[R] registry vulnerabilities in R
Barry Rowlingson
b.rowlingson at lancaster.ac.uk
Wed May 9 08:59:49 CEST 2012
On Tue, May 8, 2012 at 4:10 PM, Paul Martin <pamartin at alum.mit.edu> wrote:
>
> Kirtland Air Force Base has denied approval for the use of R on its
> Windows network. Some of their objections seem a bit strange, but some
> appear to be legitimate. In particular, they have detected registry
> "vulnerabilities"
> which are detailed in the attachment.
> I know nothing about Windows registry vulnerabilities. If any of these
> issues are
> legitimate concerns, I would like to see them fixed for everyone's benefit.
> I would
> appreciate a referral to the appropriate forum for this information. I am
> willing
> to assist in getting questions answered and gathering additional
> information.
My thoughts on this matter will be mitigated by my desire not to get
on the no-fly list so I can attend UseR! this year...
Firstly we don't know what the NIPRNet is. The analyst does say "this
[software? process?] can be continued for standalone systems", which
seems to imply you can have it on your desktop, but not on NIPRNet. If
NIPRNet is some kind of multi-user system running a variant of Windows
then maybe the security testing is looking for the sort of problems
that occur when you try and mash a single-user operating system into a
multi-user environment. We've never had any problems running R on
Windows Server OSes. It's always been proprietary software that has
insisted on writing to C:\TMP\TEMP.DAT for every user, and with closed
source programs we can't change that...
Secondly, we don't know what the security analysis tool did. I'm
guessing its essentially looking at the difference in the registry
before and after installation or running of R/RStudio, or just
monitoring registry access.
> Numerous forbidden file extensions.
> Numerous registry vulnerabilities
> Network connections to foreign IP address
The file extensions section of this 'security audit' relate to Adobe
Acrobat Reader and a registry key with USAF_PKI_SPO in the name.
Somehow I don't think R did this. It doesn't mention .r files, which
should be one file extension that R uses. So at least that's not
forbidden.
The long list of "registry vulnerabilities" is also equally odd. It
looks like a standard set of registry keys plus a whole bunch of
firewall configuration. Has R tried to modify these? Has R tried to
read these? It almost certainly didn't write them. Googling for
"Windows registry vulnerabilities" doesn't find anything specific. It
doesn't seem to be a class of security problems.
> After completing the vulnerability analysis, we decided to decline to
> approve R/RStudio software on the NIPRNet. We discovered many unmitigated
> risks and numerous registry vulnerabilities. Above mentioned open source
> software poses high risks to the NIPRNet. We recommend using software from
> the Kirtland Base approved list. Here are some examples of the base approved
> statistical software:
Here's where we all face-palmed. High risk?
> I apologize this may cause interruption in your project. Most proprietary
> software are safe for NIPRNet use but this one caused some concerns.
> However, this can be continued for standalone system. Please accept my
> humble apology.
Maybe if you shell out for a proprietary version of R you'll get it approved.
So, given the large quantity of unknowns (both known unknowns and
unknown unknowns) there's not much we can do. It seems that a security
tool which I doubt the analyst understands and which I doubt we are
allowed to know much about has just decided to block you.
The great irony being of course that open source software is more
secure than any close-source proprietary system.
Barry
Barry
More information about the R-help
mailing list