Scribd Logo
Importer

Bienvenue sur Scribd !

  • Potential Risks in Running R On The Cloud

    Transféré par

    rapporter.net
    97 vues10 pages
    Gergely Daróczi gave an introductory talk on potential ways of securing R instances running in the cloud: R, the "lingua franca of statistical and data analysis" is a programming language and environment developed to be run on desktops, but more and more people tend to or would like to use it in the cloud or in other shared infrastructure. The idea is great, but the implementations happen to show some rather embarrassing security issues. This talk gives a quick introduction to the potential risks in running an R console on the cloud, also some alternative solutions or workarounds that we successfully deployed in our one year old R-as-a-Service cloud platform. More details: http://www.meetup.com/Budapest-IT-Security-Meetup/events/151953332/

    Titre original

    Potential risks in running R on the cloud

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Formats disponibles

    PDF, TXT ou lisez en ligne sur Scribd

    Avez-vous trouvé ce document utile ?

    Ce contenu est-il inapproprié ?

    Signaler ce document
    Gergely Daróczi gave an introductory talk on potential ways of securing R instances running in the cloud: R, the "lingua franca of statistical and data analysis" is a programming language and environment developed to be run on desktops, but more and more people tend to or would like to use it in the cloud or in other shared infrastructure. The idea is great, but the implementations happen to show some rather embarrassing security issues. This talk gives a quick introduction to the potential risks in running an R console on the cloud, also some alternative solutions or workarounds that we successfully deployed in our one year old R-as-a-Service cloud platform. More details: http://www.meetup.com/Budapest-IT-Security-Meetup/events/151953332/

    Droits d'auteur :

    Attribution Non-Commercial (BY-NC)
    Téléchargez comme PDF, TXT ou lisez en ligne sur Scribd
    Signaler comme contenu inapproprié
    97 vues10 pages

    Potential Risks in Running R On The Cloud

    Transféré par

    rapporter.net
    Gergely Daróczi gave an introductory talk on potential ways of securing R instances running in the cloud: R, the "lingua franca of statistical and data analysis" is a programming language and environment developed to be run on desktops, but more and more people tend to or would like to use it in the cloud or in other shared infrastructure. The idea is great, but the implementations happen to show some rather embarrassing security issues. This talk gives a quick introduction to the potential risks in running an R console on the cloud, also some alternative solutions or workarounds that we successfully deployed in our one year old R-as-a-Service cloud platform. More details: http://www.meetup.com/Budapest-IT-Security-Meetup/events/151953332/

    Droits d'auteur :

    Attribution Non-Commercial (BY-NC)
    Téléchargez comme PDF, TXT ou lisez en ligne sur Scribd
    Signaler comme contenu inapproprié
    sur 10

    Potential risks in running R on the cloud

    This means its the equivalent of a chainsaw: there are ways to use it safely. rserve.js

    Gergely Darczi daroczig@rapporter.net

    13 January 2014

    What is R?
    The lingua franca of statistical analysis

    Budapest IT secutrity meetup

    Running R on the cloud

    13/1/2014

    2 / 10

    R in the cloud
    Full access to the servers right in your browser

    > system(uname -a) Linux nevermind 3.12.6-1-ck #1 SMP PREEMPT Fri Dec 20 14:27:18 EST 2 > readLines(pipe(whoami)) [1] "daroczig" > length(list.files(/etc)) [1] 253 > cat(Hello, world!, file = /tmp/foobar.sh) > readLines(/tmp/foobar.sh) [1] "Hello, world!" Warning message: In readLines("/tmp/foobar.sh") : incomplete final line found on /tmp/foobar.sh > while (TRUE) fork()
    Budapest IT secutrity meetup Running R on the cloud 13/1/2014 3 / 10

    Potential solutions
    Workarounds, limitations, ongoing discussion

    chroot Renjin RAppArmor OpenCPU sandboxR custom solutions

    Budapest IT secutrity meetup

    Running R on the cloud

    13/1/2014

    4 / 10

    Demo
    R version 3.0.2 (2013-09-25) -- "Frisbee Sailing" Copyright (C) 2013 The R Foundation for Statistical Computing Platform: x86_64-unknown-linux-gnu (64-bit) R is free software and comes with ABSOLUTELY NO WARRANTY. You are welcome to redistribute it under certain conditions. Type license() or licence() for distribution details. R is a collaborative project with many contributors. Type contributors() for more information and citation() on how to cite R or R packages in publications. Type demo() for some demos, help() for on-line help, or help.start() for an HTML browser interface to help. Type q() to quit R. >
    Budapest IT secutrity meetup Running R on the cloud 13/1/2014 5 / 10

    sandboxR
    Filtering "malicious" calls in R

    > getParseData(parse(text = foo <- get("system")("whoami")))


    21 1 3 2 19 12 4 6 5 7 9 8 13 14 16 15 line1 col1 line2 col2 id parent 1 1 1 30 21 0 1 1 1 3 1 3 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 5 8 8 8 8 11 12 12 20 21 22 22 30 1 1 1 1 1 1 1 1 1 1 1 1 1 1 3 3 6 2 30 19 20 12 10 4 10 6 11 5 19 7 19 9 20 8 21 13 29 14 29 16 30 15 token terminal expr FALSE SYMBOL TRUE FALSE TRUE FALSE FALSE TRUE text foo <-

    21 expr 21 LEFT_ASSIGN 21 expr 19 expr 6 SYMBOL_FUNCTION_CALL 12 12 9 12 12 19 16 19 19 expr ( STR_CONST expr ) ( STR_CONST expr )

    get

    FALSE TRUE ( TRUE "system" FALSE TRUE ) TRUE ( TRUE "whoami" FALSE TRUE )
    13/1/2014 6 / 10

    Budapest IT secutrity meetup

    Running R on the cloud

    sandboxR in action

    http://hackme.rapporter.net

    Budapest IT secutrity meetup

    Running R on the cloud

    13/1/2014

    7 / 10

    Summary
    sandboxR + RAppArmor

    sandboxR R-specic rules Advantages user-friendly msgs can call RAppArmor

    RAppArmor easy to congure kernel module great for FS-rules needs AppArmor

    tedious to maintain Disadvantages not 100% protection

    basic network-rules should use prole instead of hats eval.secure forks no R-specic rules

    Budapest IT secutrity meetup

    Running R on the cloud

    13/1/2014

    8 / 10

    Summary
    sandboxR + RAppArmor

    sandboxR R-specic rules Advantages user-friendly msgs can call RAppArmor

    RAppArmor easy to congure kernel module great for FS-rules needs AppArmor

    tedious to maintain Disadvantages not 100% protection

    basic network-rules should use prole instead of hats eval.secure forks no R-specic rules

    Budapest IT secutrity meetup

    Running R on the cloud

    13/1/2014

    9 / 10

    Questions?
    daroczig@rapporter.net http://hackme.rapporter.net

    Vous aimerez peut-être aussi