Project 8: The “Jailbreak” Sandbox Escape

You will build a program that uses seccomp-bpf to create a very restrictive “sandbox” for a small piece of C code by filtering the system calls that code is allowed to make (e.g., it can only use read, write, exit). The sandboxed code contains a hidden buffer overflow vulnerability. Your goal is to exploit the overflow to craft a ROP (Return-Oriented Programming) chain that opens a file and prints its contents (open, read, write), bypassing the sandbox policy.

Quick Reference

| Attribute | Value |
|---|---|
| Primary Language | C |
| Alternative Languages | C++ |
| Difficulty | Level 5: Master |
| Time Estimate | 1 month+ |
| Knowledge Area | Exploit Chaining / Sandboxing / Systems Programming |
| Tooling | seccomp-bpf (Linux), ptrace |
| Prerequisites | Project 2 (Stack Smashing), strong understanding of assembly and Linux syscalls. |

Why It Matters

This project builds core skills that appear repeatedly in real-world systems and tooling.

Core Challenges

  • Building a seccomp filter → maps to learning the BPF assembly-like language for kernel filters
  • Finding ROP gadgets in the binary → maps to using tools like ROPgadget to find useful instruction sequences
  • Crafting a ROP chain to make system calls → maps to setting up registers (RDI, RSI, RDX…) and calling the syscall instruction
  • Chaining multiple syscalls (open -> read -> write) → maps to advanced exploit chaining

Key Concepts

  • Seccomp-bpf: A powerful Linux sandboxing mechanism. Search for tutorials on using libseccomp or raw BPF filters.
  • Return-Oriented Programming (ROP): The definitive technique for bypassing non-executable memory (NX/DEP).
  • syscall Calling Convention: Understanding how to set up registers for Linux system calls.
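
The sandbox half of the project as a raw BPF filter, with a harness that checks the policy is enforced; this is an added example, not code from the original guide. It allowlists read, write, exit and exit_group (the last is added here because libc's _exit uses it); the names run_sandboxed and SANDBOX_ARCH and the probe path are assumptions of this example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <signal.h>
#include <stddef.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#ifdef __aarch64__
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#define SANDBOX_ARCH AUDIT_ARCH_X86_64 /* any other arch fails closed */
#endif
/* Allowlist: read, write, exit, exit_group. Everything else is killed. */
static struct sock_filter prog[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),  /* foreign ABI */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_read, 3, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write, 2, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit, 1, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit_group, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),  /* default deny */
};
static int install_filter(void) {
    struct sock_fprog fp = { .len = sizeof prog / sizeof prog[0], .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fp);
}
/* 1 = child killed by the filter (SIGSYS), 0 = clean exit, -1 = setup error. */
int run_sandboxed(int try_open) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (install_filter() != 0) _exit(2);
        syscall(__NR_write, 1, "in sandbox\n", 11);  /* allowed */
        if (try_open) syscall(__NR_openat, AT_FDCWD, "/etc/hostname", O_RDONLY);
        _exit(0);  /* not reached when try_open is set */
    }
    int st;
    if (waitpid(pid, &st, 0) < 0) return -1;
    if (WIFSIGNALED(st) && WTERMSIG(st) == SIGSYS) return 1;
    return (WIFEXITED(st) && WEXITSTATUS(st) == 0) ? 0 : -1;
}
int main(void) { return run_sandboxed(1) == 1 ? 0 : 1; }
```

On x86-64 the exact-match comparisons also reject x32 syscall numbers, which carry an extra high bit and so match no allowlist entry.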

Real-World Outcome

$ ./sandboxed_program
Enter your data: <very_long_and_complex_rop_chain_payload>
FLAG{y0u_h4v3_3sc4p3d_th3_s4ndb0x}

Implementation Guide

  1. Reproduce the simplest happy-path scenario.
  2. Build the smallest working version of the core feature.
  3. Add input validation and error handling.
  4. Add instrumentation/logging to confirm behavior.
  5. Refactor into clean modules with tests.

Milestones

  • Milestone 1: Minimal working program that runs end-to-end.
  • Milestone 2: Correct outputs for typical inputs.
  • Milestone 3: Robust handling of edge cases.
  • Milestone 4: Clean structure and documented usage.

Validation Checklist

  • Output matches the real-world outcome example
  • Handles invalid inputs safely
  • Provides clear errors and exit codes
  • Repeatable results across runs

References

  • Main guide: LEARN_C_SECURE_CODING_DEEP_DIVE.md
  • “Linux System Programming” by Robert Love