- Watchers: 6
- Forks: 8
- Open Issues: 3
Metadata Files:
- Readme: README.md
README
# Sandy
> A tiny sandbox to run untrusted code. 🏖️
Sandy uses ptrace to hook `read` syscalls, giving you the option to accept or deny each one before it is executed.
**WARNING**: While sandy is able to intercept `read` syscalls, there are a variety of ways to get around this. Full details can be found in the [hackernews thread](https://news.ycombinator.com/item?id=22025986). Some of these can be patched to catch simple attacks, but you should use sandy with the expectation that it is better than nothing, not that it is true isolation.
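The mechanism described above, as an added example written for this page (it is not sandy's code): a Go tracer that starts a command under ptrace, stops at every syscall entry and exit, resolves the descriptor of each `read` through `/proc/<pid>/fd`, and refuses the read when an `-n` style glob matches, by rewriting the syscall number to -1 on entry (so the kernel performs nothing) and the return value to `-EPERM` on exit. It assumes Linux on amd64 (the `Orig_rax`, `Rdi` and `Rax` register names), Go's `filepath.Match` glob syntax, and the hypothetical names `matchAny`, `fdPath` and `trace`. Deny globs are checked before allow globs, and reads matching neither are prompted for, mirroring sandy's `-n`, `-y` and prompt behaviour.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"runtime"
	"syscall"
)

// matchAny reports whether any glob matches the full path or its base name, so
// "*.bounty" catches "/free-beer.bounty" while "/etc/*" stays anchored under /etc.
// Go's filepath.Match syntax is assumed; sandy's own matching may differ.
func matchAny(globs []string, path string) bool {
	for _, g := range globs {
		full, _ := filepath.Match(g, path)
		if base, _ := filepath.Match(g, filepath.Base(path)); full || base {
			return true
		}
	}
	return false
}

// fdPath resolves a tracee descriptor through /proc, so a read is reported by path.
func fdPath(pid int, fd uint64) string {
	if p, err := os.Readlink(fmt.Sprintf("/proc/%d/fd/%d", pid, fd)); err == nil {
		return p
	}
	return fmt.Sprintf("fd:%d", fd)
}

// trace runs argv under ptrace (Linux/amd64 only). A refused read gets syscall
// number -1 on entry and -EPERM as its result on exit; unmatched reads are prompted for.
func trace(deny, allow []string, argv []string) int {
	runtime.LockOSThread() // ptrace requests must come from the thread that forked
	cmd := exec.Command(argv[0], argv[1:]...)
	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
	cmd.SysProcAttr = &syscall.SysProcAttr{Ptrace: true}
	if err := cmd.Start(); err != nil {
		return 1
	}
	pid := cmd.Process.Pid
	var ws syscall.WaitStatus
	var regs syscall.PtraceRegs
	syscall.Wait4(pid, &ws, 0, nil) // the child stops with SIGTRAP at its first exec
	syscall.PtraceSetOptions(pid, syscall.PTRACE_O_TRACESYSGOOD)
	inCall, blocked, sig := false, false, 0
	for {
		if err := syscall.PtraceSyscall(pid, sig); err != nil {
			return 1
		}
		sig = 0
		if _, err := syscall.Wait4(pid, &ws, 0, nil); err != nil {
			return 1
		}
		if ws.Exited() || ws.Signaled() {
			return ws.ExitStatus()
		}
		if ws.StopSignal() != syscall.SIGTRAP|0x80 { // ordinary signal stop: deliver it
			sig = int(ws.StopSignal())
			continue
		}
		syscall.PtraceGetRegs(pid, &regs)
		if inCall = !inCall; !inCall { // syscall exit: hand a refused read -EPERM
			if blocked {
				eperm := uint64(syscall.EPERM)
				regs.Rax = -eperm
				syscall.PtraceSetRegs(pid, &regs)
			}
			continue
		}
		blocked = false
		if regs.Orig_rax != syscall.SYS_READ { // syscall entry: only read(2) is policed
			continue
		}
		path := fdPath(pid, regs.Rdi)
		refuse := matchAny(deny, path)
		if !refuse && !matchAny(allow, path) { // no -n/-y match: ask, as sandy does
			var answer string
			fmt.Fprintf(os.Stderr, "Wanting to READ %s [y/n] ", path)
			fmt.Fscanln(os.Stdin, &answer)
			refuse = answer != "y"
		}
		if refuse {
			fmt.Fprintf(os.Stderr, "BLOCKED READ on %s\n", path)
			blocked = true
			regs.Orig_rax = ^uint64(0) // -1: no such syscall, nothing is read
			syscall.PtraceSetRegs(pid, &regs)
		}
	}
}

func main() { // usage: tracer DENY_GLOB command [args...] (only sandy's -n form)
	if len(os.Args) < 3 {
		os.Exit(2)
	}
	os.Exit(trace(os.Args[1:2], nil, os.Args[2:]))
}
```

Build it with `go build -o tracer .` and run `./tracer "*.bounty" bash ./some-script.sh`; the glob is quoted so the shell does not expand it first. Like sandy, this only sees the process it started: no `PTRACE_O_TRACEFORK` is set, so children of the command are not followed, which is one reason the warning above applies to this tracer as much as to sandy.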
## Usage
```
Usage of ./sandy:
sandy [FLAGS] command
flags:
  -h        Print usage.
  -n value
        A glob pattern for automatically blocking file reads.
  -y value
        A glob pattern for automatically allowing file reads.
```
## Use cases
### You want to install anything
```shell
> sandy -n "/etc/password.txt" npm install sketchy-module
BLOCKED READ on /etc/password.txt
```
```shell
> sandy -n "/etc/password.txt" bash <(curl https://danger.zone/install.sh)
BLOCKED READ on /etc/password.txt
```
### You are interested in what file reads your favourite program makes
Sure, you could use strace, but it reports file descriptors; sandy makes this much easier to read at a glance by printing the absolute path behind the fd.
```
> sandy ls
Wanting to READ /usr/lib/x86_64-linux-gnu/libselinux.so.1 [y/n]
```
### You _don't_ want to buy your friends beer
A friend at work knows that you are security conscious and that you keep a `/free-beer.bounty` file in your home directory. With the promise of a round of drinks and office-wide humiliation, Dave tries to trick you with a malicious script under the guise of being a helpful colleague.
You run his script with sandy and catch him red-handed.
```shell
> sandy -n "*.bounty" bash ./dickhead-daves-script.sh
BLOCKED READ on /free-beer.bounty
```
**NOTE**: It's definitely a better idea to encrypt all your sensitive data; sandy should probably only be used when that is inconvenient or impractical.
**NOTE**: I haven't made any effort for cross-platform compatibility, so it currently only works on Linux. I'd happily accept patches to improve portability.