Changes between Version 5 and Version 6 of SecurityIssues

Timestamp: Jun 10, 2008, 1:35:10 PM (16 years ago)
Author: davea
Comment: --

Legend: Unmodified, Added, Removed, Modified. In each section below, text present only in version 5 is introduced by "Removed (v5):" and text present only in version 6 by "Added (v6):"; headings and lines without a label are unmodified.

SecurityIssues (v5 to v6)
'''Result falsification'''

Removed (v5):
This can be probabilistically detected using redundant computing and result verification: if a majority of results agree (according to an application-specific comparison) then they are classified as correct.

Added (v6):
This can be reduced using [ValidationSummary replication or other result validation methods].

'''Credit falsification'''

Removed (v5):
This can be probabilistically detected using redundant computing and credit verification: each participant is given the minimum credit from among the correct results (or some other algorithm, such as the mean or median of claimed credits).

Added (v6):
This can be reduced using [ValidationSummary replication or other result validation methods].

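The following is an added example, not code from the BOINC project or from this wiki page: a Go sketch of the replication-based validation that the removed v5 text of the two sections above describes. It covers both sections at once: results of one workunit are grouped by an application-specific comparison (here a numeric tolerance, an assumption), the largest group is classified correct only if it is a strict majority, and every correct result is granted the minimum credit claimed within that group. The `Result` and `Validation` types and the `Validate` function are names invented for this example, not BOINC's schema.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// Result is one returned instance of a replicated workunit.
// The struct and field names are assumed for this example; they are not BOINC's schema.
type Result struct {
	HostID        int
	Output        float64 // the application's numeric output
	ClaimedCredit float64 // credit the host claims for this result
}

// equivalent is the "application-specific comparison" from the text:
// here two numeric outputs agree if they differ by at most tol.
func equivalent(a, b, tol float64) bool {
	return math.Abs(a-b) <= tol
}

// Validation is the outcome of validating one workunit.
type Validation struct {
	Canonical     Result       // representative of the agreeing majority
	Correct       map[int]bool // host IDs whose results are classified correct
	GrantedCredit float64      // minimum claimed credit among the correct results
}

// Validate groups results into agreement classes, classifies the largest class
// as correct only if it is a strict majority of all results, and grants each
// correct result the minimum credit claimed within that class. The second
// return value is false when no majority exists (the workunit needs more replicas).
func Validate(results []Result, tol float64) (Validation, bool) {
	var classes [][]int // each class is a list of indices into results
	for i, r := range results {
		placed := false
		for c := range classes {
			if equivalent(results[classes[c][0]].Output, r.Output, tol) {
				classes[c] = append(classes[c], i)
				placed = true
				break
			}
		}
		if !placed {
			classes = append(classes, []int{i})
		}
	}
	if len(classes) == 0 {
		return Validation{}, false
	}
	sort.Slice(classes, func(a, b int) bool { return len(classes[a]) > len(classes[b]) })
	best := classes[0]
	if 2*len(best) <= len(results) {
		return Validation{}, false
	}
	v := Validation{Canonical: results[best[0]], Correct: map[int]bool{}, GrantedCredit: math.Inf(1)}
	for _, i := range best {
		v.Correct[results[i].HostID] = true
		if results[i].ClaimedCredit < v.GrantedCredit {
			v.GrantedCredit = results[i].ClaimedCredit
		}
	}
	return v, true
}

func main() {
	// Constructed sample: hosts 1 and 2 agree; host 3 returns a different answer
	// and claims far more credit than the others.
	results := []Result{
		{HostID: 1, Output: 42.000, ClaimedCredit: 10},
		{HostID: 2, Output: 42.001, ClaimedCredit: 11},
		{HostID: 3, Output: 99.000, ClaimedCredit: 500},
	}
	v, ok := Validate(results, 0.01)
	fmt.Printf("majority=%v canonical=%+v correct=%v granted=%.1f\n", ok, v.Canonical, v.Correct, v.GrantedCredit)
}
```

With the constructed sample, hosts 1 and 2 form the majority and each receives 10 credits (the smaller of the two claims); host 3's result is not classified correct, so its inflated claim has no effect on what anyone is granted. Two results that disagree with each other produce no majority, which is why replication counts in practice are chosen so that a strict majority is reachable.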
'''Malicious executable distribution'''

Removed (v5):
BOINC uses code signing to prevent this. Each project has a key pair for code signing. The private key should be kept on a network-isolated machine used for generating digital signatures for executables. The public key is distributed to, and stored on, clients. All files associated with application versions are sent with digital signatures using this key pair.

Even if attackers break into a project's BOINC servers, they will not be able to cause clients to accept a false code file.

BOINC provides a mechanism by which projects can periodically change their code-signing key pair. The project generates a new key pair, then (using the code-signing machine) generates a signature for the new public key, signed with the old private key. The core client will accept a new key only if it's signed with the old key. This mechanism is designed to prevent attackers from breaking into a BOINC server and distributing a false key.

Added (v6):
BOINC uses [CodeSigning code signing] to prevent this. Even if attackers break into a project's BOINC server, they will not be able to cause clients to accept a false code file.

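The following is an added example, not code from the BOINC project or from this wiki page: a Go model of the code-signing and key-rotation rule described in the removed v5 text above (the client trusts one public key; it accepts a file only if the signature over it verifies under that key; it accepts a replacement key only if the new public key is signed with the old private key). It uses Ed25519 from Go's standard library as a stand-in for whatever signature scheme a project actually uses, and the `Client`, `Outcome` and `Scenario` names are invented for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Client models the core client's trust state: exactly one code-signing public key.
// Type and function names are assumed for this example; this is not BOINC's client code.
type Client struct {
	trustedKey ed25519.PublicKey
}

// AcceptFile accepts an application file only if sig verifies over its contents
// under the currently trusted key.
func (c *Client) AcceptFile(contents, sig []byte) bool {
	return ed25519.Verify(c.trustedKey, contents, sig)
}

// RotateKey installs newKey only if newKeySig is a signature over newKey made
// with the private half of the currently trusted key. Anything else, including a
// key that merely signs itself, is rejected and the trust state is unchanged.
func (c *Client) RotateKey(newKey ed25519.PublicKey, newKeySig []byte) error {
	if len(newKey) != ed25519.PublicKeySize {
		return errors.New("malformed public key")
	}
	if !ed25519.Verify(c.trustedKey, newKey, newKeySig) {
		return errors.New("new code-signing key rejected: not signed by the trusted key")
	}
	c.trustedKey = newKey
	return nil
}

// signOnIsolatedHost stands in for the network-isolated signing machine: in this
// model it is the only code path that ever touches a project private key.
func signOnIsolatedHost(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, msg)
}

// Outcome records what the client accepted or rejected in Scenario.
type Outcome struct {
	FileAccepted       bool // file signed with the trusted key
	SelfSignedRejected bool // a key that is not signed by the old private key
	RotationAccepted   bool // new key signed by the old private key
	StaleSigRejected   bool // after rotation, a file still signed with the old key
	NewKeyFileAccepted bool // after rotation, a file signed with the new key
}

// Scenario walks through signing, rotation and the failure cases, returning
// what the client decided at each step.
func Scenario() (Outcome, error) {
	var o Outcome
	oldPub, oldPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return o, err
	}
	client := &Client{trustedKey: oldPub}
	app := []byte("constructed application binary, version 1")

	o.FileAccepted = client.AcceptFile(app, signOnIsolatedHost(oldPriv, app))

	// A key pair whose public half was never signed by the old private key:
	// the client must refuse it even though its own signature is internally valid.
	otherPub, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return o, err
	}
	o.SelfSignedRejected = client.RotateKey(otherPub, ed25519.Sign(otherPriv, otherPub)) != nil

	// Legitimate rotation: the project signs the new public key with the old private key.
	newPub, newPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return o, err
	}
	o.RotationAccepted = client.RotateKey(newPub, signOnIsolatedHost(oldPriv, newPub)) == nil

	// From now on only the new key is trusted.
	o.StaleSigRejected = !client.AcceptFile(app, signOnIsolatedHost(oldPriv, app))
	o.NewKeyFileAccepted = client.AcceptFile(app, signOnIsolatedHost(newPriv, app))
	return o, nil
}

func main() {
	o, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

The point the model makes concrete is that the private key never appears on the client or on the project's network-facing servers; a compromised server holds only signed artefacts, and a replacement key that lacks a signature from the previous private key is refused regardless of how the server presents it.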
'''Denial of server attacks on data servers'''

Removed (v5):
Each result file has an associated maximum size. Each project has a '''upload authentication key pair'''. The public key is stored on the project's data servers. Result file descriptions are sent to clients with a digital signature, which is forwarded to the data server when the file is uploaded. The data server verifies the file description, and ensures that the amount of data uploaded does not exceed the maximum size.

Added (v6):
BOINC provides an optional mechanism, '''upload certificates''', to prevent data server attacks. Each output file has an associated maximum size. Each project has a '''upload authentication key pair'''. The public key is stored on the project's data servers. Result file descriptions are sent to clients with a digital signature, which is forwarded to the data server when the file is uploaded. The data server verifies the file description, and ensures that the amount of data uploaded does not exceed the maximum size.

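The following is an added example, not code from the BOINC project or from this wiki page: a Go model of the upload-certificate check described above. The scheduler signs a file description (name plus maximum size) with the upload-authentication private key; the data server, holding only the public key, verifies the description before reading any body bytes and then reads at most the certified size. The `FileDescription`, `UploadCertificate` and `DataServer` types, the JSON encoding of the description, and Ed25519 as the signature scheme are all assumptions of this example, not BOINC's actual formats.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// FileDescription is the part of an output-file description that the scheduler signs.
// Field names and the JSON encoding are assumed for this example; they are not BOINC's format.
type FileDescription struct {
	Name    string `json:"name"`
	MaxSize int64  `json:"max_nbytes"`
}

// UploadCertificate is what the client forwards to the data server with the upload.
type UploadCertificate struct {
	Desc FileDescription
	Sig  []byte
}

// IssueCertificate runs on the scheduler, which holds the upload-authentication private key.
func IssueCertificate(priv ed25519.PrivateKey, desc FileDescription) (UploadCertificate, error) {
	msg, err := json.Marshal(desc)
	if err != nil {
		return UploadCertificate{}, err
	}
	return UploadCertificate{Desc: desc, Sig: ed25519.Sign(priv, msg)}, nil
}

var (
	ErrBadSignature = errors.New("file description signature invalid")
	ErrTooLarge     = errors.New("upload exceeds certified maximum size")
)

// DataServer holds only the public half of the upload-authentication key pair.
type DataServer struct {
	pub    ed25519.PublicKey
	stored map[string][]byte
}

// AcceptUpload verifies the certificate before reading any body bytes, then reads
// at most MaxSize+1 bytes so an oversized body is cut off instead of being buffered.
func (s *DataServer) AcceptUpload(cert UploadCertificate, body io.Reader) error {
	msg, err := json.Marshal(cert.Desc)
	if err != nil {
		return err
	}
	if !ed25519.Verify(s.pub, msg, cert.Sig) {
		return ErrBadSignature
	}
	data, err := io.ReadAll(io.LimitReader(body, cert.Desc.MaxSize+1))
	if err != nil {
		return err
	}
	if int64(len(data)) > cert.Desc.MaxSize {
		return ErrTooLarge
	}
	s.stored[cert.Desc.Name] = data
	return nil
}

// Outcome records the server's decision for each constructed upload.
type Outcome struct {
	Valid    error // 10 bytes under a 16-byte certificate
	Oversize error // 17 bytes under the same certificate
	Tampered error // description edited after signing, original signature kept
	Stored   int   // files the server kept
}

// Scenario issues one certificate and exercises the three cases.
func Scenario() (Outcome, error) {
	var o Outcome
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return o, err
	}
	server := &DataServer{pub: pub, stored: map[string][]byte{}}
	cert, err := IssueCertificate(priv, FileDescription{Name: "result_0.out", MaxSize: 16})
	if err != nil {
		return o, err
	}
	o.Valid = server.AcceptUpload(cert, bytes.NewReader([]byte("ten bytes!")))
	o.Oversize = server.AcceptUpload(cert, bytes.NewReader(bytes.Repeat([]byte("x"), 17)))
	forged := cert
	forged.Desc.MaxSize = 1 << 30 // limit raised without re-signing the description
	o.Tampered = server.AcceptUpload(forged, bytes.NewReader([]byte("small")))
	o.Stored = len(server.stored)
	return o, nil
}

func main() {
	o, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("valid=%v oversize=%v tampered=%v stored=%d\n", o.Valid, o.Oversize, o.Tampered, o.Stored)
}
```

Ordering matters here: the signature is checked before any body is read, and the body is read through a limiting reader, so a client without a valid certificate cannot make the server consume or store unbounded data, and a client with a valid certificate is bounded by the size the scheduler certified.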
'''Theft of participant account information by server attack'''

Removed (v5):
Each project must address theft of private account information (e.g. email addresses) using conventional security practices. All server machines should be protected by a firewall, and should have all unused network services disabled. Access to these machines should be done only with encrypted protocols like SSH. The machines should be subjected to regular security audits.

Added (v6):
Each project must address theft of private account information (e.g. email addresses) using conventional security practices. All server machines should be protected by a firewall, and should have all unused network services disabled. Access to these machines should be done only with encrypted protocols like SSH. The machines should be subjected to regular security audits.

Removed (v5):
Projects should be undertaken only by organizations that have sufficient expertise and resources to secure their servers. A successful attack could discredit all BOINC-based projects, and public-participation computing in general.

Added (v6):
Projects should be undertaken only by organizations that have sufficient expertise and resources to secure their servers. A successful attack could discredit all BOINC-based projects, and volunteer computing in general.

'''Theft of participant account information by network attack'''

Removed (v5):
Attackers sniffing network traffic could get a user's account key, and use them to get the user's email address, or change the user's preferences. BOINC does nothing to prevent this.

Added (v6):
Attackers sniffing network traffic could get a user's account key, and use them to get the user's email address, or change the user's preferences. BOINC does nothing to prevent this.

'''Theft of project files'''

Removed (v5):
The input and output files used by BOINC applications are not encrypted. Applications can do this themselves, but it has little effect since data resides in cleartext in memory, where it is easy to access with a debugger.

Added (v6):
The input and output files used by BOINC applications are not encrypted. Applications can do this themselves, but it has little effect since data resides in cleartext in memory, where it is easy to access with a debugger.

'''Intentional abuse of participant hosts by projects'''

Removed (v5):
BOINC uses account-based sandboxing: applications run under a specially-created account (Mac/Linux version 5.4+, Windows version 6+). If your system's file and directory permissions are set appropriately, applications will have no access to files outside of the BOINC directory.

Added (v6):
BOINC uses account-based sandboxing: applications run under a specially-created account (Mac/Linux version 5.4+, Windows version 6+). If file and directory permissions are set appropriately, applications will have no access to files outside of the BOINC directory.

'''Accidental abuse of participant hosts by projects'''

Removed (v5):
BOINC prevents some problems: for example, it detects when applications use too much disk space, memory, or CPU time, and aborts them. Projects can minimize the likelihood of causing problems by pre-released application testing. Projects should test their applications thoroughly on all platforms and with all input data scenarios before promoting them to production status.

Added (v6):
BOINC prevents some problems: for example, it detects when applications use too much disk space, memory, or CPU time, and aborts them. Projects can minimize the likelihood of causing problems by pre-released application testing. Projects should test their applications thoroughly on all platforms and with all input data scenarios before promoting them to production status.