I've spent more than a few hours humbling myself on the ACM ICPC's problem set archive, and I've wondered how the online judge is able to compile and run source code from any user and prevent malicious attacks on their system.

Are the compiled binaries run from some kind of limited sandbox? How would one go about setting up this kind of sandbox? What OS would you use? How would you launch a user's compiled executable?

A: 

You could run it in a Linux chroot jail, or link it against a libc that doesn't implement any file I/O.

thirtyseven
What exactly is a chroot jail?
Andrew Garrison
It's an environment available in some UNIX systems that lets a program run without having any access to the full filesystem. Processes running inside the jail see a certain subdirectory as their root directory, and cannot access anything outside of it. Specifically, a system call sets the fake root directory and all child processes inherit it.
thirtyseven
A: 

I think they don't run any code. Sometimes there is this error, "Restricted function", for example when you try to read or write a file ("ofstream" & "ifstream") in C++.

Ahmad Farid
A: 

The programs are run in a chrooted jail with a limited run time. Judge computers are distributed across a number of servers to help prevent a single point of failure or DoS attacks.

I am a regional contest admin.

N8s
Could you elaborate on what a chrooted jail is?
Andrew Garrison