Malicious Code in Online Judge

Question

Malicious Code in Online Judge

Asked 9 years, 7 months ago

Viewed 144 times

0

I’m creating an online Judge, like Spoj, Uva and others. I already have my Web part, which was done in PHP, where it is possible to submit the codes and I have a server in Python that receives them, executes the code and returns the result of the program (AC, WA, TLE, RTE). But what I need now is to handle the incoming codes, so it is not possible for example to execute OS command. I didn’t want to have to go through the entire code and keep checking if there is any function that I don’t allow, because that way it would be a lot of work, because every new language I add to my OJ, I would have to figure out what the malicious functions are.

Any idea how to do that ?

If possible explain better what you intend to do, give more details, because the question is currently difficult to understand where you want to go.

– stderr

2015/02/17 at 15:32
I need that when the codes arrive in my server in Python they are treated in some way, to avoid malicious code. How to execute OS commands, tinker with files, open Sockets and Threads. All this has to be avoided.

– Gabriel Duarte

2015/02/17 at 15:38

1 answer

Browser other questions tagged php

You are not signed in. Login or sign up in order to post.

by Intruso • **1,625** points · Answer 1 · 2015-02-17T16:04:28+00:00

Foreseeing all the situations you will face is very difficult, the most practical is to create the code in a way that only allow certain situations and everything that is outside, can not be executed.

Working with a black list is virtually impossible, I suggest you work with a white list and/or an expression validator to validate the types of expressions that can be executed.

The reserved word list of any language can be found easily on the internet.

In addition, you can also restrict some types of executions based on your environment configuration (do not run code as Administer, do not give write permission in folders, etc).

Another concern would be XSS (cross side scripting) and Cross Path (which would allow you to read your configuration files, for example), you can find a reference to these types of attacks here: https://www.owasp.org/

You see, it’s not an easy task designing software to perform specific actions, designing software to run software is much more difficult, if you had to choose a path, you would go by the rule of least privilege, which basically says to design the code so that it runs with the lowest possible privilege.

A good general book on security:

http://www.saraiva.com.br/como-quebrar-codigos-a-arte-de-explorar-e-proteger-software-182830.html