security - Securely running user's code -


i looking create ai environment users can submit own code ai , let them compete. language anything, easy learn javascript or python preferred.

basically see 3 options couple of variants:

  1. make own language, e.g. javascript clone basic features variables, loops, conditionals, arrays, etc. lot of work if want implement common language features.

    1.1 take existing language , strip core. remove lots of features from, say, python until there nothing left above (variables, conditionals, etc.). still lot of work, if want keep date upstream (though ignore upstream).

  2. use language's built-in features lock down. know php can disable functions , searching around, similar solutions seem exist python (with lots , lots of caveats). i'd need have understanding of language's features , not miss anything.

    2.1. make preprocessor rejects code dangerous stuff (preferably whitelist based). similar option 1, except have implement parser , not implement features: preprocessor has understand language can have variables named "eval" not call function named "eval". still lot of work, more manageable option 1.

    2.2. run code in locked-down environment. chroot, no unnecessary permissions... perhaps in virtual machine or container. in sense. i'd have research how achieve , how make give me results in secure way, seems doable.

  3. manually read through code. doable on small scale or moderators, though still tedious , error-prone (i might miss stuff if (user.id = 0)).

the way imagine 2.2 work this: run both ais in virtual machine (or something) , constrain communicate host machine (no other internet or lan access). both ais run in separate machine , communicate each other (well, playing field, , thereby see each other's positions) through api running on host.

option 2.2 seems doable, relatively hacky... let someone's code loose in virtualized or locked down environment, hoping that'll keep them in while giving them free game dos or break out of environment. again, other options not better.

tl;dr: in essence question is: how let people give me 'logic' ai (which think done using code) , run without compromising functionality of system? there must @ least 2 ais working on same playing field.

this plugin system, researching how others implement plugins starting point. in particular, i'd @ web browsers chrome , safari , plugin systems.

a common theme in modern plugins systems process isolation. ideally should run plugin in own process space in sandbox. in os x @ xpc, designed explicitly problem. on linux (or more portably), @ nacl (native client). jvm designed provide sandboxing, , offers rich selection of languages. (that said, don't consider jvm strong sandbox. it's had history of security problems.)

in general, preference on these kinds of projects language-agnostic api. use rest apis (or "rest-like"). allows plugin highly restricted, while not restricting language choice. simple http communications whenever possible because has rich support in numerous languages, puts little restriction on plugin. in fact, given description, wouldn't have run plugin on hardware (and not on main server). making plugins remote clients removes many potential concerns.

but ultimately, think "2.2" right direction.


Comments

Post a Comment

Popular posts from this blog

javascript - Using jquery append to add option values into a select element not working -

i'm looking dynamically populate select element names of items stored array. for reason it's not working , i'm not sure why. html: <div class="col-md-4 col-md-offset-4"> <select class="select1"> </select> , <select class="select2"> </select> </div> note i'm using bootstrap layout. here's jquery i'm using try , populate ".select1" jquery: select: function() { $.each(state.greens, function(index, value) { $(".select1").append("<option value =' " + index + " '>" + state.greens[index].name + "</option>"); }); } note function 'select' stored within object called 'display'. state.greens name of array i'm trying access. so @ end of html page call display.select(); call function. no error messages showing in console. also, saw question: appending
Read more

Android soft keyboard reverts to default keyboard on orientation change -

i'm building android soft keyboard , can't seem fix bug - have arabic , qwerty keyboard , when rotate device on qwerty keyboard (or arabic shift), it's if program has "restarted" , becomes arabic keyboard without shift. the onsaveinstancestate(bundle savedinstancestate) not work because application not extend activity inputmethodservice . i put following in android manifest android:configchanges="keyboard|keyboardhidden|orientation" android:windowsoftinputmode="stateunchanged|adjustresize"> i tried using @override public void onconfigurationchanged(configuration newconfig) { super.onconfigurationchanged(newconfig); log.i(mydebug, "config changed " + currentkeyboard.equals(qwerty)); } however, currentkeyboard.equals(qwerty)) results false , made sure true before orientation change. any appreciated. i think applications fault. if application restarting on orientation change
Read more

jquery - javascript onscroll fade same class but with different div -

i new @ javascript , want learn new. there wrong code : why div fades @ same time. i want ask how fade different div s same class name.can me , explain me. thanks in advance. javascript: $(window).scroll(function(){ if ($( "div.fade" ).offset().top - $(window).scrolltop() <= 100){ $('.fade').addclass( "fade-in"); } else { $('.fade').removeclass("fade-in"); } }); here jsfiddle onscroll = function () { var scrolltop = $(this).scrolltop() ; $("div.fade").each(function(){ if(($(this).offset().top - scrolltop) <= 100){ $(this).toggleclass("fade-in"); } }) }
Read more