Sign in to follow this  

Am I just wasting my time?

This topic is 4088 days old which is more than the 365 day threshold we allow for new replies. Please post a new topic.

If you intended to correct an error in the post then please contact us.

Recommended Posts

I've been building a system where the server component dynamically compiles some code and loads it when it runs. Now I have been strugling with restricting what that code can do to make things a little safer, but I'm not really making progress. So here is my question, If the code that the server compiles can only be put there by the admin, am I really just wasting my time? Its not like compiled code will be distributed. It will never be run on the client. Its very much like PHP in that the code that runs on the server could do all sorts of dangerous stuff, but the person who put the code on the server is probably the person responsible for the machine. How much effort in protecting the users of my software from themselves is reasonable, especially considering I could give up on this and let the dynamic code do whatever it wants and get back to working on other parts of the code? Any thoughts?

Share this post


Link to post
Share on other sites
IMO you shouldn't completely prevent the user1 from running the code they want to run, because there's no real way of detecting malicious code as opposed to code that's quite unsafe but doesn't do anything bad. However, you should make the user go though a few hoops. In a .NET managed language for instance you can't do anything unsafe unless you explicit say "hey I want to do something that isn't safe", and while it lets you interop with native code or whatever else it is you wanted to do, .NET marks the entire assembly as unsafe and that has some consequences as to when it can be run.

1 The user being the admin/server, since the client is (or should be) insulated regardless.

Share this post


Link to post
Share on other sites
.Net's security model is pretty good, and the server can run with a different permission set to its plugins; if you're using Windows and are still at the choosing a language stage I'd recommend looking into it.

Share this post


Link to post
Share on other sites
I do happen to be using .Net and I was trying to get the dynamically created assembly to run in a seperate AppDomain with tighter security. Its just that I have had so much trouble with that I'm questioning if its worth the effort.

Share this post


Link to post
Share on other sites

This topic is 4088 days old which is more than the 365 day threshold we allow for new replies. Please post a new topic.

If you intended to correct an error in the post then please contact us.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

Sign in to follow this