From owner-freebsd-hackers@FreeBSD.ORG Thu Oct 16 18:39:30 2003
From: David Gilbert
To: earthman
cc: freebsd-hackers@freebsd.org
Subject: On-line judgment kernel module
Date: Thu, 16 Oct 2003 18:28:15 -0400
Message-ID: <16271.7039.150262.159805@canoe.dclg.ca>
In-Reply-To: <1197083983.20031009074645@inbox.ru>
References: <1197083983.20031009074645@inbox.ru>
List-Id: Technical Discussions relating to FreeBSD

>>>>> "earthman" == earthman writes:

earthman> I want to create an on-line judge for ACM-like olympiads. So I
earthman> have to execute some code that came in source from
earthman> outside (www). Thus the security problem is my main problem.
earthman> The idea is to deny all syscalls for a specific process
earthman> p. This is possible even without rewriting the kernel, by a
earthman> kernel module.

earthman> Now I'm thinking how to do this. Possibly it would be easy
earthman> to point p->sv_sysent to the structure that points
earthman> sv_prepsyscall to some function that denies some system
earthman> calls. (kill process, make some record in module about
earthman> restricted call) But I don't understand how to cancel the
earthman> syscall out of that function. Maybe it's possible to change
earthman> the code parameter to something else.

I don't know how secure this would be from random binary attacks, but
I'd be very tempted to run the tests inside a vmware or bochs instance
launched by a script. If I were making the decisions, I'd lean towards
the bochs emulator ... as it's a complete virtual environment rather
than vmware's magic mojo.

As you conjecture, a syscall-less or syscall-restricted environment
*should* be safe ... if your syscall changes are bulletproof *_and_*
the rest of the runtime environment is bulletproof. Isn't a syscall
required to finish off exit()?

I would expect that bochs is scriptable.

Dave.

--
============================================================================
|David Gilbert, Independent Contractor.       | Two things can only be     |
|Mail:       dave@daveg.ca                    | equal if and only if they  |
|http://daveg.ca                              | are precisely opposite.    |
=========================================================GLO================
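The point Dave raises (a process that is denied every syscall cannot even exit) can be shown with a deny-by-default syscall filter in user space. This is an added example, not code from the thread or from FreeBSD: it swaps earthman's proposed sv_prepsyscall kernel hook for Linux seccomp-bpf (assumed host: Linux on x86_64 or aarch64), confines a forked child, and shows that the child can still terminate because exit/exit_group are on the allowlist, while any other syscall gets it killed with SIGSYS.

```c
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this ABI"
#endif

/* Deny-by-default filter: only exit, exit_group, write and rt_sigreturn are allowed.
 * Everything else, and any foreign ABI, returns SECCOMP_RET_KILL (SIGSYS). */
static struct sock_filter filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),          /* wrong ABI: kill */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit_group, 4, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit, 3, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write, 2, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_rt_sigreturn, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),          /* anything else: kill */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Fork, confine the child, run fn inside it; return the raw wait status, or -1. */
int run_confined(void (*fn)(void)) {
    struct sock_fprog prog = { .len = sizeof filter / sizeof filter[0], .filter = filter };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { /* child: installing the filter is the last syscall before fn() */
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) || prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
            _exit(127);
        fn();
        _exit(0);
    }
    int status;
    return waitpid(pid, &status, 0) == pid ? status : -1;
}

static void well_behaved(void) { _exit(3); }       /* exit_group: allowed */
static void misbehaved(void) { (void)getppid(); }  /* getppid: denied, child gets SIGSYS */
/* Hypothetical probe helpers: exit code of the well-behaved child, signal that killed the other. */
int confined_exit_code(void) { int s = run_confined(well_behaved); return WIFEXITED(s) ? WEXITSTATUS(s) : -1; }
int confined_kill_signal(void) { int s = run_confined(misbehaved); return WIFSIGNALED(s) ? WTERMSIG(s) : -1; }
```

Removing `__NR_exit_group` and `__NR_exit` from the allowlist makes even the well-behaved child die with SIGSYS, which is the behaviour a "deny all syscalls" design has to account for.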