    <p>Some time ago I was searching for a sandbox solution to use in an automated assignment evaluation system for CS students. Much like everything else, there is a trade-off between the various properties:</p> <ul> <li>Isolation and access control granularity</li> <li>Performance and ease of installation/configuration</li> </ul> <p>I eventually decided on a multi-tiered architecture, based on Linux:</p> <ul> <li><p><strong>Level 0 - Virtualization:</strong></p> <p>By using one or more virtual machine snapshots for all assignments within a specific time range, it was possible to gain several advantages:</p> <ul> <li><p>Clear separation of sensitive from non-sensitive data.</p></li> <li><p>At the end of the period (e.g. once per day or after each session) the VM is shut down and restarted from the snapshot, thus removing any remnants of malicious or rogue code.</p></li> <li><p>A first level of computer resource isolation: each VM has limited disk, CPU and memory resources and the host machine is not directly accessible.</p></li> <li><p>Straightforward network filtering: By having the VM on an internal interface, the firewall on the host can selectively filter the network connections.</p> <p>For example, a VM intended for testing students of an introductory programming course could have all incoming and outgoing connections blocked, since students at that level would not have network programming assignments. At higher levels the corresponding VMs could e.g. 
have all outgoing connections blocked and allow incoming connections only from within the faculty.</p></li> </ul> <p>It would also make sense to have a separate VM for the Web-based submission system - one that could upload files to the evaluation VMs, but do little else.</p></li> <li><p><strong>Level 1 - Basic operating-system constraints:</strong></p> <p>On a Unix OS that would contain the traditional access and resource control mechanisms:</p> <ul> <li><p>Each sandboxed program could be executed as a separate user, perhaps in a separate <code>chroot</code> jail.</p></li> <li><p>Strict user permissions, possibly with ACLs.</p></li> <li><p><code>ulimit</code> resource limits on processor time and memory usage.</p></li> <li><p>Execution under <code>nice</code> to reduce priority over more critical processes. On Linux you could also use <a href="http://linux.die.net/man/1/ionice" rel="nofollow noreferrer"><code>ionice</code></a> and <a href="http://cpulimit.sourceforge.net/" rel="nofollow noreferrer"><code>cpulimit</code></a> - I am not sure what equivalents exist on other systems.</p></li> <li><p>Disk quotas.</p></li> <li><p>Per-user connection filtering.</p></li> </ul> <p>You would probably want to run the compiler as a slightly more privileged user; more memory and CPU time, access to compiler tools and header files etc.</p></li> <li><p><strong>Level 2 - Advanced operating-system constraints:</strong></p> <p>On Linux I consider that to be the use of a Linux Security Module, such as <a href="http://en.wikipedia.org/wiki/AppArmor" rel="nofollow noreferrer">AppArmor</a> or <a href="http://en.wikipedia.org/wiki/Security-Enhanced_Linux" rel="nofollow noreferrer">SELinux</a> to limit access to specific files and/or system calls. 
Some Linux distributions offer some sandboxing security profiles, but it can still be a long and painful process to get something like this working correctly.</p></li> <li><p><strong>Level 3 - User-space sandboxing solutions:</strong></p> <p>I have successfully used <a href="http://www.systrace.org/" rel="nofollow noreferrer">Systrace</a> on a small scale, as mentioned in <a href="https://stackoverflow.com/a/4249228/507519">this older answer of mine</a>. There are several other sandboxing solutions for Linux, such as <a href="http://sourceforge.net/projects/libsandbox/" rel="nofollow noreferrer">libsandbox</a>. Such solutions may provide more fine-grained control over the system calls that may be used than LSM-based alternatives, but can have a measurable impact on performance.</p></li> <li><p><strong>Level 4 - Preemptive strikes:</strong></p> <p>Since you will be compiling the code yourself, rather than executing existing binaries, you have a few additional tools in your hands:</p> <ul> <li><p>Restrictions based on code metrics; e.g. a simple "Hello World" program should never be larger than 20-30 lines of code.</p></li> <li><p>Selective access to system libraries and header files; if you don't want your users to call <code>connect()</code> you might just restrict access to <code>socket.h</code>.</p></li> <li><p>Static code analysis; disallow assembly code, "weird" string literals (i.e. shell-code) and the use of restricted system functions.</p></li> </ul> <p>A competent programmer might be able to get around such measures, but as the cost-to-benefit ratio increases they would be far less likely to persist.</p></li> <li><p><strong>Level 0-5 - Monitoring and logging:</strong></p> <p>You should be monitoring the performance of your system and logging all failed attempts. 
Not only would you be more likely to interrupt an in-progress attack at a system level, but you might be able to make use of administrative means to protect your system, such as:</p> <ul> <li><p>calling whatever security officials are in charge of such issues.</p></li> <li><p>finding that persistent little hacker of yours and offering them a job.</p></li> </ul></li> </ul> <p>The degree of protection that you need and the resources that you are willing to expend to set it up are up to you.</p>
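<p>An added example, not part of the original answer: the <code>ulimit</code> and <code>nice</code> items of Level 1 applied to a single child process from a Python grading harness. The limit values, the verdict strings and the names <code>run_limited</code>, <code>_cap</code> and <code>_apply_limits</code> are assumptions made for this sketch; the separate user, <code>chroot</code>, quotas and connection filtering from the same list are outside its scope.</p>

```python
import os
import resource
import signal
import subprocess

# Constructed limits; every value is an assumption to tune per assignment.
CPU_SECONDS = 1                       # like `ulimit -t`
ADDRESS_SPACE = 1024 * 1024 * 1024    # like `ulimit -v`, in bytes here
MAX_FILE_BYTES = 1024 * 1024          # like `ulimit -f`, in bytes here
WALL_CLOCK_SECONDS = 20               # catches programs that sleep instead of spin


def _cap(res, soft, hard=None):
    """Lower one rlimit, never asking for more than the inherited hard limit."""
    hard = soft if hard is None else hard
    _, ceiling = resource.getrlimit(res)
    if ceiling != resource.RLIM_INFINITY:
        soft, hard = min(soft, ceiling), min(hard, ceiling)
    resource.setrlimit(res, (soft, hard))


def _apply_limits():
    """Runs in the child after fork and before exec, so only the child is limited."""
    _cap(resource.RLIMIT_CPU, CPU_SECONDS, CPU_SECONDS + 1)  # SIGXCPU, then SIGKILL
    _cap(resource.RLIMIT_AS, ADDRESS_SPACE)
    _cap(resource.RLIMIT_FSIZE, MAX_FILE_BYTES)
    _cap(resource.RLIMIT_CORE, 0)     # no core dumps left on disk
    os.nice(19)                       # lowest priority, as with `nice -n 19`


def run_limited(argv, stdin_data=b""):
    """Run argv under the limits and return (verdict, stdout)."""
    try:
        proc = subprocess.run(
            argv, input=stdin_data, stdout=subprocess.PIPE,
            stderr=subprocess.DEVNULL, preexec_fn=_apply_limits,
            timeout=WALL_CLOCK_SECONDS)
    except subprocess.TimeoutExpired:
        return "wall-clock-timeout", b""
    if proc.returncode == 0:
        return "ok", proc.stdout
    if proc.returncode == -signal.SIGXCPU:
        return "cpu-limit", proc.stdout
    if proc.returncode < 0:
        return f"signal-{-proc.returncode}", proc.stdout
    return "runtime-error", proc.stdout
```

<p>The verdict is what the monitoring level would log: a run that ends in <code>cpu-limit</code> or <code>wall-clock-timeout</code> is a failed attempt worth recording next to the submission.</p>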
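<p>An added example, not part of the original answer: a pre-compilation check for C submissions covering the three Level 4 items (a line-count metric, restricted headers, and static checks for inline assembly, restricted calls and escape-heavy string literals). The policy values and the names <code>check_submission</code> and <code>_blank</code> are assumptions, and the sample sources in the checks are constructed. It is a regex heuristic rather than a parser, in keeping with the answer's remark that such measures raise the cost instead of guaranteeing anything.</p>

```python
import re

# Constructed policy for an introductory assignment; every value is an assumption.
MAX_CODE_LINES = 30
BANNED_HEADERS = {"sys/socket.h", "netinet/in.h", "arpa/inet.h"}
BANNED_CALLS = {"system", "popen", "fork", "execve", "socket", "connect"}
MAX_HEX_ESCAPES = 4  # hex escapes tolerated in one string literal

# Comments, string literals and character literals, matched in source order.
TOKEN = re.compile(r'//[^\n]*|/\*.*?\*/|"(?:\\.|[^"\\\n])*"|'
                   r"'(?:\\.|[^'\\\n])*'", re.S)
INCLUDE = re.compile(r'^[ \t]*#[ \t]*include[ \t]*[<"]([^>"\n]+)[>"]', re.M)
ASM = re.compile(r'\b(?:asm|__asm|__asm__)\b')
CALL = re.compile(r'\b([A-Za-z_]\w*)\s*\(')
HEX_ESCAPE = re.compile(r'\\x[0-9A-Fa-f]{1,2}')


def _blank(text):
    """Replace everything except newlines with spaces so line counts survive."""
    return re.sub(r'[^\n]', ' ', text)


def check_submission(source):
    """Return a sorted list of policy findings for one C source file."""
    findings = set()
    # Pass 1: drop comments but keep literals, so #include "x.h" stays visible.
    no_comments = TOKEN.sub(
        lambda m: _blank(m.group(0)) if m.group(0)[0] == '/' else m.group(0),
        source)
    # Pass 2: collect literals, then blank them so their text is not read as code.
    literals = []
    def take_literal(m):
        literals.append(m.group(0))
        return _blank(m.group(0))
    code = TOKEN.sub(take_literal, no_comments)
    code_lines = sum(1 for line in no_comments.splitlines() if line.strip())
    if code_lines > MAX_CODE_LINES:
        findings.add(f"too-long:{code_lines}")
    for header in INCLUDE.findall(no_comments):
        if header.strip() in BANNED_HEADERS:
            findings.add(f"banned-header:{header.strip()}")
    if ASM.search(code):
        findings.add("inline-asm")
    for name in CALL.findall(code):
        if name in BANNED_CALLS:
            findings.add(f"banned-call:{name}")
    for literal in literals:
        if len(HEX_ESCAPE.findall(literal)) >= MAX_HEX_ESCAPES:
            findings.add("escape-heavy-literal")
    return sorted(findings)
```

<p>A submission with findings is rejected before the compiler runs; a restricted name that appears only inside a comment or a string literal is not reported.</p>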