I'd like to point out that Mike Hansen has been doing some work on rewriting the notebook. It'd be good to get his input on whatever you do -- and perhaps you could help out with his rewrite since he's now busy doing release management.

On Wed, Jun 3, 2009 at 2:18 AM, Yoav Aner <y...@gingerlime.com> wrote:
>
> Hello all,
>
> This is my first post. My name is Yoav, and I'm studying for an
> Information Security MSc at Royal Holloway, University of London. I'm
> starting to work on a project proposed by Martin Albrecht, to look at
> several security aspects of the Sage Notebook server.
>
> The MSc project is primarily intended to produce a paper, rather than
> write code or deliver any functionality (and my programming skills are
> limited anyway). Nevertheless, I'm hoping that at least some of the
> work would benefit the Sage community, at the very least in suggesting
> some security improvements.
>
> Martin has kindly pointed me to a couple of threads on the subject:
> http://groups.google.com/group/sage-devel/browse_thread/thread/06735e88260cc079/5a341e48670c5465
> and
> http://groups.google.com/group/sage-support/browse_thread/thread/1351e426eb55d6e2
>
> Martin highlighted two primary areas on his project proposal:
>
> 1. Denial of Service - which is apparently relatively easy considering
> access is granted via the web to the shell and / or spawning processes
> via external system calls (e.g. python os.system etc). Denial of
> Service attacks are not limited to the Sage platform itself, but it
> can be used as a platform to launch attacks on other systems.
> 2. Using Sage Notebook in an academic environment, where stricter
> access control to data may be necessary. For example, to prevent one
> student tampering with or accessing others' work.
>
> The project will obviously try to cover those, and possibly other
> (in)security areas if they can be identified. I would therefore like to
> start by performing some form of a threat modeling / assessment, to
> discover other areas which security needs consideration or
> improvements.
>
> I have sage running on a virtual machine and tried to read through the
> various groups and documentation, but still trying to figure out the
> sage notebook architecture, components, interfaces etc. Any help,
> suggestions, ideas or comments are most welcome. I would try to share
> my own thoughts and project progress with you and hope to contribute
> to the project as much as I can.
>
> Yoav