On Aug 25, 2009, at 8:06 AM, Yoav Aner wrote:

>
> Following my previous posts, I've finished working on the draft MSc
> project paper. The paper includes two threat models I already
> shared previously, one for the Sage open source development process,
> and another of the application itself - focusing on the Sage Notebook.
> There's some further analysis, including a look into open source
> security issues in general, process isolation techniques,
> virtualisation etc.
>
> The paper is not very practical, i.e. it doesn't actually include any
> code or spell out exactly how things should be done, but I hope it
> can give the Sage project some ideas on the security threats and
> vulnerabilities it faces, and some high level suggestions on how to
> improve security.
>
> The current version is available at
> http://www.gingerlime.com/20090825_sage_msc_proj_draft.pdf
>
> I would highly appreciate any comments or thoughts on the paper,
> particularly if you feel I did injustice to Sage or made any serious
> mistakes.

Looks like you spent a lot of time looking into this, thanks. I
didn't have time to read it all, but it looks pretty exhaustive.

One thing you repeatedly mention is that sniffing data/credentials
may be possible on the public server. I don't think this is ever high
risk, as anyone doing "sensitive" computations shouldn't be using
someone else's hardware to do it (SSL encrypted connection or not),
especially as it is so easy to run your own personal copy of Sage
(locally or somewhere that you trust). Also, by default, there's a
big warning on running without https on anything but localhost.

Encrypting and authenticating worksheets seems beyond the scope of
what the Sage notebook should do; there are plenty of 3rd party tools
to do this cleanly, and it's obvious (I hope) that sharing worksheets
is sharing code. The %auto keyword could be bad though.

Threat #46. Stricter ulimits could be good. Note that the entire
server is virtualized, with limited resources, and monitoring easily
happens from the outside by the host. Actually, I don't see anywhere
in your report that the entire thing is run in a virtual environment
and the benefits this provides (including easy to snapshot in case
anything goes horribly wrong).

Threat #70 (and related) seems the biggest so far, hopefully that's
resolved this fall.

- Robert
