Safely executing student's code

[Chris]

Could someone point me to an example or at least outline of a solution
to the following problem:

I want to be able to compile the body of a method written in C++,
submitted by a possibly malicious CS student, and if it compiles
correctly execute it within a sandbox with limited privileges (e.g. no
I/O, or I/O only to certain directories).

I know Java and its security manager system pretty well, but I'm just
learning .NET. I know enough now see the outline of how to do this, but
what I'm unsure about is whether a sophisticated student could insert
commands into his C++ fragment that could subvert the security.
Generally you assume that any source could you have is trusted and it's
only object code/bytecode you need to verify. Here the source code
itself cannot be trusted.

Thanks,
Chris

 

[Nishant Sivakumar]

If you have the source code and it's not too big, gete a decent C++ dev to
go through it. If it's really huge, you could test out the compiled code on
a Virtual PC stub.
Though, if you don't trust the coder, I am surprised that you still want to
use his code.

 

[Chris]

Nish,

The context is that this is part of an automated homework submission
and evaluation system. So, yes, the amount of code that I'm expecting
from any given student at any time is small, but manually inspecting
everything that comes in defeats the purpose of being automated!

I'm aware there are pure C/C++ answers to this problem, but using C++
in the .NET environment seems like a nicer solution, especially since I
hope the security management could work at a finer level so potentially
dangerous method calls are not completely forbidden but can be limited
to certain known directories or addresses.

Thanks again,
Chris

 

[Steve Alpert]

Nish,

The context is that this is part of an automated homework submission
and evaluation system. So, yes, the amount of code that I'm expecting
from any given student at any time is small, but manually inspecting
everything that comes in defeats the purpose of being automated!

I'm aware there are pure C/C++ answers to this problem, but using C++
in the .NET environment seems like a nicer solution, especially since I
hope the security management could work at a finer level so potentially
dangerous method calls are not completely forbidden but can be limited
to certain known directories or addresses.

Although it's hard to catch everything. What about providing your own library
for basic file I/O and other operations. If the application does not call for
them, you could just "fatal" the program if they occur. Ditto for things like
ShellExecute(), etc. It would be a bit of work to develop but would be useful
in the long run.

/steveA

 

[William DePalo [MVP VC++ ]]

Could someone point me to an example or at least outline of a solution
to the following problem:

I want to be able to compile the body of a method written in C++,
submitted by a possibly malicious CS student, and if it compiles
correctly execute it within a sandbox with limited privileges (e.g. no
I/O, or I/O only to certain directories).

Well, the expedient, less straighforward thing to do is to get yourself a
virtual machine. Microsoft's is here:

http://www.microsoft.com/windows/virtualpc/default.mspx

and VMWare's is here:

http://www.vmware.com/

Either will let you virtualize an _entire_ machine, virtual disks and all.
(I think that there are inexpensize academic versions of these products but
I am not sure).

Then run the student's compiled and linked assignment under the VM. The
worst he can do is trash a disk. But with either virtual machine you should
be able to copy the virtual disk - which is just a big file or files -
immediately after you install an operating system to some safe location. In
a pinch just copy the files back and the damage is undone.

The straightforward approach would involve creating an account with minimal
privileges for running students' assignments. Next you could deny access to
all folders on all drives except those you select. This is a security topic
and not a development one. Check this link

http://www.le.ac.uk/cc/dsss/docs/acls1.shtml

to get started. Then try posting again in a secirity focused group.

Once your directories are secure you could use the RunAs command to run the
students assignments using the credentials of the low rights account you
created:

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/runas.mspx

or you could adopt a policy such that you never run those assignments except
when logged in to the low rights account.

Regards,
Will

 

[Guest]

If someone is experienced and bold enough to write some malicious code and
give it to the professor, they shouldn't be taking your class!

If I were you, I wouldn't be worried about it. A student is giving you a few
lines of code that's supposed to call a couple of classes or something.

A simple way to see if it does a little more than it is supposed to is to
check which headers are being used before you execute the program. If you see
a program using winsock.h or something, you know something's up.

If this isn't good enough, just create a dummy user with no IO rights or
rights to the registry and you can safely run the students code.

Cheers,
Mark.

 

[Maxwell]

Just for another 2 cents, I would definitely recommending doing what
Will offered up.

If you use VMWare (http://www.vmware.com/) you can make use of the
snapshot feature. That way if any students project tries writing or
doing something malicious to the os or the virtual disk and they
somehow are able to, no big deal just discard changes and reload the vm
again, no need to copy files or worry about security permissions, they
are in a solid sandbox. Its not going to be any easier that plus save
you alot of headaches.

I'm not sure myself if there are ways to get at any backdoor win32 API
that would completely ingnore any DLL security settings. It would seem
to make sense that could never be the case, but with the VM stuff its
not something you would have to worry about if it did happen.