How do online interpretors/compilers deal with mal

2020-07-10 05:54发布

问题:

As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance.
Closed 7 years ago.

How does an online code interpreter/compiler (jsfiddle.net, jsbin.com, ideone.com, codepad.org, etc) deal with malicious code, such as an infinite loop?

回答1:

That particular site looks like it is running its code on the client side. So you can't hurt their servers.

Other sites take the approach of running code in virtual machines. You can just throttle the resources that the virtual machine can take, and they have limited the potential damage that can be done.



回答2:

jsFiddle only runs client side code (JavaScript) - the only machine it can harm is yours (or someone viewing your fiddle).

Most browsers have something in place to detect an unresponsive script (like an infinite loop), and give you the option to halt the script.

Then there are sites like codepad.org and ideone.com, which do run code on the local machine.

Codepad.org

Code execution is handled by a supervisor based on geordi. The strategy is to run everything under ptrace, with many system calls disallowed or ignored. Compilers and final executables are both executed in a chroot jail, with strict resource limits.

When your app is remote code execution, you have to expect security problems. Rather than rely on just the chroot and ptrace supervisor, I've taken some additional precautions:

  • The supervisor processes run on virtual machines, which are firewalled such that they are incapable of making outgoing connections.
  • The machines that run the virtual machines are also heavily firewalled, and restored from their source images periodically.


回答3:

Since sites like jsfiddle are only client side code (you can't write server side code), any bad code will affect the browser that runs it. It shouldn't affect their servers at all.