Which of the functions from the base
R package would you let a malicious user run?
There are 1281 functions in the base
package version 3.4.4.
What functions would you want to prevent a malicious user from running?
This post is going doing a (very rough) first pass over what’s in the base
package and do some (lazy, half-arsed!) classification of some functions into safe(?) and unsafe(?). Note the presence of the (?) to indicate that I’m just roughing out some classifications here and I’m not actually assuming any function is perfectly safe or unsafe!
Reasons for not letting someone access a function
I would like to restrict access to functions as I’d like to restrict access to
- My resources
- CPU
- RAM
- Filesystem
- Network
- My information
- Files
- Other objects in the R environment
Unsafe(?) functions: Those which access the system
Lots of functions to access the underlying system that R is running on. Most seem to have sys in their name. The key culprit is system
which is the holy grail of unsafe functions.
sys_funcs <- grep('(sys)', base_funcs, ignore.case = TRUE, value = TRUE)
sys_funcs
[1] ".First.sys" "R_system_version" "sys.call"
[4] "sys.calls" "Sys.chmod" "Sys.Date"
[7] "sys.frame" "sys.frames" "sys.function"
[10] "Sys.getenv" "Sys.getlocale" "Sys.getpid"
[13] "Sys.glob" "Sys.info" "sys.load.image"
[16] "Sys.localeconv" "sys.nframe" "sys.on.exit"
[19] "sys.parent" "sys.parents" "Sys.readlink"
[22] "sys.save.image" "Sys.setenv" "Sys.setFileTime"
[25] "Sys.setlocale" "Sys.sleep" "sys.source"
[28] "sys.status" "Sys.time" "Sys.timezone"
[31] "Sys.umask" "Sys.unsetenv" "Sys.which"
[34] "system" "system.file" "system.time"
[37] "system2"
Unsafe(?) functions: Those which appear to access the filesystem based upon their name
If the function name contains file
, read
, write
then you can be pretty sure it’s going to hit the filesystem.
file_funcs <- grep('(file|read|write|save|load|conn)', base_funcs, ignore.case = TRUE, value = TRUE)
file_funcs
[1] ".readRDS" ".saveRDS" "autoload"
[4] "autoloader" "bzfile" "close.connection"
[7] "close.srcfile" "close.srcfilealias" "closeAllConnections"
[10] "dyn.load" "dyn.unload" "env.profile"
[13] "file" "file.access" "file.append"
[16] "file.choose" "file.copy" "file.create"
[19] "file.exists" "file.info" "file.link"
[22] "file.mode" "file.mtime" "file.path"
[25] "file.remove" "file.rename" "file.show"
[28] "file.size" "file.symlink" "flush.connection"
[31] "getAllConnections" "getConnection" "getLoadedDLLs"
[34] "gzfile" "is.loaded" "isNamespaceLoaded"
[37] "lazyLoad" "lazyLoadDBexec" "lazyLoadDBfetch"
[40] "library.dynam.unload" "list.files" "load"
[43] "loadedNamespaces" "loadingNamespaceInfo" "loadNamespace"
[46] "memory.profile" "open.connection" "open.srcfile"
[49] "open.srcfilealias" "open.srcfilecopy" "parseNamespaceFile"
[52] "print.connection" "print.srcfile" "rawConnection"
[55] "rawConnectionValue" "read.dcf" "readBin"
[58] "readChar" "readline" "readLines"
[61] "readRDS" "readRenviron" "save"
[64] "save.image" "saveRDS" "seek.connection"
[67] "showConnections" "socketConnection" "srcfile"
[70] "srcfilealias" "srcfilecopy" "summary.connection"
[73] "summary.srcfile" "sys.load.image" "Sys.readlink"
[76] "sys.save.image" "Sys.setFileTime" "system.file"
[79] "tempfile" "textConnection" "textConnectionValue"
[82] "truncate.connection" "unloadNamespace" "write"
[85] "write.dcf" "writeBin" "writeChar"
[88] "writeLines" "xzfile"
Unsafe(?) functions: Those which appear to access the filesystem based upon their arguments
There are also functions which take a filename or a connection, which means they also access the filesystem.
file2_funcs <- formal_arg_names %>%
keep(~any(c('file', 'filename', 'open', 'con') %in% .x)) %>%
names()
file2_funcs
[1] ".getRequiredPackages" "bzfile" "cat"
[4] "close" "close.connection" "close.srcfile"
[7] "close.srcfilealias" "dget" "dput"
[10] "dump" "fifo" "file"
[13] "flush" "flush.connection" "gzcon"
[16] "gzfile" "isatty" "isIncomplete"
[19] "isOpen" "isSeekable" "load"
[22] "open" "open.connection" "open.srcfile"
[25] "open.srcfilealias" "open.srcfilecopy" "parse"
[28] "pipe" "rawConnection" "rawConnectionValue"
[31] "read.dcf" "readBin" "readChar"
[34] "readLines" "readRDS" "save"
[37] "save.image" "saveRDS" "scan"
[40] "seek" "seek.connection" "sink"
[43] "socketConnection" "source" "srcfile"
[46] "srcfilealias" "srcfilecopy" "sys.source"
[49] "textConnection" "textConnectionValue" "truncate"
[52] "truncate.connection" "unz" "url"
[55] "write" "write.dcf" "writeBin"
[58] "writeChar" "writeLines" "xzfile"
Unsafe(?) functions: Those which appear to access package internals based upon their arguments
internal_funcs <- formal_arg_names %>%
keep(~any(c('package', 'lib.loc', 'useImports', 'handlers') %in% .x)) %>%
names()
internal_funcs
[1] ".Defunct" ".Deprecated"
[3] ".getRequiredPackages" ".getRequiredPackages2"
[5] ".packages" "autoload"
[7] "autoloader" "find.package"
[9] "library" "library.dynam"
[11] "loadNamespace" "packageHasNamespace"
[13] "parseNamespaceFile" "path.package"
[15] "registerS3methods" "require"
[17] "requireNamespace" "system.file"
[19] "taskCallbackManager"
Unsafe(?) functions: Those which appear to access R internals based upon their name
internal2_funcs <- grep('(gc)', base_funcs, ignore.case = TRUE, value = TRUE)
internal2_funcs
[1] "gc" "gc.time" "gcinfo" "gctorture" "gctorture2"
Unsafe(?) functions: Those which change the global state.
An example of a function which can change global state even when evaluated within a restricted environment is graphcis::par
.
I haven’t gone looking in the base
package for similar.
Unsafe(?) functions: Those which start with a .
I have no idea what most of these are for!
dot_funcs <- grep('^\\.', base_funcs, ignore.case = TRUE, value = TRUE)
dot_funcs
[1] ".__H__.cbind" ".__H__.rbind"
[3] "..getNamespace" ".amatch_bounds"
[5] ".amatch_costs" ".bincode"
[7] ".C" ".cache_class"
[9] ".Call" ".Call.graphics"
[11] ".colMeans" ".colSums"
[13] ".decode_numeric_version" ".Defunct"
[15] ".deparseOpts" ".Deprecated"
[17] ".detach" ".difftime"
[19] ".doTrace" ".dynLibs"
[21] ".encode_numeric_version" ".expand_R_libs_env_var"
[23] ".External" ".External.graphics"
[25] ".External2" ".find.package"
[27] ".First.sys" ".format.zeros"
[29] ".Fortran" ".getNamespace"
[31] ".getNamespaceInfo" ".getRequiredPackages"
[33] ".getRequiredPackages2" ".gt"
[35] ".gtn" ".handleSimpleError"
[37] ".Internal" ".isMethodsDispatchOn"
[39] ".isOpen" ".kappa_tri"
[41] ".kronecker" ".libPaths"
[43] ".make_numeric_version" ".makeMessage"
[45] ".mapply" ".maskedMsg"
[47] ".mergeExportMethods" ".mergeImportMethods"
[49] ".NotYetImplemented" ".NotYetUsed"
[51] ".OptRequireMethods" ".packages"
[53] ".packageStartupMessage" ".path.package"
[55] ".POSIXct" ".POSIXlt"
[57] ".Primitive" ".primTrace"
[59] ".primUntrace" ".readRDS"
[61] ".rmpkg" ".row_names_info"
[63] ".rowMeans" ".rowSums"
[65] ".saveRDS" ".Script"
[67] ".set_row_names" ".signalSimpleWarning"
[69] ".standard_regexps" ".subset"
[71] ".subset2" ".TAOCP1997init"
[73] ".traceback" ".tryResumeInterrupt"
[75] ".valid.factor"
What’s left?
After this triage of ‘unsafe’ funcs, there’s still over 1052 functions still to go!
Safe(?) functions: as.*
functions
as_funcs <- grep('^as\\.', leftover_funcs, ignore.case = TRUE, value = TRUE)
as_funcs
[1] "as.array" "as.array.default"
[3] "as.call" "as.character"
[5] "as.character.condition" "as.character.Date"
[7] "as.character.default" "as.character.error"
[9] "as.character.factor" "as.character.hexmode"
[11] "as.character.numeric_version" "as.character.octmode"
[13] "as.character.POSIXt" "as.character.srcref"
[15] "as.complex" "as.data.frame"
[17] "as.data.frame.array" "as.data.frame.AsIs"
[19] "as.data.frame.character" "as.data.frame.complex"
[21] "as.data.frame.data.frame" "as.data.frame.Date"
[23] "as.data.frame.default" "as.data.frame.difftime"
[25] "as.data.frame.factor" "as.data.frame.integer"
[27] "as.data.frame.list" "as.data.frame.logical"
[29] "as.data.frame.matrix" "as.data.frame.model.matrix"
[31] "as.data.frame.noquote" "as.data.frame.numeric"
[33] "as.data.frame.numeric_version" "as.data.frame.ordered"
[35] "as.data.frame.POSIXct" "as.data.frame.POSIXlt"
[37] "as.data.frame.raw" "as.data.frame.table"
[39] "as.data.frame.ts" "as.data.frame.vector"
[41] "as.Date" "as.Date.character"
[43] "as.Date.date" "as.Date.dates"
[45] "as.Date.default" "as.Date.factor"
[47] "as.Date.numeric" "as.Date.POSIXct"
[49] "as.Date.POSIXlt" "as.difftime"
[51] "as.double" "as.double.difftime"
[53] "as.double.POSIXlt" "as.environment"
[55] "as.expression" "as.expression.default"
[57] "as.factor" "as.function"
[59] "as.function.default" "as.hexmode"
[61] "as.integer" "as.list"
[63] "as.list.data.frame" "as.list.Date"
[65] "as.list.default" "as.list.environment"
[67] "as.list.factor" "as.list.function"
[69] "as.list.numeric_version" "as.list.POSIXct"
[71] "as.logical" "as.logical.factor"
[73] "as.matrix" "as.matrix.data.frame"
[75] "as.matrix.default" "as.matrix.noquote"
[77] "as.matrix.POSIXlt" "as.name"
[79] "as.null" "as.null.default"
[81] "as.numeric" "as.numeric_version"
[83] "as.octmode" "as.ordered"
[85] "as.package_version" "as.pairlist"
[87] "as.POSIXct" "as.POSIXct.date"
[89] "as.POSIXct.Date" "as.POSIXct.dates"
[91] "as.POSIXct.default" "as.POSIXct.numeric"
[93] "as.POSIXct.POSIXlt" "as.POSIXlt"
[95] "as.POSIXlt.character" "as.POSIXlt.date"
[97] "as.POSIXlt.Date" "as.POSIXlt.dates"
[99] "as.POSIXlt.default" "as.POSIXlt.factor"
[101] "as.POSIXlt.numeric" "as.POSIXlt.POSIXct"
[103] "as.qr" "as.raw"
[105] "as.single" "as.single.default"
[107] "as.symbol" "as.table"
[109] "as.table.default" "as.vector"
[111] "as.vector.factor"
Safe(?) functions: *apply
functions
apply_funcs <- grep('apply', leftover_funcs, ignore.case = TRUE, value = TRUE)
apply_funcs
[1] "apply" "eapply" "lapply" "mapply" "rapply" "sapply" "tapply" "vapply"
Safe(?) functions: print.*
functions
print_funcs <- grep('^print', leftover_funcs, ignore.case = TRUE, value = TRUE)
print_funcs
[1] "print" "print.AsIs"
[3] "print.by" "print.condition"
[5] "print.data.frame" "print.Date"
[7] "print.default" "print.difftime"
[9] "print.Dlist" "print.DLLInfo"
[11] "print.DLLInfoList" "print.DLLRegisteredRoutines"
[13] "print.eigen" "print.factor"
[15] "print.function" "print.hexmode"
[17] "print.libraryIQR" "print.listof"
[19] "print.NativeRoutineList" "print.noquote"
[21] "print.numeric_version" "print.octmode"
[23] "print.packageInfo" "print.POSIXct"
[25] "print.POSIXlt" "print.proc_time"
[27] "print.restart" "print.rle"
[29] "print.simple.list" "print.srcref"
[31] "print.summary.table" "print.summaryDefault"
[33] "print.table" "print.warnings"
assign funcs
[1] "[[<-" "[[<-.data.frame"
[3] "[[<-.factor" "[[<-.numeric_version"
[5] "[<-" "[<-.data.frame"
[7] "[<-.Date" "[<-.factor"
[9] "[<-.numeric_version" "[<-.POSIXct"
[11] "[<-.POSIXlt" "@<-"
[13] "<-" "<<-"
[15] "$<-" "$<-.data.frame"
[17] "attr<-" "attributes<-"
[19] "body<-" "class<-"
[21] "colnames<-" "comment<-"
[23] "diag<-" "dim<-"
[25] "dimnames<-" "dimnames<-.data.frame"
[27] "Encoding<-" "environment<-"
[29] "formals<-" "is.na<-"
[31] "is.na<-.default" "is.na<-.factor"
[33] "is.na<-.numeric_version" "length<-"
[35] "length<-.factor" "levels<-"
[37] "levels<-.factor" "mode<-"
[39] "mostattributes<-" "names<-"
[41] "names<-.POSIXlt" "oldClass<-"
[43] "parent.env<-" "regmatches<-"
[45] "row.names<-" "row.names<-.data.frame"
[47] "row.names<-.default" "rownames<-"
[49] "split<-" "split<-.data.frame"
[51] "split<-.default" "storage.mode<-"
[53] "substr<-" "substring<-"
[55] "units<-" "units<-.difftime"
Non-alpha funcs
[1] "-" "-.Date" "-.POSIXt"
[4] ":" "::" ":::"
[7] "!" "!.hexmode" "!.octmode"
[10] "!=" "(" "["
[13] "[.AsIs" "[.data.frame" "[.Date"
[16] "[.difftime" "[.Dlist" "[.factor"
[19] "[.hexmode" "[.listof" "[.noquote"
[22] "[.numeric_version" "[.octmode" "[.POSIXct"
[25] "[.POSIXlt" "[.simple.list" "[.table"
[28] "[.warnings" "[[" "[[.data.frame"
[31] "[[.Date" "[[.factor" "[[.numeric_version"
[34] "[[.POSIXct" "{" "@"
[37] "*" "*.difftime" "/"
[40] "/.difftime" "&" "&.hexmode"
[43] "&.octmode" "&&" "%*%"
[46] "%/%" "%%" "%in%"
[49] "%o%" "%x%" "^"
[52] "+" "+.Date" "+.POSIXt"
[55] "<" "<=" "="
[58] "==" ">" ">="
[61] "|" "|.hexmode" "|.octmode"
[64] "||" "~" "$"
[67] "$.data.frame" "$.DLLInfo" "$.package_version"
Functions which seem safe(?)
math_funcs <- c('sin', 'cos', 'tan',
'acos', 'asin', 'atan', 'atan2',
'sinpi', 'cospi', 'tanpi',
'exp', 'expm1',
'log', 'logb', 'log10', 'log2')
object_funcs <- c('logical', 'as.logical', 'is.logical',
'integer', 'as.integer', 'is.integer',
'numeric', 'as.numeric', 'is.numeric',
'double' , 'as.double' , 'is.double' ,
'single' , 'as.single' , 'is.single',
'complex', 'as.complex', 'is.complex',
'structure',
'c', 'list', 'data.frame', 'complex')
complex_funcs <- c('Re', 'Im', 'Mod', 'Arg', 'Conj')
seq_funcs <- c(':', 'seq', 'seq.int', 'seq_along', 'seq_len')
plot_funcs <- c('plot', 'points', 'lines', 'title', 'legend', 'points.formula')
flow_control_funcs <- c('if', 'for', 'while', 'repeat', 'break', 'next')
Conclusion
So many functions. So many ways for a malicious user to abuse the system.
And this was only the base
package!
Appendix: sandboxr
’s list of blacklisted functions from base
For comparison, the sandboxR
package contains some blacklists for various core R packages.
Here is its list of functions it blacklists from the base package
Share this post
Twitter
Google+
Facebook
Reddit
LinkedIn
StumbleUpon
Pinterest
Email