Block potentially malicious R calls

views:

138

answers:

+6 Q:

Block potentially malicious R calls

Let's presuppose that you have R running with root/admin privileges. What R calls do you consider harmful, apart from system() and file.*()?

This is a platform-specific question, I'm running Linux, so I'm interested in Linux-specific security leaks. I will understand if you block discussions about R, since this post can easily emerge into "How to mess the system up with R?"

+5 A:

Anything that calls external code could also be making system changes, so you would need to block certain packages and things like .Call(), .C(), .jcall(), etc.

Suffice it to say that it will end up being a virtually impossible task, and you are better off running it in a virtualized environment, etc. if you need root access.

Shane 2010-10-26 14:34:44

+3 A:

You can't. You should just change the question: "How do I run user-supplied R code so as not to harm the user or other users of the system?" That's actually a very interesting question and one that can be solved with a little bit of cloud computing, apparmor, chroot magic, etc.

Jeff 2010-10-26 14:38:00

You're absolutely right - I can't. I should have asked "What R calls can be potentially harmful?" Anyway, thanks for suggestions...

aL3xa 2010-10-26 15:29:47

+7 A:

Do not run R with root privs. There is no effective way to secure R in this way, since the language includes eval and reflection, which means I can construct invocations to system even if you don't want me to.

Far better is to run R in a way that cannot affect the system or user data, no matter what it tries to do.

Alex Brown 2010-10-26 14:42:48

Excellent point about `eval`, and you can obfuscate the contents as much as you like. `eval(parse(text = paste(rev(c(")", "whatever", "(", "m", "e", "t", "s", "y", "s")), sep = "", collapse = "")))`

Richie Cotton 2010-10-26 15:19:34

You could block `eval` in that case, but of course we're getting to the point that many of the base R functions will stop working properly.

Shane 2010-10-26 16:11:40

@Shane how can you block eval? base::eval is immutable.

mbq 2010-10-26 16:48:45

@mbq: you could drop the `base` package, create your own version, overwrite it with another function higher in the search path `eval <- function() print("hello")`, etc.. There are lots of options (none of which are good...).

Shane 2010-10-26 16:51:23

@Shane Ok, I've just discovered `unlockBinding`...

mbq 2010-10-26 16:59:25

@Shane: Anyone with root access will be able to change all of that, so that would be pointless, wouldn't it?

nico 2010-10-26 17:00:32

@nico This is all theoretical. You would have to create your own version of the R libraries. But then someone with root access could just hop onto r-project.org and revert to the original version, so you would have to block the root user from installing R packages (block paths to CRAN mirrors).

Shane 2010-10-26 17:31:40

@Shane: well, that was the point of my comment to the question... why would you let someone you don't trust run R (or any other software) as root?

nico 2010-10-26 17:43:59

@nico I agree 100%. But it's a theoretical question (I hope).

Shane 2010-10-26 17:48:40

+2 A:

There are tons of commands you could use to harm the system. A handful of examples: Sys.chmod, Sys.umask, unlink, any command that allows you to read/write to a connection (there are many), .Internal, .External, etc.

And if you blocked users from those commands, there's nothing stopping them from implementing something in a package that you wouldn't know to block.

Joshua Ulrich 2010-10-26 14:44:41

+1 A:

To adapt a cliche from gun rights people, "system() isn't harmful - people who call system() are harmful".

No function calls are intrinsically harmful, but if you allow people to use them freely then those people may cause harm.

Also, the definition of harm will depend on what you consider harmful.

Spacedman 2010-10-26 15:05:45

+3 A:

As noted by just about every response to this thread, removing the "potentially harmful" calls in the R language would:

Be potentially impossible to do completely.
Be difficult to do without spending significant time writing complicated (i.e. ugly) hacks.
Kneecap the language by removing a ton of functionality that makes R so flexible.

A safer solution that doesn't require modifying/rewriting large parts of the R language would be to run R inside a jail using something like BSD Jails, Jailkit or Solaris Zones.

Many of these solutions allow the jailed process to exercise root-like privileges but restrict the areas of the computer that the process can operate on.

A disposable virtual machine is another option. If a privileged user thrashes the virtual environment, just delete it and boot another copy.

Sharpie 2010-10-26 17:07:50

In general, R is so complex that you can assume that there is a way to trick it in executing data with seemingly harmless functions, for instance through buffer overflow.

mbq 2010-10-26 19:12:04

ansaurus

tags:

views:

answers:

Block potentially malicious R calls

related questions