System Integrity Protection (SIP) is a simple mechanism for protecting system integrity while executing untrusted programs. It was developed in collaboration with @colinmonteil and @saltermine as a final project for our Software Security course.
SIP should NOT be used to protect real-world systems.
SIP implements a simplified version of the dual-sandboxing architecture described by Wai-Kit Sze and R.Sekar in A Portable User-Level Approach for System-wide Integrity Protection. A description of the differences between our system and the one proposed by Sze and Sekar can be found here.
System Integrity Protection (SIP) has been tested (albeit in a limited fashion) on Ubuntu LTS 16.04.
To use SIP, simply...
git clone https://github.com/bporcelli/system-integrity-protection/cd system-integrity-protection/installsudo install.sh
After installing SIP, you can use the runt command to execute untrusted programs, e.g. runt rm -rf *.
To uninstall SIP, cd into the install directory and run the command sudo uninstall.sh.