Thank you for the useful points / comments and for the pointers to how
Sage works in particular. I certainly have more information to get
started now, though I'm sure I'll end up with more questions sooner or
later...

I'm guessing the answer is no, but are there any high or lower level
diagrams to help understand the architecture (e.g. server pool
processes, OS processes, web front-end and their interfaces etc, how
it all sits together)? I mean other than going through the code? I'll
start looking at the code Martin and Robert mentioned though. That's
already of great help!

Regarding working out the security threats / vulnerabilities /
scenarios - I think it's important to try to separate common
vulnerabilities from Sage/Notebook specific ones. Booting from a CD
and gaining direct access to the filesystem which Dave mentioned, or
accessing localhost sockets which Robert referred to are not less
important, but generic concerns tend to have generic solutions or
approaches. However, Sage/Notebook specific vulnerabilities, which are
inherent to the way Sage was designed and built and from the
functionality it provides, would perhaps be of more interest /
challenge to solve. I hope that this project can bring more 'value' by
trying to address those. Having said that, sometimes the biggest
'value for money' can be gained by something as simple as changing a
default parameter, even if it's something trivial like setting a
process to listen on 127.0.0.1:80 instead of 0.0.0.0:80. I would
certainly want to consider all threats, generic or otherwise.

Thanks again for your replies. I'll try to figure out more on my own
now, and come back with more specific questions.

Yoav
P.S. hopefully more people would share their thoughts so this thread
isn't dead yet...
--~--~---------~--~----~------------~-------~--~----~
To post to this group, send email to sage-devel@googlegroups.com
To unsubscribe from this group, send email to 
sage-devel-unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/sage-devel
URLs: http://www.sagemath.org
-~----------~----~----~----~------~----~------~--~---