Security Concerns with NetLogo


Security Concerns with NetLogo

NetLogo-Users mailing list
I'm quite new to NetLogo, but I'm very interested in learning more about
it. Currently I'm trying to get my company to allow it to be installed
on our corporate network, however I'm being denied by IT security
because "The product is capable of producing stand-alone executables."

So my questions to you guys are:

Is NetLogo capable of compiling Java code, or does it merely use
externally-created (via another not included program) JAR files as
extensions?

Are any of the programs (NetLogo, NetLogo 3D, HubNet, or BehaviorSearch)
included with the NetLogo 64 or 32-bit installers capable of creating
standalone executables?

Do you know of any way to leverage the NetLogo suite for malicious purposes?

Thanks for taking the time to read this. Any help would be greatly
appreciated.

-Jeff


Re: Security Concerns with NetLogo

NetLogo-Users mailing list
Jeff,

This is an excellent question. First, let me say that NetLogo certainly has the potential for abuse and insecurity. This is inseparable from its role as a programming environment. Programming languages like NetLogo are designed to be able to do a variety of tasks. In any environment where you can run code provided by other users, there will always be a potential for abuse and insecurity.

I'll take your three questions in order and then include some ideas at the end about how to run NetLogo securely.

> Is NetLogo capable of compiling Java code or does it merely use externally-created JAR files as extensions?

NetLogo itself does not compile Java code while running. It does generate Java bytecode using pre-compiled Java classes, primarily as a way to improve execution speed. This is a default-enabled behavior which can be disabled via configuration file.

Because NetLogo loads externally-created JAR files, it is possible for NetLogo to end up running and/or compiling Java code via extensions. Extensions have access to the full power of the JRE and are capable of accessing network connections, running arbitrary Java code, and even creating new processes ("shelling out").

> Are any of the programs included with NetLogo 64 or 32-bit installers capable of creating standalone executables?

The basic answer here is "no". The longer answer (as in the first question) is that since extensions have access to the full power of the JRE it would theoretically be possible for a malicious and determined user to write a NetLogo extension which created an executable program.

> Do you know of any way to leverage the NetLogo suite for malicious purposes?

Yes. This is a direct consequence of its power as a programming language. To give an example, it would be very easy to write a program which deleted or overwrote all of a user's files in a particular directory. Such a program wouldn't even require the use of an extension. One feature which makes this more dangerous is the immediate execution of a procedure named startup every time a model is opened (if that model contains such a procedure).

Here are some security tips that we would recommend for all users:

  *   Run the latest version of NetLogo. Since NetLogo 5.3, we've bundled the latest version of Java available (at the time that version was built) with each new release, ensuring that every release contains Java patches and fixes.
  *   Download NetLogo only from https://ccl.northwestern.edu/netlogo (we don't publish checksums, but we're happy to provide them upon request).
  *   As mentioned above, never run NetLogo with elevated (root/admin) privileges.
  *   Consider using NetLogo Web (netlogoweb.org) to run or distribute your model. While it doesn't have widget authoring support at the time of this email, it replicates most of the language features of NetLogo Desktop faithfully and is continuing to grow and improve. Because modern browsers have a rigorous JavaScript sandbox, NetLogo Web models pose virtually no security risk.
  *   Be very cautious when opening a model from a user you don't know. If you're unsure what a model does or what extensions it uses, ".nlogo" files should be opened for inspection using a text editor before opening them in NetLogo. In addition to looking at what extensions an unknown model loads, look carefully at whether the model contains a startup procedure and what that procedure does.

For highly security-conscious users, here are some additional steps you might take:

  *   Avoid models which load non-bundled extensions.
  *   Avoid running NetLogo on security-critical systems.
  *   If you must run NetLogo Desktop with non-bundled extensions and you must run it on a security-critical system, consider sandboxing NetLogo using OS-Level tools, just as you would for any other "potentially dangerous" program. Here are some general ways you might do that:
     *   Creating a separate user just to run NetLogo. This ensures that NetLogo will not have access to your user files.
     *   (Linux only) Run NetLogo in an LXC or Docker container or in a chroot environment.
     *   Run NetLogo on a virtual machine. NetLogo will run quite happily in a minimal Linux VM (we test on Ubuntu) set up inside VirtualBox or VMware. VirtualBox is free and easy to use.

Thanks again for the terrific question, best of luck with IT security, and please feel free to email [hidden email] if you need any further info.

Robert Grider

On 8/16/17 3:52 PM, [hidden email] wrote:
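The reply recommends inspecting an unknown ".nlogo" file in a text editor for the extensions it loads and for a startup procedure before opening it in NetLogo. The following is an added example (not from the mailing list or the NetLogo project) that automates that inspection in Python. It assumes the .nlogo layout where the code section comes first and sections are separated by "@#$#@#$#@", and the bundled-extension list and the sample model below are constructed for illustration, so adjust them to your release.

```python
import re

# Assumed: .nlogo files are plain text, code section first, sections separated by this marker.
SECTION_SEP = "@#$#@#$#@"

# Illustrative set of extensions that ship with NetLogo Desktop; check your release's docs.
BUNDLED = {"array", "bitmap", "csv", "gis", "matrix", "nw", "palette",
           "profiler", "sound", "table", "time", "vid"}

# Primitives worth a second look inside an auto-running startup procedure.
WATCH = ("file-delete", "file-open", "file-write", "file-print", "shell:")

# Constructed sample model: a non-bundled extension and a startup procedure that touches files.
SAMPLE_MODEL = """extensions [ table myext ]
globals [ counter ]

to startup ; runs automatically when the model is opened
  file-delete "notes.txt"
end

to setup
  clear-all
end
@#$#@#$#@
GRAPHICS-WINDOW
"""

def code_section(nlogo_text):
    return nlogo_text.split(SECTION_SEP, 1)[0]

def strip_comments(code):
    # NetLogo comments run from ';' to end of line.
    return re.sub(r";[^\n]*", "", code)

def declared_extensions(code):
    m = re.search(r"\bextensions\s*\[([^\]]*)\]", code, re.IGNORECASE)
    return m.group(1).split() if m else []

def procedure_body(code, name):
    # Match "to <name> ... end" (or to-report); NetLogo keywords are case-insensitive.
    pat = r"\bto(?:-report)?\s+" + re.escape(name) + r"\b(.*?)\bend\b"
    m = re.search(pat, code, re.IGNORECASE | re.DOTALL)
    return m.group(1).strip() if m else None

def inspect_model(nlogo_text):
    code = strip_comments(code_section(nlogo_text))
    exts = declared_extensions(code)
    startup = procedure_body(code, "startup")
    findings = [f"non-bundled extension: {e}" for e in exts if e.lower() not in BUNDLED]
    if startup is not None:
        findings.append("startup procedure present (runs automatically when the model opens)")
        findings += [f"startup uses {p}" for p in WATCH if p in startup.lower()]
    return {"extensions": exts, "startup": startup, "findings": findings}
```

Run it over a model file's contents before opening it in NetLogo; an empty findings list means no non-bundled extensions and no startup procedure were found.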