1# Sandboxing PFFFT library 2 3This library was sandboxed as part of Google's summer 2020 internship program 4([blog post](https://security.googleblog.com/2020/12/improving-open-source-security-during.html)). 5 6Build System: CMake 7OS: Linux 8 9### How to use from an existing Project 10 11If your project does not include Sandboxed API as a dependency yet, add the 12following lines to the main `CMakeLists.txt`: 13 14```cmake 15include(FetchContent) 16 17FetchContent_Declare(sandboxed-api 18 GIT_REPOSITORY https://github.com/google/sandboxed-api 19 GIT_TAG main # Or pin a specific commit/tag 20) 21FetchContent_MakeAvailable(sandboxed-api) # CMake 3.14 or higher 22 23add_sapi_subdirectory(contrib/pffft) 24``` 25 26The `add_sapi_subdirectory()` macro sets up the source and binary directories 27for the sandboxed jsonnet targets. 28 29Afterwards your project's code can link to `sapi_contrib::pffft` and use the 30generated header `pffft_sapi.sapi.h`. An example sandbox policy can be found 31in `main_pffft_sandboxed.cc`. 32 33### For testing: 34`cd build`, then `./pffft_sandboxed` 35 36### For debug: 37display custom info with 38`./pffft_sandboxed --logtostderr` 39 40## ***About the project*** 41 42PFFFT library is concerned with 1D Fast-Fourier Transformations finding a 43compromise between accuracy and speed. It deals with real and complex 44vectors, both cases being illustrated in the testing part (`test_pffft.c` 45for initially and original version, `main_pffft_sandboxed.cc` for our 46currently implemented sandboxed version). 47The original files can be found at: https://bitbucket.org/jpommier/pffft/src.* 48 49The purpose of sandboxing is to limit the permissions and capabilities of 50library’s methods, in order to secure the usage of them. 51After obtaining the sandbox, the functions will be called through an 52Sandbox API (being called `api` in the current test) and so, the 53operations, system calls or namspaces access may be controlled. 54From both `pffft.h` and `fftpack.h` headers, useful methods are added to 55sapi library builded with CMake. There is also a need to link math library 56as the transformations made require mathematical operators. 57Regarding the testing of the methods, one main is doing this job by 58iterating through a set of values, that represents the accuracy of 59transformations and print the speed for each value and type of 60transformation. More specifically, the input length is the target for 61accuracy (named as `n`) and it stands for the number of data points from 62the series that calculate the result of transformation. It is also 63important to mention that the `complex` variable stands for a boolean value 64that tells the type of transformation (0 for REAL and 1 for COMPLEX) and 65it is taken into account while testing. 66In the end, the performance of PFFFT library it is outlined by the output. 67There are two output formats available, from which you can choose through 68`--output_format=` command-line flag. 69Without using this type of argument when running, the output format is set 70by default.* 71 72#### CMake observations resume: 73 74* linking pffft and fftpack (which contains necessary functions for pffft) 75* set math library 76 77#### Sandboxed main observations resume: 78 79* containing two testing parts (fft / pffft benchmarks) 80* showing the performance of the transformations implies 81 testing them through various FFT dimenstions. 82 Variable n, the input length, will take specific values 83 meaning the number of points to which it is set the calculus 84 (more details of mathematical purpose of n - https://en.wikipedia.org/wiki/Cooley%E2%80%93Tukey_FFT_algorithm). 85* output shows speed depending on the input length 86* use `--output_format=0` or `--output_format=1` arguments to choose between output formats. 87 `0` is for a detailed output, while `1` is only displaying each transformation process speed. 88 89### Bugs history 901. [Solved] pffft benchmark bug: "Sandbox not active" 91 92 n = 64, status OK, `pffft_transform` generates error 93 n > 64, status not OK 94 Problem on initialising `absl::StatusOr<PFFFT_Setup *> s;` the memory that stays 95 for s is not the same with the address passed in `pffft_transform` function. 96 (`sapi::v::GenericPtr` - to be changed) 97 98 Temporary solution: change the generated files to accept 99 `uintptr_t` instead of `PFFFT_Setup` 100 101 Solution: using `sapi::v::RemotePtr` instead of `sapi::v::GenericPtr` 102 to access the memory of object `s` 103 1042. [Unresolved] compiling bug: "No space left on device" 105 106 The building process creates some `embed` files that use lots of 107 memory, trying to write them on `/tmp`. 108 109 Temporary solution: clean /tmp directory by `sudo rm -rf /tmp/*` 110