tags:

views:

82

answers:

3
+2  Q: 

C++ Sandboxing dynamic libraries

Hello all,

I'm wondering if its at all possible to sandbox a dynamically linked library via dlopen and friends. The aim is to recover from an error within the library without tearing down the hole application e.g SEGFAULT, etc...

Anyone had any experience in this area?

Cheers

+4  A: 

You can fork() before calling the library, then pass the result to your mother process. Let mother process wait for data from child, or report error if it crashes.

che  2010-07-17 13:41:33
Thank you for your time. I had considered this method however this is a fairly heavy handed approach and was hoping for a more elegant solution.
 2010-07-17 13:48:04
When you link library code, you share memory with it, which means that its errors can not only segfault, but also overwrite your memory with garbage. If you want to guard against that, process separation is really the best way to go.
che  2010-07-17 14:35:00
A fork is not the proper way to go since it creates a completely new context (even though it's essentially identical, it is still a copy) something as simple as increasing a usage count of the library you are liking is "different"
Elf King  2010-07-17 19:13:54
Of course if you have an application with some run-time context (or worse, threads) you should not fork and continue to run the whole thing. The child should `exec()` some minimal stub that will just get necessary data for library call, do the call, and pass the result.
che  2010-07-18 16:35:05
+1  A: 

OK well generally speaking exception handling is highly operating system dependent. I am going to make some assumptions and try to provide some generic guidance. Please know that this is by no means an exhaustive reply, but should serve as a place to start.

I will assume that:

  1. For the most part, you are interested in safeguarding against memory leaks.

  2. You are not interested in Windows (which is whole-other-ball-of-wax) since you mentioned dlopen (you would have said LoadLibrary otherwise)

  3. That you are aware of the nuances of linking against C++ symbols. If you are not read up on it at mini howto on dlopen c++

Generally speaking

There is no general solution to the described problem without involving specialized operating systems that provide data and code segment sand-boxing there are Trusted Systems and specialty operating system kernels that can do this, but i assume that you want to do this on a good old *nix or windows environment.

Compiler stuff further complicates issues (does your C++ compiler generate weak symbols by default? typically it would) This affects how exception handling happens in a try-catch.

Simple operating system exception handling that raises signals (SIGSEGV, SIGFPE etc.):

Under POSIX system supporting sigaction...

Let's say you want to protect against generic things like bad memory addressing. Trap the SIGSEG using sigaction before dlopening a library (to protect against .init functions) and then also do a signal check before calling a function within the library. Consider using SA_STACK to ensure that your handler jumps into a stack you have good control over, and SA_SIGINFO to ensure that your handler gets info about the source.

A good place to start on this is at the Signal handling on GNU libc manual

Under C++: use wrappers and with try-catch to catch soft exceptions

try { foo(); } catch() { // do something }

where foo is a weak symbol pointing to a function in your dll see c++ dlopen mini-howto for a lot more examples and details on loading classes etc.

If you have more specific needs, post them, i'll see if i can provide more info.

Cheers

Elf King  2010-07-17 14:22:46
A: 

How would you differentiate a segfault from your application and the dynamic library in question? Creating a separate process to fence off the library as che described seems like the best approach.

edit:

found this related question, pointing at a CERT advisory suggesting not to return from a SIGSEGV handler if you desire portability.

Sam Miller  2010-07-17 14:22:52
Using sigaction SA_SIGINFO you can determine the context under which the signal was sent which means you can actually figure out the function that raised the signal if you backtrace programatically, and figure out whether it was a function within the library or not, and since you are catching the signal, you can the resume properly. Performing a fork() is not a good way to determine resilience of a library ...
Elf King  2010-07-17 19:12:14

related questions

Of Memory Management, Heap Corruption, and C++
How do I make a GUI?
Alpha blending sprites in Nintendo DS Homebrew
Thread safe lazy contruction of a singleton in C++
Interview Programming Questions - In house Exam
Link issues (VC6)
What are the barriers to understanding pointers and what can be done to overcome them?
Why are professors or schools picking Java over C++ to teach to students?
What is the best way to create a sparse array in C++
C/C++ library for reading MIDI signals from a USB MIDI device
How do you pack a visual studio c++ project for release?
How to set up unit testing for Visual Studio C++
How do I configure and communicate with a serial port?
Lightweight IDE for Linux
Mapping Stream data to data structures in C#
CPU throttling in C++
Asynchronous multi-direction server-client communication over the same open socket?
Exceptions in C++
Heap corruption under Win32; how to locate?
Build for Windows NT 4.0 using Visual Studio 2005?
C++: Should I use nested classes in this case?
BerkeleyDB Concurrency
GTK implementation of MessageBox
Is gettimeofday() guaranteed to be of microsecond resolution?
How to use the C socket API in C++ on z/OS