Anatoli

Reputation: 932

Run java with highest security setting

I'm currently writing an in-house coding challenge web application and I am wondering if there is any other security precaution I would need to have other than the Java option below at runtime. The client will access a web page via a web browser and submit their code, and the server will compile and run that code.

java -Djava.security.manager=default

Basically, challenges would be more single-threaded, math and algorithm focused. So I would need to enable basic data structure objects and disable any files, sockets, threading or anything that might not be so important.

Based on my quick search, turning on the security manager as above seems to be a solution, but since this is security related I would like to be sure before it goes live.

Is there anything more I could do?

Upvotes: 0

Views: 95

Answers (1)

tucuxi

Reputation: 17945

Start by running your code in a chroot jail - I propose using jailkit (used in dom-judge) to automate the jail-building process (I am assuming you are under some sort of unix-like environment). Chroot jails are more lightweight than a full VM, and easier to set up. Some people try to achieve the same effect with AppArmor (used in edx). If neither is available, use a virtual machine such as VirtualBox; vagrant may come in handy for the VM setup.

Whatever you do, do not rely only on JVM security. All the serious coding-challenge systems I have seen use one of the above mechanisms, typically with several "code executor" machines taking in tasks as they appear on a common queue. The idea being that, although environment setup and teardown may be slow, by keeping enough execution machines on standby any incoming jobs can be processed without delay.

In particular, JVM permissions do not cover time constraints, threading, or max heap size. You will want to use setrlimit to control runtime and heap. I do not know how to limit Java thread creation, but a little research will probably uncover something more.

This being said, you can always provide an empty security policy such as the following:

grant {
};

This should disallow any and all security-requesting actions.

Upvotes: 1
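
Added example (not part of the answer above, and not code from dom-judge or edx): a Python launcher that applies the setrlimit caps the answer mentions to a child process, plus a builder for the JVM command line using the question's security-manager option and a policy file such as the empty one shown. The paths, class name, limit values and function names are assumptions; RLIMIT_NPROC is included as one way to bound thread creation on Linux.

```python
import resource
import signal
import subprocess

def java_cmd(main_class, classpath, policy_file, heap_mb=64):
    """JVM command line for one submission (class name and paths are hypothetical).
    Assumes a JDK that still ships the Security Manager (deprecated since Java 17)."""
    return ["java", f"-Xmx{heap_mb}m",                 # JVM-level heap cap
            "-Djava.security.manager=default",         # option from the question
            f"-Djava.security.policy=={policy_file}",  # '==': use only this policy file
            "-cp", classpath, main_class]

def run_limited(cmd, cpu_seconds=2, wall_seconds=10, mem_bytes=2 << 30, max_procs=None):
    """Run cmd under setrlimit caps and return (verdict, stdout)."""
    def apply_limits():  # runs in the child between fork() and exec()
        # Soft limit delivers SIGXCPU; the hard limit one second later is SIGKILL.
        resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds + 1))
        # Coarse outer bound on address space; a JVM needs headroom well above -Xmx.
        resource.setrlimit(resource.RLIMIT_AS, (mem_bytes, mem_bytes))
        # Cap the size of any file the submission manages to write.
        resource.setrlimit(resource.RLIMIT_FSIZE, (1 << 20, 1 << 20))
        if max_procs is not None:
            # Counts every process and thread of this UID, so use a dedicated user.
            resource.setrlimit(resource.RLIMIT_NPROC, (max_procs, max_procs))
    try:
        proc = subprocess.run(cmd, preexec_fn=apply_limits, timeout=wall_seconds,
                              stdin=subprocess.DEVNULL, stdout=subprocess.PIPE,
                              stderr=subprocess.DEVNULL)
    except subprocess.TimeoutExpired:
        return "wall-timeout", b""  # e.g. a sleeping process, which burns no CPU time
    if proc.returncode in (-signal.SIGXCPU, -signal.SIGKILL):
        return "cpu-limit", proc.stdout
    return ("ok" if proc.returncode == 0 else "runtime-error"), proc.stdout
```

The wall-clock timeout is needed alongside RLIMIT_CPU because a submission that blocks or sleeps consumes no CPU time and would otherwise hold an executor indefinitely.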
