At CodeArena, we pride ourselves on a sub-millisecond judging engine. But a fast judge is useless if it isn't secure. When we first designed the platform, the primary challenge was executing untrusted code from thousands of users simultaneously without compromising our host infrastructure.
The Sandbox Architecture
We settled on Docker as our primary isolation layer. Every submission spawns a lightweight, ephemeral container with strictly limited resources:
- CPU Pinning: Each container is limited to a fraction of a core to prevent CPU exhaustion attacks.
- Memory Limits: We enforce strict 256MB/512MB limits depending on the problem difficulty.
- No Network: Containers are completely isolated from the internet and local network.
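The three limits above map onto `docker run` options. The sketch below is an added example, not CodeArena's own code: it builds the command line for one ephemeral container and audits a command line for missing or weakened limits. The difficulty labels, the 0.5-core default, the image name in the usage note and the use of `--memory-swap` to disable swap are assumptions.

```python
# Memory tiers from the post; the difficulty labels are assumed names.
MEMORY_BY_DIFFICULTY = {"standard": "256m", "hard": "512m"}
REQUIRED = ("--cpus", "--memory", "--network")


def sandbox_argv(image, command, difficulty, cpus=0.5):
    """Build the `docker run` argv for one ephemeral submission container."""
    if difficulty not in MEMORY_BY_DIFFICULTY:
        raise ValueError(f"unknown difficulty: {difficulty!r}")
    if not 0 < cpus < 1:
        raise ValueError("cpus must be a fraction of one core")
    mem = MEMORY_BY_DIFFICULTY[difficulty]
    return [
        "docker", "run", "--rm",      # --rm: container is removed on exit
        "--cpus", str(cpus),          # CPU quota, fraction of a core
        "--memory", mem,              # hard memory cap
        "--memory-swap", mem,         # equal to --memory: no swap (assumption)
        "--network", "none",          # no internet, no local network
        image, *command,
    ]


def parse_options(argv):
    """Collect `--flag value` pairs that precede the image name.

    Only the space-separated form is handled, not `--flag=value`.
    """
    opts, i = {}, argv.index("run") + 1
    while i < len(argv) and argv[i].startswith("--"):
        if argv[i] == "--rm":         # boolean flag, takes no value
            opts[argv[i]] = True
            i += 1
        else:
            opts[argv[i]] = argv[i + 1]
            i += 2
    return opts


def missing_limits(argv):
    """Return the required isolation settings that are absent or weakened."""
    opts = parse_options(argv)
    problems = [flag for flag in REQUIRED if flag not in opts]
    if opts.get("--network", "none") != "none":
        problems.append("--network is not none")
    return problems
```

A worker would pass the result of `sandbox_argv("judge-python:latest", ["python3", "/code/main.py"], "hard")` to `subprocess.run`; the image name and path here are hypothetical.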
Handling Concurrency with Redis
To handle thousands of submissions during live contests, we use a Redis-backed queue system. When you hit "Submit", your code is serialized and pushed to a priority queue. Our worker nodes (scaling horizontally on demand) pull these tasks, run them through the Docker sandbox, and push the results back to the frontend in real time.
"The goal was never just to run code; it was to build a bulletproof environment where performance and security live in harmony."
The Future: WebAssembly?
While Docker serves us well today, we are actively exploring Wasm (WebAssembly) for even lighter isolation. Preliminary tests show a 40% reduction in cold-start times for judging tasks.