16

How does Google App Engine sandbox work?

What would I have to do to create my own such sandbox (to safely allow my clients to run their apps on my engine without giving them the ability to format my disk drive)? Is it just class loader magic, byte manipulation or something?

Ryan A.
  • 411
  • 4
  • 13
Shahbaz
  • 10,395
  • 21
  • 54
  • 83
  • 1
    i removed gas tag because i don't think it stands for google application sandbox, and i don't think gnu assembler is related to this question. – Peter Recore Aug 04 '09 at 03:45
  • Sorry, I might have mistyped something, I created this question through a keyboardless portable device. – Shahbaz Aug 04 '09 at 04:04

3 Answers3

9

You would probably need a combination of a restrictive classloader and a thorough understanding of the Java Security Architecture. You would probably run your JVM with a very strict SecurityManager specified.

Peter Recore
  • 14,037
  • 4
  • 42
  • 62
  • 1
    Important note - SecurityManager does NOT allow you to restrict heap memory usage or CPU usage. You have no other choice than to spawn separate processes for each such task/script. – Zorkus Oct 27 '11 at 06:26
2

In the Java case, I think it's mostly done by restricting the available libraries. Since Java doesn't have pointer concept, and you can't upload natively compiled code (only JVM bytecode), you can't break out of the sandbox. Add some tight process scheduling, and you're done!

I guess The hardest part is to pick the libraries, to make it useful while staying safe.

In the Python case, they had to modify the VM itself, because it wasn't designed with safety in mind. Fortunately, they have Guido himself to do it.

Javier
  • 60,510
  • 8
  • 78
  • 126
0

to safely allow my clients to run their apps on my engine without giving them the ability to format my disk drive

This can be easily achieved using the Java Security Manager. Refer this answer for an example.

Community
  • 1
  • 1
instantsetsuna
  • 9,183
  • 8
  • 25
  • 28