Lind is a single process sandbox that provides an option to safely execute programs and control its resource (network, file, memory, cpu, etc.) usage at the process granularity. Lind executes applications in an isolated environment from the rest of the applications in the system, and thus limits the damage of bugs or security flaws in the application.

What Does the Name Lind Mean?

In Old Norse, Old High German and Old English a “lind” is a shield constructed with two layers of linden wood. Linden wood shields are lightweight, and do not split easily, an appropriate metaphor for a sandboxing system which employs two technologies.

How is Lind different from other Sandboxing and Software Fault Isolation techniques?

Most existing sandboxing techniques like Microsoft's Drawbridge, Apple's Sandbox and Docker project require some kernel modifications which reduces the portability of applications. In comparison, Lind completely exists in the user space without requiring any kernel changes, thereby increasing the portability of the solution.

There are different granularities of isolation. Object based isolation in a programming language might not isolate CPU or file system between each object. A purpose built virtual machine on the other hand offers perfect isolation, but is expensive and inefficient. Lind is a tradeoff of the two extremes. It is designed to run compiled binary applications on many platforms, while monitoring and controlling the resource usage of a process through flexible polices, allowing a per-application policy approach to building systems.

Because Lind relies on Google Native Client and Seattle Repy, each having a very small trusted computing base (TCB), the resulting trusted computing base of Lind is very small. Because of a small TCB, we can be more confident of the absense of security bugs in Lind itself.

How is Lind implemented?

We constructed a prototype architecture for the Lind sandbox to satisfy the isolation and performance requirements. Efficient computation and providing a broad array of system services are the two goals of the Lind sandbox. For computation, Lind leverages Google Native Client (NaCl) execution environment. NaCl allows the efficient execution of legacy code in the form of x86 and ARM binaries that are built with a lightly modified compiler tool chain. For operating system access, Lind provides a subset of the POSIX API which is sufficient for many programs. The POSIX API, which itself is difficult to secure, is constructed using the Seattle Repy sandbox which provides performance isolation and safety.

A Short Overview of NaCl Sandbox

A native application is one that is compiled for a specific hardware platform. NaCl runs one untrusted program and one trusted OS gateway in the same process. It makes use of a modified version of the GNU GCC compiler to produce verifiable native code for x86, x86-64 and ARM architectures. Because of the restricted subset of native instructions NaCl uses, it can formally verify that the program can never violate the sandbox. You can go through Native Client: A Sandbox for Portable, Untrusted x86 Native Code paper to obtain more details on how NaCl works.

A Short Overview of Seattle Repy

Restricted Python (Repy) uses a restricted subset of the Python language and provides its own system API. Repy is widely used on tens of thousands of laptops, desktops, smartphones, and tablets as part of the Seattle project. Repy has a simple system API that uses novel techniques to limit its trusted computing base. The Repy API allows private per-application file access, TCP and UDP sockets, threading and locking. These services are provided in Repy version 2 which has a simple API of 34 calls, particularly small when compared with the 311 system calls in Linux 2.6 x86-64. Repy uses a policy file to describe rate limiting and API restrictions for each program. The Repy sandbox provides performance isolation in addition to other security protections.

I am interested in Lind, where to start?

  • Want to try out Lind?
    Follow the instructions at Installing Lind to setup the environment. Currently Lind works on Ubuntu 14.04 LTS 64-bit machines.
  • Want to grab the code?
    Lind source code can be accessed from our Github repository at Lind-Project. Refer to Lind Source Code for understanding the code components.
Last modified 4 years ago Last modified on Mar 25, 2015 9:00:55 AM