On Nov 28, 2009, at 1:50 AM, Dr. David Kirkby wrote:

> Robert Bradshaw wrote:
>> On Nov 27, 2009, at 5:10 AM, Dr. David Kirkby wrote:
>>> On Solaris one can block outgoing ports in a zone, without affecting the rest of
>>> the machine. In fact, if someone gets root access in a zone, they can do no
>>> damage elsewhere.
>>>
>>> I know one of the BSDs supports a 'jail', where again the same could be done. I
>>> do not know about Linux, but perhaps it has a similar system, where you can run
>>> an insecure service in a zone/jail/restricted area, so any hacker can't do much
>>> damage.
>>
>> We run the whole notebook inside a VM, which means it'd be really
>> difficult to get out and cause damage on the hosting machine. There
>> needs to be better support for isolating user processes from the
>> notebook process and from each other.
>
> I must admit, I do not know if the virtual machines are more/less secure than
> zones. My gut feeling is a zone would be more secure than a virtual machine, but
> I might be wrong. A belt-and-braces approach of running a virtual machine in a
> zone is probably not a bad idea.

I have the opposite gut feeling, but both wouldn't hurt (though
unfortunately zones aren't nearly as portable). Another nice thing
about a VM is that its entire state is a single file, so they're easy
to move around, and if one gets messed up or vandalized it's trivial
to restore.

>> I think the real concern is, however, spammers using the CPU and
>> network connection from the notebook to send emails, host fake
>> webpages, do cross-site scripting attacks, etc. rather than hijack the
>> notebook server machine itself. In fact, if they're doing the above,
>> it's best not to disrupt the normal server operation so as to go
>> longer unnoticed.
>
> Can you not enable a firewall on the virtual machine, which blocks all
> unnecessary ports? If the virtual machine is only a Sage server, and nothing
> else, there is no reason to allow incoming connections from the outside world to
> any port other than the one used by the Sage server. No outgoing connections need
> be permitted at all, except for those made in response to the incoming
> connections, which I assume the firewall can sort out (in ipfilter, one uses the
> 'keep state' keyword to do this).
>
> I've found when building firewalls, it is very easy to mess up and block oneself
> out. What I do, until I am happy the firewall is correct, is to add something in
> crontab which disables the firewall every 5 minutes. Then if I manage to lock
> myself out, I know I'll be able to get reconnected in 5 minutes or less.

Of course, one can limit everything. It's a question of balancing the
utility of the notebook vs. its attack potential.

>>> Perhaps there is a project there, to get a computer science student to find all
>>> the ways to attack a Sage server, and then fix any problems.
>>
>> Actually, someone did a Master's project on just this.
>
> Perhaps the firewall has been covered then.
>
> Is the MSc project available online? I'd be interested to read it if possible.
> Though you might think it more appropriate to not make it public, until issues
> highlighted have been resolved.

I don't know where it is, but he was quite verbose about it on the
list a while back, so it probably won't be too hard to find.

- Robert
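The firewall David describes above (deny everything, admit only the Sage port, let replies out with 'keep state', and keep a cron safety net while testing) written out as an ipfilter ruleset. This is an added example, not code from the thread or from the Sage project. The interface name bge0, the notebook port 8000 and the single admin host 192.0.2.10 (a documentation address) allowed to reach sshd are assumptions; the thread only mentions the Sage port.

```shell
#!/bin/sh
# Added example, not from the sage-devel thread or the Sage project.
# Assumptions (not in the original post): external interface bge0, the
# Sage notebook listens on TCP 8000, and one admin host 192.0.2.10 may
# reach sshd so the box stays manageable.

# Emit an ipf.conf: default deny both ways, admit only the Sage port (and
# ssh from the admin host), and rely on 'keep state' for the replies.
gen_rules() {
    iface=$1; port=$2; admin=$3
    cat <<EOF
# default deny in both directions; the 'quick' rules below short-circuit
block in log all
block out log all
# loopback is always fine
pass in quick on lo0 all
pass out quick on lo0 all
# the only service exposed to the world: the Sage notebook on $port.
# 'flags S' means only a SYN may open a state entry; 'keep state' then
# lets the matching reply packets out with no explicit 'pass out' rule.
pass in quick on $iface proto tcp from any to any port = $port flags S keep state
# admin access, restricted to one host (assumption, not in the thread)
pass in quick on $iface proto tcp from $admin to any port = 22 flags S keep state
# deliberately no 'pass out' on $iface: the host cannot originate
# connections, so a hijacked notebook cannot relay mail or fetch tooling
EOF
}

# The safety net: a cron entry that disables ipfilter (ipf -D) every five
# minutes until the rules are trusted. Solaris cron has no '*/5' shorthand,
# so the minutes are listed explicitly. Re-enable with 'ipf -E' and remove
# the entry once the ruleset is known to be correct.
safety_net_cron() {
    echo "0,5,10,15,20,25,30,35,40,45,50,55 * * * * /usr/sbin/ipf -D"
}

# Install helper (needs root on the Solaris host; not run here): write the
# rules, flush and reload the active list, and append the safety net.
install_rules() {
    gen_rules "$@" > /etc/ipf/ipf.conf
    /usr/sbin/ipf -Fa -f /etc/ipf/ipf.conf
    ( crontab -l 2>/dev/null; safety_net_cron ) | crontab -
}

# Usage (prints the ruleset instead of installing it):
#   gen_rules bge0 8000 192.0.2.10
#   install_rules bge0 8000 192.0.2.10   # as root, on the server itself
```

The same shape on Linux is iptables with a default DROP policy on INPUT and OUTPUT, one ACCEPT for the Sage port, and `-m conntrack --ctstate ESTABLISHED,RELATED` on OUTPUT in place of 'keep state'. Whichever filter is used, the cron safety net only helps if it is installed before the rules are loaded, and it must be removed afterwards or the firewall silently drops every five minutes.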