1

I'm developing a platform similar to hackerrank.com where someone can submit C code, and then that code will be compiled, and run on my server, but I want to limit the C instruction set that a person will be able to execute on my server.

For example: limit the instruction set to I/O only.

My first approach was to parse the code and look for malicious code, but that is pretty naive because it can be easily overriden (shell code, obfuscation, etc..)

My second approach (the one I think it could work) is to remove all the "unnecessary" headers, and just leave stdio.h, math.h, stdlib.h, etc... just to name a few.

But then I thought that it might be possible to limit from gcc the instruction set of C, but after reading the man entry for gcc I couldn't find anything close to what I need, so I wonder if that's even possible.

If that's not possible, what could be a safe way to solve this problem? Other than getting rid of unnecessary libraries.

Thanks!

ILikeTacos
  • 17,464
  • 20
  • 58
  • 88
  • 1
    This has been discussed previously - see [How to create a lightweight C code sandbox?](http://stackoverflow.com/questions/980170/how-to-create-a-lightweight-c-code-sandbox) –  Apr 09 '13 at 23:47
  • 2
    Compile the code for MIPS. Run the compiled code in a MIPS emulator. Control or disable special instructions and system calls. – Alexey Frunze Apr 09 '13 at 23:56

1 Answers1

0

You could limit system calls using systrace, which is available on OpenBSD. I'm sure there's an equivalent for linux and other operating systems. This would allow you to restrict syscalls to file io only and not things like sockets and forking.

sigflup
  • 305
  • 2
  • 11