I am building a web-based interface where people can type in simple C code for solving algorithmic programming questions. I am using Ace editor where people can type in code, and when they press the run button, the C code is sent to the server, compiled, and the output sent back.
How do I accomplish the second part in a secure way? I mean, given a C code file, compile it and execute it. I can't trust the code, so how do I make sure it's not malicious and will not harm my system? Also, how do I impose memory and time limits?
Is there any existing open source system available which I can modify to suit my needs? I didn't find anything in my search. Or some pointers on how I should proceed next?
Edit: Found http://cs.sru.edu/~contest/rocktest/ and trying to understand their code, but still looking for better options, preferably in PHP.
Allow me to plug AppArmor, a simple mandatory access control mechanism that can make creating these sorts of sandboxes simple. Here is a profile I have in place to confine my xpdf PDF viewer:
#include <tunables/global>
/usr/bin/xpdf {
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/X>
  #include <abstractions/fonts>
  /dev/tty rw,
  owner /dev/pts/* rw,
  /etc/papersize r,
  /etc/xpdf/* r,
  /bin/bash ix,
  /usr/bin/xpdf r,
  /usr/bin/xpdf.bin rmix,
  /usr/share/xpdf/** r,
  /usr/share/icons/** r,
  owner /**.pdf r,
  owner /tmp/* rw,
}
You could learn the basics of confining applications of your choice in half a day or so, and have profiles written for your server in another half day. (That xpdf profile took me about four minutes to write, but I know what I'm doing. We have deployed AppArmor on a leading online retailer's public-facing servers over the course of an afternoon, with similar results with other deployments.)
AppArmor also gives an easy interface for configuring run-time limits, such as how much memory a process is allowed to allocate:
rlimit as <= 100M, # limit address space to 100 megabytes
AppArmor would be easiest to use on Ubuntu, openSUSE, SLES, PLD, Mandriva, Pardus, or Annvix distributions, as the tools come pre-installed. But the core AppArmor functionality is in stock Linux kernels 2.6.36 and newer, and it is possible to install AppArmor on any Linux distribution.
Other similar tools include SELinux, TOMOYO, or SMACK. I think SMACK would be the next-easiest to deploy, but any of them could prevent malicious code from harming your system.
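A kernel-enforced complement to the `rlimit as <= 100M` rule above, as an added example that is not code from any of the posts: a small C launcher that applies address-space and CPU-time caps to a compiled submission before executing it. `run_limited()` and `lower_limit()` are hypothetical names and the 2-second CPU budget is an assumption; wall-clock timeouts and file or network confinement are left to the sandbox around it.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Lower one limit; an unprivileged process can never raise its hard limit,
 * so clamp to whatever ceiling this process already runs under. */
static int lower_limit(int res, rlim_t soft, rlim_t hard)
{
    struct rlimit r;
    if (getrlimit(res, &r) != 0) return -1;
    if (hard < r.rlim_max) r.rlim_max = hard;
    r.rlim_cur = soft < r.rlim_max ? soft : r.rlim_max;
    return setrlimit(res, &r);
}

/* Hypothetical helper: run argv[0] under memory and CPU caps. Returns the
 * exit status, 128+signal if a signal killed it, or -1 on fork/wait error. */
int run_limited(char *const argv[], rlim_t mem_bytes, rlim_t cpu_secs)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {            /* child: limits survive execv() and fork() */
        /* The soft CPU limit delivers SIGXCPU; the hard limit one second
         * later is SIGKILL, for programs that ignore SIGXCPU. */
        if (lower_limit(RLIMIT_AS, mem_bytes, mem_bytes) != 0 ||
            lower_limit(RLIMIT_CPU, cpu_secs, cpu_secs + 1) != 0 ||
            lower_limit(RLIMIT_CORE, 0, 0) != 0)   /* no core files */
            _exit(126);
        execv(argv[0], argv);
        _exit(127);            /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFSIGNALED(status) ? 128 + WTERMSIG(status) : WEXITSTATUS(status);
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s /path/to/program [args...]\n", argv[0]);
        return 2;
    }
    /* 100 MiB mirrors "rlimit as <= 100M"; the 2 s CPU budget is assumed. */
    int rc = run_limited(&argv[1], (rlim_t)100 << 20, 2);
    printf("result: %d\n", rc);
    return rc < 0;
}
```

RLIMIT_CPU counts CPU time only, so a submission that sleeps or blocks on input still needs a wall-clock timeout enforced by the parent.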
I recommend the Ideone API: http://ideone.com/api
You'll have to execute the code in a sandboxed environment. There is a similar question on SO that might help.
You could also run some virtual machines to execute the code, but that's basically an example of sandboxing - just a bit heavy.
Run the code in a sandbox - a virtual machine.
In addition to that I would remove access to any system calls and only allow calls to the standard C libraries. Also, replace any unsafe library calls with your own calls that check the input and delegate safe inputs to the real functions (in particular for malloc you would want to put an upper bound on how much each program can allocate).
If you do the above, just one virtual machine should be enough for everyone's code.
I will be using uevalrun:
"The primary use case for uevalrun is evaluation of solution programs submitted by contestants of programming contests: uevalrun compiles the solution, runs it with the test input, compares its output against the expected output, and writes a status report."
If I would like to distribute a PHP application with an installer (the package system of the OS), how should I proceed? I don't want PHP files to be there, just a working application, so that when I type 'app' into the console, it launches the application without the need to install PHP on the system (no PHP installation on the host required). I would also like the application to have patch-able byte-code, so it's in parts, loaded when needed and only part needs to be replaced on update.
What I would do now is the following:
-> Compile PHP with extensions for the specific platform.
-> Make a binary application which launches '/full/php app' when the app is launched.
-> Pack it in an installer in such a way that a binary is added to the path on install, launching the specific installation of PHP which is alongside the app, with the start point as argument -> the app would be running.
Problem is:
Maybe I don't want my PHP files to be exposed(in application, there will be available source anyway) is there some ready made stuff to do this? Is there some better way than I proposed?
Alternative: Modifying OP Cache to work with "packing" application to deliver byte codes to modified OP Cache which just reads the cache.
My suggestion would be a tiny tool I just finished, for almost exactly the same problem. (Oh yes I tried all the others but they're old and rusty, sometimes they're stuck with 4.x syntax, have no support, have no proper documentation, etc)
So here's RapidEXE:
http://deneskellner.com/sw/rapidexe
In the classical way, it's not a really-real compiler, just a glorified packer, but does exactly what you need: the output exe will be standalone, carrying everything with it and transparently building an ad-hoc runtime environment. Don't worry, it all happens very fast.
It uses PHP 7.2 / Win64 by default but has 5.x too, for XP compatibility.
It's freeware, obviously. (MIT License.)
(Just telling this because I don't want anyone to think I'm advertising or something. I just took a few minutes to read the guidelines about own-product answers and I'm trying to stay within the Code of the Jedi here.)
However...
"I would also like the application to have patch-able byte-code, so it's in parts, loaded when needed and only part needs to be replaced on update."
It's easier to recompile the exe. You can extract the payload pieces of course but the source pack is one big zip; there seems to be no real advantage of handling it separately. Recompiling a project is just one command.
"Maybe I don't want my PHP files to be exposed(in application, there will be available source anyway)"
In this case, the exe contains your source compressed but eventually they get extracted into a temp folder. They're deleted immediately after run but, well, this is no protection whatsoever. Obfuscation seems to be the only viable option.
If something goes wrong, feel free to comment or drop me a line on developer-at-deneskellner-dot-com. (I mean, I just finished it, it's brand new, it may misbehave so consider it something like a beta for now.)
Happy compiling!
PHP doesn't do that natively, but here are a few ideas:
Self-extracting archive
Many archival programs allow you to create a self-extracting archive, and some even allow you to run a program after extraction. Configure it so that it extracts php.exe and all your code to a temp folder and then runs it from there, deleting it after the script has completed.
Transpilers/compilers
There's the old HPHC which translates PHP code to C++, and its Wikipedia page also contains links to other, similar projects. Perhaps you can take advantage of those.
Modified PHP
PHP itself is open source. You should be able to modify it without too much difficulty to take the source code from another location, like some resource compiled directly inside the php.exe.
Use the Zend Guard tool, which compiles and converts the plain-text PHP scripts into a platform-independent binary format known as a 'Zend Intermediate Code' file. These encoded binary files can then be distributed instead of the plain-text PHP. Zend Guard loaders are available for Windows and Linux platforms, which enable PHP to run the scripts encoded by Zend Guard.
Refer to http://www.zend.com/en/products/zend-guard
I would like to add another answer for anyone who might be Googling for answers.
Peach Pie compiler/runtime
There is an alternative method to run (and build apps from) .php source codes, without using the standard php.exe runtime. The solution is based on C#/.NET and is actually able to compile php source files to .NET bytecode.
This allows you to distribute your program without exposing its source code.
You can learn more about the project at:
https://www.peachpie.io/
You've got 3 overlapping questions.
1. Can I create a stand-alone executable from a PHP application?
Answered in this question. TL;DR: yes, but it's tricky, and many of the tools you might use are semi-abandoned.
2. Can I package my executable for distribution on client machines?
Yes, though it depends on how you answer question 1. If you use the .Net compiler, your options are different to the C++ option.
3. Can I protect my source code once I've created the application?
Again, depends on how you answer question 1. Many compilers include an "obfuscator" option which makes it hard to make sense of any information you get from decompiling the app. However, a determined attacker can probably get through that (this is why software piracy is possible).
PHP makes it relatively easy to limit what a user can do on a server - just instruct it to disable features via the php.ini disable_functions directive. Is there a similar capability in Node.js? A spot of googling with the more obvious phrases has turned up a blank. I imagine one can do something similar by controlling just what can go into the requires clauses. However, perhaps there is another way? I'd be much obliged to anyone who might be able to point me in the right direction.
Judging from the comments I need to clarify this question
Context - I am setting up a service which allows users to run their own Node code in a Docker container. Docker containers are fairly secure but - as Docker make clear - there is no cast iron guarantee that the container is a Sandbox with no risk of anything spilling out of it.
Within reason I want to allow users to use external modules whose use is declared in their code using the standard Node require('modulename') syntax
Now suppose I let this happen and the user sticks in
require('shelljs/global');
Boom... the user has the ability to run shell commands. So how do I stop this from happening? One way would be to play policeman and strictly control what external modules the user can rope in in this way. The other - and hence my question - is whether there is a php.ini-style way of simply blocking access to certain capabilities. From my understanding of how Node works (and it is as yet imperfect) this is not possible. However, given that I am a relative newbie I thought I would ask here and see what those who understand Node better than I have to say.
I'm not sure what you mean but you can control what you export from module exports. For instance:
var DB = require("db");
var userFromDB = DB.find("username");
// Export only the public subset of the record, not the whole object
module.exports = {
  publicUser: userFromDB.publicData
};
We only made userFromDB.publicData public instead of the entire userFromDB object. No one from the public can access anything else.
One way to prevent one angle of attack is to set the global node_modules path folder in the shell to something different than the default before running node.js.
Then you'd maybe have some issues with apps that actually require global modules, but you could npm link them or similar.
I am trying to make an online gcc compiler which can be accessed from the browser. For all this I have used PHP and Cygwin on Windows XP. Actually I am giving the code window in the browser to the user.
The general process is:
$source is written to a .c file
the .c file is compiled by the gcc compiler and an .exe file is created
the output of the .exe file is shown to the user.
It is assumed that there is no read function in the C program; for testing I am using only a single printf statement.
The problem is:
If there are about 30 simultaneous requests, meaning 30 users compile the program at the same point in time, then it will produce output in about 15 seconds, which is too long.
Can someone please help me to reduce this time? All suggestions are welcome.
Can I just read the output of the C program without making an .exe file?
A starting point could be exploring distributed build systems.
On Windows I have known a (non-free) solution is Incredibuild. We used it for one of our projects around 8 years ago, and it reduced clean and build time from 25 minutes to around 5 minutes. There is a review of it here.
Right now, as I just searched for other alternatives and non-windows solutions I have also found distcc.
There is also a discussion (seemingly old) here about alternatives to Incredibuild.
If the C source code is almost the same for each compilation request, you can use a build system with a compiler cache enabled, e.g. waf and cmake. They can utilize the copy of the previous build to speed up the compilation.
How do I run PHP Security Scanner and SpikePHPSecAudit?
I've already extracted them at the root of my website and thought it could be run like phpSecInfo where you just navigate to
www.mySite.com/phpsecinfo/index.php
Any assistance will be appreciated.
P.S. I am using Windows XP and XAMPP.
Spike PHP SecAudit does static analysis of the files; it's also very old. Pixy and RATS are also static analysis tools for PHP, but I think RATS is the only one of the three that is still maintained. These tools will produce a lot of false positives and it takes skill to tell the difference between a real problem and meaningless output.
In terms of scanners you are best off with Wapiti, which will produce very few false positives. Wapiti is also very easy to use: python wapiti.py http://localhost/vulnerable_app/. I recommend downloading "Hackme Blog" from The Whitebox. Many apps aren't immediately vulnerable; sometimes you have to use the app a bit before the vulnerability can be reached. Try scanning the blog after a fresh install, then log in as the admin and create a blog entry and then scan it again.
If all goes well I'll see an exploit of yours on BugTraq, Give a shout out to "The Rook" ;).
Hello I have a couple questions about PHP exec() and passthru().
1)
I never used exec() in PHP but I have seen it is sometimes used with imagemagick. I am now curious, what are some other common uses where exec is good in a web application?
2)
About 6 years ago when I first started playing around with PHP I did not really know anything, just very basic stuff, and I had a site that got compromised and someone set up their own PHP file that was using the passthru() function to pass a bunch of traffic through my site to download free music or video, and I got hit with a 4,000$ bandwidth charge from my host! 6 years later, I know so much more about how to use PHP but I still don't know how this ever happened to me before. How can someone be able to add a file to my server through bad code?
1] Exec() is really useful when you:
A) Want to run a program/utility on the server that php doesn't have a command equivalent for. For example ffmpeg is common utility run via an exec call (for all sorts of media conversion).
B) Running another process - which you can block or NOT block on - that's very powerful. Sometimes you want a pcntl_fork though, or similar, along with the correct CL args for non-blocking.
C) Another example is when I have to process XSLT 2.0 - I have to exec() a small java service I have running to handle the transformations. Very handy. PHP doesn't support XSLT 2.0 transformations.
2] Damn that's a shame.
Well, lots of ways. There's a family of vulnerabilities called "remote file include vulns", that basically allow an attacker to include arbitrary source and thus execute it on your server.
Take a look at: http://lwn.net/Articles/203904/
Also, mentioned above, say you're doing something like (much simplified):
exec("someUnixUtility -f {$_GET['arg1']}");
Well, imagine the attacker does url.com?arg1="blah;rm -rf /", your code will basically boil down to:
exec("someUnixUtility -f blah; rm -rf /");
In Unix, you separate commands with the ; character. So yeah - that could be a lot of damage.
Same with a file upload, imagine you strip the last four chars (.ext), to find the extension.
Well, what about something like this "exploit.php.gif", then you strip the extension, so you have exploit.php and you move it into your /users/imgs/ folder. Well, all the attacker has to do now is browse to users/imgs/exploit.php and they can run any code they want. You've been owned at that point.
Use exec or when you want to run a different program.
The documentation for passthru says:
Warning
When allowing user-supplied data to be passed to this function, use escapeshellarg() or escapeshellcmd() to ensure that users cannot trick the system into executing arbitrary commands.
Someone had probably found a security hole in your script which allowed them to run arbitrary commands. Use the given functions to sanitise your inputs next time. Remember, nothing sent from the client can ever be trusted.
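The separator problem from the exec() answer above and the escapeshellarg() advice in the quoted warning, as an added C example that is not code from the posts: it applies the single-quote rule that escapeshellarg() uses on Unix-like systems and shows what /bin/sh runs with and without it. `shell_quote()` and `sh_output()` are hypothetical names, `printf` stands in for someUnixUtility, and the input string is constructed and harmless.

```c
#define _POSIX_C_SOURCE 200809L   /* for popen/pclose */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical helper: wrap s in single quotes and rewrite each embedded
 * ' as '\'' so /bin/sh sees exactly one word. Caller frees the result. */
char *shell_quote(const char *s)
{
    size_t n = strlen(s), extra = 0;
    for (size_t i = 0; i < n; i++)
        extra += (s[i] == '\'') ? 3 : 0;
    char *out = malloc(n + extra + 3), *p = out;
    if (!out) return NULL;
    *p++ = '\'';
    for (size_t i = 0; i < n; i++) {
        if (s[i] == '\'') { memcpy(p, "'\\''", 4); p += 4; }
        else *p++ = s[i];
    }
    *p++ = '\''; *p = '\0';
    return out;
}

/* Run "printf %s <arg>" through /bin/sh, as exec() would, and capture the
 * output; printf stands in for someUnixUtility. Returns bytes read. */
size_t sh_output(const char *arg, int quoted, char *buf, size_t cap)
{
    char cmd[512];
    char *q = quoted ? shell_quote(arg) : NULL;
    buf[0] = '\0';
    if (quoted && !q) return 0;          /* fail closed, never fall back */
    int len = snprintf(cmd, sizeof cmd, "printf %%s %s", q ? q : arg);
    free(q);
    if (len < 0 || (size_t)len >= sizeof cmd) return 0;  /* refuse truncation */
    FILE *fp = popen(cmd, "r");
    if (!fp) return 0;
    size_t got = fread(buf, 1, cap - 1, fp);
    buf[got] = '\0';
    pclose(fp);
    return got;
}

int main(void)
{
    char a[128], b[128];
    sh_output("blah; echo INJECTED", 0, a, sizeof a);  /* constructed input */
    sh_output("blah; echo INJECTED", 1, b, sizeof b);
    printf("unquoted: [%s]\nquoted:   [%s]\n", a, b);
    return 0;
}
```

Unquoted, the shell runs the text after the semicolon as a second command; quoted, the whole string reaches the utility as a single argument.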
exec() allows you to use compiled code that is on your server, which would run faster than php, which is interpreted.
So if you have a large amount of processing that needs to be done quickly, exec() could be useful.