Securely sandboxing for assessment in programming course

Hello,

I have one Linode 2Gb running Debian on which I run my personal website, and a couple of websites of other people. Now, I teach programming at a university and I need to set up some form of automated assessment for students programs (in different languages). The University has some basic setup for that, but it doesn't work very well.

I first thought I could just set up qemu machines on the Linode, with a shared /usr partition image mounted read-only, but then I checked this thread: https://forum.linode.com/viewtopic.php?f=20&t=4749 – it doesn't seem to be a good idea to run qemu on a Linode.

(It is very important to me that my Linode doesn't hang, and that all other websites keep running as usual)

So I thought I could then set up chrooted environments, to which students will have no login access. They would submit code, which would be compiled or interpreted according to the language, and executed as non-root user by a daemon:

1. Student submits file to a web server. The file is put in that student's chroot.

2. Another program, chrooted in that same place, runs the program and puts the output in a file.

3. The output file is read by a program outside the chroot, and compared to an expected output.

4. The result is published on a webpage so the student has his feedback.

A single /usr directory would be used for all chroots, and mounted readonly, and each student would have his /home, /var and /tmp directories.

But I am not sure about the security implications of this. My questions then are:

  • Is it possible for a non-root user to break out of the chroot on a modern Linux kernel?

  • If I decide to go with the chroot solution, what should I do besides, of course, dropping root privileges as soon as possible?

Thanks a lot!
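The four-step pipeline above, written out as a runner that chroots, applies resource limits and drops privileges before executing a submission. This is an added example, not code from the thread; the limits, the chroot path, the uid/gid values and the helper names are assumptions. The chroot and setuid parts need root; with `root_dir`, `uid` and `gid` set to `None` the same code runs unconfined as any user, which is only useful for trying the flow out.

```python
"""Constructed example: a chroot-and-drop-privileges grading runner.

Not code from the original thread.  CPU/memory/process limits, the chroot
path and the uid/gid shown in __main__ are assumed values for illustration.
"""
import os
import resource
import subprocess

# Per-run limits (assumed values).
CPU_SECONDS = 5           # hard CPU cap, ends infinite loops
WALL_SECONDS = 10         # wall-clock timeout enforced by the parent
MEMORY_BYTES = 1 << 30    # address-space cap
MAX_PROCS = 32            # no fork bombs
MAX_FILE_BYTES = 1 << 20  # files the student writes inside the chroot


def _cap(res, value):
    """Lower soft and hard limit to `value`, never above the current hard limit."""
    _soft, hard = resource.getrlimit(res)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(res, (value, value))


def _harden_child(root_dir, uid, gid):
    """Build the preexec_fn that confines the child between fork and exec.

    Order matters: chroot then chdir("/") while still root (a cwd left outside
    the new root is the classic escape), then drop supplementary groups, gid
    and finally uid, then verify root cannot be regained.  The address-space
    cap goes last so this hook's own Python code is not starved.
    """
    def preexec():
        _cap(resource.RLIMIT_CPU, CPU_SECONDS)
        _cap(resource.RLIMIT_NPROC, MAX_PROCS)
        _cap(resource.RLIMIT_FSIZE, MAX_FILE_BYTES)
        _cap(resource.RLIMIT_CORE, 0)
        if root_dir is not None:
            os.chroot(root_dir)
            os.chdir("/")
        if gid is not None:
            os.setgroups([])
            os.setgid(gid)
        if uid is not None:
            os.setuid(uid)
            try:
                os.setuid(0)
            except PermissionError:
                pass
            else:
                os._exit(125)  # root came back: refuse to run the student code
        _cap(resource.RLIMIT_AS, MEMORY_BYTES)
    return preexec


def run_submission(cmd, root_dir, uid, gid, stdin_bytes=b"", wall_seconds=WALL_SECONDS):
    """Run one submission; return (returncode, stdout, timed_out).

    Output is collected over a pipe rather than read back from a file inside
    the chroot, so a student cannot replace the result file with a symlink.
    The environment is built from scratch so nothing from the daemon leaks in.
    preexec_fn is only safe in a single-threaded parent.
    """
    try:
        proc = subprocess.run(
            cmd,
            input=stdin_bytes,
            capture_output=True,
            timeout=wall_seconds,
            preexec_fn=_harden_child(root_dir, uid, gid),
            env={"PATH": "/usr/bin:/bin", "HOME": "/home", "LANG": "C"},
        )
    except subprocess.TimeoutExpired as exc:
        return None, exc.stdout or b"", True
    return proc.returncode, proc.stdout, False


def compare_output(actual, expected):
    """Compare line by line, ignoring trailing whitespace and a final newline."""
    def norm(data):
        return [line.rstrip() for line in data.decode("utf-8", "replace").splitlines()]
    return norm(actual) == norm(expected)


def grade(cmd, root_dir, uid, gid, expected, stdin_bytes=b"", wall_seconds=WALL_SECONDS):
    """Step 2 and 3 of the pipeline: run, then compare against expected output."""
    status, out, timed_out = run_submission(cmd, root_dir, uid, gid, stdin_bytes, wall_seconds)
    if timed_out:
        return "TIMEOUT"
    if status != 0:
        return "RUNTIME_ERROR"
    return "PASS" if compare_output(out, expected) else "WRONG_ANSWER"


if __name__ == "__main__":
    # Real deployment (as root), assumed chroot path and uid/gid:
    #   grade(["/usr/bin/python3", "/home/main.py"], "/srv/chroots/student42", 10042, 10042, b"42\n")
    # Unconfined dry run, works as any user:
    print(grade(["/bin/echo", "hello"], None, None, None, b"hello\n"))
```

The rlimits and the privilege drop are what stand between a submission and the other sites on the box: a chroot alone does nothing against a fork bomb or a loop that eats CPU, and a process that is still root inside a chroot can trivially leave it (mkdir, chroot into the subdirectory, chdir("..") out).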

7 Replies

My advice: add a second Linode and use LXC containers in Ubuntu 14.04. You may want to use the distro's kernel; it may support restrictions better than Linode's (I haven't checked what's compiled into Linode's kernel, so I can't comment).

LXC = Chroot on steroids https://linuxcontainers.org/

Thank you for pointing me to LXC!

Unfortunately, I am really short on money (in my country university teachers have low salaries), and setting up another Linode would be too expensive. I'll see what I can do with one single Linode, though.

With LXC or any chroot it's still possible for a malicious student to cause havoc: they could, for example, thrash the disk, grinding the server to a halt, use a massive amount of network bandwidth, run malicious scripts, etc. On the bright side, you can limit CPU and RAM usage. Best to keep a close eye on what they're up to ;)

Why would you do that on a public VPS?

Except for the "upload file" part, everything else would be better on a local VM.

Why not set up your testing system in a VM on your local box using the free VirtualBox app, then have your students submit their projects (in a well-defined Zip folder) to either your email address or your free public Dropbox folder.

You're burning resources on your public webserver (and opening up all kinds of security issues) for seemingly no good reason.

vonskippy: you're right, I should probably run the assessment in batch mode. It would be nice to let them have immediate feedback, though.

I came across a hacking website that uses a Linode for running exercises. It allows SSH access to anyone, so presumably they have something to prevent malicious activity. They have a website on GitHub: overthewire.org.

No matter what you do, there will probably still be opportunities for people you don't trust to cause trouble.

@John Henry Eden:

> I came across a hacking website that uses a Linode for running exercises. It allows SSH access to anyone, so presumably they have something to prevent malicious activity. They have a website on GitHub: overthewire.org.

I'm sure the owner(s) of those servers don't store any sensitive information on them, and are prepared to wipe them at a moment's notice. The OP wants to do this on the same VM as an important web server, which is not a good idea.

If I were doing this, I'd get a cheap dedicated server from OVH and use VirtualBox and Vagrant. Each submission would trigger a script that initializes a VirtualBox VM using "vagrant up", runs the code inside the VM, then collects the output and nukes the VM with "vagrant destroy". If it's set up correctly, the only way a malicious student could cause trouble is by finding a VM escape exploit in VirtualBox, which would be quite an achievement. Should be fairly easy to set up if you're familiar with Vagrant, though preventing excess resource consumption may take some work.
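The up / run / destroy cycle from the reply above, as an added example that is not code from the thread or from Vagrant. The Vagrantfile directory, the guest working directory (assumed to be the Vagrantfile's synced folder) and the `run_cmd` injection point are assumptions; the latter exists so the control flow can be exercised offline with the constructed `FakeRunner` instead of a hypervisor. The point worth seeing in code is the `finally`: the VM is destroyed whether the grade passed, failed, or the boot itself broke.

```python
"""Constructed example: one VM per submission with Vagrant.

Not code from the thread.  VAGRANT_DIR, GUEST_WORKDIR, the timeouts and the
run_cmd parameter are assumptions made so the cycle can be shown end to end.
"""
import shlex
import subprocess
from pathlib import Path

VAGRANT_DIR = Path("/srv/grader/vm")       # assumed: holds a prepared Vagrantfile
GUEST_WORKDIR = "/home/vagrant/submission"  # assumed: synced_folder target for the upload
VM_TIMEOUT = 300                            # seconds allowed for boot / run / destroy
CMD_SECONDS = 10                            # coreutils `timeout` applied inside the guest


def vagrant(args, run_cmd=subprocess.run, timeout=VM_TIMEOUT):
    """Run one vagrant subcommand in VAGRANT_DIR and return its CompletedProcess."""
    return run_cmd(["vagrant", *args], cwd=str(VAGRANT_DIR),
                   capture_output=True, timeout=timeout)


def build_guest_cmd(interpreter, entry_file):
    """Shell line for `vagrant ssh -c`: cd into the upload and run it under a time cap."""
    return (f"cd {shlex.quote(GUEST_WORKDIR)} && "
            f"timeout {CMD_SECONDS}s {shlex.join([*interpreter, entry_file])}")


def compare_output(actual, expected):
    """Line-by-line comparison ignoring trailing whitespace."""
    def norm(data):
        return [line.rstrip() for line in data.decode("utf-8", "replace").splitlines()]
    return norm(actual) == norm(expected)


def grade_in_vm(guest_cmd, expected, run_cmd=subprocess.run):
    """Boot a fresh VM, run guest_cmd in it, compare, and always destroy the VM."""
    verdict = "INFRA_ERROR"
    try:
        if vagrant(["up"], run_cmd).returncode != 0:
            return verdict
        res = vagrant(["ssh", "-c", guest_cmd], run_cmd)
        if res.returncode != 0:              # vagrant ssh returns the guest command's status
            verdict = "RUNTIME_ERROR"
        elif compare_output(res.stdout, expected):
            verdict = "PASS"
        else:
            verdict = "WRONG_ANSWER"
    except subprocess.TimeoutExpired:
        verdict = "TIMEOUT"
    finally:
        # Unconditional teardown: a VM left running after a failed grade keeps
        # eating RAM and disk and carries state into the next submission.
        vagrant(["destroy", "-f"], run_cmd, timeout=120)
    return verdict


class FakeRunner:
    """Constructed stand-in for subprocess.run so the cycle can run without VirtualBox."""
    def __init__(self, responses):
        self.responses = responses  # vagrant subcommand -> (returncode, stdout)
        self.calls = []
    def __call__(self, argv, **kwargs):
        self.calls.append(argv)
        rc, out = self.responses.get(argv[1], (0, b""))
        return subprocess.CompletedProcess(argv, rc, stdout=out, stderr=b"")


if __name__ == "__main__":
    # Offline demo; in production drop run_cmd so subprocess.run drives real Vagrant.
    fake = FakeRunner({"up": (0, b""), "ssh": (0, b"42\n"), "destroy": (0, b"")})
    print(grade_in_vm(build_guest_cmd(["python3"], "main.py"), b"42\n", run_cmd=fake))
    print([argv[1] for argv in fake.calls])
```

The per-VM resource cap the reply mentions belongs in the Vagrantfile itself, through the VirtualBox provider's `vb.memory` and `vb.cpus` settings, with the `timeout` inside the guest covering wall-clock time; the outer `VM_TIMEOUT` is the last resort if the guest never comes up at all.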
