6.2 Security


Internet security concerns both client and server security. However, webMathematica is a server technology. Consequently, there are no special client security issues relating to webMathematica JSPs. Of course, you still need to consider client-side security, but Mathematica does not introduce any special client security issues. The real issue is the security of the server.

IMPORTANT SUMMARY: If you do not have time to read all of this security section or you are unsure about some of the terms, try to remember one important rule about security. NEVER use ToExpression; instead always use the secure function MSPToExpression.

Running a general computation system like Mathematica inside of a web site presents many potential security hazards for the server. Mathematica contains commands for examining and deleting files and for launching arbitrary processes. A number of security features are built into the webMathematica tools, but these are designed to work in conjunction with other standard security features. If security is important to you, study and use features such as firewalls, trusted hosts, and HTTP-specific security features.

A major danger to any Mathematica site is that someone will try to send commands to Mathematica that may breach the security of the server. These commands can be sent as the value of input variables passed in from the server. The previous section on Interpretation of Input discussed how input is interpreted by the system. This section concentrates on the validation process. It is possible for the system to receive input such as:

ReadList[ "/etc/passwd"]

or

Run["telnetd -d"]

Even when used as an argument to a seemingly harmless Mathematica command, such input is still an attack.

Try using one of these as an input in an example, such as http://localhost:8080/webMathematica/Examples/Expand.jsp.

This type of input fails because input values are sent to Mathematica by the server as strings. In the Mathematica kernel, they should be processed by special functions, such as MSPBlock or MSPToExpression, which provide a secure way to interpret input. In addition, a security feature is built into the Mathematica command ToExpression that prevents inadvertent calls that bypass the security system.

6.2.1 MSP Function Validation

The MSP functions MSPBlock and MSPToExpression are provided to work with input to a webMathematica site in a secure way. These functions parse the expression but validate it before allowing it to evaluate. If validation succeeds, the input can be used for further computation. If it is not validated, an MSPException is thrown. Here is an example of how this works.

Needs["MSP`"];

SetSecurity[]

$$e="ReadList[\"/etc/passwd\"]";

MSPToExpression[$$e]

Hold[Throw[{$$e, "ReadList[\"/etc/passwd\"]"}, MSPException["SecurityError"]]]

The message about an uncaught Throw arises because there is no Catch statement. A default handler will catch any exceptions that are raised when a page is processed; typically, it inserts some suitable text. It is also possible for an author to catch these exceptions and issue some special error message.

Important: Security Warning

If you want your pages to be secure from attack, it is important you understand what your pages are computing. In particular, commands that open, close, or carry out other operations on files should be dealt with carefully, as should any commands, such as Run or LinkOpen, that start processes. If you use ToExpression, exercise caution as described below.

The Validation Process

The validation process works in a straightforward manner, and you can customize it to give more or less security. You can investigate its operation in the following steps:

First, load the MSP Mathematica application and then lock down the security model, which cannot be modified after SetSecurity is called. When the server initializes Mathematica, it calls SetSecurity.

Needs["MSP`"];

SetSecurity[]

Now you can test expressions for validity. A first example shows a harmless mathematical expression that is found to be secure.

InsecureExprQ[ HoldComplete[ Sin[6]]]

False

Here is a less-than-friendly expression, the sort of thing that could be sent as an attack.

InsecureExprQ[ HoldComplete[ Run[ "telnetd"]]]

True

Validation works by collecting all the symbols into a list and steadily reducing the list. If any symbols remain after reduction, the expression is not secure. The reduction process works with lists of symbol and context names that can either be allowed or disallowed according to the following steps:

1. If AllowedContexts is a list, remove symbols with contexts on this list.

2. If AllowedContexts is not a list, remove symbols with contexts not in DisallowedContexts.

3. If AllowedSymbols is a list, remove symbols found in this list.

4. If AllowedSymbols is not a list, remove symbols that are not in DisallowedSymbols.

5. If no symbols remain, the expression is secure; otherwise it is not secure.

These tests allow you to be restrictive or flexible. If you use the allowed lists, you are restrictive and have more security, whereas if you use the disallowed lists, you are less restrictive with less security. It is up to each individual site to decide the appropriate balance.
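The reduction steps above can be traced with a small stand-alone model. This is an added example, not MSP code: heldSymbols, symbolContext, asHeldList and residualSymbols are hypothetical names, None stands for a parameter that is not set, and x and y are assumed to live in the Global` context of an interactive session.

```mathematica
(* Added illustration, not MSP source. All function names here are hypothetical;
   None stands for "this parameter is not set". *)

(* Every symbol in the held expression, heads included, collected unevaluated. *)
heldSymbols[HoldComplete[expr_]] :=
  DeleteDuplicates @ Cases[Unevaluated[expr], s_Symbol :> HoldComplete[s],
    {0, Infinity}, Heads -> True]

(* Context is HoldFirst, so the symbol itself is never evaluated. *)
symbolContext[HoldComplete[s_]] := Context[s]

(* HoldComplete[a, b] becomes {HoldComplete[a], HoldComplete[b]}. *)
asHeldList[None] := {}
asHeldList[h_HoldComplete] := List @@ (HoldComplete /@ h)

(* Returns the symbols left after reduction; an empty list means "secure". *)
residualSymbols[held_HoldComplete, allowedCtx_, deniedCtx_, allowedSym_, deniedSym_] :=
  Module[{syms = heldSymbols[held]},
    (* Context reduction: allow list if set, otherwise the deny list. *)
    syms = If[ListQ[allowedCtx],
      Select[syms, !MemberQ[allowedCtx, symbolContext[#]] &],
      Select[syms, MemberQ[Replace[deniedCtx, None -> {}], symbolContext[#]] &]];
    (* Symbol reduction: allow list if set, otherwise the deny list. *)
    syms = If[allowedSym =!= None,
      Select[syms, !MemberQ[asHeldList[allowedSym], #] &],
      Select[syms, MemberQ[asHeldList[deniedSym], #] &]];
    syms]

(* Allow-list model: Global` context plus Plus, Times and Power. *)
residualSymbols[HoldComplete[x + y],
  {"Global`"}, None, HoldComplete[Plus, Times, Power], None]
residualSymbols[HoldComplete[Sin[x] + y],
  {"Global`"}, None, HoldComplete[Plus, Times, Power], None]

(* Deny-list model (constructed): System` context, Run and ReadList named. *)
residualSymbols[HoldComplete[DeleteFile["constructed.txt"]],
  None, {"System`"}, None, HoldComplete[Run, ReadList]]
```

Unlike a True or False answer, the returned list names the symbols that caused a rejection, which helps when tuning a custom model. The last call shows why deny lists give less security: a symbol the deny list does not name is reduced away and the expression counts as secure.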

When the server is started, a default security model is installed. This default security model looks like this:

MSP`Utility`AllowedContexts

{"Global`"}

MSP`Utility`DisallowedContexts

MSP`Utility`DisallowedContexts

MSP`Utility`AllowedSymbols

HoldComplete[Plus, Times, Power, Sqrt, Log, Exp, HoldComplete, ∞, π, ⅇ, °, GoldenRatio, Catalan, EulerGamma, OutputForm, StandardForm, List, Sin, Cos, Tan, Sec, Csc, Cot, Sinh, Cosh, Tanh, Sech, Csch, Coth, ArcSin, ArcCos, ArcTan, ArcSec, ArcCsc, ArcCot, ArcSinh, ArcCosh, ArcTanh, ArcSech, ArcCsch, ArcCoth, True, False, Derivative, D, Dt, ⅈ, Greater, Less, GreaterEqual, LessEqual, Inequality, Equal, Re, Im, Abs, Sign, Conjugate, Arg, Round, Floor, Ceiling, Max, Min, Mod, Quotient, Not, And, Or, Xor, AiryAi, AiryAiPrime, AiryBi, AiryBiPrime, BesselJ, BesselK, BesselI, BesselY, Factorial, Binomial, Multinomial, Gamma, Beta, LogGamma, PolyGamma, LegendreP, SphericalHarmonicY, HermiteH, LaguerreL, Erf, Erfc, Erfi, InverseErf, InverseErfc, ClebschGordan, ThreeJSymbol, SixJSymbol, Zeta, FresnelS, FresnelC, CosIntegral, SinIntegral, ExpIntegralE, ExpIntegralEi, SinhIntegral, CoshIntegral, HypergeometricPFQ, Hypergeometric0F1, Hypergeometric1F1, Hypergeometric2F1, HypergeometricPFQRegularized, MeijerG, MSP`Security`Private`AppelF1, EllipticK, EllipticF, EllipticE, EllipticPi, JacobiZeta, EllipticNomeQ, EllipticLog, InverseEllipticNomeQ, JacobiAmplitude, EllipticExp, DiracDelta, UnitStep, DiscreteDelta, KroneckerDelta, Identity, Function, Slot, GrayLevel, Hue, RGBColor, CMYKColor, Automatic, None, All, Null]

MSP`Utility`DisallowedSymbols

MSP`Utility`DisallowedSymbols

This model will allow any symbol in Global` context, in addition to a number of specific symbols. This is a fairly restrictive model that provides a higher level of security.

6.2.2 Setting Your Own Security Model

You can make your own definitions for MSP`Utility`AllowedContexts, MSP`Utility`DisallowedContexts, MSP`Utility`AllowedSymbols, and MSP`Utility`DisallowedSymbols. These definitions should be placed into a file in the /WEB-INF/conf directory and the name of the file set by the configuration parameter SecurityConfigurationFile. For example, if the configuration information is in a file called SecurityConfiguration.m, the following should be added to MSP.conf.

SecurityConfigurationFile=SecurityConfiguration.m

A sample security configuration file is shown below. This only allows symbols in the Global` context in addition to Plus, Times, and Power. This is a particularly restrictive security system that might be appropriate in some circumstances.

MSP`Utility`AllowedSymbols =
HoldComplete[ Plus, Times, Power]

MSP`Utility`AllowedContexts =
   {"Global`"}

As described in the section on Multiple Kernel Pools, it is possible to use different configuration details for different request URLs. Each pool has its own configuration file and its own security system.

When each Mathematica kernel is launched, these four security parameters are sent to the log system.

You can test your security model from within Mathematica. You first need to have installed the MSP Mathematica application into your Mathematica layout. This installation is not necessary to run webMathematica; but it is necessary if you want to use the functions in an interactive session of Mathematica. It is described earlier.

You can then run the functions from within a Mathematica session. First you need to load the MSP application.

<<MSP`

Now you need to place your security configuration into a file and then load this into Mathematica. Here the example has used the configuration information shown above and the file is placed into the C:\Temp directory.

SetSecurity["C:\\Temp", "MySecurity.m"]

True

This input passes the security model since it contains symbols in the Global` context and Plus.

MSPToExpression[ "x+y"]

x+y

However, this input does not pass the security system since it also contains the Sin symbol which is not permitted by the security system.

MSPToExpression[ "Sin[x]+y"]

Hold[Throw[{"Sin[x]+y", "Sin[x]+y"}, MSPException["SecurityError"]]]

When you have determined the appropriate security system you can place your security configuration file into the webMathematica/WEB-INF/conf directory and set the SecurityConfigurationFile parameter of MSP.conf.

6.2.3 ToExpression Validation

It is possible that someone developing MSP scripts may not fully understand the security system. They may decide to call ToExpression directly on an input variable, which would bypass the security system and pose a potential danger. To provide security for such events, ToExpression is validated if it has a first argument equal to any of the inputs sent with the request. In this way, the security system will validate a computation such as the following.

<msp:evaluate>
val = ToExpression[ $$num]
</msp:evaluate>

If the value of $$num passes the security test, ToExpression works as expected. However, if the security test fails, a security exception will be thrown.

You can disable this security test by setting the Mathematica variable MSP`Utility`CheckToExpression to False. In addition, you can disable the test in MSP.conf.

CheckToExpression=false

It is probably an exceptional site that disables this security feature.

Of course, if the string input to ToExpression comes from an input sent with the request, but is modified in some way, the call to ToExpression will not carry out any validation. Due to this, it is highly recommended that you never use ToExpression, but instead use MSPToExpression.
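A pattern that follows this recommendation and also catches the security exception mentioned in section 6.2.1 is sketched below. This is an added example, not code from the webMathematica distribution: safeN and the message text are hypothetical, and it assumes the exception is thrown with an MSPException[...] tag as in the output shown earlier.

```mathematica
Needs["MSP`"];
SetSecurity[];

(* Pattern to avoid: the request string is modified before ToExpression sees it,
   so the first-argument check described above no longer applies.
     val = ToExpression["N[" <> $$num <> "]"]                                  *)

(* Validate the raw input first, then apply page-side functions to the result.
   N is applied by the page author, so it does not have to appear in the
   allowed symbols that govern user input. *)
safeN[input_String] :=
  Catch[
    N[MSPToExpression[input]],
    _MSPException,   (* matches the tag, e.g. MSPException["SecurityError"] *)
    Function[{value, tag}, "Input rejected (" <> First[tag] <> ")"]]

(* Constructed inputs: one arithmetic expression, one taken from this page. *)
safeN["Sqrt[2] + 1"]
safeN["ReadList[\"/etc/passwd\"]"]
```

Inside a page the same body would go in an msp:evaluate block with the request variable in place of input.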

6.2.4 Access Restrictions

You may wish to restrict access to certain parts of your system such as the Kernel Monitor, which is provided for monitoring and debugging your system. In this case, refer to the Site Administration section on Logging and the Kernel Monitor. The section on Apache and Tomcat describes how this can be done when webMathematica is used from the Apache web server.



THIS IS DOCUMENTATION FOR AN OBSOLETE PRODUCT. CURRENT WEBMATHEMATICA DOCUMENTATION IS NOW AVAILABLE.