Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Disable system() and exec() function in C and Pascal

Is there any way to disable system() and exec() function in C/C++ and Pascal, by using any compiler argument or modifying header/unit file? (It's a Windows)

I've tried using -Dsystem=NONEXIST for gcc and g++ but #include <cstdio> causes compile error.

EDIT: Of course I know they can use #undef system to bypass the defense, so I've tried to comment out the system function line in stdlib.h, but that doesn't work too.

EDIT2 (comment): It's a system, to which users submit their programs and the server compile and run it with different input data, then compare the program output with pre-calculated standard output to see if the program is correct. Now some users send code like system("shutdown -s -t 0"); to shutdown the server.

The server is running Windows system so I don't have any chroot environment. Also the server application is closed-source so I can do nothing to control how the program submitted by user is executed. What I can do is to modify the compiler commandline argument and modify header files.

like image 241
hexchain Avatar asked Jan 19 '23 09:01

hexchain


1 Answers

Well, you could try:

#define system DontEvenThinkAboutUsingThisFunction
#define exec   OrThisOneYouClown

in a header file but I'm pretty certain any code monkey worth their salt could bypass such a "protection".

I'd be interested in understanding why you thought this was necessary (there may be a better solution if we understood the problem better).

The only thing that comes to mind is that you want to provide some online compiler/runner akin to the Euler project. If that was the case, then you could search the code for the string system<whitespace>( as an option but, even then, a determined party could just:

#define InoccuousFunction system

to get around your defenses.

If that is the case, you might want to think about using something like chroot so that no-one can even get access to any dangerous binaries like shutdown (and that particular beast shouldn't really be runnable by a regular user anyway) - in other words, restrict their environment so that the only things they can even see are gcc and its kin.

You need to do proper sandboxing since, even if you somehow prevented them from running external programs, they may still be able to do dangerous things like overwite files or open up socket connections to their own box to send through the contents of your precious information.

like image 112
paxdiablo Avatar answered Jan 27 '23 19:01

paxdiablo