Re: Security considerations in Mathematica&J/Link
- To: mathgroup at smc.vnet.net
- Subject: [mg25131] Re: Security considerations in Mathematica&J/Link
- From: Richard Fateman <fateman at cs.berkeley.edu>
- Date: Sun, 10 Sep 2000 03:14:50 -0400 (EDT)
- Organization: University of California, Berkeley
- References: <8p9l1l$1uu@smc.vnet.net>
- Sender: owner-wri-mathgroup at wolfram.com
Surely someone has thought a little about it; otherwise you could try
breaking into WRI's integrator program. For example,

  Integrate[ ShellCommand["rm *"], x]

In a "purely functional" subset of Mathematica you could do no input or
output, you could not assign any values. Then if you limit the amount of
time and space consumed you are on the right track. I suggest you remove
ALL functionality not needed by clearing function definitions of
irrelevant commands.

But you seem to be interested in making a browser out of Mathematica...
why care if he wrecks his own machine?

RJF

Murphy wrote:
>
> yo group (& especially Todd Gayley),
>
> I am trying to write something of a Mathematica FrontEnd for the Web using
> J/Link & Servlets;
>
> the problem is the security;
> by allowing the user to evaluate arbitrary expressions, I'm opening a HUGE
> backdoor in the website;
>
> there have been discussions in my company that the feature set should be
> reduced to simply allowing the user to enter the function in a plot
> expression & also checking for e.g. filesystem and equally dangerous
> functions;
>
> but you can restrict as much as you want, potential crackers will always
> find a way;
> whether it's by placing a pure function somewhere that somehow calls a
> dangerous function or by using a more indirect way like buffer overflows
> or exploiting one of the numerous Mathematica bugs;
>
> my questions are:
> - does anyone have any experience with something like that?
>
> - to Todd Gayley: have you considered security for Mathematica or J/Link?
>   since WRI is trying to place J/Link as a tool for web applications
>   (according to the website), that might be one of the things to do;
>   (of course I know that J/Link is only a layer on top of Mathematica & so
>   can't really do much about security by itself, but since you're a Java
>   programmer I thought you might have some ideas/thoughts in this
>   direction);
>
> thanx in advance,
> murphee
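An added example, not code from this thread, of the restriction Fateman describes (a functional subset with no I/O or assignment, plus time and space limits): a Wolfram Language wrapper that parses the user's plot string without evaluating it, rejects any symbol outside an allowlist, and only then evaluates under a time and memory budget. The allowlist contents, the 5 s / 64 MB limits and the name safePlot are assumptions for illustration.

```mathematica
(* Added example, not from the thread: allowlist sandbox for a user-supplied
   plot expression. allowedSymbols, the 5 s / 64 MB budgets and the name
   safePlot are assumptions chosen for illustration. *)

allowedSymbols = {"HoldComplete", "Plot", "List", "Rule", "PlotRange",
   "Plus", "Times", "Power", "Sin", "Cos", "Tan", "Exp", "Log", "Sqrt",
   "Pi", "E", "x"};

safePlot[input_String] := Module[{held, names, bad},
  (* parse only: the third argument wraps the parsed expression in
     HoldComplete, so nothing in the string evaluates yet *)
  held = Quiet[ToExpression[input, InputForm, HoldComplete]];
  If[held === $Failed, Return["rejected: syntax error"]];
  (* every symbol in the held tree, heads included; Unevaluated keeps a
     symbol that happens to have a value from evaluating inside SymbolName *)
  names = DeleteDuplicates[
    Cases[held, s_Symbol :> SymbolName[Unevaluated[s]], {0, Infinity},
      Heads -> True]];
  bad = Select[names, ! MemberQ[allowedSymbols, #] &];
  If[bad =!= {}, Return["rejected: " <> ToString[bad]]];
  (* Set, CompoundExpression, Get, Put and every I/O head fail the
     allowlist; string literals are refused too, since a plot never
     needs one and they are the usual carrier for file names *)
  If[Cases[held, _String, {0, Infinity}] =!= {},
    Return["rejected: string literal"]];
  (* finally evaluate inside a time and memory budget, Fateman's
     "limit the amount of time and space consumed" *)
  MemoryConstrained[
    TimeConstrained[ReleaseHold[held], 5, "rejected: time limit"],
    64*2^20, "rejected: memory limit"]
];
```

safePlot["Plot[Sin[x], {x, 0, 2 Pi}]"] reaches the kernel and returns the graphic, while the same string followed by "; y = 1" is refused by the allowlist (CompoundExpression, Set, y) before anything is evaluated.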