13

I've researched this stuff a lot in recent months but I can't grasp any solid basis on how they achieve running unsafe scripts in so many languages without a problem!

I'm sure they are running virtual machines since language-specific sandboxes won't cut it, but what about whitelisting every language?

There has to be another restraint I'm not seeing.

kalina
alfa64

1 Answer

11

Codepad explains how they provide security on their about page:

codepad.org is an online compiler/interpreter. [...] The strategy is to run everything under ptrace, with many system calls disallowed or ignored. Compilers and final executables are both executed in a chroot jail, with strict resource limits. [...]

Rather than rely on just the chroot and ptrace supervisor, I've taken some additional precautions:

  • The supervisor processes run on virtual machines, which are firewalled such that they are incapable of making outgoing connections.

  • The machines that run the virtual machines are also heavily firewalled, and restored from their source images periodically.

This seems like a reasonable strategy to me.

For more background on sandboxing technologies, see the following: What is sandboxing?, How can I restrict what an application can do with my computer?, Monitoring system calls (in a reliable and secure way), and Wikipedia's entry on chroot.

D.W.
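The ptrace-plus-resource-limits part of the codepad strategy quoted in the answer, as an added example that is not codepad's code: a small Linux supervisor that traces a child, reads each syscall entry with PTRACE_GET_SYSCALL_INFO (Linux 5.3+, glibc 2.30+ headers assumed), and kills the child before a denied syscall executes. The deny list and the 2-second CPU limit are illustrative choices; the chroot jail and the firewalled VM layers the answer describes are not implemented here.

```c
/* Added example of a ptrace syscall supervisor (not codepad's code): the child
 * gets a CPU limit, every syscall entry is inspected, and a denied syscall
 * kills it before the kernel runs it. Linux 5.3+ / glibc 2.30+ assumed. */
#include <signal.h>
#include <stdlib.h>
#include <sys/ptrace.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

enum { SANDBOX_VIOLATION = -1, SANDBOX_ERROR = -2 };

static int denied(long nr, const long *deny, size_t n) {
    for (size_t i = 0; i < n; i++) if (deny[i] == nr) return 1;
    return 0;
}

/* Returns the child's exit status, SANDBOX_VIOLATION if killed, SANDBOX_ERROR if tracing failed. */
int run_sandboxed(char *const argv[], const long *deny, size_t ndeny) {
    int status; long sig = 0;
    pid_t pid = fork();
    if (pid == 0) {
        struct rlimit cpu = { 2, 2 };                 /* illustrative 2-second CPU limit */
        setrlimit(RLIMIT_CPU, &cpu);
        if (ptrace(PTRACE_TRACEME, 0, 0, 0) != 0) _exit(125);
        raise(SIGSTOP);                               /* pause so the tracer can set options */
        execv(argv[0], argv);
        _exit(126);
    }
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status)) return SANDBOX_ERROR;
    /* TRACESYSGOOD tags syscall stops as SIGTRAP|0x80; EXITKILL kills the child if the tracer dies. */
    if (ptrace(PTRACE_SETOPTIONS, pid, 0, PTRACE_O_TRACESYSGOOD | PTRACE_O_EXITKILL) != 0) {
        kill(pid, SIGKILL); waitpid(pid, &status, 0); return SANDBOX_ERROR;
    }
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, 0, sig) != 0 || waitpid(pid, &status, 0) < 0) return SANDBOX_ERROR;
        if (WIFEXITED(status)) return WEXITSTATUS(status);
        if (WIFSIGNALED(status)) return SANDBOX_VIOLATION;      /* killed, e.g. SIGXCPU from the limit */
        sig = 0;
        if (WSTOPSIG(status) != (SIGTRAP | 0x80)) {             /* a real signal: deliver it, keep going */
            if (WSTOPSIG(status) != SIGTRAP) sig = WSTOPSIG(status);
            continue;
        }
        struct __ptrace_syscall_info info;
        if (ptrace(PTRACE_GET_SYSCALL_INFO, pid, sizeof info, &info) <= 0) return SANDBOX_ERROR;
        if (info.op == PTRACE_SYSCALL_INFO_ENTRY && denied((long)info.entry.nr, deny, ndeny)) {
            kill(pid, SIGKILL); waitpid(pid, &status, 0); return SANDBOX_VIOLATION;  /* before it runs */
        }
    }
}

int main(int argc, char *argv[]) {                               /* usage: ./sandbox /bin/echo hi */
    long deny[] = { SYS_socket, SYS_connect };                   /* no network, mirroring the firewall rule */
    return argc > 1 ? run_sandboxed(argv + 1, deny, 2) & 0xff : 2;
}
```

Because the supervisor only sees syscall numbers, it cannot tell a harmless write from a harmful one; that is why the quoted strategy layers a chroot, a firewalled VM and periodic image restores on top of it.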