[R] Security issue
b.rowlingson at lancaster.ac.uk
Wed Apr 2 14:11:49 CEST 2008
Hanek Martin wrote:
> I am trying to convince our IT Manager that R is as safe as possible
> from IT security point of view - could you point me to something on
> the web / some reasons for why this is true? I do not think he has a
> specific concern but does not know the software and would like to
> understand the security implications.
To add to Brian's note that rightly says 'R can only do what a user
can do anyway', I'll point out that R doesn't open any network ports so
doesn't expose the machine that way. Unless of course you run a network
server in R (is there a server package on CRAN?).
I can think of crazy ways where R might be involved in an exploit -
for example if the malicious party poisoned your DNS, then if you tried
to install a package from CRAN, a fake DNS entry for cran.r-project.org
would mean you instead got a package from a malicious party's web site,
and hence you'd be running the wrong code. It would take a lot of work
though - I suspect the intersection set of R programmers and black-hat
hackers is pretty small. And if the hacker can poison the DNS
effectively then there's plenty of easier exploits to do.
And anyway, it's probably easier to get malicious R code by just
announcing it on R-help. A message of "I've written this package to do
XXYYZ" and a non-CRAN URL might get some people to bite. But the same
applies to just about anything you download from the net - browser
extensions, screen savers, add-on applications and so forth.
R mitigates against this by having open source code for its core and
CRAN add-on packages. Perhaps your IT Manager should only sanction the
use of packages from CRAN? Although enforcing this wouldn't be easy.
So yes, R is as safe as possible, for most values of 'safe' and
More information about the R-help