Want to learn about Sandboxing [closed] - security

As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance.
Closed 11 years ago.
I want to learn more about sandboxing. Not just about it. I want to learn such that I will be able to write a simple sandbox.
Surprisingly, there isn't any information available anywhere. Even the Wikipedia article is not good.
Can any one please suggest me good material. I know that its very advanced level concept. So, what are the prerequisites for learning & mastering it.

read about API hooking, for example sandboxie hooks Windows kernel to filter all api calls to filesystem and redirects it results to sandbox, you could hook APIs and filter it, pass only valid parameters, return errors for invalid calls
for API hooking you will find plenty materials on the net, try on codeproject.com

Google's Chromium uses sandboxing and has several documents about it:
http://dev.chromium.org/developers/design-documents/sandbox
http://code.google.com/p/chromium/wiki/LinuxSandboxing

You might also look at jails in FreeBSD. These are the FreeBSD equivalent of sandboxes.
The source code for jail is available (though you'll have to understand the rest of the FreeBSD code as well.)

A simple sandbox would simply be an environment in which you let 'something' execute, but restrict what it can do.
Typically, this "something" is an already-existing language, like Java, or JavaScript, or C#, or native code. Java has 'sandboxing' apis for applets and so on, and .NET has various 'trust' levels, JavaScript has the bounds placed on it by the interpreters (browsers).
So it's a little weird to "write" your own sandbox unless you also have a language you want to sandbox.
Do you have such a language? What do you want to learn about, specifically?

This is very dependent on what do you want to sandbox. If it is a full-blown system with multiple interfaces/languages available, you really do not want to re-invent the wheel, but run a virtual machine in VirtualBox, QEmu or some other alternative
In any case, a sandbox IS, at least on some level a virtualization of the system you are 'supposed to be' running...
If you need to sandbox applications for a single (interpreted) language, modifying the interpreter sound like a sensible approach.

The answer will likely be language specific. Unfortunately most languages don't have built-in sandboxing capabilities. But functional languages tend to be powerful enough that one can be built from scratch without extending the language.
In Tcl the basic mechanism is to create slave interpreters:
interp create -safe sandbox
interp eval sandbox $set_up_code
set result [interp eval sandbox $unsafe_code]

I wrote an overview of the ways of sandboxing within Linux the other day, which links to a lot of references for the different techniques. Similar methods are applicable in other operating systems. I hope it is helpful - I couldn't find much comprehensively documented either.

Related

Linux desktop app development [closed]

As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance.
Closed 9 years ago.
Recently I made the switch from windows to linux (arch). As a student majoring computer science I have quite some programming experience (mainly java so not really platform dependant).
Now I want to create some simple desktop applications for my linux machine. For some small projects I made for personal use on windows I used C#.net. Now I want to do something similar in linux.
I did some research and I guess my main toolkit choices for GUIs are QT and GTK but since I'm using GNOME I'm guessing the best choice is GTK?
What are some good options to get started with?
PS: Something I had in mind for a first little project was a simple download manager, basically a GUI on top of wget since I couldn't really find one that I liked.
(I could use java on linux too but I'd prefer something more "native")
Well if you want something fast and easy I'd recommand the use of Qt, since it comes with a graphical editor
C++ is really powerful and you can do a lot of crazy stuff, but you also have to write a lot and scratch your head sometimes. A really good alternative is Python to get things running faster. Qt has binding for Python too, Pyside and PyQt
In most modern Linux distributions, it is trivially easy to install and maintain the entire Qt tool chain. Coming from C#, you are also more likely to find C++ a bit more familiar.
On the other hand, your proposed project might be a bit more instructive should you decide to go the C/GTK route. After all, wget is written in C, and, being Open Source, is freely available to incorporate into your projects. To learn good programming, IMHO, it is more important to expose yourself to code that's stood the test of time and is being actively maintained than to fool around with desktop decorations. Heck, if you discover something interesting, you can drop an email to Hrvoje Niksic himself. Now there is a feature that's not available even with the $5,000 Vis Studio Premium.
Also, both Qt and GTK have great UI designers, so that really shouldn't influence your choice. So, really my answer would be, why not try both?

best resources for long-term projects in node.js [closed]

As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance.
Closed 10 years ago.
Until now I've been developing in PHP. Now I'm about to begin a couple of new projects, and I think node.js would be perfect for them. I read some general (internet-oriented) guides on the language, and I can understand them with no problem, but then it seems to become all extremely messy when it comes to put it all together in a real development situation (trough the usage of the many, many available frameworks).
The best guides that I could find looked really dated when I tried to follow them.
Therefore I came to ask in person if you could provide me with some recent and vaguely complete tutorials/resources on how to develop applications (both server side and client side) entirely in javascript.
I usually tend to work only in long term (and medium to large scale) projects and therefore I would like to keep the libraries to a minimum. But I'm also not a hackery type: I like to be able to focus on the logic of the programs, and usage of frameworks is totally accepted. I just wouldn't like to be overloaded with functions that I'm never going to use (or could easily implement myself).
Thanks a lot for your help!
Node.js is built from the ground up on the idea of having a lightweight core that can be extended with any number of libraries (i.e. node core vs. userland). Thus if you use node, you will - endogenically - end up using a lot of little libraries (or libraries that bundle a lot of libraries).
The brilliance here is that you get to choose yourself what kind of stack suits best the specific situation at hand. Node's package manager (npm) is superior in this fashion -- it let's you manage very heterogenous stacks with ease.
If you come from a more opinionated environment like PHP (or rails), the amount of different frameworks and libraries can be overwhelming at first. Node.js does not enforce you to use any specific stacks or conventions, which gives you more flexibility to do whatever you like. In fact you shouldn't even think of node.js as a framework -- it's a JavaScript runtime environment on top of which you can build web servers (and web frameworks).
if you are looking for popular ways people apply node.js, a good starting point is checking out how popular (and dependent on) are various packages in npm (see https://npmjs.org/). Based on the popularity (and dependence counts) of packages, one could recommend using the following kind of stack:
Use express.js (based on connect.js) as your web application framework
Write server-side markup with jade
Use request, async and underscore as helper libraries
Use mocha for writing tests
Optionally write your application in CoffeeScript
Use MongoDB as your database (and optionally redis for like sessions)
Please note this stack is just based on what kind of library choices are popular among npm users -- it doesn't tell you what kind of stack would best suit your specific situtation.

ColdFusion Security [closed]

As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance.
Closed 10 years ago.
What are the best practices for securing a coldfusion webpage from malicious users? (including, but not limited to, sql injection attacks)
Is cfqueryparam enough?
I use a modified portcullis, and filter all incoming var scopes (URL,FORM,COOKIE) onRequestStart.
http://portcullis.riaforge.org/
Pete Freitag has an awesome blog, especially this post on Hardening ColdFusion
Never trust the client.
The most ColdFusion specific "set and forget" is following server administrator hardening guidelines noted above, keeping the server up-to-date, and following ColdFusion on twitter to learn about any new issues immediately.
For app security, which is common across all languages, you should validate every piece of information that touches your server from the client. Forms are are obvious areas of tight control, but don't forget about URL parameters that you might use for application state management or control. Something like &startRow=10&tag=security which isn't "supposed" to be touched by the user is user input. Even if your application could never break with invalid data, you might not know how that data will be used in the future. Validation could be as simple as ensuring that someone isn't entering a 100 character long first name and doesn't contain programming characters or ensuring that &startRow is always a number. These are the little things that application developers sometimes skip because everything works OK as long as you are using the software as expected.
I believe you can look at the Sony Playstation hacking as an example. Unfortunately, they didn't expect someone to hack the client (playstation console) and manipulate the PlayStation console software to hack the server. The server trusted the client.
Never trust the client.
I would say best practices for ColdFusion are similar to those for programming web applications in any language.
I recently read Essential PHP Security Chris Shiflett and the majority of issues discussed affect ColdFusion as well, though the syntax for dealing with them may be slightly different. I expect there are other (possibly better) language agnostic books which contain principles which can easily be altered for use in ColdFusion.
Although using a prebuilt solution will work, I recommend knowing all the possible issues that must be protected. Check out Hack Proofing ColdFusion at Amazon.
Another great place to learn about security (and all kinds of other topics) is to check out Charlie Arehart's massive list of recorded user group presentations: http://www.carehart.org/ugtv/
Here is information on a good tool that can be used to prevent XSS.
https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
http://www.petefreitag.com/item/760.cfm
Fairly easy to implement and Java based.
I recommend you the excellent talk by Justin McLean "ColdFusion Security and
Risk Management". It includes a case study.
PDF presentation http://cdn.classsoftware.com/talks/CFMeetupSecurity.pdf
Video streaming: http://experts.adobeconnect.com/p22718297
CfQueryParam is very important, but not nearly enough.
There is a boxed solution we use at my work: http://foundeo.com/security/. It covers most of the bases. And even if you don't want to buy it, you can take a look at it's feature set and get an idea of the things you should be considering.
You may like to check -
http://help.adobe.com/en_US/ColdFusion/10.0/Developing/WSe61e35da8d3185183e145c0d1353e31f559-8000.html

Which language to choose for a Jabber bot? [closed]

As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance.
Closed 10 years ago.
I'll be writing an XMPP (Jabber) bot, and I need to decide in which language should I write it. Currently I'm considering Python, Java, and PHP.
Since I'm expecting the bot to be running most of the time (i.e. 23.5/7), are there some specific arguments for or against using one of these languages? (e.g. not "$x sucks", but "$y has good daemon library" or "$z leaks memory")
The bot's purpose will mostly be responding to user input.
If none of these languages seem suitable to you, what would you recommend?
I would say Python with the Twisted framework. Twisted is amazing framework for asynchronous networking and most of the time it already has the support for the protocol you are looking for. There's a slight learning curve because of the reactor pattern but once overcome you can do amazing things with the littlest amount of code. As for the IRC protocol twisted already has it, so while I'm not an expert on IRC bots, I would definitely recommend Python and Twisted.
BTW, this is the first one that came up with google: Python IRC bot using Twisted
If you want to service for multiple users at the same time(probably you want), PHP may not be a good choice, since it does not support(or experimentally support) threading, you have to fork a copy of your application for each user.
I recommend Java for this purpose. Sun describes Java as "simple, object-oriented, distributed, interpreted, robust, secure, architecture neutral, portable, high-performance, multithreaded, and dynamic.".
In my opinion with exception of time critical jobs Java best suits for client-server architecture.
Of the options you posted, I would have to suggest Java. PHP, for one, simply isn't going to do what you want it to; it's meant to be a web scripting language, not an anything-else scripting language. Python is capable of doing what you want, but I think Java will provide more out-of-the-box support for the functionality you're trying to achieve.
Personally I'd start with the ejabberd codebase and work from there -- for a headless network server agent, Erlang would be the language/platform I'd reach for first, unless there were compelling arguments for another technology. Immutable data and actor-based concurrency pushes all the normal housekeeping code down into the platform, leaving you free to concentrate on the bits that are really what your app is about.
Wrote some years ago bot for IRC using delphi. It is much better than interpreter languages - eats less memory, works much faster, and you can be sure that it will have great reserve of speed if you will need add more and more features in future - parsing users phrases, process them. For example my bot particularly logged all chat and performed quick search by user request (user just wrote !search word/phrase - bot performed search and sent to user results as short quotations, so user could select one of quotations and get more posts around it from log). It is almost unimplementable using for example php because it is too slow.
If bot is proposed to work under *nix - just use c/c++ :)
If you want to use only languages enumerated in your post - then only Java to my mind. Read above why.
Python Jabberbot
This is a fairly easy way to create a jabberbot with python.

Good resources on security, hacking etc? [closed]

As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance.
Closed 10 years ago.
I am interested in learning about how hackers find and exploit vulnerabilities. Specifically about windows hacking and web hacking i.e. I’m NOT interested in linux/unix stuff.
Are there any good websites with technical articles about specifically how to find, exploit and block vulnerabilities with code samples and tools used.
I can do a quick search and there are a load of sites but i'm looking for something with a little more quality geared towards an audience with a programming and web background.
Even a good book but only if it's windows/web specific
Thanks a lot
Smashing the Stack for Fun and Profit is the classic Phrack article on writing buffer overflow exploits.
A good starting point for a web developper would be the Open Web Application Security Project (OWASP). They have a lot of ressources on the subject of Web Application Security and on some on application security in general. You can get some of the wisdom of that side in book form.
Try Simpson Garfinkel's book on web security first.
I highly recommend:
Hacking: The Art of Exploitation
Gray Hat Hacking, Second Edition: The Ethical Hacker's Handbook
I liked the Web Security Testing Cookbook. Some non-Windows stuff in there. The focus is on testing and using tools to find problems.
Subscribe to Schneier on Security. It's a great security blog.
For web hacking I recommend reading the book The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws (very good book with lots of examples. It also shows you the tools which will get you started).
Also for web hacking I recommend completing and understanding all the challenges you can solve by downloading the WebGoat
See the top 100 network security tools list at http://sectools.org/.
Don't get me wrong but if you really want to understand security stuff, Linux is really the way to go. There, you'll really learn the fundamental, i.e. things that is important everywhere (encryption, ASM, programming, protocols, [etc]). However, on Linux, you'll be able to read real code and use/find real exploit (and of course, send bug fix). You'll also find a lot more documentation and a really nice community.
I know I'm biased toward Linux and you'll probably think I completely missed your question. However, I know friends of mine who asked me the same question and I told them what I've just told you.
Once you know the base, you can easily find the documentation you want (reading RFC, learning new languages, architectures, tools, source code, etc..) This is by far better then to know a procedure to execute an exploit without understanding why it exists.
One last thing, the best hacker does't find exploit by guessing.. they have a perfect understanding on the underlying structure and see something wrong. Then, some exploit it, other send a patch to fix it - this is not the right place to argue about it - however, they are both experts in this domain.
I think what you'll need would be to join some hackers community which would provide many missions where you'd have to find the exploits yourself....
understand that if you have learn hacking you'd have to hack something......
www.enigmagroup.org would be an useful one...
www.securitytube.net from here you can get videos on almost every security related issue...

Resources