Colleagues, Some co-workers are wondering about how secure R software is. Is there any documentation on this which I can forward to them? All the best, Thomas Subia Quality Engineer
(no subject)
3 messages · Thomas Subia, Ivan Krylov, Bert Gunter
On Tue, 5 Oct 2021 22:20:33 +0000
Thomas Subia <thomas.subia at fmindustries.com> wrote:
Some co-workers are wondering about how secure R software is.
I'm afraid that this question is too hard to answer without their threat model. Secure against what, specifically?
Is there any documentation on this which I can forward to them?
Well, R is a programming language. It's Turing-complete (see halting problem), will happily run machine code from shared objects (see dyn.load, .C, .Call), and install.packages() is there to download third-party code from the Internet. But that's the case with all programming languages I know that are used for statistics, which aren't supposed to run untrusted code. Maybe you're concerned about data input/output instead. Functions are first-class objects, so it's possible to save and load them from data files. Not sure if there's a way to run code on data load, but you can do it on print() (e.g. print.nls(x) calling x$m$getAllPars()), so don't load()/readRDS() untrusted data files. There are known bugs in the deserialiser, too: https://bugs.r-project.org/show_bug.cgi?id=16034 Don't know if it's documented anywhere, though. What are your co-workers concerned about?
Best regards, Ivan
Perhaps it's R packages and the security policies -- checks for malicious software, etc. -- of the repositories on which they reside that Thomas should be concerned with. R, itself, is fine(checksums are provided), but, as you say, can be programmed to do anything. So R packages can certainly do damage. For CRAN, at least, I believe it's download at your own risk. Presumably, virus checking capabilities at the local level could check all such downloads, as per usual. Correction and clarification of any of the above welcome of course. Bert Gunter "The trouble with having an open mind is that people keep coming along and sticking things into it." -- Opus (aka Berkeley Breathed in his "Bloom County" comic strip )
On Wed, Oct 6, 2021 at 2:53 AM Ivan Krylov <krylov.r00t at gmail.com> wrote:
On Tue, 5 Oct 2021 22:20:33 +0000 Thomas Subia <thomas.subia at fmindustries.com> wrote:
Some co-workers are wondering about how secure R software is.
I'm afraid that this question is too hard to answer without their threat model. Secure against what, specifically?
Is there any documentation on this which I can forward to them?
Well, R is a programming language. It's Turing-complete (see halting problem), will happily run machine code from shared objects (see dyn.load, .C, .Call), and install.packages() is there to download third-party code from the Internet. But that's the case with all programming languages I know that are used for statistics, which aren't supposed to run untrusted code. Maybe you're concerned about data input/output instead. Functions are first-class objects, so it's possible to save and load them from data files. Not sure if there's a way to run code on data load, but you can do it on print() (e.g. print.nls(x) calling x$m$getAllPars()), so don't load()/readRDS() untrusted data files. There are known bugs in the deserialiser, too: https://bugs.r-project.org/show_bug.cgi?id=16034 Don't know if it's documented anywhere, though. What are your co-workers concerned about? -- Best regards, Ivan
______________________________________________ R-help at r-project.org mailing list -- To UNSUBSCRIBE and more, see https://stat.ethz.ch/mailman/listinfo/r-help PLEASE do read the posting guide http://www.R-project.org/posting-guide.html and provide commented, minimal, self-contained, reproducible code.