Implement a SecurityManager
1 for the client code. I would also recommend testing how long the code runs, and ending it if over a limit (this is more aimed at catching programmer incompetence that leads to an infinite loop, rather than deliberately malicious actions).
- E.G. as seen in this answer which aims to achieve Preventing System.exit() from API.