views: 34
answers: 1

I've seen some websites that can run code from the browser, and the code is evaluated on the server.

What is the security best practice for applications that run user-contributed code, beyond preventing access to and modification of the server's sensitive information (for example, using Python with a stripped-down version of the standard library)? How do you prevent DoS from non-halting and/or CPU-intensive programs? (We can't use static code analysis here.) What about DoSing the type-check system?

Python, Prolog and Haskell are suggested examples to talk about.

+1 A:

The "best practice" (am I really the only one who hates that phrase?) is probably just not to do it at all.

If you really must do it, set it up to run in a virtual machine (and I don't mean something like a JVM; I mean something that hosts an OS) so it's easy to restore the VM from a snapshot (or whatever the VM in question happens to call it).

In most cases, you'll need to go a bit beyond just that, though. Without some extra work to lock it down, even a VM can use enough resources to reduce responsiveness so that it becomes difficult to kill and restart (you usually can eventually, but "eventually" is rarely what you want). You also generally want to set some quotas to limit its total CPU usage, probably limit it to a single CPU (and run it on a machine with at least two), limit its total memory usage, etc. On Windows, for example, you can do at least most of that by starting the VM in a job object and limiting the resources available to the job object.

Jerry Coffin
Paradoxically, hating the phrase "best practice" is itself a best practice. We're doomed.
Steven Sudit
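The answer's point about quotas (a CPU cap, a memory cap, and a way to kill the thing when it misbehaves) is what stops the non-halting and CPU-hungry programs the question asks about. The following is an added example, not code from the question or the answer: on Linux it runs a snippet of user-supplied Python in a child interpreter with `RLIMIT_CPU` and `RLIMIT_AS` applied, plus a wall-clock timeout for programs that block or sleep instead of spinning (a CPU quota alone never fires for those). The limit values and the constructed sample programs are the example's own choices. It is the process-level analogue of the job-object limits described for Windows; it is not isolation, since the child still sees the host's filesystem and network, which is why the answer recommends a real VM on top.

```python
"""Run untrusted Python under CPU, memory and wall-clock limits (Linux)."""
import os
import resource
import signal
import subprocess
import sys
from dataclasses import dataclass

# Example limits (assumptions chosen for this demo, tune for real workloads).
CPU_SECONDS = 1                    # RLIMIT_CPU soft limit: kernel sends SIGXCPU
WALL_SECONDS = 5                   # wall-clock cap: catches sleeping/blocked programs
MEMORY_BYTES = 1024 * 1024 * 1024  # RLIMIT_AS: allocations past 1 GiB fail with ENOMEM
OUTPUT_TAIL = 512                  # bytes of stdout/stderr kept in the verdict


@dataclass
class Verdict:
    kind: str          # "ok", "cpu-limit", "wall-clock" or "error"
    returncode: int
    stdout: str
    stderr: str


def _apply_limits() -> None:
    """Runs in the forked child, before exec, so limits cover the interpreter itself."""
    # Soft limit triggers SIGXCPU (default action: terminate); the hard limit one
    # second later gives SIGKILL if the program somehow survives the first signal.
    resource.setrlimit(resource.RLIMIT_CPU, (CPU_SECONDS, CPU_SECONDS + 1))
    # Address-space cap: large mmap/brk calls fail, so CPython raises MemoryError.
    resource.setrlimit(resource.RLIMIT_AS, (MEMORY_BYTES, MEMORY_BYTES))


def _tail(text: str) -> str:
    return text[-OUTPUT_TAIL:]


def run_untrusted(source: str) -> Verdict:
    """Execute `source` in a fresh, limited interpreter and classify the outcome."""
    proc = subprocess.Popen(
        [sys.executable, "-I", "-c", source],   # -I: isolated mode, ignores env/user site
        stdin=subprocess.DEVNULL,
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
        text=True,
        preexec_fn=_apply_limits,               # Unix-only; avoid in multi-threaded parents
        start_new_session=True,                 # own process group, so we can kill children too
    )
    try:
        out, err = proc.communicate(timeout=WALL_SECONDS)
    except subprocess.TimeoutExpired:
        # The CPU quota never fired (program sleeps or blocks): kill the whole group.
        os.killpg(proc.pid, signal.SIGKILL)
        out, err = proc.communicate()
        return Verdict("wall-clock", proc.returncode, _tail(out), _tail(err))

    rc = proc.returncode
    if rc == 0:
        kind = "ok"
    elif rc in (-signal.SIGXCPU, -signal.SIGKILL):
        kind = "cpu-limit"      # terminated by the kernel for exceeding RLIMIT_CPU
    else:
        kind = "error"          # uncaught exception in the snippet, e.g. MemoryError
    return Verdict(kind, rc, _tail(out), _tail(err))


# Constructed sample programs, one per failure mode the limits are meant to catch.
SAMPLES = {
    "ok": "print(sum(range(1000)))",
    "cpu_hog": "while True: pass",                 # non-halting, CPU-bound
    "sleeper": "import time; time.sleep(60)",      # non-halting, but idle
    "memory_hog": "x = bytearray(4 * 1024 ** 3)",  # 4 GiB against a 1 GiB cap
}


def run_all() -> dict:
    """Run every sample and return {name: Verdict} for inspection."""
    return {name: run_untrusted(src) for name, src in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_all().items():
        print(f"{name:11} -> {verdict.kind:10} rc={verdict.returncode} "
              f"stdout={verdict.stdout.strip()!r} stderr={verdict.stderr.strip()[-60:]!r}")
```

Two caveats a practitioner should keep in mind. `RLIMIT_CPU` is per process, so a snippet that forks gets a fresh quota per child; cap that with `RLIMIT_NPROC` or, better, put the child in a cgroup with a CPU and memory controller so the whole tree is accounted together. And none of this addresses the question's first concern, access to the server's data: the child interpreter runs with the parent's user, files and network, so the rlimits only buy availability, not confidentiality, which is the gap the VM in the answer is there to close.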