Hacker News new | comments | show | ask | jobs | submit login
Ask HN: Securely run code uploaded by users
8 points by tixocloud 69 days ago | hide | past | web | favorite | 11 comments
Hi,

Just wondering if anyone has expertise on how to securely run code uploaded or typed in by users. I am curious about how those online coding environments are able to work securely without the worry of the server environment being attacked.

A thought I had was using Docker as a means to run the code.

Thanks!




See blog post on golang playground:

https://blog.golang.org/playground

NodeJS also includes a sandbox in its standard lib. And there are more advanced versions out there:

https://github.com/patriksimek/vm2

Good luck and be careful ;)


Thanks - is there an equivalent for Python and R?


I'm trying to be very careful ;)


I wrote a pretty in depth blog on how I run Node.js code for my SaaS at https://medium.freecodecamp.org/running-untrusted-javascript...


This is close to perfect from what I had originally envisioned with a Docker container. Thank you! If you don't mind, may I ask some questions if I do get stuck? It's my first time working with Docker.


No problem, ask away. My email is info@checklyhq.com


I'm not an expert by any means but two things that come to mind are:

1. Run your users code outside of your secured network. If you have a network with a VPC, make sure you're not running users code within your VPC.

2. Restrict network access. If the code doesn't need to talk with the outside world, don't allow egress traffic.


It helps to define the types of possible attacks, there are thee generally;

1. Accessing and exploiting system resources like file system, network stack etc. Generally this can be mitigated by providing a method to whitelist api calls. Jvm security manager has this capability.

2. Exhaust memory by abusing heap allocation. Some os have the capability to limit memory usage per process. Some language run times can like jvm maxheap flag. Note this is per process, not per user request/script.

3. Hog the cpu, starving other process/requests/scripts. Again there are os level abilities to limit cpu per process, again not for individual request/script.

I don’t know of any language/runtime that covers these three areas, if you do, or if I missed anything, please share!


Possibly requiring state-actor level of expertise, but I'd be paranoid about escaping the container / vm and gaining elevated privileges ;)

Sandbox will in all probability be running alongside application code so the risk is an attacker gaining complete covert control!


I was once thinking of implementing such an online judge. Looking through the existing implementations, most restrict the syscalls available to the untrusted process, and run in a chroot.

On freebsd, you'd use something like capsicum. On linux, something like seccomp. Although, nowadays I imagine people would think of just running in a VM or a container.


Docker has apparmor and secco o profiles. Apart from the default, you can monitor for syscalls and build a custom, pet app profile. Couple that with proper mount perms, drop root user, monitor for outgoing connections and write proper firewall rules (cillium can be used to write bpf rules) and you are pretty secure. You need time, attention to detail and multiple iterations to distill the profiles for each layer.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: