System Integrity Protection (SIP) is a simple mechanism for protecting system integrity while executing untrusted programs. It was developed in collaboration with @colinmonteil and @saltermine as a final project for our Software Security course.
SIP should NOT be used to protect real-world systems.
SIP implements a simplified version of the dual-sandboxing architecture described by Wai-Kit Sze and R. Sekar in "A Portable User-Level Approach for System-wide Integrity Protection". A description of the differences between our system and the one proposed by Sze and Sekar can be found here.
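To make the dual-sandboxing idea concrete, here is an added toy model of the integrity policy such a design enforces. It is not SIP's code and not the paper's implementation; the rules are assumptions in the Biba style (untrusted processes may not write high-integrity files, benign processes may not read untrusted output, and anything an untrusted process writes is relabelled low), and the file names are constructed sample state.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

HIGH, LOW = "high", "low"  # integrity labels shared by files and processes


@dataclass
class IntegrityMonitor:
    """Assumed policy: the untrusted sandbox blocks LOW processes from
    writing HIGH files; the benign sandbox blocks HIGH processes from
    reading LOW files; files written by a LOW process become LOW."""
    # constructed sample state: a few system files start out HIGH
    file_labels: Dict[str, str] = field(
        default_factory=lambda: {"/etc/passwd": HIGH, "/bin/ls": HIGH})
    audit: List[str] = field(default_factory=list)

    def label_of(self, path: str) -> str:
        # a path never written is treated as HIGH (pre-existing system state)
        return self.file_labels.get(path, HIGH)

    def write(self, proc: str, path: str) -> bool:
        """Untrusted sandbox: no write-up from a LOW process to a HIGH file."""
        if proc == LOW and self.file_labels.get(path) == HIGH:
            self.audit.append(f"DENY write {path} by {proc} process")
            return False
        if proc == LOW:
            self.file_labels[path] = LOW  # output of untrusted code is tainted
        return True

    def read(self, proc: str, path: str) -> bool:
        """Benign sandbox: no read-down from a HIGH process of a LOW file."""
        if proc == HIGH and self.label_of(path) == LOW:
            self.audit.append(f"DENY read {path} by {proc} process")
            return False
        return True

    def simulate(self, events: List[Tuple[str, str, str]]) -> List[bool]:
        """Apply (process_label, 'read' | 'write', path) events in order."""
        ops = {"read": self.read, "write": self.write}
        return [ops[op](proc, path) for proc, op, path in events]


if __name__ == "__main__":
    mon = IntegrityMonitor()
    events = [(LOW, "write", "/etc/passwd"),  # untrusted write to a system file
              (LOW, "write", "/tmp/out"),      # allowed, but /tmp/out becomes LOW
              (HIGH, "read", "/tmp/out"),      # benign program must not consume it
              (LOW, "read", "/etc/passwd")]    # reading down is harmless
    print(mon.simulate(events), mon.audit)
```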
System Integrity Protection (SIP) has been tested (albeit in a limited fashion) on Ubuntu LTS 16.04.
To use SIP, simply run:

```bash
git clone https://github.com/bporcelli/system-integrity-protection/
cd system-integrity-protection/install
sudo ./install.sh
```
After installing SIP, you can use the `runt` command to execute untrusted programs, e.g. `runt rm -rf *`.
To uninstall SIP, cd into the `install` directory and run `sudo ./uninstall.sh`.