9

I'm thinking about building a simple online service where people can solve programming exercises by submitting their solution, in form of source code, to my server where it is then interpreted/compiled and executed/tested.

By using the Java VM I could offer support for Java, Scala, Clojure, Ruby, Python and Javascript out of the box. But when I think about it in detail I'm afraid I don't know how to limit a script's resources and permissions.

I mean it should not be able to

  • write to disk
  • create more than X threads
  • run more than X seconds
  • use more than X MB memory
  • execute external applications
  • etc

How can I put each script in a sandbox?

From what I've read the SecurityManager doesn't seem to be able to do all that...

stephanos
  • 3,319
  • 7
  • 33
  • 47
  • 3
    Possible duplication to: [Sandbox against malicious code in a Java application](http://stackoverflow.com/questions/502218/sandbox-against-malicious-code-in-a-java-application) – edwardw Dec 10 '11 at 11:40
  • thanks for the comment! the answers over there look really good :) – stephanos Dec 10 '11 at 12:33
  • 3
    @stephanos: In addition to what can be done on the Java side (SecurityManager etc.), if your server is a Un*x-like system then you could also install Java in a user account (without being root) and put quota on that account, to make sure it shall not consume too much resources. In addition to that, if it were to me, I'd simply use a better sandbox: I'd virtualize a full OS and run the JVM inside a virtual machine. There's no way I'd take the risk of someone hacking into my server(s). Sure, it requires a bit more resource but hardware virtualization is now both performant and ubiquitous. – TacticalCoder Dec 10 '11 at 12:56

3 Answers3

2

Well, you can use some general security system to ensure safe code execution like AppArmor or SELinux. It works not only for java, python, etc. applications, but also for bash-scripts, binary executables and so on. Haven't worked at all with SELinux, but this is a simple example of AppArmor security profile which does everything you mentioned except "running more than X seconds" - this can be done by timeout mechanism (I'm a new user, so cannon post a second link here O_o..)

#include <tunables/global>

/path/to/executable {
  #include <abstractions/base>

  # http://linux.die.net/man/2/setrlimit

  # limit memory (address space)
  set rlimit as <= 150M,
  # limit core dump file http://linux.die.net/man/5/core
  set rlimit core <= 2M,
  # allow to create files only this size at max
  set rlimit fsize <= 1M,
  # limits number of threads (fork bomb won't go! :))
  set rlimit nproc <= 10,
  # program will have access to stuff defined in abstractions/base and 
  # to the file defined below. Nothing else.
  /path/to/file.txt rw,
}

What about putting each script in a sandbox - you can create several identical profiles for script1, script2 etc. This is also the way if you want different permissions for different excercises people will solve on your site.

And this is an example of using timeout:

$sudo apt-get install timeout
$timeout 3 ./binary #limits execution of ./binary to 3 seconds

I also want to recommend you limit compilation time for compiled proramming languages if you have any. For example, in C++ someone can write a tricky template or 

#include </dev/urandom>

That will cause cpu-intensive work at compile-time.

Ixanezis
  • 1,631
  • 13
  • 20
1

You can use the java scripting API. Many languages can be used as script, Java too. Also it does not require much programming to wrap a language with the scripting API. http://worldwizards.blogspot.com/2009/08/java-scripting-api-sandbox.html indicates how to provide sandboxing.

Joop Eggen
  • 107,315
  • 7
  • 83
  • 138
0

You have described a JVM port that is similar to the whitelisted classes enabled by the google app engine.

There is an excellent explanation of how you could sandbox a JVM here : How does google app engine sandbox work?

Community
  • 1
  • 1
jayunit100
  • 17,388
  • 22
  • 92
  • 167