A robust multi-layer sandbox for secure Linux code execution
Pitch

Z-Jail provides a lightweight, multi-layer sandbox that ensures secure and auditable native code execution on Linux. With features like namespaces, capability dropping, and an evidence-based verdict engine, it offers a solid defense against security threats while maintaining ease of use and performance.

Description

Z-Jail is a lightweight, multi-layer sandbox designed for secure execution of native code on Linux systems. It combines seven independent defense layers, has no external dependencies, and keeps the binary compact at approximately 130 KiB.

Key Features:

  • Truthimatics Public Version: an evidence-based verdict engine that evaluates the executed binary and returns a final verdict of DETERMINISTIC, REJECT, or UNCERTAIN based on weighted observations.
  • Namespaces: uses five namespace types (mount, pid, net, ipc, and uts) to isolate the sandboxed process from the host.
  • pivot_root: robust filesystem isolation that detaches the sandbox from the host filesystem and prevents unauthorized access to it.
  • Capability Dropping: drops all capabilities, removing privileges the sandboxed program does not need.
  • Seccomp-BPF Filtering: enforces a strict allow-list that permits only 15 specific syscalls, maximizing control over what the binary can do.
  • Audit Logging: writes a comprehensive JSON audit log for every execution, detailing the sandbox environment and the execution result.
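
As an added illustration, not code from Z-Jail, here is how a seccomp-BPF allow-list of the kind described above is built in C: the filter checks the architecture first, allows a short constructed list of syscalls, and kills the process on anything else. The five-entry syscall list and the function names are assumptions for illustration; Z-Jail's own 15-entry list is not reproduced.

```c
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U /* absent from pre-4.14 kernel headers */
#endif
/* Constructed allow-list for illustration; Z-Jail's own 15-entry list is not reproduced here. */
static const unsigned allowed[] = { SYS_read, SYS_write, SYS_brk, SYS_exit, SYS_exit_group };
#define NALLOWED (sizeof allowed / sizeof allowed[0])
#define PROG_LEN (5 + 2 * NALLOWED)
#define ARCH_OFF offsetof(struct seccomp_data, arch)
#define NR_OFF   offsetof(struct seccomp_data, nr)

/* Emit the filter: kill on a foreign arch, allow listed syscalls, kill everything else. */
size_t build_allowlist(struct sock_filter *p) {
    size_t i, n = 0;
    p[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARCH_OFF);
    p[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0);
    p[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    p[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, NR_OFF);
    for (i = 0; i < NALLOWED; i++) {           /* match -> allow, otherwise try the next entry */
        p[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, allowed[i], 0, 1);
        p[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    p[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS); /* default deny */
    return n;
}

/* Interpreter for the three opcodes used above, so the policy can be tested without installing it. */
unsigned eval_filter(const struct sock_filter *p, size_t len, unsigned arch, unsigned nr) {
    unsigned acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        switch (p[pc].code) {
        case BPF_LD | BPF_W | BPF_ABS: acc = (p[pc].k == ARCH_OFF) ? arch : nr; break;
        case BPF_JMP | BPF_JEQ | BPF_K: pc += (acc == p[pc].k) ? p[pc].jt : p[pc].jf; break;
        case BPF_RET | BPF_K: return p[pc].k;
        default: return SECCOMP_RET_KILL_PROCESS; /* unknown opcode: fail closed */
        }
    }
    return SECCOMP_RET_KILL_PROCESS;             /* fell off the end: fail closed */
}
/* Build a fresh program and evaluate one (arch, nr) pair; convenient for tests. */
unsigned verdict(unsigned arch, unsigned nr) { struct sock_filter p[PROG_LEN]; return eval_filter(p, build_allowlist(p), arch, nr); }

/* Apply the filter to the calling process (irreversible); NO_NEW_PRIVS is required without CAP_SYS_ADMIN. */
int install_allowlist(void) {
    struct sock_filter prog[PROG_LEN];
    struct sock_fprog fp = { .len = (unsigned short)build_allowlist(prog), .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fp);
}
```

Children inherit the installed filter across execve, which is what makes this usable as a sandbox layer: the parent installs it and then executes the untrusted binary.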

Architecture Overview:

Z-Jail's architecture defines a fixed flow for sandbox initialization and execution in which the security measures are applied in sequence. The design includes decision points for setting resource limits, closing leaked file descriptors, disabling core dumps, dropping privileges, and enforcing syscall restrictions.

Usage Examples:

To run a static binary in a secure environment:

sudo ./z_jail --root=./roots --seccomp-enforce -- ./bin/hello_static

For verifying binary integrity:

sudo ./z_jail --root=./roots --seccomp-enforce --self-hash=$(sha256sum z_jail | cut -c1-64) -- ./bin/program

Performance Metrics:

  • Mean Latency: ~8 milliseconds for sandbox setup.
  • Binary Size: Compact at approximately 130 KiB.
  • Resource Footprint: Peak Resident Set Size (RSS) of about 4 MiB, allowing efficient resource usage.

With enhanced security against threats such as arbitrary code execution, file descriptor leaks, and privilege escalation, Z-Jail serves as a reliable solution for CI pipelines, coding challenges, and evaluation environments. It stands out by balancing lightweight operation with robust security measures, filling a crucial gap in existing sandboxing solutions.
