How do Internet interpreters / compilers deal with malicious code?

How do online code interpreters / compilers (jsfiddle.net, jsbin.com, ideone.com, codepad.org, etc.) handle malicious code, such as an endless loop?

+7
3 answers

This particular site looks like it is executing its code on the client side. This way you cannot damage your servers.

Other sites take the approach of running code in virtual machines. You can simply throttle the resources that the virtual machine can take, which limits the potential damage that can be done.

+1

jsFiddle runs only client-side code (JavaScript) - the only machine that can be harmed is yours (or that of someone who is viewing your fiddle).

Most browsers have something in place to detect an unresponsive script (like an infinite loop) and give you the option to stop the script.

Then there are sites like codepad.org and ideone.com that run code on the local machine.

Codepad.org

Code execution is handled by a geordi-based supervisor. The strategy is to run everything under ptrace, and many system calls are barred or ignored. Compilers and final executables are executed in a chroot jail with severe resource restrictions.

When your application is remote code execution, you should expect security problems. Instead of relying solely on the chroot and ptrace supervisor, I took some extra precautions:

  • Supervisor processes run on virtual machines, which are firewalled so that they are unable to make outbound connections.
  • Machines that run the virtual machines are also heavily firewalled, and are restored from the original images periodically.
+11
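The "severe resource restrictions" layer mentioned in the Codepad description, as an added example (not Codepad's or geordi's code, and not part of the answer above): a small Python supervisor that applies `setrlimit` limits to a child process before it executes submitted code and adds a wall-clock timeout. The function names, limit values and sample submissions are assumptions made for illustration; the ptrace syscall filtering, the chroot jail and the firewalled virtual machines are separate layers that this does not show.

```python
import resource
import signal
import subprocess
import sys


def _limiter(cpu_s, mem_bytes, file_bytes):
    def apply():
        # Runs in the child after fork() and before exec(), so the limits
        # bind only the untrusted program, not the supervisor.
        # Soft CPU limit -> SIGXCPU; hard limit one second later -> SIGKILL.
        resource.setrlimit(resource.RLIMIT_CPU, (cpu_s, cpu_s + 1))
        resource.setrlimit(resource.RLIMIT_AS, (mem_bytes, mem_bytes))
        resource.setrlimit(resource.RLIMIT_FSIZE, (file_bytes, file_bytes))
        resource.setrlimit(resource.RLIMIT_CORE, (0, 0))
    return apply


def run_untrusted(source, cpu_s=1, mem_bytes=512 << 20,
                  file_bytes=1 << 20, wall_s=5):
    """Run Python source in a limited child; return (verdict, stdout)."""
    cmd = [sys.executable, "-I", "-c", source]  # -I: ignore env vars, user site
    try:
        proc = subprocess.run(
            cmd, preexec_fn=_limiter(cpu_s, mem_bytes, file_bytes),
            stdin=subprocess.DEVNULL, capture_output=True, text=True,
            timeout=wall_s)  # wall clock catches sleeps that use no CPU
    except subprocess.TimeoutExpired:
        return "wall-clock timeout", ""
    if proc.returncode < 0:
        return "killed by " + signal.Signals(-proc.returncode).name, proc.stdout
    if proc.returncode != 0:
        return "exit %d" % proc.returncode, proc.stdout
    return "ok", proc.stdout


if __name__ == "__main__":
    # Constructed sample submissions.
    samples = {
        "benign": "print(6 * 7)",
        "endless loop": "while True: pass",
        "memory bomb": "x = bytearray(1 << 30)",
        "stall": "import time; time.sleep(60)",
    }
    for name, src in samples.items():
        print(name, "->", run_untrusted(src, wall_s=2)[0])
```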

Since sites like jsfiddle are only client-side code (you cannot write server-side code), any bad code will affect the browser that launches it. It should not affect their servers at all.

0
