Tuesday, February 28, 2006

Security risks in web based scientific computing

Pretty much every science software company has spun off a web version of their products. But there is something odd about many of them - there is no sign of them on the makers' websites. Sure, there are pages of prose and pretty pictures telling you about them, but rarely any live demo. No chance to interact with an example deployment. It seems obvious that this would be the best way to showcase or trial such products.

And so it is with the Matlab Web Server that I was researching when this fact dawned on me. It's not that Mathworks doesn't consider its website to be an important part of its business and promotion. Then it occurred to me that it might be precisely because their website is important to them that they have no live demo.

The architecture of the system is: the web browser connects to a TCP/IP client, "matweb", on the server, which passes all requests to the matlabserver, which in turn connects to Matlab, where the task is computed. So the Matlab server is exposed to the full scrutiny of the internet community, including the unfriendly ones.

There is a great power struggle going on out there between security companies and the hackers, with mighty companies like Microsoft and real experts like the Apache Foundation struggling to keep up with the latest tricks of the enemy. Would you trust the security of your web server to a company whose expertise is not in security? Well, it looks like neither would Mathworks!

Perhaps this is paranoid, but when you look at the documentation for the Matlab Web Server, there does not appear to be even a mention of security, let alone any serious instruction.

Since most scientific software is essentially a programming language, giving unrestricted access to it is very dangerous. You must block two levels of access:

First, you must control the tasks that the user requests to have computed (Matlab, like most other languages, can be instructed to delete files, launch programs like telnet daemons, or copy and send files such as your password file).

Second, you must make sure that you are opening a door only to the application that you intended.

One line of the documentation that interested me was:
"observe that the line
<input name="mlmfile" value="webmagic" type="hidden">
sets argument mlmfile to the value webmagic. The mlmfile argument contains the name of the MATLAB M-file to run."

So the choice of what program to run is visible in the page source! Sure enough, if you find some user's pages and do "Show source" you can see this "hidden" field in the HTML. This means that I can instruct that user's Matlab to run any .m file that I can predict to exist on his server, just by copying the HTML, editing that line and opening it in a browser. Now hands up who knows the Matlab installation and the most popular add-ons well enough to know which could be misused if a malicious user could run them? Also, if I can place a file on the server by some other exploit, I now have a way to execute it. I'm sure a real hacker would have plenty of ideas.
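The fix for this kind of problem belongs on the server, not in the HTML: the hidden field can only be treated as a hint that is checked against a list of M-files the deployment actually intends to expose. Below is an added example of that check (not Mathworks' code, and not part of the original post); the gateway functions, the allowlist containing only the documented "webmagic" demo, and the sample form submissions are all constructed for illustration.

```python
import re
from typing import Optional
from urllib.parse import parse_qs

# Constructed allowlist: the only M-files this deployment intends to expose.
# In the Matlab Web Server the hidden "mlmfile" form field names the M-file to
# run; here a hypothetical gateway decides whether to honour that field.
ALLOWED_MFILES = frozenset({"webmagic"})

# A Matlab function name is an identifier: a letter, then letters/digits/_.
MFILE_NAME = re.compile(r"[A-Za-z][A-Za-z0-9_]{0,62}")


def weak_select_mfile(form_body: str) -> str:
    """The trusting behaviour the post describes: run whatever the hidden field says."""
    fields = parse_qs(form_body, keep_blank_values=True)
    return fields.get("mlmfile", [""])[0]


def safe_select_mfile(form_body: str) -> Optional[str]:
    """Hardened gateway: the field must name exactly one allowlisted M-file."""
    fields = parse_qs(form_body, keep_blank_values=True)
    values = fields.get("mlmfile", [])
    if len(values) != 1:                 # missing or duplicated parameter: refuse
        return None
    name = values[0]
    if not MFILE_NAME.fullmatch(name):   # rejects "../", ".m", spaces, etc.
        return None
    if name not in ALLOWED_MFILES:       # rejects every other M-file on the server
        return None
    return name


# Constructed sample submissions: the documented webmagic form, the same form
# with the hidden field edited, and a value that is not a bare identifier.
SAMPLE_OK = "mlmfile=webmagic&x=3&y=4"
SAMPLE_EDITED = "mlmfile=someother&x=3&y=4"
SAMPLE_BAD = "mlmfile=..%2Fwebmagic&x=3"

if __name__ == "__main__":
    for body in (SAMPLE_OK, SAMPLE_EDITED, SAMPLE_BAD):
        print(repr(weak_select_mfile(body)), "->", safe_select_mfile(body))
```

The weak version returns whatever the client sent; the hardened version returns None for everything except the one name the server operator chose to expose.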

If you are considering any other web-based deployment system for a language, a good test might be to see if the supplier trusts it enough to run it on their own websites.

5 comments:

Anonymous said...

Partly wrong.
If Mathworks wanted to put up a web site matweb, they could buy a computer for $2,000, run Virtual PC on it, and give each login a time-limited run in a security sandbox.
Risk to their other operations is minimal.

Right in that if they (or you) deployed matweb without security, then it would be, well, without security.

Scientific Computing said...

It is true that there are many steps you can take to quarantine a potential source of compromise. Though the effort required may depend on the existing architecture of the site.

But utility and security are opposing forces. The approach you suggest, essentially of treating the Matlab web server as "untrusted", rules out all kinds of interesting uses for such technology.

You would not be able to trust it to interrogate your internal databases, so login/account related data could not be used in the Matlab program, and there could be no connection with accounting systems, inventory management systems, etc.

It also means that you cannot deploy secret processes. To share the benefits of your research, is potentially the same as to share your research. The .m file must live within reach of the server, and therefore is potentially exposed by any security failure.

Finally, your approach does not prevent a malicious attack bringing down the Matlab server. It only contains the damage. So you would still need to think about how critical up-time was to your site.

But back to my original point. If it was as easy as you suggest to ensure the safety of this service, why hasn't Mathworks done this?
