-
-
Notifications
You must be signed in to change notification settings - Fork 104
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
cyphr #114
Comments
Thanks for your submission @richfitz! 😸 Editor checks:
Editor commentsNothing now that R CMD check succeeded on my weird Windows machine! 😉 Since you asked me whether the README was clear, I have two comments:
Reviewers: @stephlocke @hrbrmstr |
Thanks @stephlocke and @hrbrmstr for agreeing to review this package! Here are links to our review template and to our reviewing guide. |
Gracias. Starting this a bit later this afternoon for a change of pace from tracking global cybercrime ;-) |
@hrbrmstr friendly reminder that your review is due on next Wednesday, June the 7th 😉 |
@hrbrmstr friendly reminder that your review is due today 😸 |
@hrbrmstr @stephlocke friendly reminder about your reviews |
|
Thanks a lot for your review @hrbrmstr ! 😁 Could you add how many hours you spent doing it (for our data collection)? |
I might be misunderstanding what you're poking at here, but for what it's worth, anyone with access to your R session (ie: malicious R packages) can easily overwrite any function you have with e.g.
I think that On the RStudio side, we'd definitely be interested because we certainly don't want to enable new attack vectors in addition to what's already available on the R side :) |
thx @kevinushey.
Let me clarify a bit.
On an RStudio Server environment with users alice, bob and charlie, each
one will have an rsession that the front-end is talking to.
I've not tried to look at how RStudio talks to these rsession processes,
but I'm guessing it's an open protocol. i.e. if I'm a generic user on that
shared system then can I, in theory, make a request to that running
rsession to "steal" (or even inject) any objects?
…On Mon, Jul 24, 2017 at 1:03 PM, Kevin Ushey ***@***.***> wrote:
I tried to "hack" rewrite_register() and was able to successfully remove
utils::read.csv from the package environment which enabled me to have my
stealth-registered malicious::read.csv called instead (with a bare call on
the order of cyphr::decrypt(read.csv("/tmp/file.csv"), key)). It should
likely be strongly suggested to the user that they always namespace prefix
(::) i/o calls in encrypt()/decrypt() and/or those functions should pretty
much not execute w/o prefixed calls. This is not a show-stopper, but I'm
trying to think like an attacker who really wants data. There are likely
easier ways to get said data, too, but this is a "security" package and one
could steal stuff from many places if they convinced folks to use their
malicious package (or subverted a legit pkg) in conjunction with this one.
I might be misunderstanding what you're poking at here, but for what it's
worth, anyone with access to your R session (ie: malicious R packages) can
easily overwrite any function you have with e.g.
ns <- asNamespace("utils")
unlockBinding("read.csv", ns)
assign("read.csv", function(...) stop("pwned"), envir = ns)
lockBinding("read.csv", ns)
ns <- as.environment("package:utils")
unlockBinding("read.csv", ns)
assign("read.csv", function(...) stop("pwned"), envir = ns)
lockBinding("read.csv", ns)
read.csv("hello.txt")
I think that cyphr then has to operate under the assumption that the
rsession it's running in has not been compromised, as I don't think
there's much that can be done here (but please correct me if there's
something I might be missing).
On the RStudio side, we'd definitely be interested because we certainly
don't want to enable new attack vectors in addition to what's already
available on the R side :)
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#114 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAfHts0S0QfJpuzi9R2Q9uZyS7DEeygbks5sRM5HgaJpZM4NUB65>
.
|
I'm speculating (from that really quick view with wireshark) that I'd need the session cookie to be able to do anything real to the rsession itself. I wish I had more cycles to poke at it w/o bugging you @kevinushey ;-) so we shld prbly add some guidance around ensuring proper user permissions on the server, not having certain tools installed on said servers and encourage folks to run RStudio Server over TLS if they are indeed working with sensitive data in a shared server environment. that may seem obvious but most folks are just trying to get stuff done vs think about attack scenarios. |
Indeed, RStudio uses a secure cookie (established at login) to ensure that RPC requests from the browser are routed to the right place. (This goes along with other various safeguards on the server side, e.g. using unix domain sockets validated against the running user ID to ensure that you and only you can interact with your |
Cool. Then my concerns are pretty much moot as any other threat modeling is
based on needing to be the user which is totes not a cyphr or rstudio
issue. #ty @kevinushey!
…On Mon, Jul 24, 2017 at 1:43 PM, Kevin Ushey ***@***.***> wrote:
Indeed, RStudio uses a secure cookie (established at login) to ensure that
RPC requests from the browser are routed to the right place. (This goes
along with other various safeguards on the server side, e.g. using unix
domain sockets validated against the running user ID to ensure that you and
only you can interact with your rsession process).
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#114 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAfHtpmK1LZaM7efKNPjojAEO0ItJbZIks5sRNfGgaJpZM4NUB65>
.
|
Great to see such an animated discussion in this thread! @richfitz for info you can add a badge for rOpenSci peer-review to
|
Package ReviewPlease check off boxes as applicable, and elaborate in comments below. Your review is not limited to these topics, as described in the reviewer guide
DocumentationThe package includes all the following forms of documentation:
Functionality
Final approval (post-review)
Estimated hours spent reviewing: 2 Review Comments
|
Thanks a lot for your review @stephlocke ! 🐶 |
Thanks for the reviews and especially with PRs! I will probably get through these in detail next week |
@richfitz do you have a timeline for the changes? |
Thanks for the prod @maelle - things refuse to settle down at work! I've merged the two PRs and added the badge to the README. The other substantive suggestions from the reviewers are:
I think this falls into the situation where we must rely on all loaded packages not being malicious; there's nothing stopping a package adding a load hook that harvests ssh keys as they are unlocked. This is consistent with the points that Kevin raises above. I could move some of the unlocking into C at the cost of maintainability and clarity, but I think it would still be trivially circumvention by a malicious package. At the same time, I think it would be interesting to explore what could be done to extend the |
Thanks @richfitz for the update and especially for having carried this out while being busy! I'll wait for you to say you've done that last thing (authenticated decryption with openssl) before asking for the reviewers' approval. I'm also thinking of how to keep this security discussion going once we'll have closed this issue, maybe via Discuss / a channel in the Slack? |
OK, I have made the last set of changes and pushed to github! Please let me know if there's anything I have missed |
Thanks a lot for the update @richfitz! @stephlocke @hrbrmstr can you look at Rich's work and answer the last question "The author has responded to my review and made changes to my satisfaction. I recommend approving this package." in your reviews? Thanks a lot in advance. |
Done |
Thanks @stephlocke! |
hey @hrbrmstr - did Rich address all your concerns? yea or nah? |
Not really part of the review, my "dummy-friendly" issues |
Further reviewer @jeroen, thanks Jeroen for accepting to have a look at the changed package! 😸 |
should be done in a cpl mins |
Official response: The author has responded to my review and made changes to my satisfaction. I recommend approving this package Commentary: I agree w/Rich that there are definitely items I mentioned that are out of scope for this package (since they cannot be solved by the package alone). I've Evernoted this issue and added it to the overall "security & safety TODO" for R work. |
Thanks @hrbrmstr! 😸 @jeroen we won't need your review after all, sorry but thanks for your motivation! @richfitz your package is now approved, thanks a lot to @stephlocke and @hrbrmstr for their reviews! To-dos:
|
@richfitz will you soon transfer your repo? 😉 |
Sure - I'll do that now. This is going into ropensci or ropenscilabs? |
Cool! ropensci, we no longer have the transitional onboarding at ropenscilabs. :-) |
done! 🎉 |
Awesome, thanks again for your submission! |
Summary
cyphr
provides a set of user-friendly wrappers aroundopenssl
andcyphr
to encrypt and decrypt data.https://github.com/richfitz/cyphr
Data analysts who deal with sensitive data, especially those who need to collaborate on it.
The packages
openssl
andsodium
provide the lower level support; this package builds on those to avoid exposing users to raw vectors and to try and make it easy to do the right thing. There is also overlap withgpg
(but again that's lower level)Requirements
Confirm each of the following by checking the box. This package:
Publication options
paper.md
with a high-level description in the package root or ininst/
.Detail
Does
R CMD check
(ordevtools::check()
) succeed? Paste and describe any errors or warnings:Does the package conform to rOpenSci packaging guidelines? Please describe any exceptions:
If this is a resubmission following rejection, please explain the change in circumstances:
If possible, please provide recommendations of reviewers - those with experience with similar packages and/or likely users of your package - and their GitHub user names:
If either are up for it, Ironholds or hrbrmstr (or someone else with similar security focus) (not @-copied directly to avoid adding them to a thread).
The text was updated successfully, but these errors were encountered: