A common requirement is an open web service that executes scripts in an execution environment provided by a third party. However, the execution environment provided may permit unsafe operations, such as accessing the file system. The input provided to the web service may not come from a trusted source; it may even be actively hostile, damaging systems and compromising data resources.
A known approach to the problem of unsafe script operation uses chroot, an operation on UNIX®¹ systems that changes the apparent root directory for the current running process and its child processes and then runs a command. However, for other environments such as Windows®² the chroot option is not applicable.

¹ UNIX is a registered trademark of The Open Group.
² Windows is a registered trademark of Microsoft Corporation in the United States and other countries.
Another typical approach to secure script execution uses a parser for the target language to catch dangerous operations, using a technique referred to as a black list. However, as with any black list, it is difficult to be certain that all dangerous operations are caught, and harder still to maintain that certainty. Creating and maintaining a specialized parser for filtering is typically very difficult. A black list approach is also vulnerable when the underlying target is upgraded, because new commands and options may be added that the parser does not yet restrict.
The black list approach requires prior knowledge of the elements to be restricted. Environments with frequent changes require continued, timely updates to the parser to catch dangerous operations. Only those operations already deemed dangerous can be trapped and prevented. An unknown operation may be problematic, but its status is not known until after it has executed, and by then it may be too late to protect the system. For example, in many computer virus incidents the damaging operation is known to exist, yet a poorly applied trap for that operation still leads to system problems. Unknown malicious operations, or malicious use of known operations, typically cause problems for the system in which the operation is performed.
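As an added illustration of the blind spot described above (this is example code, not part of the original text), the following constructed Python check compares a black list of forbidden calls with a list of the only calls the service deliberately permits; the operation names, the sample scripts and the hypothetical `storage_v2.erase` call "added by an upgrade" are all assumptions.

```python
import ast

# Black list written against the old version of the target (constructed example).
DENYLIST = {"open", "os.system", "os.remove"}
# The only operations the service knowingly permits (constructed example).
ALLOWLIST = {"print", "len", "math.sqrt"}


def _dotted(node):
    """Render a call target such as os.remove as a dotted name, or None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def called_names(script):
    """Return the dotted names of every call expression in the script."""
    names = set()
    for node in ast.walk(ast.parse(script)):
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name:
                names.add(name)
    return names


def denylist_check(script):
    """Calls the black list forbids; an empty set means the script passes."""
    return called_names(script) & DENYLIST


def allowlist_check(script):
    """Calls not explicitly permitted; an empty set means the script passes."""
    return called_names(script) - ALLOWLIST


# Constructed sample scripts (parsed only, never executed).
SAFE = "import math\nprint(math.sqrt(len('abc')))\n"
OLD_DANGEROUS = "import os\nos.remove('/tmp/x')\n"
# storage_v2.erase is a hypothetical operation introduced by an upgrade
# after the black list was written; the black list has no entry for it.
NEW_DANGEROUS = "import storage_v2\nstorage_v2.erase('/')\n"

if __name__ == "__main__":
    for label, script in [("safe", SAFE), ("old", OLD_DANGEROUS), ("new", NEW_DANGEROUS)]:
        print(label, "deny:", denylist_check(script), "allow:", allowlist_check(script))
```

The black list catches only the operation it already knows about, while the permit list rejects the newly added operation because it is not recognized.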