Google announces to open source Sandboxed API, automatically generates sandboxes for C/C++ libraries

Recently, Google announces to open source the Sandboxed API. “The Sandboxed API project (SAPI) aims to make sandboxing of C/C++ libraries less burdensome: after initial setup of security policies and generation of library interfaces, an almost-identical stub API is generated (using a templated based programming variable hierarchy system), transparently forwarding calls using a custom RPC layer to the real library running inside a sandboxed environment.

Additionally, each SAPI library utilizes a tightly defined security policy, in contrast to typical sandboxed project, where security policies must cover total syscall/resource footprint of all utilized libraries.”

How it works

The Sandboxed API project allows to run code of libraries in a sandboxed environment, isolated with the help of Sandbox2.

Our goal is to provide developers with tools to prepare such libraries for the sandboxing process, as well as necessary APIs to communicate (i.e. make function calls and receive results) with such library.

All calls to the sandboxed library are passed over our custom RPC implementation to a sandboxed process, and the results are passed back to the caller.

The project also provides primitives for manual and automatic (based on custom pointer attributes) memory synchronization (arrays, structures) between the SAPI Libraries and the host code.

A high-level Transactions API provides monitoring of SAPI Libraries, and restarts them if they fail (e.g, due to security violations, crashes or resource exhaustion).

The Sandboxed API project is available on Github.