Department of Electrical Engineering and Computer Science
Syracuse University

Chroot Sandbox Vulnerability Lab

Lab Overview

The learning objective of this lab is for students to substantiate an essential security engineering principle, the compartmentalization principle, by studying and evaluating the chroot mechanism implemented in Unix operating systems. The basic idea of compartmentalization is to minimize the amount of damage that can be done to a system by breaking up the system into as few units as possible while still isolating code that has security privileges. This same principle explains why submarines are built with many different chambers, each separately sealed. This principle is also illustrated by the sandbox mechanism in computer systems.

A sandbox provides a restricted environment in which we can run programs that are not completely trustworthy. For example, if a program is downloaded from an untrusted source, running it in an unrestricted environment can expose the system to potential risks. If such programs are executed in a restricted environment, then even if they behave maliciously (they might contain malicious content, or they might be compromised by attackers during execution), their damage is confined within the restricted environment. Almost all Unix systems have a simple built-in sandbox mechanism, called chroot.

In this lab, students need to figure out how chroot works, why it works, and why it should only be used by root. Moreover, students will see the vulnerabilities of this type of sandbox.
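The sequence a privileged program typically follows to confine a child process with chroot, shown here as an added example that is not part of the lab materials. The function names, result codes, the jail path "/" and uid/gid 65534 are assumptions chosen so the program runs harmlessly on a Linux host.

```c
#define _DEFAULT_SOURCE 1   /* exposes chroot() and setgroups() in glibc */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Result codes (names are hypothetical, chosen for this example). */
enum { JAIL_OK, JAIL_ERR_CHDIR, JAIL_ERR_CHROOT, JAIL_ERR_DROP,
       JAIL_ERR_STILL_ROOT, JAIL_ERR_FORK };

/* Confine the calling process to dir, then give up root for good. */
static int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (chdir(dir) != 0)          /* step into the jail before changing root */
        return JAIL_ERR_CHDIR;
    if (chroot(".") != 0)         /* fails with EPERM unless the caller is root */
        return JAIL_ERR_CHROOT;
    if (chdir("/") != 0)          /* chroot() itself never moves the cwd */
        return JAIL_ERR_CHDIR;
    /* Order matters: groups, then gid, then uid. Once the uid is
       dropped the process may no longer change the other two. */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return JAIL_ERR_DROP;
    if (setuid(0) == 0)           /* the drop must not be reversible */
        return JAIL_ERR_STILL_ROOT;
    return JAIL_OK;
}

/* Fork first so the caller itself is never confined; returns a JAIL_* code. */
int try_jail(const char *dir, uid_t uid, gid_t gid)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return JAIL_ERR_FORK;
    if (pid == 0)                 /* child: a real sandbox would exec the program on JAIL_OK */
        _exit(enter_jail(dir, uid, gid));
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return JAIL_ERR_FORK;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed inputs: "/" as the jail and uid/gid 65534 are assumptions. */
    int rc = try_jail("/", 65534, 65534);
    printf("try_jail: %d (%s)\n", rc, rc == JAIL_OK ? "confined" : "refused");
    return rc;
}
```

Run as an ordinary user, the call is refused at chroot(); run as root, it proceeds to the privilege drop.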

Lab Description and Tasks (pdf)

    For instructors: if you prefer to modify the lab description to suit your own courses, you can download the source files (LaTeX) from here.

Time for This Lab: 1 week

Files needed by this lab

The su program in our pre-built Ubuntu VM image cannot run in the chroot prison, so we need to install a different version of su for this lab first. Please download coreutils-7.6.tar.gz and run the following commands:
  • tar xzvf coreutils-7.6.tar.gz
  • cd coreutils-7.6
  • ./configure
  • make
  • cd src
  • sudo cp ./su /bin/mysu
  • sudo chown root /bin/mysu
  • sudo chmod 4755 /bin/mysu
After running the above commands, you will have a new version of su, called mysu, in the /bin directory.

Helpful Documents

Student Feedback

To help us understand how effectively this lab has enhanced students' learning in computer security, we asked students to fill out an anonymous survey right after they finished the lab. We have conducted the survey since 2007. The survey results shown below are aggregated over several years.
  • Survey Questionnaires (doc, pdf)
  • Survey Results (not available)

Updated on 3/2/2006