Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I’m writing an autograder web application that accepts a program from the user as input. What are some ways of protecting my web server from malicious program inputs?
Currently only Java program inputs are supported. I’m thinking about somehow disabling access to certain packages/classes, but I’m not sure how.
Any ideas/suggestions?
The simplest approach for protecting against unwanted malicious program input is to simply run it in a separate VM. If you’re on Linux, boot up a VM using KVM or something, run the program there, and have the output logged somewhere (over a virtual serial port, for example). Give the VM no network access and wipe its drive each time.
Failing that, Java does have an extensive security and sandboxing model, originally designed for isolating applets. However, it’s tricky to use properly, and I wouldn’t recommend using it for something like this – spawning a VM is much easier and safer.