September 30th, 2003, 10:50 PM
Dangerous System Functions for Servers !!!
If I have to compile and run any C/C++ program sent by any client PC by submit-o-matic or email to the server, how can I check that he isn't using malicious server functions???
Is there any way to check whether he/she is trying to use system resources???
Can anyone provide me with the list of those functions and Macros???
September 30th, 2003, 11:21 PM
Sorry, I'm not quite following. People are going to send you code which you will then compile and run from your server? Is this stuff running suid root or "Admin" privileges? #define malicious as well. What exactly are you allowing/disallowing?
October 1st, 2003, 12:33 AM
October 1st, 2003, 12:42 AM
For *NIX systems, there's always systrace. See http://www.systrace.org/ and also read the articles by Michael Lucas http://www.onlamp.com/pub/a/bsd/2003...y_Daemons.html and http://www.onlamp.com/lpt/a/3260 for how to use it.
Note that systrace was originally written for OpenBSD and NetBSD, but has been ported to Linux and Mac OSX. The FreeBSD port is still a work in progress.
Also, The Hairy Eyeball (http://www.blafasel.org/~floh/he/) has a repository of systrace scripts.
Up the Irons
What Would Jimi Do? Smash amps. Burn guitar. Take the groupies home.
"Death Before Dishonour, my Friends!!" - Bruce Dickinson, Iron Maiden Aug 20, 2005 @ OzzFest
Down with Sharon Osbourne
"I wouldn't hire a butcher to fix my car. I also wouldn't hire a marketing firm to build my website." - Nilpo
October 1st, 2003, 05:37 AM
This is actually a surprisingly tough question.
I'm assuming you want a server that people can download C++ source code to, and your server will compile and execute it unless it finds an error.
One way is to configure a compiler and its library to enforce whatever constraints you wish. Another approach is to have a person in the loop who reviews the code, but I assume you want to avoid that. You will wish to ensure your library has no non-standard functions (e.g. the system() call, functions like sprintf), and also does not allow creating files on the server.
You may wish to write a preprocessor that checks for and prevents the following:
a) usage of raw pointers.
b) bounds checking violations
c) explicit or implicit typecast of pointer types.
d) use of the various _cast operators
e) statements with multiple side effects (very easy to introduce undefined behaviour, which results in potential security holes).
One simple way is to compile and execute the code, but only execute it in the context of a very unprivileged user. The challenge is configuring a user account to do that (and being able to spawn the process to execute it as that user). This obviously relies on having an operating system that allows you to enforce user privileges.
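A name-based source gate of the kind the post above sketches, as an added example that is not code from the thread or from any project it mentions. It blanks comments and string literals before scanning, so a `system("...")` that only appears inside a comment or a string is not reported, and it flags banned headers, banned calls and the C++ `_cast` operators with line numbers. The policy sets and the sample submission are constructed for illustration; a check like this is a coarse first pass only (it cannot see raw-pointer arithmetic or bounds violations, and a `#define` can rename a call), so it belongs in front of an unprivileged execution account rather than in place of one:

```python
"""Source gate for submitted C/C++ files: a name-based check for the calls,
headers and cast operators a build server refuses to compile.
Added example (not code from the thread); the policy sets are constructed."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line kind name")

# Constructed policy lists. Extend to taste; anything not listed is allowed.
BANNED_CALLS = {
    "system", "popen", "execl", "execlp", "execle", "execv", "execvp", "execve",
    "fork", "vfork", "dlopen",                       # process and loader control
    "fopen", "open", "creat", "remove", "unlink",    # file creation and deletion
    "gets", "sprintf", "strcpy", "strcat", "scanf",  # unbounded writes
}
BANNED_HEADERS = {"unistd.h", "sys/socket.h", "dlfcn.h"}

_COMMENT_RE = re.compile(r"//[^\n]*|/\*.*?\*/", re.DOTALL)
_LITERAL_RE = re.compile(r'"(?:\\.|[^"\\\n])*"|\'(?:\\.|[^\'\\\n])*\'')
_INCLUDE_RE = re.compile(r'^[ \t]*#[ \t]*include[ \t]*[<"]([^>"]+)[>"]', re.MULTILINE)
_CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
_CAST_RE = re.compile(r"\b(reinterpret_cast|const_cast|static_cast|dynamic_cast)\s*<")


def _blank(match):
    """Replace a match with spaces, keeping newlines so line numbers survive."""
    return re.sub(r"[^\n]", " ", match.group(0))


def _line_of(text, offset):
    return text.count("\n", 0, offset) + 1


def scan_source(src):
    """Return every policy hit as a Finding, sorted by line number.
    Comments are blanked first so an '#include' inside a comment is ignored;
    string and char literals are blanked before the call scan so that a
    system("...") mentioned inside a string is not reported."""
    findings = []
    no_comments = _COMMENT_RE.sub(_blank, src)
    for m in _INCLUDE_RE.finditer(no_comments):
        if m.group(1) in BANNED_HEADERS:
            findings.append(Finding(_line_of(src, m.start()), "include", m.group(1)))
    code = _LITERAL_RE.sub(_blank, no_comments)
    for m in _CALL_RE.finditer(code):
        if m.group(1) in BANNED_CALLS:
            findings.append(Finding(_line_of(src, m.start()), "call", m.group(1)))
    for m in _CAST_RE.finditer(code):
        findings.append(Finding(_line_of(src, m.start()), "cast", m.group(1)))
    return sorted(findings)


# Constructed submission used to exercise the gate.
SAMPLE_SOURCE = r'''#include <stdio.h>
#include <unistd.h>
/* system("rm -rf /") inside a comment must not be reported */
int main(void) {
    char buf[16];
    const char *msg = "system(\"ignored\")";
    sprintf(buf, "%s", msg);
    system("ls");
    int *p = reinterpret_cast<int *>(buf);
    return p != 0;
}
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: banned {f.kind} {f.name}")
```

Run against the constructed sample it reports the `unistd.h` include on line 2, `sprintf` on line 7, `system` on line 8 and the `reinterpret_cast` on line 9, and nothing for the comment or the string literal. Because blanking keeps every line the same length, match offsets map straight back to the original line numbers.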
October 1st, 2003, 02:34 PM
Also, what about the security issue? Let's say you check the source, but i.e. it would be trivial to write a program vulnerable to buffer overflow, and then exploit it that way to execute the code you want to execute. How to fix? StackGuard is one option. But then they could use format strings and the GOT instead. So I dunno, just some stuff to think about.
October 2nd, 2003, 01:30 PM
Thanks for your good suggestion!
Then you are saying that I should use Linux and define access levels ???
BUT HOW ???
October 4th, 2003, 04:20 AM
I wasn't actually suggesting Linux, but it can certainly be used. Any operating system that has a means by which a user can be granted or denied privileges is enough. All flavours of unix support that, as does windows NT/2000/XP, VMS, etc etc. For example, a guest account under NT may be enough for your purposes.
With Linux, it depends on the flavour. With redhat, you can use Linuxconf. Then go down through the menus to Config/User Accounts to configure particular accounts. Somewhere in that menu structure, you will find a way to allow or deny various privileges to various types of users.
In general terms, privileges are used to grant or deny access to hardware, devices, system resources (eg memory). Individual devices can have assigned protections to deny or permit access by some users and not others (although a suitably privileged user can bypass protections). Once an account with suitable privileges (or lack thereof) is set up, a suitably privileged user can use setgid/setuid to launch processes owned by that user --- and therefore constrained by the privileges.
Look in the man pages for
exec (spawning of processes)
setuid (set user identification)
setgid (set group identification)
for info on the function calls (or, if you're working from a shell script, the commands) to do this sort of stuff. I don't have the info at my fingertips, but this should be enough to get you started.
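The launch step described in the two posts above (spawn the compiled submission as a deliberately unprivileged account via setgid/setuid, then exec), as an added example rather than code from the thread. It is written in Python for brevity; the identical sequence applies to a C or shell launcher. The helper names are hypothetical. Between fork and exec it caps CPU time, address space and core dumps, drops supplementary groups, calls setgid before setuid (the order matters, because once the real uid is unprivileged the gid can no longer be changed), and refuses to exec if it still holds root. The parent also enforces a wall-clock limit, a minimal environment and no inherited stdin. Caveat: this limits the submission's own process, not grandchildren it may spawn; a dedicated account per job plus a process group or cgroup closes that gap:

```python
"""Run one compiled submission as a throwaway account with resource limits.
Added example; helper names are hypothetical and not from the thread."""
import os
import resource
import subprocess
from typing import List, NamedTuple, Optional


class RunResult(NamedTuple):
    returncode: Optional[int]   # None when the wall-clock limit was hit
    stdout: str
    stderr: str
    timed_out: bool


def _cap(limit, value):
    """Set soft and hard limit to value, never above the existing hard limit."""
    _soft, hard = resource.getrlimit(limit)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(limit, (value, value))


def _make_preexec(uid, gid, cpu_seconds, mem_bytes):
    """Build the function the child runs between fork() and exec()."""
    def preexec():
        _cap(resource.RLIMIT_CPU, cpu_seconds)
        _cap(resource.RLIMIT_AS, mem_bytes)
        _cap(resource.RLIMIT_CORE, 0)            # no core dumps of the submission
        if os.geteuid() == 0:
            os.setgroups([])                     # drop supplementary groups
            os.setgid(gid)                       # gid first ...
            os.setuid(uid)                       # ... then uid (irreversible)
        # Never exec the submission as root or as any account other than
        # the one requested; a non-root launcher cannot switch identity.
        if uid == 0 or os.getuid() != uid or os.geteuid() != uid:
            os._exit(125)
    return preexec


def run_untrusted(argv: List[str], *, uid: int, gid: int,
                  cpu_seconds: int = 2, wall_seconds: float = 5.0,
                  mem_bytes: int = 512 * 1024 * 1024) -> RunResult:
    """Execute argv under the given identity with CPU, memory and wall-clock
    caps, a minimal environment, cwd=/ and no inherited stdin."""
    if uid == 0 or gid == 0:
        raise ValueError("refusing to run untrusted code as root")
    try:
        proc = subprocess.run(
            argv, cwd="/", env={"PATH": "/usr/bin:/bin"},
            stdin=subprocess.DEVNULL, capture_output=True, text=True,
            timeout=wall_seconds,
            preexec_fn=_make_preexec(uid, gid, cpu_seconds, mem_bytes))
    except subprocess.TimeoutExpired:      # run() has already killed the child
        return RunResult(None, "", "", True)
    return RunResult(proc.returncode, proc.stdout, proc.stderr, False)


if __name__ == "__main__":
    import pwd
    if os.geteuid() == 0:                  # pick a throwaway account when root
        pw = pwd.getpwnam("nobody")
        ident = (pw.pw_uid, pw.pw_gid)
    else:                                  # already unprivileged: keep identity
        ident = (os.getuid(), os.getgid())
    # Stand-in for a compiled submission: a shell one-liner.
    print(run_untrusted(["/bin/sh", "-c", "echo $((6*7))"],
                        uid=ident[0], gid=ident[1]))
```

Usage: `run_untrusted(["/path/to/compiled/submission"], uid=..., gid=...)` with the uid/gid of a dedicated account created for this purpose. The `preexec_fn` hook is the Python equivalent of the fork/setgid/setuid/exec sequence the man pages describe; it is not safe in multi-threaded launchers, where the same steps belong in a small C wrapper instead.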
October 7th, 2003, 01:42 PM
I'll try and if any problem occurs, I know you people are there :)