14

I'm planning a service that will require allowing users to run arbitrary JVM code on a server. I'm planning to sandbox the code, but I know that the JVM has traditionally had security holes, which is why I want to explore other avenues.

There are already services such as Travis CI which allow anyone to run any code on their servers by checking it into GitHub.

How can a service like this ensure that someone isn't taking advantage of their servers to launch an attack or other malicious behavior?

WhiteWinterWolf
  • 19,082
  • 4
  • 58
  • 104
Ryan Kennedy
  • 461
  • 3
  • 9
  • 5
    They run builds in VMs which are rolled back to a standard snapshot after __every__ build. – user1937198 Mar 17 '14 at 20:54
  • 1
    Right, I figured as much... but they could still be used for executing malicious code *during* a build. I would imagine that, in order to not be legally held liable for an attack, they'd have to have some measures in place. – Ryan Kennedy Mar 17 '14 at 21:05
  • 1
    Yes that's why I put it in a comment not an answer. I'd quite like to know how they handle that as well. – user1937198 Mar 17 '14 at 21:07
  • 2
    Do they? I mean, sure, they should, but... – JaimeCastells Oct 22 '15 at 02:40
  • 1
    I'm voting to close this question as off-topic because if it specific, OP should ask them directly or the question should be changed to be how one could do this without regard to how they do it. – Eric G Dec 28 '15 at 15:02
  • @EricG I've reworded the question to make it less specific to Travis CI. You're right in that I'm more interested in "how one could do this" than what Travis does, specifically. – Ryan Kennedy Jan 03 '16 at 20:10
  • Run it in a Container or VM, then you apply security controls, limit network accesses, probably apply bandwidth quota, apply OS based access control (e.g. SELinux, AppArmor). If you're really paranoid, you can run your hypervisor/base OS from a read only media. You could write books on this topic. – Lie Ryan Jan 04 '16 at 00:04
  • This question is still going to be very broad even thought you added "such as" . This question is similar to asking how can I secure "X", "my windows PC", etc. – Eric G Jan 04 '16 at 02:01
  • @RyanMuller: I've edited you question in order to broaden it's scope and turn Travis CI more as an example so it has more chances of being reopened. I hope I didn't went against your initial intent, feel free to rollback the change if you want to (the *rollback* option is available by clicking on the *edited* link below your post). – WhiteWinterWolf Jan 04 '16 at 11:11

1 Answers1

1

There are Docker containers for Java and I think some of the newer CI services might use those. You can put all sorts of additional restrictions on those, such as limiting memory/network/CPU/etc. VMs can also do this of course.

CrazyPyro
  • 111
  • 3
  • Are you suggesting that Docker adds security? If so, what does it protect and not protect? – Neil Smithline Jan 04 '16 at 21:07
  • Docker (or other containers) do bring some security, but offer a pretty large attack surface by themselves. I'd trust SELinux / traditional linux security rather than a container (or you can stack them: run each JVM inside a container, each container inside a SELinux/user sandbox). – ptyx Jan 04 '16 at 23:07