Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Online c# interpreter security issues

Tags:

c#

security

interpretation

runtime-compilation

I am toying around with the idea of building an online C# interpreter, a bit like Codepad. Now there are obvious security issues:

  • Infinite loops
  • System.Diagnostics.Process.Start
  • Pretty much the whole System.IO namespace

My knowledge of C# isn't exactly insignificant, but I'm sure there are a lot that know much more about it, plus the stuff I didn't think about. What would you be careful about?

A few precisions, I plan on running this on a small Linux VPS using Mono.

like image 381
Alex Turpin Avatar asked Mar 01 '11 23:03

Alex Turpin

People also ask

Can we run C program online?

C Language online compiler Write, Run & Share C Language code online using OneCompiler's C online compiler for free. It's one of the robust, feature-rich online compilers for C language, running the latest C version which is C18. Getting started with the OneCompiler's C editor is really simple and pretty fast.

4 Answers

Use Mono's Compiler as service capability. It can be compiled to a Silverlight compatible DLL (client profile), and has been already, which you can checkout. That should address some of your concerns about IO.

like image 97
Mark H Avatar answered Oct 13 '22 20:10

Mark H

Reflection comes to mind, since you could go from GetType() to Assembly to just about anything you want.

like image 21
StriplingWarrior Avatar answered Oct 13 '22 18:10

StriplingWarrior

Actually user code can do anything. it would be hard to tackle special cases. In my opinion the best way to go is:

a) create sandbox appdomain with execution permission only. This ensures a lot of things like inability to mess with file system or make calls to native libraries.

b) create new process and start your appdomain in it.

Then monitor process tightly for memory and cpu consumption. If anything goes wrong - kill it. Note that it's the process you can kill, not appdomain. With appdomain you can try to unload it, but if malicious code running in finally clause then it wouldn't work.

There are still some (known to me) issues with this:

  • Be careful where you place user compiled assemblies. Actually even in least privileged appdomain user code will be able to load assemblies that are in the same directory and execute them.
  • I mentioned you should monitor process tightly. Code (running in finally clause) which spawns threads in infinite loop, where each thread does the same grabs memory extremely fast (at my observations). if an attacker decides to make dos attack with such code - who knows what happens:) Perhaps one way to leverage this is to start user process with low priority so that supervising threads have a chance of proper monitoring in a loaded system.

So all in all there is a risk anyway. i was toying around with this idea too and here is the current result: rundotnet

like image 25
ren Avatar answered Oct 13 '22 20:10

ren

Check out this link, and you will be able to learn somethings on online C# interpreters, try out some things and read the output exceptions to see how they made it.

http://rextester.com/NWDF62346

like image 20
Shimmy Weitzhandler Avatar answered Oct 13 '22 20:10

Shimmy Weitzhandler
Sign in to Comment

Related questions

Redundancy algorithm for reading noisy bitstream
Maximize application in system tray?
Custom TypeConverter with variable StandardValues
Asp.Net C# DllImport problem
Which is better? private static vs private
How to increase the POST size for an ASMX web service?
C# change dpi of an uploaded image
Is it possible to get container type in AutoFac
Datagrid MVVM Scroll into view
Entity framework code first class relationships
WebException.Response.GetResponseStream() limited to 65536 characters
Mono.Cecil something like Type.GetInterfaceMap?
Does Dictionary.Keys.List()[i] correspond to Dictionary.Values.ToList()[i]?
What is the point of using ints as enums
Can't catch exception caused by C dll called via PInvoke
Cache static class's Data in Silverlight
OOP design question on inheritance and operator overloading
Using different references in Visual Studio 2010 for different build platforms?
references to Func's of different types
Which exception should be thrown?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!