Re: Security considerations in Mathematica&J/Link
- To: mathgroup at smc.vnet.net
- Subject: [mg25204] Re: Security considerations in Mathematica&J/Link
- From: tgayley at wolfram.com (Todd Gayley)
- Date: Fri, 15 Sep 2000 02:21:42 -0400 (EDT)
- Organization: Wolfram Research, Inc.
- References: <8p9l1l$1uu@smc.vnet.net>
- Sender: owner-wri-mathgroup at wolfram.com
On 7 Sep 2000 23:05:25 -0400, Murphy <werner.schuster at netway.at> wrote:

>yo group (& especially Todd Gayley),
>
>I am trying to write something of a Mathematica FrontEnd for the Web using J/Link & Servlets;
>
>the problem is the security;
>by allowing the user to evaluate arbitrary expressions, I'm opening a HUGE backdoor in the website;
>
>there have been discussions in my company that the feature set should be reduced to simply allowing the user to enter the function in a plot expression & also checking for e.g. filesystem and equally dangerous functions;
>
>but you can restrict as much as you want, potential crackers will always find a way;
>whether it's by placing a pure function somewhere that somehow calls a dangerous function or by using a more indirect way like buffer overflows or exploiting one of the numerous Mathematica bugs;
>
>my questions are:
>- does anyone have any experience with something like that?
>
>- to Todd Gayley: have you considered security for Mathematica or J/Link?
> since WRI is trying to place J/Link as a tool for web applications (according to the website), that might be one of the things to do;
> (of course I know that J/Link is only a layer on top of Mathematica & so can't really do much about security by itself, but since you're a Java programmer I thought you might have some ideas/thoughts in this direction);
>
>thanks in advance,
>murphee

Murphee,

You are quite right to realize the security concerns about allowing web users access to a Mathematica kernel on your server. J/Link itself is really just a toolkit for integrating Mathematica and Java. Although it is exactly the sort of tool that developers who want to put Mathematica on the web will want to use, and it is the tool that we recommend they use, by itself it does not have much web-specific functionality. As WRI prepares a more specifically web-oriented product for release, we are working on security considerations.

I do not want to say anything specific about potential security solutions. It is not that the security features will be secret or proprietary; it is just that they are still under development and I would not want to commit to any specific strategy publicly. It will always be the case that users who have critical security needs will want to implement their own security measures. Others in this thread have mentioned some of these measures, which can go as far as running Mathematica on a dedicated machine that is physically isolated from anything else on your network.

--Todd

Todd Gayley
Wolfram Research
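Editor's added example (not part of the thread, and not WRI or J/Link code): the two approaches Murphy's company debated, side by side, in the Java a J/Link servlet would be written in. `passesDenylist` is the "check for filesystem and dangerous functions" idea; `passesAllowlist` is the stricter alternative, accepting only the tokens a plot expression in `x` can be built from (numbers, arithmetic operators, brackets, and a fixed set of function and constant names). The blocked-name set, the allowed-name set, the class and method names, and the file path in the evasive input are all illustrative assumptions. `ToExpression`, `TimeConstrained` and `Plot` are real Mathematica functions; the assembled command string is what the servlet would hand to `KernelLink.evaluateToImage`.

```java
import java.util.ArrayDeque;
import java.util.Arrays;
import java.util.Deque;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Illustrative input gate for a J/Link-backed servlet (editor's example, not WRI code).
 * Two strategies for the same job, so the difference shows:
 *   passesDenylist  - reject text that mentions a known-dangerous symbol
 *   passesAllowlist - accept only the grammar a plot expression in x needs
 */
public final class ExpressionGate {

    // Denylist: a hand-picked (assumed) set of dangerous names. It can never be complete.
    private static final Set<String> DANGEROUS = new HashSet<>(Arrays.asList(
        "DeleteFile", "DeleteDirectory", "Run", "RunThrough", "Import", "Export",
        "Put", "Get", "OpenWrite", "OpenAppend", "Install", "SetDirectory"));

    /** Rejects only if a blocked name appears literally in the text. */
    public static boolean passesDenylist(String expr) {
        for (String bad : DANGEROUS) {
            if (expr.contains(bad)) {
                return false;
            }
        }
        return true;
    }

    // Allowlist: the plot variable plus a fixed (assumed) set of elementary functions/constants.
    private static final Set<String> ALLOWED_NAMES = new HashSet<>(Arrays.asList(
        "x", "Sin", "Cos", "Tan", "Exp", "Log", "Sqrt", "Abs", "Pi", "E"));

    // One token per match: a number, a name, or a single arithmetic/bracket character.
    // Quotes, #, &, @, <>, //, =, :=, ` and $ never match, so they are rejected by construction.
    private static final Pattern TOKEN = Pattern.compile(
        "\\s*(?:(\\d+(?:\\.\\d+)?)|([A-Za-z][A-Za-z0-9]*)|([-+*/^(),\\[\\]]))");

    /** Accepts only well-bracketed sequences of allowed tokens. */
    public static boolean passesAllowlist(String expr) {
        String s = expr.trim();
        if (s.isEmpty()) {
            return false;
        }
        Matcher m = TOKEN.matcher(s);
        Deque<Character> brackets = new ArrayDeque<>();
        int pos = 0;
        while (pos < s.length()) {
            m.region(pos, s.length());
            if (!m.lookingAt()) {
                return false;                       // character outside the grammar
            }
            if (m.group(2) != null && !ALLOWED_NAMES.contains(m.group(2))) {
                return false;                       // unknown symbol, e.g. ToExpression
            }
            if (m.group(3) != null) {
                char c = m.group(3).charAt(0);
                if (c == '(' || c == '[') {
                    brackets.push(c);
                } else if (c == ')' || c == ']') {
                    char open = (c == ')') ? '(' : '[';
                    if (brackets.isEmpty() || brackets.pop() != open) {
                        return false;               // unbalanced or mismatched bracket
                    }
                }
            }
            pos = m.end();
        }
        return brackets.isEmpty();
    }

    /** Builds the only kernel command the servlet ever sends; throws on anything else. */
    public static String plotCommand(String userExpr) {
        if (!passesAllowlist(userExpr)) {
            throw new IllegalArgumentException("expression rejected");
        }
        // In the servlet: byte[] png = kernelLink.evaluateToImage(cmd, 400, 300);
        // TimeConstrained caps kernel time; it does not protect against kernel bugs.
        return "TimeConstrained[Plot[" + userExpr.trim() + ", {x, -10, 10}], 5]";
    }

    public static void main(String[] args) {
        String benign = "Sin[x]^2 + Log[1 + x^2]";
        // Constructed evasive input: assembles the blocked name at run time,
        // so no blocked substring is present for the denylist to find.
        String evasive = "ToExpression[\"Delete\" <> \"File\"][\"/srv/www/index.html\"]";

        System.out.println("benign : denylist=" + passesDenylist(benign)
            + " allowlist=" + passesAllowlist(benign));
        System.out.println("evasive: denylist=" + passesDenylist(evasive)
            + " allowlist=" + passesAllowlist(evasive));
        System.out.println(plotCommand(benign));
    }
}
```

The evasive input passes the denylist because the dangerous name is built from two harmless strings at evaluation time, which is the kind of indirect route Murphy worries about; the allowlist rejects it as soon as it sees the unknown head `ToExpression`, and would equally reject the quotes and `<>` that follow. The allowlist only bounds what the user can express, not what the kernel does with it: a well-formed expression can still be expensive, and a kernel bug can still be reachable from legitimate input, so the `TimeConstrained` wrapper and, as the reply suggests, running the kernel on an isolated machine remain necessary.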