I am building a web based interface where people can type in simple C code for solving algorithmic programming questions. I am using Ace editor where people can type in code and when they press the run button, the C code is sent to the server, compiled and the output sent back.
How do I accomplish the second part in a secure way? I mean, given a C code file, compile it and execute it. I can't trust the code, so how do I make sure it's not malicious and will not harm my system? Also, how do I impose memory and time limits?
Is there any existing open source system available which I can modify to suit my needs? I didn't find anything in my search. Or some pointers on how I should proceed next?
Edit: Found http://cs.sru.edu/~contest/rocktest/ and am trying to understand their code, but still looking for better options, preferably in PHP.
Allow me to plug AppArmor, a simple mandatory access control mechanism that can make creating these sorts of sandboxes simple. Here is a profile I have in place to confine my xpdf PDF viewer:
#include <tunables/global>
/usr/bin/xpdf {
    #include <abstractions/base>
    #include <abstractions/bash>
    #include <abstractions/X>
    #include <abstractions/fonts>
    /dev/tty rw,
    owner /dev/pts/* rw,
    /etc/papersize r,
    /etc/xpdf/* r,
    /bin/bash ix,
    /usr/bin/xpdf r,
    /usr/bin/xpdf.bin rmix,
    /usr/share/xpdf/** r,
    /usr/share/icons/** r,
    owner /**.pdf r,
    owner /tmp/* rw,
}
You could learn the basics of confining applications of your choice in half a day or so, and have profiles written for your server in another half day. (That xpdf profile took me about four minutes to write, but I know what I'm doing. We have deployed AppArmor on a leading online retailer's public-facing servers over the course of an afternoon, with similar results with other deployments.)
AppArmor also gives an easy interface for configuring run-time limits, such as how much memory a process is allowed to allocate:
    set rlimit as <= 100M,   # limit address space to 100 megabytes
AppArmor would be easiest to use on Ubuntu, openSUSE, SLES, PLD, Mandriva, Pardus, or Annvix distributions, as the tools come pre-installed. But the core AppArmor functionality is in stock Linux kernels 2.6.36 and newer, and it is possible to install AppArmor on any Linux distribution.
Other similar tools include SELinux, TOMOYO, or SMACK. I think SMACK would be the next-easiest to deploy, but any of them could prevent malicious code from harming your system.
I recommend the Ideone API: http://ideone.com/api
You'll have to execute the code in a sandboxed environment. There is a similar question on SO that might help.
You could also run some virtual machines to execute the code, but that's basically an example of sandboxing - just a bit heavy.
Run the code in a sandbox - a virtual machine.
In addition to that I would remove access to any system calls and only allow calls to the standard C libraries. Also, replace any unsafe library calls with your own calls that check the input and delegate safe inputs to the real functions (in particular for malloc you would want to put an upper bound on how much each program can allocate).
If you do the above, just one virtual machine should be enough for everyone's code.
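Replacing library functions with checked wrappers only constrains code that goes through the library; a submission can issue a system call itself with inline assembly or syscall(). On Linux the kernel-enforced way to "remove access to any system calls" is a seccomp-BPF allow list, shown here as an added example that is not code from the answer above. The list of permitted calls is this example's own assumption, sized for the direct syscalls the demo functions make (stdio-style read/write, memory mapping, signal return, exit); a real solution binary also needs whatever its C runtime's startup uses, and if the filter is installed in a launcher before execv() it must also permit execve, so derive the final list by running your reference solutions under strace -f. The helper names install_solution_filter and run_under_filter are likewise the example's own.

```c
// Added example (not part of the original answer): a seccomp-BPF allow list
// for untrusted solution code. Linux only. Anything outside the list kills
// the process with SIGSYS.
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef SECCOMP_RET_KILL_PROCESS          /* older kernel headers */
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif

#if defined(__x86_64__)
#  define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#  error "add the AUDIT_ARCH_* value for this CPU"
#endif

/* Two BPF instructions: if nr == NR, return ALLOW; otherwise fall through. */
#define ALLOW_SYSCALL(NR) \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (NR), 0, 1), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)

/* Installs the allow list in the calling process. Returns 0, or -1 with
 * errno set if the kernel refused it. Assumed list: extend it from strace
 * output for your real solution binaries. */
int install_solution_filter(void)
{
    struct sock_filter prog[] = {
        /* Kill binaries built for another ABI (e.g. a 32-bit solution). */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* Load the syscall number and walk the allow list. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        ALLOW_SYSCALL(SYS_read),         ALLOW_SYSCALL(SYS_write),
        ALLOW_SYSCALL(SYS_exit),         ALLOW_SYSCALL(SYS_exit_group),
        ALLOW_SYSCALL(SYS_brk),          ALLOW_SYSCALL(SYS_mmap),
        ALLOW_SYSCALL(SYS_munmap),       ALLOW_SYSCALL(SYS_mremap),
        ALLOW_SYSCALL(SYS_fstat),        ALLOW_SYSCALL(SYS_lseek),
        ALLOW_SYSCALL(SYS_close),        ALLOW_SYSCALL(SYS_rt_sigreturn),
        ALLOW_SYSCALL(SYS_rt_sigaction), ALLOW_SYSCALL(SYS_rt_sigprocmask),
        ALLOW_SYSCALL(SYS_getrandom),    ALLOW_SYSCALL(SYS_clock_gettime),
        /* Anything else (open, socket, fork, execve, ...): kill the process. */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    };
    struct sock_fprog fprog = {
        .len = (unsigned short)(sizeof prog / sizeof prog[0]),
        .filter = prog,
    };
    /* Required before an unprivileged process may install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog) ? -1 : 0;
}

/* Demo helper: run fn() under the filter in a child. Returns the exit status,
 * or -signal if the child was killed (SIGSYS for a blocked syscall). */
int run_under_filter(void (*fn)(void))
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (install_solution_filter())
            _exit(127);
        fn();
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -WTERMSIG(status);
}

/* stdio-style work the allow list permits. */
void allowed_work(void)
{
    static const char msg[] = "hello from the sandbox\n";
    syscall(SYS_write, 1, msg, sizeof msg - 1);
}

/* Network access is not on the list, so this is killed with SIGSYS. */
void forbidden_work(void)
{
    syscall(SYS_socket, 2 /* AF_INET */, 1 /* SOCK_STREAM */, 0);
}

int main(void)
{
    printf("allowed:   %d\n", run_under_filter(allowed_work));
    printf("forbidden: %d (expect %d, i.e. -SIGSYS)\n",
           run_under_filter(forbidden_work), -SIGSYS);
    return 0;
}
```

Combine this with resource limits and an unprivileged uid rather than using it alone: seccomp decides which calls are made, not how much CPU or memory they consume.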
I will be using uevalrun:
"The primary use case for uevalrun is evaluation of solution programs submitted by contestants of programming contests: uevalrun compiles the solution, runs it with the test input, compares its output against the expected output, and writes a status report."