User code sandbox with Erlang

As far as I know, Erlang provides advanced features for error handling and process isolation.

I am creating a system that allows a user to submit their code that will be executed in a shared server environment and should make it secure.

Requirements:

  • Limit CPU and memory usage for each user process separately.
  • Prevent the user process from interacting with other processes (with the exception of some processes specifically designed for this purpose).
  • Deny access to all system resources (shell, file system, ...).
  • Completion of the user process in the event of errors or high resource consumption.

Is all of this possible with Erlang while maintaining its effectiveness?

2 answers

Safe Erlang has been done in the past, and you can find several articles about it. The ErlHive project addresses the issue in an interesting way.


In general, Erlang does not provide a means to sandbox code that a user can enter. You can try writing your own security code, but it is rather complicated.

A better choice would probably be a language like "safe haskell":

http://www.haskell.org/ghc/docs/7.4.2/html/users_guide/safe-haskell.html

which is specially made for this kind of thing.

The isolation provided by Erlang is not intended to protect against malicious modules that are being introduced. In fact, there is no such protection in a distributed case. Once two machines are connected, there is no limit to what you can do with another machine.
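As an added example (not code from the question or either answer), this module shows what Erlang/OTP does offer at the process level: a per-process heap cap via the `max_heap_size` option of `spawn_opt`, plus a monitor and a wall-clock timeout that terminate a runaway or crashing job. It covers only the memory and "terminate on error" requirements; the BEAM has no per-process CPU quota (the timeout stands in for one), and, as the answer above says, nothing here stops the submitted code from calling `file`, `os` or any other module, so this is resource limiting, not a sandbox. The module name `user_job` and the sample jobs in `demo/0` are constructed for the illustration.

```erlang
%% Added example: per-process resource limits in Erlang/OTP (not a sandbox).
-module(user_job).
-export([run/3, demo/0]).

%% Run Fun in its own process with a heap cap of MaxWords (words, not bytes).
%% The VM kills the process with reason 'killed' when the cap is exceeded;
%% a crash surfaces as a 'DOWN' message; a hang is cut off by Timeout (ms).
%% Returns {ok, Result} | {error, Reason}.
run(Fun, MaxWords, Timeout) ->
    Parent = self(),
    Ref = make_ref(),
    Opts = [monitor,
            {max_heap_size, #{size => MaxWords,
                              kill => true,
                              error_logger => false}}],
    {Pid, Mon} = spawn_opt(fun() -> Parent ! {Ref, Fun()} end, Opts),
    receive
        {Ref, Result} ->
            erlang:demonitor(Mon, [flush]),
            {ok, Result};
        {'DOWN', Mon, process, Pid, Reason} ->
            %% Reason is 'killed' for a heap-cap kill, {Error, Stack} for a crash
            {error, Reason}
    after Timeout ->
        %% No per-process CPU quota exists; a wall-clock limit is the stand-in.
        exit(Pid, kill),
        erlang:demonitor(Mon, [flush]),
        {error, timeout}
    end.

%% Constructed jobs exercising each outcome; returns ok when all match.
demo() ->
    %% well-behaved job
    {ok, 55} = run(fun() -> lists:sum(lists:seq(1, 10)) end, 1000000, 1000),
    %% runaway allocation: a 10-million-element list far exceeds 100k words
    {error, killed} = run(fun() -> length(lists:seq(1, 10000000)) end,
                          100000, 5000),
    %% error raised inside the job
    {error, {boom, _}} = run(fun() -> erlang:error(boom) end, 1000000, 1000),
    %% infinite loop stopped by the timeout
    {error, timeout} = run(fun Loop() -> Loop() end, 1000000, 200),
    ok.
```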


Source: https://habr.com/ru/post/1443846/
