Security issues with CRAN packages

 

[ Edit: June 2013 ] A paper has appeared on ArXiv describing this issue in greater detail, and suggesting some solutions: http://arxiv.org/abs/1303.4808. It will appear in the Journal of Statistical Software later in 2013.

I have a cronjob on my Ubuntu servers that downloads and installs every source package from CRAN. However on the same server I started to notice some irregular activity. It might be totally unrelated, but it got me thinking about if there could be a possibility that some CRAN packages contain malicious code.

The process of creating and publishing a cran package is extremely easy. Maybe a little too easy. You upload your package to the FTP, Kurt will do a check, and publish it. With the volume of R packages that is being uploaded every day, it is reasonable to assume that there is no extensive auditing of the package going on. Also there is no signing of a package using a private key, like most distro packages. Even the email address in the DESCRIPTION is rarely verified.

Now it would not be very hard to include some code that installs a rootkit, either at compile time or at run time. Compile time is probably more vulnerable, because I install my packages using sudo, which I probably should stop doing. But also at runtime a lot can be done. The linux kernel has had several security vulnerabilities lately, and I have confirmed myself that it can be extremely easy to obtain root via a privilege escalation exploit, on a completely up to date system. As R usually has internet access, the malicious code does not even have to be included in the package, it can simply be downloaded from somewhere using wget or download.file().

That said, are R users considering this at all? Or is the philosophy mostly that you should only download packages from people you trust? Still without signing the packages that is not very reliable. What could be a safer approach to installing cran packages? I have considered something like a separate machine for building packages and then copying the binaries, and always running R in a sandbox. That is a little cumbersome though.

链接地址: http://www.djcxy.com/p/60058.html

上一篇: FTP“550访问被拒绝”错误

下一篇: CRAN软件包的安全问题