Services & Resources / Wolfram Forums
-----
 /
MathGroup Archive
2000
*January
*February
*March
*April
*May
*June
*July
*August
*September
*October
*November
*December
*Archive Index
*Ask about this page
*Print this page
*Give us feedback
*Sign up for the Wolfram Insider

MathGroup Archive 2000

[Date Index] [Thread Index] [Author Index]

Search the Archive

Re: Security considerations in Mathematica&J/Link

  • To: mathgroup at smc.vnet.net
  • Subject: [mg25204] Re: Security considerations in Mathematica&J/Link
  • From: tgayley at wolfram.com (Todd Gayley)
  • Date: Fri, 15 Sep 2000 02:21:42 -0400 (EDT)
  • Organization: Wolfram Research, Inc.
  • References: <8p9l1l$1uu@smc.vnet.net>
  • Sender: owner-wri-mathgroup at wolfram.com

On 7 Sep 2000 23:05:25 -0400, Murphy <werner.schuster at netway.at>
wrote:

>yo group (& especially Todd Gayley),
>
>I am trying to write something of a Mathematica FrontEnd for the Web using 
>J/Link & Servlets;
>
>the problem is the security;
>by allowing the user to evaluate arbitrary expressions, I'm opening a HUGE 
>backdoor in the website;
>
>there have been discussions in my company that the feature set should be 
>reduced to simply allowing the
>user to enter the function in a plot expression & also checking for eg. 
>Filesystem and equally dangerous
>functions;
>
>but you can restrict as much as you want, potential crackers will always 
>find a way;
>whether its by placing a pure function somewhere  that somehow calls a 
>dangerous function
>or by using a more indirect way like BufferOverflows or exploiting one of 
>the numerous Mathematica bugs;
>
>my questions are:
>- does anyone have any experience with something like that?
>
>- to Todd Gayley: have you considered security for mathematica or J/Link?
>   since WRI is trying to place J/Link as a tool for web applications 
>(according to the website),
>   that might be one of the things to do;
>   (of course I know that J/Link is only a Layer on top of mathematica & so 
>can't really do much about
>    security by itself,  but since you're a Java programmer I thought you 
>might have some ideas/thoughts in
>   this direction);
>
>thanx in advance,
>murphee

Murphee,

You are quite right to realize the security concerns about allowing
web users access to a Mathematica kernel on your server.

J/Link itself is really just a toolkit for integrating Mathematica and
Java. Although it is exactly the sort of tool that developers who want
to put Mathematica on the web will want to use, and it is the tool
that we recommend they use, by itself it does not have much
web-specific functionality. As WRI prepares a more specifically
web-oriented product for release, we are working on security
considerations. I do not want to say anything specific about potential
security solutions. It is not that the security features will be
secret or proprietary, it is just that they are still under
development and I would not want to commit to any specific strategy
publicly.

It will always be the case that users who have critical security needs
will want to implement their own security measures. Others in this
thread have mentioned some of these measures, which can go as far as
running Mathematica on a dedicated machine that is physically isolated
from anything else on your network.


--Todd

Todd Gayley
Wolfram Research



  • Prev by Date: ParametricPlot3D is buggy
  • Next by Date: Re: Re: Mathematica 3.0 & MathReader 4.0
  • Previous by thread: Re: Re: Security considerations in Mathematica&J/Link
  • Next by thread: Add the Logarithms (error in integral)