A little bit of cloud computing security

Xinlu

Cloud computing is getting increasingly popular, and our planet is also ready to be migrated to GAE for operation. At present, snail bait has been developed and is in the internal test state. Let's take a moment to talk about cloud security and computing. The cloud here does not include anything that claims that cloud is actually a network storage.

There is a reason to write this thing. Some time ago I participated in a programming competition with snail bait and our harry. During the competition, I uploaded my code to the server for compilation and execution to determine whether the code is correct or not. Last weekend after the competition, I made an experiment with snail bait to test the compiling server. Finally, snail bait obtained the root permission of the server. Then I tested the server of a programming competition at Peking University, and the situation was not optimistic. After a while, the match between Baidu and youdao started. Maybe I will test it again. In a sense, this kind of competition is similar to that of cloud computing. Users must be allowed to upload and execute their own code, the difference is that in cloud computing, the code is executed in the cloud composed of a large number of cheap servers.

There is a balance between business and security that needs to be balanced. First, we need to provide users with powerful functions. Second, we need to ensure secure code execution, which requires strict restrictions. The Programming Competition server I tested adopted a library and API method to restrict user code behavior. However, after various conversions to the Code, these API restrictions do not play the expected role during design, and they execute insecure behaviors or even obtain system permissions. In the past few days, some GAE functions are much better in terms of security. As far as I guess, they should not only impose some restrictions on the default library or design a sandbox for executing code, but directly design and implement a lite version of Python language.

Compared to library restrictions and user code execution in the sandbox, you may be safer to implement a lite language. However, it is difficult to customize Perl, Python, Rubu, and other languages. However, I think Lua should be a good choice. Lua's C implementation code is very concise and refined, and a script language that can be securely used on the server can be implemented with a slight reduction. Of course, the language reduction here only involves the security of code execution. Other content such as CPU restrictions, user permissions, and Billing needs to be implemented in other ways.