How to protect an online judge against malicious code?

In the site Ideone a user uploads code to be run on a remote server. This is similar to the functions of an online judge.

The problem is that users might upload code that attempts to 'hack' the system. I understand that in C and C++ it's easy to disable a certain set of system calls (patch a few .dll's), but I'm not so sure about other languages.

How would you protect your system if you were to support higher level languages (E开发者_StackOverflowrlang, Haskell) on the online judge?

---

Use Ideone API

---

Run in a sandbox as a non-privileged user. That's not absolutely foolproof, but it makes the bar for doing lasting damage or serious compromise very high. It also does not depend on possible options or modifications to the language run-time in question. If you are dealing with a fully compiled language (that is, no run-time interpreter), you can do this as well.

For example, take Erlang. Set up a chroot jail that contains only what you need to run Erlang. Add a non-privileged user account and home directory. Bring in the code to be run, verify all file/directory permissions, change to the non-privileged UID and run the code.

You can find more detailed instructions on setting up jails in the Wikipedia article referenced above. Procedures and requirements are slightly different for different OSes.