Run user code safely

I have to mark C code and part of that involves running and timing their submissions. The problem is that their code then runs as me and they can in principle do whatever they like using my permission settings. For example, they could copy my ssh private key.

I could set up a virtual machine and run their code within it (although I am not entirely sure of the best way to lock this down either). A problem with this is that the speed performance will now not be realistic. I could provide the same virtual machine to all the users to test their code on beforehand so at least they have the same set up to test with.

Is there a good way to set up an environment where you can run code written by others but limit the damage it can do?


Solution 1:

There are actually multiple types of virtual machines, which is kinda being missed in the other answers. You can have what's known as container virtualisation - something like Linux vServer or OpenVZ. They share the host kernel, running what are known as 'containers' (with their own environments) rather than virtualising any hardware, and are almost as fast as bare metal. (OpenVZ is more common in cheaper VPS services, but only supports up to a custom kernel 2.6.x, while vServer goes up to latest stable).

Apart from that, the overhead of full virtualisation on a modern machine isn't as bad as you think! With hardware virtualisation on a mid-high end CPU, most uses wouldn't even notice any performance penalty, unless there was contention for resources (e.g. the host or another VM was using a lot). It will be a little slower, because some resources are used by the guest OS, but the cost of the virtualisation itself is almost negligible - especially CPU usage, since that can be passed to the raw hardware with (almost) no translation, if it's hardware accelerated. You could try it, you might be surprised.


Note that each also comes with differing levels of isolation. Container virtualisation makes it much easier to exploit kernel and other bugs to 'break out' of the container - LXC is not secure at all, though OpenVZ is considered pretty mature and secure (and is commonly used in VPS services, where you're selling containers to untrusted people). vServer is somewhere in between. Full virtualisation has better isolation, but some attacks still exist to break out.

It depends just how far you expect a malicious student to go. It might be sufficient to simply run as a different user. You might want a container for more security. Chances are that a container is enough for anything you'll encounter in these circumstances.

Solution 2:

Make a single user account with limited privileges (which means access to only a limited set of library routines, possiby even a stripped down shell access).

ssh as the user in your system, and run their programs.

You can even write a small bash shell script (or any other shell script) to achieve this.

Solution 3:

  1. Run the code as nobody, which should give you minimal privileges. Depending on how hair-raising the configuration is, this may not be safe
  2. Run in a chroot jail. Depending on the code this may change the behaviour, and jails can often be broken out of. They are not a security feature.
  3. Run in a virtual machine. I think there are only very few known instances of being able to break out of those, but I'm not sure. You can use for example Vagrant to set up very simple virtualisation. Example configuration and commands.

Solution 4:

There's a few different possibilities, depending on how much isolation you want.

The easiest is to simply trust the code. It looks like that is out of the question for you, or you wouldn't be asking this.

The next step up is to run the code on a separate user account, as Vigneshwaren suggested. If you want to restrict network access specifically for a particular user account, that can be accomplished through iptables owner matching. When done, the user account can be left around or deleted, and any processes running as that user can be killed outright.

One more step up is to add a chroot jail to the separate user account. This can cause trouble with libraries or configuration files that need to be in place, but if it's e.g. a pure number-crunching exercise, it can be practical. It ensures that only the files you want the students' code to be able to access are accessible to that code.

The final step would be to execute the code in a completely separate environment. Think virtual machine, here, although a separate physical computer could accomplish the same thing. The code can execute in a completely isolated environment, including with the virtual network cable unplugged, and any damage it could possibly do, including filling up the disk or fork-bombing, will be isolated within the virtual machine and the worst that might happen is that you need to forcibly turn it off. Since the VM will have a completely separate OS installation, especially if you remove the network connection before running the software, this cannot possibly leak any of your sensitive data. With a VM, you can use disk snapshots to allow you to quickly and easily return to a known state after running each student's program.

It all depends on where on the effort-versus-trust-needed scale you place your students. Less trust requires more effort on your part to make sure nothing bad happens.