Malicious code in Online Judge [closed]

0

I'm creating an online judge, such as Spoj, UVa and others. I have the web part, made in PHP, where it is possible to submit the codes, and I have a Python server that receives them, executes the code and returns the program result (AC, WA, TLE, RTE). What I need now is to handle the incoming codes so that it is not possible to run OS commands. I did not want to have to go through the whole code and check whether there is any function I do not allow, because that would be a lot of work: with every new language I added to my OJ, I would have to find out what the malicious functions are.

Any ideas how to do this?

asked by anonymous 17.02.2015 / 15:04

1 answer

2

Predicting all the situations you are going to face is very difficult; the most practical thing is to write the code so as to allow certain situations, and everything outside of them cannot be executed.

Working with a blacklist is practically unworkable; I suggest you work with a whitelist and/or an expression validator to validate the types of expressions that can be executed.

The list of reserved words of any language can be easily found on the internet.

In addition, you can also restrict some types of execution based on the configuration of your environment (do not run code as admin, do not give permission to write to folders, etc.).

Another concern would be cross-site scripting and path traversal (which would allow reading your configuration files, for example); you can find a reference to these types of attacks here: link

Well, it's not an easy task to design software to perform specific actions, and designing software to run software is much harder. If I had to choose a path, I would go with the least-privilege rule, which basically says to design the code so that it runs with the least possible privilege.

A good general security book:

link

17.02.2015 / 17:04
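As an added example (not code from the question or the answer), here is how the Python judge server could combine the answer's three points for Python submissions: a whitelist of importable modules checked on the AST as the first gate, then execution under OS resource limits (CPU, memory, no file writes, no fork) and, when the judge itself runs as root, as an unprivileged user. The ALLOWED_IMPORTS set, the uid/gid 65534 and the "CE" verdict for rejected code are assumptions made here.

```python
import ast, os, resource, signal, subprocess, sys, tempfile

# Modules a Python submission may import (assumption: tune this per judge).
ALLOWED_IMPORTS = {"math", "sys", "collections", "itertools", "functools", "heapq", "bisect"}

def check_imports(source):
    """Whitelist gate: reject imports outside ALLOWED_IMPORTS (first filter only; OS limits contain it)."""
    try:
        tree = ast.parse(source)
    except SyntaxError as e:
        return False, f"syntax error: {e.msg}"
    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            mods = [node.module or ""] if isinstance(node, ast.ImportFrom) else [a.name for a in node.names]
            for mod in mods:
                if mod.split(".")[0] not in ALLOWED_IMPORTS:
                    return False, f"import not allowed: {mod}"
    return True, "ok"

def _least_privilege(cpu_seconds, mem_bytes):
    """Runs in the child before exec: drop root if we have it, then cap resources."""
    if os.geteuid() == 0:                    # assumption: 65534 is the unprivileged 'nobody' uid/gid
        os.setgroups([]); os.setgid(65534); os.setuid(65534)
    resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds + 1))  # SIGXCPU when exceeded
    resource.setrlimit(resource.RLIMIT_AS, (mem_bytes, mem_bytes))           # address-space cap
    resource.setrlimit(resource.RLIMIT_FSIZE, (0, 0))                        # no file writes
    resource.setrlimit(resource.RLIMIT_NPROC, (1, 1))                        # no fork()

def run_submission(source, stdin_data, expected, cpu_seconds=1, mem_bytes=512 * 2**20):
    """Return (verdict, detail); verdict is CE (rejected by whitelist), AC, WA, TLE or RTE."""
    ok, why = check_imports(source)
    if not ok:
        return "CE", why
    with tempfile.TemporaryDirectory() as box:
        os.chmod(box, 0o755)                 # readable, but not writable, by the unprivileged uid
        path = os.path.join(box, "main.py")
        with open(path, "w") as f:
            f.write(source)
        os.chmod(path, 0o644)
        try:
            p = subprocess.run([sys.executable, "-I", path], input=stdin_data, text=True,
                               capture_output=True, cwd=box, timeout=3 * cpu_seconds,
                               preexec_fn=lambda: _least_privilege(cpu_seconds, mem_bytes))
        except subprocess.TimeoutExpired:
            return "TLE", "wall-clock limit exceeded"
    if p.returncode == -signal.SIGXCPU:
        return "TLE", "cpu limit exceeded"
    if p.returncode != 0:
        return "RTE", f"exit status {p.returncode}"
    return ("AC" if p.stdout.strip() == expected.strip() else "WA"), p.stdout
```

The AST check only narrows what a submission can ask for; the rlimits and the unprivileged uid are what actually contain it, and a production judge would layer a container or similar OS-level sandbox on top of them.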