Sandbox mode to run untrusted code?

Open wysisoft opened this issue 5 years ago • 4 comments

I am very interested in sandboxing NodeJS at the libuv level to prevent untrusted code from doing any harm to the OS. Does this seem feasible? Am I the first person to try this at the libuv level?

wysisoft, Jun 23 '20 02:06

What are you hoping to sandbox off? Not everything that Node.js does goes through libuv, e.g., process.setuid().

bnoordhuis, Jun 23 '20 09:06

I want to run NodeJS as a memory and CPU only application, and then allow communication to another process on the same localhost. Nothing else. No spawning processes, no FS, no other networking, no console (possible?), ideally no creating other threads, etc. I know some of this is possible in Linux, but I'd love to see it in NodeJS as well.

wysisoft, Jun 23 '20 12:06

While you could replace libuv with a shim that delegates to another process, that's not an approach I'd recommend. Without OS-assisted process-level isolation, every bug in Node.js or the shim is a potential sandbox-escaping exploit.

If you're looking for a battle-tested, cross-platform sandboxing solution:

https://chromium.googlesource.com/chromium/src.git/+/master/sandbox (design doc)

bnoordhuis, Jun 23 '20 17:06

If anyone wanted to pursue this, here are some relevant research papers on the topic.

  1. De Groef et al. 2014 (I've probably broken a copyright law just now).
  2. Vasilakis et al. 2018

davisjam, Jul 02 '20 20:07