What is it?

S4G is an open source user level sandbox designed for grid technologies. It offers a secure execution environment for untrusted applications. Efficient and lightweight, it does not require to modify your linux kernel, to insert a specific module nor to have special administrator rights.

It has originally been designed for XtremWeb, an open source desktop grid project but can be used for other purposes than grid computing.


What is new?

How does it work?

Using the ptrace library, S4G monitors every system calls of the sandboxed application. Each time one of these functions is called, the sandbox allows, denies or filters it. The filtering process consists in parsing the system call arguments, analyses it to allow or deny the call. When a syscall is allowed, the execution continues as normal and the sandbox will wait until the next system call. If it is denied, the execution of the application will be stopped.

The monitorization system is designed to prevent attacks from the sandboxed application such as volatile memory changes, signal based attacks or process detachment.

Currently, s4g supports only linux ELF binaries. If your kernel allows them, the execution of other binary types won't be sandboxed.

Where can I download it?

The latest versions of S4G are available here.

If you prefer to download the unstable version, use subvesion as explained here.

S4G is an open source project, you are allowed to copy, modify and distribute it according to the GPL Licence.

How can I compile it?

S4G requires:

How can I launch it?

To sandbox an application, just add "s4g" in front of your command.

A problem, who shall I contact ?

The project has two mailing lists. If you have a problem using s4g, please contact s4g-users. If you want to suggest a feature, to send a patch or if you want details about s4g implementation, contact s4g-devel. Full details on these mailing lists are available on the INRIA Gforge lists web site.

Who is the author ?

S4G has been developed by Tangui Morlier. He is working in Franck Cappello's INRIA Grand Large team as an Associate Engineer.

For any question related to S4G, feel free to send him an email.

What is next?

We are planning to add in the next versions the following features:

Links

Source of inspiration and other sandbox projects:

Thanks

The author would like to thank the following people for their help: