0

I had asked some questions about developing an online judge sometime ago on stackoverflow and I found quite a few good answers to that. I've started working on developing one and I seem to have run into a major flaw in my code.

The user submitted source will be compiled on the server. This is done by exec()ing gcc in a forked process. Now I set a resource limit on the CPU time and on exceeding that, a SIGXCPU signal is sent to the process. All is fine till now. But suppose someone writes a malicious code that handles the SIGXCPU code itself, it would then continue running on the server and maybe open up a way for someone to take on remote control of the server.

So what am I missing here? There must be someway this can be prevented.

The basic prototype of the compiling module goes like this:


int main()
{
    int pid;
    int rv;

    if (!( pid=fork() ))
    {
        struct rlimit limit;
        getrlimit(RLIMIT_CPU, &limit);

        limit.rlim_cur = 1;

        setrlimit(RLIMIT_CPU, &limit);

       //execl() with gcc and source file name
    }
    else if(pid)
    {
        wait(&rv);
    }
    else
        printf("Error forking\n");

    return 0;
}

and if the source file contains something like 


void handler(int signum)
{
    if (signum == SIGXCPU)
        printf("Caught SIGXCPU signal\n");
}

int main()
{
signal(SIGXCPU, handler);
while(1);
return 0;
}

...this is big trouble

user108127
  • 486
  • 1
  • 5
  • 14
  • I wouldn't want to be validating what is essentially portable machine-code from external sources ... Good luck! – Aiden Bell Jun 25 '09 at 17:54
  • For other sandboxing tips see: http://stackoverflow.com/questions/1019707/sandboxing-in-linux – mark4o Jun 26 '09 at 01:47

2 Answers2

1

On linux, specifically, a user could do what you say. But linux will send sigkill to the process if the hard limit is reached(as opposed to the soft limit you've set), and that will terminate the process.

(Remember though, you really really need to run your stuff in a chrooted environment)

nos
  • 223,662
  • 58
  • 417
  • 506
  • I think I get the idea. I will chroot to the directory of my code and then set a hard limit. Correct me if I'm wrong. I think this will have some effect on the include paths though. – user108127 Jun 25 '09 at 18:30
  • It will. You should replicate a minimalistic environment, containing just what's neeeded to compile/run the stuff you want in the chrooted environment.(sort of a mini,mini linux installation containing only the compiler/headers and other small pieces in its own directory) – nos Jun 25 '09 at 18:59
1

Wow. Having thought about this daunting undertaking for all of about 7 minutes I apologize in advance for anything stupid I am about to say.

Is this going to be something like UVA Judge?

If the goal is to allow relatively simple programs to run without allowing malicious users destroying your system then it seems you need to be more proactive than this or you will be patching holes until the end of time.

At a minimum I think you would need to strip out user header files and substitute one of your own that contains the minimum functionality. Disallow assembler. Use a modified stdlib and/or kernel that no-ops or kills the process on any attempted syscall(), etc.

There is an awful lot to consider here.

Duck
  • 26,924
  • 5
  • 64
  • 92