How do I let customers run arbitrary code as securely as possible?

Question

I'd like to offer a service where customers can write arbitrary java code, send it to me, and I'll run it for them on Amazon EC2. My question is: how can I do this without exposing one customer's data to another customer?

Right now I'm thinking that each customer can be sandboxed as their own OS-level user with restricted permissions. Is that good enough?

I understand that this is a tricky issue, but it seems to be one that many people, such as the designers of multi-user OS's and Amazon themselves are solving, so I am optimistic that there might be a good approach.

Just create new virtual machines on the EC2 cluster for each customer -- Amazon is basically doing the security work for you! — edA-qa mort-ora-y, Jun 29 '11 at 12:09
By "arbitrary" are you allowing disk access, net access, etc? — Peter Taylor, Jun 29 '11 at 12:19

score 3 · Answer 1 · answered Jun 29 '11 at 12:09

You are aware of the security manager? It allows you to restrict a lot of functionality, but you need to spend quite some time to make it airtight.

Why not just fire up an new ec2 instance to run it completely seperate?

score 2 · Answer 2 · answered Jun 29 '11 at 08:49

2

Firstly - virtualise.

Secondly - check the terms of service to ensure that Amazon EC2 actually allows you to do this, it sounds like re-selling their service.

answered Jun 29 '11 at 08:49

quickly_now

14,822
1
35
48

Can you elaborate on "virtualise" ? – Tyler Jun 29 '11 at 09:30
Also, I don't mean at all to simply re-sell their service. I plan to add a lot of functionality, and as part of this functionality, I'd like to allow developers to write custom code to give them (as customers) more power. I'm not at liberty to go into details, but I'm confident that this does not violate their terms of service. It is in keeping with the spirit of what AWS is built for, and, in case that's not enough, I have actually read the terms of service (aka AWS Customer Agreement), and what I want to do is allowable. – Tyler Jun 29 '11 at 09:35
1

Virtualise: keep each customer separate, use a virtual machine (ie virtualise the entire machine and operating system). Or only allow code to run thats using some kind of virtualised environment / specially designed for sandboxing, something like that. It depends on what AWS actually permit [I have not checked.] You may still have issues - for example customer write code that uses all available CPU will likely result in a "please do not do that again" along with termination of whatever (possibly everything) you have running. Take care with this kind of thing. – quickly_now Jun 29 '11 at 09:40

score 0 · Answer 3 · answered Jun 29 '11 at 12:06

Your only safe way to do it (and not 100% foolproof) is to audit their code yourself before running it. Use of code review tools will catch a lot of potential security issues, and manual code review should catch most of the rest.

I would be exceedingly worried about trying to do this - you do have good liability insurance, right? And you can manage legal battles in all the countries your clients are based in?

score 0 · Answer 4 · answered Jun 29 '11 at 12:39

Read about section at codepad.org for a general description of security measures for online interpreter/complier. The guy uses virtualization and chroot and periodically restores virtual machines from backups. Maybe he would license his supervisor software, it's probably one of the reasons he runs the whole project for.

How do I let customers run arbitrary code as securely as possible?

4 Answers4