This program makes it easy to do library sandboxing with LFI. It generates routines to initialize the library sandbox, and trampolines for calling functions from the library.
Build with `go build`.
See `examples` for some basic examples. See `./EXAMPLE.md` for a step-by-step guide to recreating the `add` example manually.
The process for creating a sandboxed library is the following:
- Compile your static library using the LFI compiler. This produces `libfoo.a`.
- Create an "LFI library" by compiling `libfoo.a` to a static PIE and linking with `boxrt` (startup code that runs in the sandbox). Usually this command looks like `$(LFICC) -Wl,--whole-archive libfoo.a -Wl,--no-whole-archive -Wl,--export-dynamic -lboxrt -static-pie -o libfoo.lfi`.
- Invoke `lfi-bind`, passing it `libfoo.lfi` and instructing it to generate an initialization file `lib_init.c` and trampoline file `lib_trampolines.S`.
- Compile `lib_init.c` and `lib_trampolines.S` into your host application, allowing you to use the sandboxed library.
See the `examples` directory for real examples that you can try out.
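The four steps above as one script, added here as an example and not taken from the lfi-bind repository. The names `foo.c`, `main.c`, `foo_add` and `app`, the `lficc` driver name, the `-c`/`ar` compile step, the positional `libfoo.lfi` argument to `lfi-bind` and `HOST_LDFLAGS` are assumptions; the `lfi-bind` flags are the ones in the usage text on this page.

```shell
#!/bin/sh
# Added example. Hypothetical names: foo.c, main.c, foo_add, app.
LFICC=${LFICC:-lficc}          # assumption: name of the LFI compiler driver
HOSTCC=${HOSTCC:-cc}           # ordinary host compiler
HOST_LDFLAGS=${HOST_LDFLAGS:-} # assumption: extra link flags your LFI runtime needs
DRY_RUN=${DRY_RUN:-1}          # 1 = print each command, 0 = execute it

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# build_sandboxed_lib NAME SYMBOLS SRC...   (SYMBOLS is comma-separated)
build_sandboxed_lib() {
    name=$1; symbols=$2; shift 2
    # Step 1: compile the library with the LFI compiler and archive it.
    objs=
    for src in "$@"; do
        obj=${src%.c}.o
        run "$LFICC" -c "$src" -o "$obj" || return 1
        objs="$objs $obj"
    done
    run ar rcs "lib$name.a" $objs || return 1
    # Step 2: link a static PIE with boxrt (command as given on the page).
    run "$LFICC" -Wl,--whole-archive "lib$name.a" -Wl,--no-whole-archive \
        -Wl,--export-dynamic -lboxrt -static-pie -o "lib$name.lfi" || return 1
    # Step 3: generate the init file and trampolines for the listed symbols.
    # Assumption: the .lfi file is passed as a positional argument.
    run lfi-bind -symbols "$symbols" \
        -gen-init lib_init.c -gen-trampolines lib_trampolines.S \
        -lib-path "$PWD/lib$name.lfi" "lib$name.lfi" || return 1
}

# link_host SRC...   Step 4: build the host with the generated files.
link_host() {
    run "$HOSTCC" "$@" lib_init.c lib_trampolines.S $HOST_LDFLAGS -o app
}

build_sandboxed_lib foo foo_add foo.c && link_host main.c
```

With the default `DRY_RUN=1` the script only prints the commands; set `DRY_RUN=0` to execute them once the LFI toolchain and `lfi-bind` are installed.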
```
Usage of ./lfi-bind:
  -gen-init string
        output file for initialization functions
  -gen-trampolines string
        output file for trampolines
  -lib string
        library name for function prefixes (default "lib")
  -lib-path string
        path to library executable at runtime
  -lib-prefix string
        prefix to put on library symbols
  -symbols-prefix string
        prefix used to match exported symbols
  -symbols string
        comma-separated list of exported symbols
  -symbols-file string
        list of symbols in a file, one line per symbol
```