3

Is there any way to disable system() and exec() function in C/C++ and Pascal, by using any compiler argument or modifying header/unit file? (It's a Windows)

I've tried using -Dsystem=NONEXIST for gcc and g++ but #include <cstdio> causes compile error.

EDIT: Of course I know they can use #undef system to bypass the defense, so I've tried to comment out the system function line in stdlib.h, but that doesn't work too.

EDIT2 (comment): It's a system, to which users submit their programs and the server compile and run it with different input data, then compare the program output with pre-calculated standard output to see if the program is correct. Now some users send code like system("shutdown -s -t 0"); to shutdown the server.

The server is running Windows system so I don't have any chroot environment. Also the server application is closed-source so I can do nothing to control how the program submitted by user is executed. What I can do is to modify the compiler commandline argument and modify header files.

Improve this question
9
  • What do you mean by "to disable"? Just don't use them? Commented Nov 2, 2011 at 8:42
  • 1
    Why? For sandboxes, this would be mind-boggingly insufficient. For checking whether some code uses them, just look at it (or inspect the compiler output if it's obfuscated). Commented Nov 2, 2011 at 8:43
  • @hexchain: why do you ask? that way people can help you better Commented Nov 2, 2011 at 8:46
  • 1
    What operating system are you using? If Linux (or other systems where you can use LD_PRELOAD), you can use LD_PRELOAD to load a library containing dummy stubs for those functions. Commented Nov 2, 2011 at 8:46
  • It's a system, to which users submit their programs and the server compile and run it with different input data, then compare the program output with pre-calculated standard output to see if the program is correct. Now some users send code like system("shutdown -s -t 0"); to shutdown the server. Commented Nov 2, 2011 at 8:50

6 Answers 6

Reset to default
4

Well, you could try:

#define system DontEvenThinkAboutUsingThisFunction
#define exec   OrThisOneYouClown

in a header file but I'm pretty certain any code monkey worth their salt could bypass such a "protection".

I'd be interested in understanding why you thought this was necessary (there may be a better solution if we understood the problem better).

The only thing that comes to mind is that you want to provide some online compiler/runner akin to the Euler project. If that was the case, then you could search the code for the string system<whitespace>( as an option but, even then, a determined party could just:

#define InoccuousFunction system

to get around your defenses.

If that is the case, you might want to think about using something like chroot so that no-one can even get access to any dangerous binaries like shutdown (and that particular beast shouldn't really be runnable by a regular user anyway) - in other words, restrict their environment so that the only things they can even see are gcc and its kin.

You need to do proper sandboxing since, even if you somehow prevented them from running external programs, they may still be able to do dangerous things like overwite files or open up socket connections to their own box to send through the contents of your precious information.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

Thank you for your reply. The server is running Windows system so I don't have any chroot environment. Also the server application is closed-source so I can do nothing to control how the program submitted by user is executed.
@hexchain: if you cannot control how they're submitted, then you're pretty well pushing faecal matter uphill :-) Perhaps you could investigate the possibility of running these things in VMs that can be saved and restored in between each operation. Short of gaining that power you say you're lacking, I'm not sure how else you can protect yourself.
2

One possibility is to create your own version of such functions, and link them into every program you compile/link on the server. If the symbol is found in your objects, it'll take precedence.

Just make sure you get them all ;)

It would be much better to run the programs as a user with as few privileges as possible. Then you don't have to worry about them deleting/accessing system files, shutting down the system, etc.

EDIT: of course, by my logic, the user could provide their own version of the function also, which does dynamic library loading & symbol lookup to find the original function. You really just need to sandbox it.

Improve this answer

1 Comment

Running the compiled application with reduced properties is the best solution. Even if system() can't be called from the app, the app will still be able to invoke OS system calls via generated or hard-coded assembly instructions.
1

For unixoid environments, there is Geordi, which uses a lot of help from the operating system to sandbox the code to be executed.

Basically you want to run the code in a very restricted environment; Linux provides a special process flag for that which disables any system calls that would give access to resources that the process did not have at the point where the flag was set (i.e. it disallows opening new files, but any files that are already open may be accessed normally).

I think Windows should have a similar mechanism.

Improve this answer

Comments

0

Not really (because of tricks like calling some library function which would call system itself, or because the functionality of spawning processes can be done with just fork & execve system calls, which remain available...).

But why do you ask that?

Improve this answer

Comments

0

You can never (as you have found out) rely on user input to be safe. system and execXX are unlikely to be your only problems.

This means you have the following options:

  1. Run the program in some kind of chrooted jail (not sure how to do this on windows)
  2. Scan the code before before compiling to ensure there are no "illegal" functions.
  3. Scan the executable binary after compiling to ensure that it is not using any "forbidden" library function.
  4. Prevent the linker from linking to any external libraries including the standard C library (libc) on unix. You then create your own "libc" which explicilty allow certain functions.

Number 3 on unix can use utilities like readelf or objdump can check for linked in symbols. This can also probably be done using the Binary File Descriptor Library as well.

Number 4 will require fiddling with compiler flags but probably is the safest out of the options listed above.

Improve this answer

Comments

0

You could use something like this

#include<stdlib.h>
#include<unistd.h>
#define system  <stdlib.h>
#define exec   <unistd.h>

In this case even if the user wants to swap macro values they can't. If they try to swap macro values like this

#define <stdlib.h> system
#define <unistd.h> exec

they can't because C wouldn't allow this type of first name in macros. Even if somehow they swap these values then we have included those header files that will create a compile time error.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.