Reputation: 36446
How can I safely run untrusted Java applications?
I'm writing an autograder web application that accepts a program from the user as input. What are some ways of protecting my web server from malicious program inputs?
Currently only Java program inputs are supported. I'm thinking about somehow disabling access to certain packages/classes, but I'm not sure how.
Any ideas/suggestions?
Upvotes: 4
Views: 261
Answers (1)
Reputation: 231093
The simplest approach for protecting against unwanted malicious program input is to simply run it in a separate VM. If you're on Linux, boot up a VM using KVM or something, run the program there, and have the output logged somewhere (over a virtual serial port, for example). Give the VM no network access and wipe its drive each time.
Failing that, Java does have an extensive security and sandboxing model, originally designed for isolating applets. However, it's tricky to use properly, and I wouldn't recommend using it for something like this - spawning a VM is much easier and safer.
Upvotes: 7
Related Questions
- What are the security risks I should guard against when running user-supplied Java code?
- Prevent Java Application from performing malicious activities
- Running applications on an old Java versions
- Can I use a java policy file to safely run an un-trusted app with sudo
- How to force un-signed java applications to run
- Run java with highest security setting
- Java code, Being Secure
- How to run untrusted Java Swing application inside a sandbox?
- How can I run untrusted code on behalf of third parties?
- Keeping my Java program secure