Securely loading and running untrusted modules

caml-list - the Caml user's mailing list
 help / color / mirror / Atom feed

From: Richard Jones <rich@annexia.org>
To: caml-list@inria.fr
Subject: Securely loading and running untrusted modules
Date: Tue, 5 Apr 2005 13:14:59 +0100	[thread overview]
Message-ID: <20050405121459.GA29378@furbychan.cocan.org> (raw)

Suppose I wanted to set up a website where people could upload
untrusted .ml files and have them be compiled and run on my server.
(This would be used as an OCaml teaching tool).  The uploaded
"untrusted.ml" source files would be compiled on the server by
"ocamlc", then loaded using:

  Dynlink.init ();
  Dynlink.allow_only ["SafeAPI"];
  Dynlink.loadfile_private "untrusted.cmo"

where SafeAPI is a module which defines a safe, trusted subset of the
API where only Good Things are allowed.

I don't want the modules to be able to do Bad Things, where Bad Things
is stuff like:

* Reading and writing local files.
* Corrupting memory.
* Inserting executable code into memory.
* Executing arbitrary functions from the server.
* Denial of service (infinite loops, unlimited resource allocation).
* Making arbitrary network connections.
* (and so on ...)

To prevent unlimited resource allocation, I'm thinking of using
setrlimit(2) to limit the size of the server process (it would be a
pre-forked Apache server, so causing one process to hit its memory
limit does not constitute a denial of service attack).

To prevent infinite loops, starting an alarm(2) before loading the
module should kill the Apache process if it uses too much CPU time.

I'm fairly sure that the method above should cope with everything
barring bugs in the compiler and bugs in SafeAPI.

Am I thinking right?

Rich.

-- 
Richard Jones, CTO Merjis Ltd.
Merjis - web marketing and technology - http://merjis.com
Team Notepad - intranets and extranets for business - http://team-notepad.com

next             reply	other threads:[~2005-04-05 12:15 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2005-04-05 12:14 Richard Jones [this message]
2005-04-05 12:55 ` [Caml-list] " Nicolas Cannasse
2005-04-05 13:16   ` Richard Jones
2005-04-05 14:09     ` Alex Baretta
     [not found]     ` <42529C01.2080609@barettadeit.com>
2005-04-05 14:17       ` Richard Jones
2005-04-05 14:36         ` Jacques Garrigue
2005-04-05 20:58           ` sejourne_kevin
2005-04-05 21:02             ` Jacques Garrigue
2005-04-06  7:59               ` sejourne_kevin
2005-04-05 14:38         ` Virgile Prevosto
2005-04-05 14:40         ` Daniel Bünzli

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20050405121459.GA29378@furbychan.cocan.org \
    --to=rich@annexia.org \
    --cc=caml-list@inria.fr \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).