6

OK: a forward. I am not a security expert. I am one of four kids at a high school working on a project. I don't have any experience with real-life situations where security is a concern.

I have a project that's for automated program grading. Students upload code and we compile and test it. Obviously, there's a threat of people uploading malicious code. So what we have recently done is have the code be executed behind a runas command on a user with little privileges. It seems to work, but then again what do we know?

Now my instructor wants us to go forward and put our project online, available to the internet. I worry that our project is likely insecure, and that us students are not qualified to assess the program's security.

Would a simple runas-based "security" system be sufficient, or should we hold off on putting it online?

Edit: to clarify, the way it works is that people upload programs to our server, which then executes it locally and displays the results. So if the uploaded code is malicious and works, then it's our server that's taken over.

user26672
  • 61
  • 2
  • Do you want to release your program as a download/source code for people to run or are you actually hosting your application somewhere for users upload code? If it's the former I'll go ahead and release it with a warning of potential security issues. –  Jun 03 '13 at 14:42
  • I'd agree with Terry above. Users can download and use the program for it's functionality and take their chances. If you post online without having done application security reviews, systems vulnerability scanning, penetration testing etc, you could be exposing yourself and your potential customers to issues as well as whoever owns the servers. – AndyMac Jun 03 '13 at 14:47
  • create user accounts and maintain logs. Remember don't make things too complicated for your users as it is just a high school project. You will get a lot of good advice here but you need to strike a balance between security and usability for all your projects. – Shurmajee Jun 03 '13 at 14:51
  • 2
    I started writing an answer but just kept thinking of more and more ways this can go wrong. Basically this is fine (in fact this kind of safe system-sharing is what Unix is designed to allow) if you have a decent sysadmin to ensure the integrity of the system. You don't have such a sysadmin, so I would advise you do this on a machine that is not part of a LAN, and is not used for anything else. And do not allow user programs to open network sockets, or you will be part of a botnet in no time :P – lynks Jun 03 '13 at 14:52
  • 1
    Make it so that only users with a username and password can upload, no anonymous uploads. Make sure that those who have access to upload know that if anyone does upload something malicious there will be consequences. Leave it up to the school to decide how harsh the consequences are, but they could range from detention to criminal charges. – Rod MacPherson Jun 03 '13 at 15:12
  • If you can at all port it to Unix/Linux then run it in a "chroot jail" that could help a lot. For an added layer of security deny the programs network access when possible. Lastly try Cloud hosting through AWS or Azure that way if something does go wrong its not your network that gets hit. – David Jun 03 '13 at 18:16
  • First thing coming to mind are the potential fork bombs and other DoS-related attacks. That's the most easily exploitable attack vector. In any case, very good question, I very much support that you're thinking of doing this in high school! High schools here should encourage people to. In any case, why don't you look at existing services like codepad.org? Perhaps you can get to ask the owner some questions (and share his answers here :)! ). – Luc Jun 05 '13 at 19:18

2 Answers2

2

"runas" will protect you from only a portion of the threats.

There are a few ways you could handle this. You need to lock down the firewall to prevent outgoing connections that you do not intend. Logging and auditing need to be turned on (and reviewed!!) to catch tampering.

If the server is a VM, you could have it revert to a saved snapshot every hour, meaning that any malicious code could not persist.

Can you maintain a copy of the uploaded code and the IP address that uploaded it for forensic review?

In any case, you need to think of the server as already compromised and treat it as such. Segregate it on the network that it is on, and nuke it from orbit either regularly or at the end of your project. Make sure there is nothing else running on the server that could not handle being taken over (i.e. make your service the only thing running on the server).

schroeder
  • 129,372
  • 55
  • 299
  • 340
0

Run the compiled software in a virtual machine, show the output, and then restore the virtual machine at the previous snapshot after each execution.

something like:

  1. compile the executable on the server
  2. copy it on the VM via network
  3. activate a command on the VM that will run the compiled executable in , say, 5 seconds
  4. exec a command on the server that will isolate the VM from the network
  5. wait for the VM executing the program
  6. grab the output from the VM (screenshot? remote control/viewer?)
Max
  • 351
  • 2
  • 8