Software isolation isn’t a punishment; it’s a way to make sure your shiny new program that you picked up off of the internet plays nicely with your system and isn’t riddled with malware. Thanks to the newly open sourced Sandboxed API, developers can test out new options without putting their system at risk.
Sandboxed API (SAPI) automatically generates sandboxes for C/C++ libraries. Security is not an afterthought with this project; each SAPI library utilizes a tightly defined security policy. While it’s only designed to handle part of a binary, the Sandboxed API can be used to try out a library or some other bit of code with an unknown security posture.
May 13 – 14: Building Reliable Systems
Russ Miles
May 16 – 17: Reactive and Asynchronous Java
Richard Warburton & Raoul-Gabriel Urma
May 16 – 17: Building Microservices
Sam Newman
Dig into new code in the Sandboxed API
Let’s be real, we get a lot of tools, libraries, and frameworks off of the internet, but nobody wants to accidentally infect their system with a security vulnerability. The Sandboxed API is here to help, with a security system designed by Google to help mitigate any issues you could run into. It’s resistant enough to attacks while still easy to use for developers of all levels.
Developers can create security policies for individual software libraries, making it possible to build reusable, secure implementations inside them without impacting the rest of the software.
Essentially, Sandboxed API separates whatever needs to be quarantined and its callers into two different OS processes: the host binary and the sandboxee. Any library calls are marshalled by an API object on the host side and sent via interprocess communication to the sandboxee, where a RPC stub unmarshals and forwards calls to the original library.
How Sandboxed API works. Source.
Sandboxed API provides the API object and the RPC stub. Developers need to have a sandbox policy, a set of systems calls that the underlying library is allowed to make, and the resources it is allowed to access. After it’s set up, a Sandboxed API library can be used in other projects.
While this tool is only available for software libraries or code written in C/C++ right now, other languages may become available in the future.
SEE ALSO: StackFoundation’s Sandbox automates your daily Docker chores
Getting the Sandboxed API
Have Bazel? It only takes a quick download to get the Sandboxed API installed:
sudo apt-get install python-typing python-clang-7 libclang-7-dev linux-libc-dev git clone github.com/google/sandboxed-api && cd sandboxed-api bazel test //sandboxed_api/examples/stringop:main_stringop
For everyone else, more information is available on GitHub. There’s also a helpful Getting Started Guide and a few examples here.
The post Safely play around with new software in Google’s open source Sandboxed API appeared first on JAXenter.
Source : JAXenter
