Executing a third-party compiled program on a client's computer

I'd like to ask for your advice about improving security of executing a compiled program on a c开发者_如何学Client's computer. The idea is that we send a compiled program to a client but the program has been written and compiled by a third-party. How to make sure that the program won't make any harm to a client's operating system while running? What would be the best to achieve that goal and not decrease dramatically performance of executing a program?

UPDATE: I assume that third-party don't want to harm client's OS but it can happen that they make some mistake or their program is infected by someone else.

The program could be compiled to either bytecode or native, it depends on third-party.

There are two main options, depending on whether or not you trust the third party.

If you trust the 3rd party, then you just care that it actually came from them, and that it hasn't changed in transit. Code signing is a good solution here. If the third party signs the code, and you check the signature, then you can check nothing has changed in the middle, and prove it was them who wrote it.

If you don't trust the third party, then it is a difficult problem. The usual solution is to run code in a "sandbox", where it is allowed to perform a limited set of operations. This concept has been implemented for a number of languages - google "sandbox" and you'll find a lot about it. For Perl, see SafePerl, for Java see "Java Permissions". Variations exist for other languages too.

Depending on the language involved and what kind of permissions are required, you may be able to use the language's built in sandboxing capabilities. For example, earlier versions of .NET have a "Trust Level" that can be set to control how much access a program has when it's run (newer versions have a similar feature called Code Access Security (CAS)). Java has policy files that control the same thing.

Another method that may be helpful is to run the program using (Microsoft) Sysinternals process monitor, while scanning all operations that the program is doing.

If it's developed by a third party, then it's very difficult to know exactly what it's going to do without reviewing the code. This may be more of a contractual solution - adding penalties into the contract with the third-party and agreeing on their liability for any damages.

sign it. Google for 'digital signature' or 'code signing'

If you have the resources, use a virtual machine. That is -- usually -- a pretty good sandbox for untrusted applications.

If this happens to be a Unix system, check out what you can do with chroot.

The other thing is that don't underestimate the value of thorough testing. you can run the app (in a non production environment) and verify the following (escalating levels of paranoia!)

• CPU/Disk usage is acceptable
• doesn't talk to any networked hosts it shouldn't do - i.e no 'phone home capability'
• Scan with your AV program of choice
• you could even hook up pSpy or something to find out more about what it's doing.

additionally, if possible run the application with a low privileged user. this will offer some degree of 'sandboxing', i.e the app won't be able to interfere with other processes

..also don't overlook the value of the legal contracts with the vendor that may often give you some kind of recompense if there is a problem. of course, choosing a reputable vendor in the first place offers a level of assurance as well.

-ace