Codius + Rust = ❤

Greetings! This is my first writeup for the Codius team, so I'll briefly introduce myself: I'm Torrie Fischer, and I'm currently the engineer hacking away at Codius' sandboxing technology. Our sandbox has gone through a number of iterations, each time getting better, faster, stronger, and more secure. I've come from a strong background in Free Software, originally starting out as a KDE developer specialising in multimedia.

Our current sandbox is built on two core technologies: seccomp and Rust. Seccomp is a Linux kernel facility for filtering system calls, and it provides the primitives for building more elaborate sandboxes on top of it. We use it to intercept syscalls and hand each intercepted call to an exterior sandbox host process through the long-standing ptrace() API. The specifics of how we use seccomp will be a later blog post, but for now I'd like to elaborate a bit on our decision to use the Rust language for our sandbox.

Sandbox Goals

Codius as a whole has a number of goals, and a handful of them apply directly to the sandbox:

  • Execute arbitrary programs as contracts with minimal change
  • Upload your contract as a complete package, including any static resources, files, etc., in addition to the executable bits
  • Protect the host from whatever a contract might try
  • Prevent any contract from unintentionally interacting with another contract
  • Protect contracts from unwanted interactions of another contract
  • Completely isolate a contract's execution environment from the outside world
  • Provide the exact same execution environment anywhere on the 'net for any given contract on any given host
  • Everything is disposable
  • Lightweight
  • Easy to audit
  • Defensive against malicious contracts
  • Predictable executions
  • Idempotent executions
  • Good open source citizenry

A lot of these goals are meant to address our threat model, which Steven gave a great writeup on.

Within the Codius stack, Rust sits somewhere in the middle: above the kernel's seccomp and ptrace interfaces, and below the C++ glue and npm module that expose the sandbox to NodeJS.

By using Rust, we're eliminating whole classes of attack vectors:

  • Static analysis ensures a complete absence of dangling pointers outside of unsafe{} code
  • Bounds-checked indexing at runtime, so an out-of-range index panics instead of reading or writing adjacent memory
  • unsafe{} blocks quickly identify the code that needs intense auditing; everything else is checked by the compiler
  • immutable-by-default bindings ensure that the sandbox's state can't be changed by a human typo in code unless we're explicit about it with mut
  • The borrow checker rules out use-after-free and data races by enforcing, at compile time, that a value is either shared or mutable but never both
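To make the seccomp-to-ptrace handoff described above concrete, and to show what it looks like when the only unsafe{} code is a couple of clearly marked lines, here is an added example in plain Rust (it is not Codius' code, and the crate names and API it uses are my own for this post). It builds a seccomp-bpf program that kills the process on a foreign ABI, returns SECCOMP_RET_TRACE for a chosen set of syscall numbers so the kernel hands them to the ptrace() tracer, and allows everything else. A tiny interpreter for the three BPF instructions the program uses lets you check the filter's decisions offline, without installing it. Constants are the Linux x86_64 values from <linux/filter.h>, <linux/seccomp.h> and <linux/audit.h>; the syscall numbers in main() are x86_64 (2 = open, 257 = openat, 41 = socket).

```rust
// Added example, not Codius code: a seccomp-bpf filter built in safe Rust,
// an offline evaluator for it, and an installer that confines unsafe{} to
// the two prctl() calls. Linux x86_64 constants throughout.
use std::os::raw::{c_int, c_ulong, c_ushort, c_void};

/// One classic BPF instruction, laid out like the kernel's `struct sock_filter`.
#[repr(C)]
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct SockFilter {
    pub code: u16,
    pub jt: u8,
    pub jf: u8,
    pub k: u32,
}

pub const BPF_LD_W_ABS: u16 = 0x20; // BPF_LD | BPF_W | BPF_ABS
pub const BPF_JMP_JEQ_K: u16 = 0x15; // BPF_JMP | BPF_JEQ | BPF_K
pub const BPF_RET_K: u16 = 0x06; // BPF_RET | BPF_K

pub const SECCOMP_RET_KILL_PROCESS: u32 = 0x8000_0000;
pub const SECCOMP_RET_TRACE: u32 = 0x7ff0_0000;
pub const SECCOMP_RET_ALLOW: u32 = 0x7fff_0000;
pub const AUDIT_ARCH_X86_64: u32 = 0xc000_003e;

// Offsets into `struct seccomp_data`, the record the filter reads.
const SECCOMP_DATA_NR: u32 = 0;
const SECCOMP_DATA_ARCH: u32 = 4;

fn stmt(code: u16, k: u32) -> SockFilter {
    SockFilter { code, jt: 0, jf: 0, k }
}
fn jump(code: u16, k: u32, jt: u8, jf: u8) -> SockFilter {
    SockFilter { code, jt, jf, k }
}

/// Filter: kill on a non-x86_64 ABI (blocks the 32-bit syscall table
/// bypass), TRACE every syscall number in `traced`, ALLOW the rest.
pub fn trace_filter(traced: &[u32]) -> Vec<SockFilter> {
    let mut prog = vec![
        stmt(BPF_LD_W_ABS, SECCOMP_DATA_ARCH),
        jump(BPF_JMP_JEQ_K, AUDIT_ARCH_X86_64, 1, 0),
        stmt(BPF_RET_K, SECCOMP_RET_KILL_PROCESS),
        stmt(BPF_LD_W_ABS, SECCOMP_DATA_NR),
    ];
    for &nr in traced {
        // jt = 0 falls through to the TRACE return; jf = 1 skips over it.
        prog.push(jump(BPF_JMP_JEQ_K, nr, 0, 1));
        prog.push(stmt(BPF_RET_K, SECCOMP_RET_TRACE));
    }
    prog.push(stmt(BPF_RET_K, SECCOMP_RET_ALLOW));
    prog
}

/// Interpret the BPF subset used above for one syscall entry. Returns the
/// seccomp action, or None if the program is malformed (bad jump, unknown
/// opcode, or no return). `get()` is a bounds-checked lookup, so a jump past
/// the end yields None rather than an out-of-bounds read.
pub fn evaluate(prog: &[SockFilter], arch: u32, nr: u32) -> Option<u32> {
    let mut pc = 0usize;
    let mut acc = 0u32;
    for _ in 0..prog.len() {
        let insn = prog.get(pc)?;
        pc += 1;
        match insn.code {
            BPF_LD_W_ABS => {
                acc = match insn.k {
                    SECCOMP_DATA_NR => nr,
                    SECCOMP_DATA_ARCH => arch,
                    _ => return None,
                }
            }
            BPF_JMP_JEQ_K => {
                let off = if acc == insn.k { insn.jt } else { insn.jf };
                pc += off as usize;
            }
            BPF_RET_K => return Some(insn.k),
            _ => return None,
        }
    }
    None
}

/// Install the filter into the calling process. The unsafe{} block is the
/// whole FFI surface of this example and is what an auditor reads first.
#[cfg(target_os = "linux")]
pub fn install(prog: &[SockFilter]) -> std::io::Result<()> {
    #[repr(C)]
    struct SockFprog {
        len: c_ushort,
        filter: *const SockFilter,
    }
    extern "C" {
        fn prctl(option: c_int, ...) -> c_int;
    }
    const PR_SET_SECCOMP: c_int = 22;
    const PR_SET_NO_NEW_PRIVS: c_int = 38;
    const SECCOMP_MODE_FILTER: c_ulong = 2;
    let fprog = SockFprog { len: prog.len() as c_ushort, filter: prog.as_ptr() };
    let rc = unsafe {
        // Required unless the caller has CAP_SYS_ADMIN; also stops setuid escalation.
        if prctl(PR_SET_NO_NEW_PRIVS, 1 as c_ulong, 0 as c_ulong, 0 as c_ulong, 0 as c_ulong) != 0 {
            return Err(std::io::Error::last_os_error());
        }
        prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog as *const SockFprog as *const c_void)
    };
    if rc != 0 { Err(std::io::Error::last_os_error()) } else { Ok(()) }
}

fn main() {
    let prog = trace_filter(&[2, 257, 41]); // x86_64: open, openat, socket
    for (label, arch, nr) in [("open", AUDIT_ARCH_X86_64, 2), ("write", AUDIT_ARCH_X86_64, 1), ("i386 open", 0x4000_0003, 5)] {
        println!("{label:>10}: {:#010x}", evaluate(&prog, arch, nr).unwrap_or(0));
    }
}
```

Two caveats worth knowing before wiring this up to a tracer: SECCOMP_RET_TRACE only works while a ptrace() tracer is attached and has requested PTRACE_O_TRACESECCOMP; if no tracer is present the kernel fails the syscall with ENOSYS rather than allowing it, so a tracer crash degrades to denial rather than escape. And the architecture check at the top is not optional: without it a contract could switch to the 32-bit syscall table, where the same numbers mean different things.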

Currently, Codius requires a small bit of C++ glue to provide a NodeJS-friendly API, which is in turn used to provide an npm module. Future iterations will remove the C++ code and replace it either with Rust compiler plugins that export the node API directly from Rust code, or with node-ffi.

rust-seccomp and rust-ptrace are two Rust crates that we're developing to support others in the Rust community who are keen on building sandboxing environments. Both crates will see releases very soon.