
registry vulnerabilities in R

7 messages · Barry Rowlingson, Marc Schwartz, Paul Martin +4 more

#
I had another thought shortly after my initial email. Suppose yes, R
is accepted. Great. You run R.

 Then you think, "Oh, I need ggplot2" (yes you do). Do you then have
to get security clearance for every package you want to download from
CRAN?

Barry
#
On May 9, 2012, at 11:00 AM, Barry Rowlingson wrote:

That will depend upon their internal procedures/policies.

Presuming that the initial hurdle for R itself is overcome, for third party packages, whether from CRAN or elsewhere, Paul might see if the folks involved in the review process would allow him to install these to a local private folder tree, where it may be possible that security related concerns may be more mitigated and provide more flexibility than if for a system-wide install. In other words, see if there is some way to, in effect, sandbox the additional components, that would be acceptable.

A quick review of the lengthy output that Paul provided in the original post seems to suggest that the majority, if not all, of the registry related issues are specific to R-Studio itself and not to R.

Third party packages, of course, may have additional code that can perform a variety of activities (access/modify local system resources, access external IPs, etc.), so it would not be a surprise to me that there may need to be a package by package review and approval process.

Of course, the mere process of downloading and installing CRAN or other packages means that access to external IPs would be required, which appear to be part of the restrictions. It would be interesting to find out how updates "over the net" are handled for the approved applications. Are these allowed or are they controlled by a central authority?

So an internal discussion would be required to understand how R would fit within the policy and procedure constraints in place. It is clear that despite the subject heading for this thread, registry related issues are only a part of the underlying "problem".

It would also be of value to know how other folks, operating in similar 'restricted' environments, either inside or outside the U.S., have overcome these issues, so that Paul may learn from their experience. We do, for example, get posts here now and then from folks with U.S. ".mil" domain e-mail addresses. So there appear to be folks using R in such environments, unless they are using R, but not on DOD owned systems.

Regards,

Marc
#
I don't have much new to add, but I want to make some clarifying comments:

First, there are clearly workarounds available. I am using one now. R is 
installed on a personal laptop which I bring to work every day. I take 
extreme care with the nature of the files I move back and forth, and 
none of this is classified. This is common practice here. Yes, it would 
be nice if I could get R onto my desktop machine at work. It would save 
me burning CDs to move plots back and forth. But it's not the end of the 
world. My ability to get work done is not the issue here.

The issue is the following: Is there anything here which is of concern to 
the R community? I suspect the answer is no, but cannot say anything for 
sure at this point.

The registry analysis tool looks like it is custom software developed by 
the Air Force. I can't get any specific information beyond that. That is 
unfortunate, since it would be nice if the tests could be duplicated and 
confirmed.

We will get separate tests on R without RStudio.

The registry analysis reports results in two sections: Registry entries 
added and registry entries modified. There were no vulnerabilities found 
in the "entries modified" section. All of the vulnerabilities are listed 
under "entries added".

I will let you know if I find out anything else. Certainly the isolated 
test of the R software without RStudio will be of interest.

Thank you all for your comments,

Paul Martin
On 5/9/2012 10:00 AM, Barry Rowlingson wrote:
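Paul describes a report split into "registry entries added" and "registry entries modified". The following PowerShell script is an added example, not part of the thread or of R's own tooling, that reproduces that split on a test machine: snapshot the registry, run the installer, snapshot again, and diff. It assumes an elevated prompt (HKLM is read) and that the snapshot is saved to C:\Temp; the R-core key is where the R installer records version numbers when that option is left checked.

```powershell
# Added example: registry before/after diff for an installer under review.
# Assumed snapshot path; adjust as needed.
$SnapshotFile = 'C:\Temp\registry-before.xml'

function Get-RegistrySnapshot {
    # Returns a hashtable: "<full key name>\<value name>" -> value as string.
    param([string[]]$Roots = @('HKLM:\SOFTWARE', 'HKCU:\SOFTWARE'))
    $snap = @{}
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            foreach ($name in $key.GetValueNames()) {
                $snap["$($key.Name)\$name"] = [string]$key.GetValue($name)
            }
        }
    }
    return $snap
}

function Compare-RegistrySnapshot {
    # Splits differences the same way the report in the thread does:
    # entries present only after the install ("added") and entries whose
    # data changed ("modified").
    param([hashtable]$Before, [hashtable]$After)
    $added = @(); $modified = @()
    foreach ($k in $After.Keys) {
        if (-not $Before.ContainsKey($k))      { $added += $k }
        elseif ($Before[$k] -ne $After[$k])    { $modified += $k }
    }
    [pscustomobject]@{ Added = $added; Modified = $modified }
}

# Step 1: before the install, persist the baseline so the installer can
# run (and the shell can be closed) in between.
if (-not (Test-Path $SnapshotFile)) {
    Get-RegistrySnapshot | Export-Clixml -Path $SnapshotFile
    Write-Host "Baseline saved to $SnapshotFile; now run the installer."
    return
}

# Step 2: after the install, compare against the baseline.
$before = Import-Clixml -Path $SnapshotFile
$after  = Get-RegistrySnapshot
$diff   = Compare-RegistrySnapshot -Before $before -After $after

Write-Host "Added:    $($diff.Added.Count)"
Write-Host "Modified: $($diff.Modified.Count)"
# Entries attributable to R itself vs. the IDE show up under distinct keys.
$diff.Added | Where-Object { $_ -match '\\R-core\\|\\RStudio\\' }
```

Run the script once before installing R (or RStudio) and once after; the second run prints the two categories, and the final filter separates entries under R's own key from those under RStudio's, which is the distinction Marc raises about the original report.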
#
On Wed, May 9, 2012 at 12:46 PM, Paul Martin <pamartin at alum.mit.edu> wrote:
During the installation process it's only the installer that sets any
registry values, not R itself.

Using the standard installer that comes with R it asks you whether you
want to save version numbers in the registry and whether you want to
create an association for RData files.  If you uncheck those then the
installation does not set any registry values.

--
Statistics & Software Consulting
GKX Group, GKX Associates Inc.
tel: 1-877-GKX-GROUP
email: ggrothendieck at gmail.com
#
On 09/05/2012 2:04 PM, Gabor Grothendieck wrote:
That's correct.  And with a small change to the installer script, even 
that can be suppressed.  (For anyone interested:  you need 
"Uninstallable=no" near the top of the Inno Setup script; if using the 
regular build, that's in the file RHOME/src/gnuwin32/installer/header1.iss.)

Duncan Murdoch
#
One more item.  Have you given a copy of the document
   R: Regulatory Compliance and Validation Issues: A Guidance Document for the Use of R in Regulated Clinical Trial Environments
   http://www.r-project.org/doc/R-FDA.pdf
to your security office?

It addresses overlapping, not identical, security issues.

Rich
On 5/9/12, Paul Martin <pamartin at alum.mit.edu> wrote: