[visit-users] Building 1.11.1 svn 5827 problem

Meredith, Jeremy S. jsmeredith at ornl.gov
Fri Apr 3 16:43:04 EDT 2009


It should be at least as secure as any other user-space application that uses sockets.  Basically, VisIt comprises several UNIX processes, and they talk to each other using sockets.  But, the critical thing here is a security key -- we generate a random key that's different for each process launch, and it's passed over the encrypted SSH connection to the remote process, which is then expected to hand that back when connecting.  In fact, the connection works backwards from what you might expect -- your local process is the one that listens for incoming connections.  This is good on one hand because the local process is always the one making requests of the remote process, so if an attacker managed to spoof our protocol and somehow get the encrypted security key, there's still nothing useful he could really do.  And since this is all running in user space, not some system daemon, even an attack that somehow gets past all that and manages to get access to your system is not in a privileged account.

If it helps, this was good enough to get approval from the security specialists at the DOE Labs.

--
Jeremy Meredith
Oak Ridge National Laboratory


> -----Original Message-----
> From: Daniel S Spicer [mailto:dsspicer1 at comcast.net]
> Sent: Friday, April 03, 2009 4:23 PM
> To: VisIt software users community
> Subject: Re: [visit-users] Building 1.11.1 svn 5827 problem
> 
> I was just talking to my one and only system guy and he wants to know
> how Visit is using ports before he messes with my machine. Can you
> enlighten me since he thinks this may be a security problem.
> 
> Thanks,
> 
> Dan
> 
> 
> On Fri, 2009-04-03 at 14:40 -0400, Meredith, Jeremy S. wrote:
> > Are you getting any errors printed to the console?  E.g. something
> about GLX?  (A quick scan through previous error reports shows this as
> one problem that can cause a hang at 98%.)
> >
> > Also, if possible, you might double-check to see if you have ports
> 5600-5610 not blocked by a firewall, just in case it's a networking
> issue.
> >
> > Ah, yes, I see Brad suggested -noconfig and -nowin.  Those are good
> things to try, too.
> >
> > --
> > Jeremy Meredith
> > Oak Ridge National Laboratory
> >
> >
> > > -----Original Message-----
> > > From: Daniel S Spicer [mailto:dsspicer1 at comcast.net]
> > > Sent: Friday, April 03, 2009 2:32 PM
> > > To: VisIt software users community
> > > Subject: Re: [visit-users] Building 1.11.1 svn 5827 problem
> > >
> > > Actually I missed looking into mdserver.1.vlog and found
> > > Loaded full database plugin ZipWrapper version 1.0
> > >  74 Exception: (LostConnectionException) SocketConnection.C, line
> 159:
> > > <The reason for the exception was not described>
> > >  75 catch(LostConnectionException) MDServerApplication.C:288
> > >  76 MDSERVER exited.
> > >
> > >
> > >
> > >
> > > On Fri, 2009-04-03 at 13:53 -0400, Sean Ahern wrote:
> > > > Daniel S Spicer wrote:
> > > > > I have successfully built Visit 1.11.1 svn 5827 on a Intel i7
> with
> > > 8GB
> > > > > of DDR3 memory running Fedora 10. However, when I bring it up
> for
> > > the
> > > > > first time it seems to hang during the "Creating plugin
> > > Windows".OPening
> > > > > window is always at 98% completed. Any suggestions how to
> resolve
> > > this
> > > > > problem? The machine builds Visit in about 20minutes so I'm
> willing
> > > to
> > > > > try another build.
> > > >
> > > > Turn on the debug logs and see what they tell you.
> > > >
> > > > See these two pages:
> > > >
> > > > http://visitusers.org/index.php?title=UserDebug
> > > >
> > > > http://visitusers.org/index.php?title=Debug_logs
> > > >
> > > > -Sean
> > > >
> > > > __
> > > > Sean Ahern
> > > > Oak Ridge National Laboratory
> > > > 865-241-3748
> > > > AIM: ornlsean
> > > > --
> > > > List subscription information:
> > > https://email.ornl.gov/mailman/listinfo/visit-users
> > > > Searchable list archives: https://email.ornl.gov/pipermail/visit-
> > > users
> > > > VisIt Users Wiki: http://visitusers.org/
> > > > Frequently Asked Questions for VisIt:
> http://visit.llnl.gov/FAQ.html
> > > >
> > >
> > > --
> > > List subscription information:
> > > https://email.ornl.gov/mailman/listinfo/visit-users
> > > Searchable list archives: https://email.ornl.gov/pipermail/visit-
> users
> > > VisIt Users Wiki: http://visitusers.org/
> > > Frequently Asked Questions for VisIt:
> http://visit.llnl.gov/FAQ.html
> >
> > --
> > List subscription information:
> https://email.ornl.gov/mailman/listinfo/visit-users
> > Searchable list archives: https://email.ornl.gov/pipermail/visit-
> users
> > VisIt Users Wiki: http://visitusers.org/
> > Frequently Asked Questions for VisIt: http://visit.llnl.gov/FAQ.html
> >
> 
> --
> List subscription information:
> https://email.ornl.gov/mailman/listinfo/visit-users
> Searchable list archives: https://email.ornl.gov/pipermail/visit-users
> VisIt Users Wiki: http://visitusers.org/
> Frequently Asked Questions for VisIt: http://visit.llnl.gov/FAQ.html



More information about the visit-users mailing list