Maple Engine Security - Maple Programming Help

Online Help

All Products    Maple    MapleSim


Home : Support : Online Help : Configure Maple : Customize the Maple System : Configure Maple Engine Security Settings : EngineSecurity

Maple Engine Security

Overview of security features in the Maple engine

 

Description

Security Model Overview

Categories of Controlled Operations

Security Settings

Summary of Controlled Operations

Description

• 

Through library and built-in functions, the Maple language provides full access to the computer on which it is running. This access is limited only by the privileges of the user who started the engine. However, this user may wish to restrict the capabilities of the Maple language in certain situations, such as when executing untrusted code, or in the context of MapleNet. Maple engine security can be used to restrict the read, write, external calling, and system calling privileges of the Maple language.

Security Model Overview

• 

In the Maple engine, security is implemented as a collection of lists that describe which files and directories are permitted for certain operations. These operations have been grouped into categories. Associated with each category are two lists of patterns (file specifications); one represents the list of permitted files and the other represents the list of restricted files.

• 

With security enabled, when an operation on a file is attempted, the Maple engine tests the file against associated lists to determine if the action is permitted.

Categories of Controlled Operations

• 

Potentially unsafe operations performed by the Maple engine have been divided into the following categories:

1. 

(read) reading of files or directories

2. 

(write) writing to files or directories

3. 

(extcall) loading of files for execution through an external call

4. 

(syscall) other commands that are potentially dangerous

• 

Operations in categories (1), (2), and (3) are controlled by lists of patterns (file specifications) that specify which files can be written, read, and executed through an external call.

Category (1) is controlled by the security settings SECURE_READ_LIST and SECURE_NOREAD_LIST.

Category (2) is controlled by the security settings SECURE_WRITE_LIST and SECURE_NOWRITE_LIST.

Category (3) is controlled by the security settings SECURE_EXTCALL_LIST and SECURE_NOEXTCALL_LIST.

Each of these settings contains a list of file specifications. For a description of valid file specifications, see the File Specifications for Maple Engine Security help page.

• 

Category (4) is controlled by the security setting SECURE_SYSCALL_ENABLED. The entire group of operations in category (4) can only be enabled or disabled as a whole.

Security Settings

• 

The security settings are stored in the Maple engine as follows:

SECURE_READ_LIST

list of file specifications for permitted read operations

SECURE_NOREAD_LIST

list of file specifications for restricted read operations

SECURE_WRITE_LIST

list of file specifications for permitted write operations

SECURE_NOWRITE_LIST

list of file specifications for restricted write operations

SECURE_EXTCALL_LIST

list of file specifications for permitted external call libraries

SECURE_NOEXTCALL_LIST

list of file specifications for restricted external call libraries

SECURE_SYSCALL_ENABLED

Boolean flag for enabling/disabling calls to system and ssystem

SECURE_MODE

Boolean flag for enabling/disabling security

• 

To view the current security settings, you can use the command Security:-Config().

• 

Maple engine security settings can be configured either through command line options or through the GUI interface.

• 

For information on how to configure security setting through the GUI interface, see the GUI Configuration of Maple Engine Security help page.

• 

For information on how to configure security settings through command line options, see the Command-line Configuration of Maple Engine Security help page.

Summary of Controlled Operations

Read Operations

• 

In general, any operation that attempts to open a file for read will be affected by the read settings. This includes (but is not restricted to):

– 

library read operations performed explicitly through march or implicitly through libname

– 

reading of Maple source files or Maple internal format files through either the read command or implicitly by referencing specific names

– 

read operations in the FileTools package

• 

For these operations, if the file is deemed readable, the operation is permitted.

Write Operations

• 

In general, any operation that attempts to open a file for writing will be affected by the write settings. This includes (but is not restricted to):

– 

library save operations performed explicitly through march or implicitly through libname

– 

write operations in the FileTools package

– 

appendto or writeto

• 

For these operations, if the file is deemed writable, the operation is permitted.

External Call Operations

• 

All define_external commands are affected by the extcall settings.

• 

For all languages other than Java, if the library argument is deemed loadable, the operation will be permitted.

• 

For Java external calls, if all classpath elements are deemed loadable, the operation is permitted.

System Operations

• 

In general, any operation that interrogates the underlying system or relies on it to evaluate arbitrary commands will be affected by the syscall setting. This includes (but is not restricted to):

– 

system and ssystem

– 

Compiler (which relies on system)

– 

currentdir

– 

fopen commands using pipes or processes

• 

For these operations, if syscalls are enabled, the operation is permitted.

See Also

EngineSecurity,CLIConfig

EngineSecurity,FileSpec

EngineSecurity,GUIConfig

Security

 


Download Help Document

Was this information helpful?



Please add your Comment (Optional)
E-mail Address (Optional)
What is ? This question helps us to combat spam