Mathematica 9 is now available
Services & Resources / Wolfram Forums
-----
 /
MathGroup Archive
2000
*January
*February
*March
*April
*May
*June
*July
*August
*September
*October
*November
*December
*Archive Index
*Ask about this page
*Print this page
*Give us feedback
*Sign up for the Wolfram Insider

MathGroup Archive 2000

[Date Index] [Thread Index] [Author Index]

Search the Archive

Re: Security considerations in Mathematica&J/Link

  • To: mathgroup at smc.vnet.net
  • Subject: [mg25131] Re: Security considerations in Mathematica&J/Link
  • From: Richard Fateman <fateman at cs.berkeley.edu>
  • Date: Sun, 10 Sep 2000 03:14:50 -0400 (EDT)
  • Organization: University of California, Berkeley
  • References: <8p9l1l$1uu@smc.vnet.net>
  • Sender: owner-wri-mathgroup at wolfram.com

Surely someone has thought a little about it; otherwise
you could try breaking into WRI's integrator program. For example,

Integrate [  ShellCommand["rm *"], x]


In a "purely functional" subset of Mathematica you could do
no input or output, you could not assign any values.  Then if
you limit the amount of time and space consumed you are on the
right track.  I suggest you remove ALL functionality not needed
by clearing function definitions of irrelevant commands.

But you seem to be interested in making a browser out of
Mathematica... why care if he wrecks his own machine?
RJF
Murphy wrote:
> 
> yo group (& especially Todd Gayley),
> 
> I am trying to write something of a Mathematica FrontEnd for the Web using
> J/Link & Servlets;
> 
> the problem is the security;
> by allowing the user to evaluate arbitrary expressions, I'm opening a HUGE
> backdoor in the website;
> 
> there have been discussions in my company that the feature set should be
> reduced to simply allowing the
> user to enter the function in a plot expression & also checking for eg.
> Filesystem and equally dangerous
> functions;
> 
> but you can restrict as much as you want, potential crackers will always
> find a way;
> whether its by placing a pure function somewhere  that somehow calls a
> dangerous function
> or by using a more indirect way like BufferOverflows or exploiting one of
> the numerous Mathematica bugs;
> 
> my questions are:
> - does anyone have any experience with something like that?
> 
> - to Todd Gayley: have you considered security for mathematica or J/Link?
>    since WRI is trying to place J/Link as a tool for web applications
> (according to the website),
>    that might be one of the things to do;
>    (of course I know that J/Link is only a Layer on top of mathematica & so
> can't really do much about
>     security by itself,  but since you're a Java programmer I thought you
> might have some ideas/thoughts in
>    this direction);
> 
> thanx in advance,
> murphee
> 
>


  • Prev by Date: Re: Rounding Numbers in for output in GridBox
  • Next by Date: Re: writing mathematica script files for the math kernel under linux
  • Previous by thread: Re: Security considerations in Mathematica&J/Link
  • Next by thread: Re: Re: Security considerations in Mathematica&J/Link