Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to protect an online judge against malicious code?

Tags:

security

In the site Ideone a user uploads code to be run on a remote server. This is similar to the functions of an online judge.

The problem is that users might upload code that attempts to 'hack' the system. I understand that in C and C++ it's easy to disable a certain set of system calls (patch a few .dll's), but I'm not so sure about other languages.

How would you protect your system if you were to support higher level languages (Erlang, Haskell) on the online judge?

like image 461
Lucky Avatar asked Apr 01 '10 16:04

Lucky


2 Answers

Use Ideone API

like image 169
kuszi Avatar answered Oct 17 '22 15:10

kuszi


Run in a sandbox as a non-privileged user. That's not absolutely foolproof, but it makes the bar for doing lasting damage or serious compromise very high. It also does not depend on possible options or modifications to the language run-time in question. If you are dealing with a fully compiled language (that is, no run-time interpreter), you can do this as well.

For example, take Erlang. Set up a chroot jail that contains only what you need to run Erlang. Add a non-privileged user account and home directory. Bring in the code to be run, verify all file/directory permissions, change to the non-privileged UID and run the code.

You can find more detailed instructions on setting up jails in the Wikipedia article referenced above. Procedures and requirements are slightly different for different OSes.

like image 3
mpez0 Avatar answered Oct 17 '22 16:10

mpez0