Lind is a single-process sandbox that provides an option to safely execute programs and control its resource (network, file, memory, cpu, etc.) usage at the process granularity. Lind executes applications in an isolated environment from the rest of the applications in the system, and thus limits the damage of bugs or security flaws in the application.
For high level documentation, please go to the main documentation for the project.
Base and pre-built docker images for the SDK toolchain can be fetched from
the Docker Hub Lind repository at securesystemslab/lind
with docker pull securesystemslab/lind
.
You can either make run
or start the container yourself using:
docker pull securesystemslab/lind
docker run --privileged --ipc=host --init --cap-add=SYS_PTRACE -it securesystemslab/lind /bin/bash
The --privileged
option is so that /proc is writable, the --ipc=host
option
is needed to avoid mounting /dev/shm with noexec
(NaCl needs to be able to
execute mmap()'d sections of /dev/shm) and the --cap-add=SYS_PTRACE
allows
debugging with applications that use ptrace() such as gdb.
Check out our scratch build wiki, here: Building Lind from Scratch
Security issues can be reported by emailing justincappos@gmail.com.
At a minimum, the report must contain the following:
- Description of the vulnerability.
- Steps to reproduce the issue.
Optionally, reports that are emailed can be encrypted with PGP. You should use PGP key fingerprint E9C0 59EC 0D32 64FA B35F 94AD 465B F9F6 F8EB 475A.
Please do not use the GitHub issue tracker to submit vulnerability reports. The issue tracker is intended for bug reports and to make feature requests.
Development of Lind occurs on the "develop" branch of this repository. Contributions can be made by submitting GitHub Pull Requests. Take a look at our development guidelines for detailed instructions. Submitted code should follow our style guidelines and must be unit tested.
Contributors must also indicate acceptance of the Developer Certificate of
Origin (DCO) by appending a Signed-off-by: Your Name <example@domain.com>
to each git commit message (see git commit --signoff
).
This project is managed by Prof. Justin Cappos and other members of the Secure Systems Lab at NYU.