NetLogo and security - NetLogo/NetLogo GitHub Wiki
Occasionally, we receive questions about the security of NetLogo. Like any programming environment, NetLogo certainly has the potential for abuse and insecurity. Programming languages like NetLogo are designed to be able to do a variety of tasks, including many tasks which might be "dangerous", because danger is often a matter of context. Writing text to a file is typically innocent, but if the file already contains valuable data, overwriting that data becomes a malicious act. The information on this page is designed to help users understand what NetLogo does behind the scenes as well as the potential risks and ways to mitigate these risks.
Terminology
When discussing software security, it's worth considering the level of risk that can be tolerated. Some systems are much more valuable than others and will have correspondingly lower risk thresholds. While there are a lot of ways this can be divided up, this page will consider three tiers of security-consciousness:
- Elevated: A system in which a security breach would cost large amounts of time or money, or would affect life-critical systems. Examples of these systems include database servers and computers connected to critical control systems.
- Normal: A system in which a security breach may cost time or money. Most personal computers would fall under this category if they contain unencrypted sensitive information or the data they contain is not backed up properly.
- Low: A system in which a security breach would be an annoyance or inconvenience. Computers which are wiped on logon/logoff or one-time use cloud systems (with no important data) fall into this category.
NetLogo Security Risks
NetLogo As Installed
If you only plan to install NetLogo and run library models, the security threat posed by NetLogo is very low. The library models included with NetLogo are not malicious. Out of the box, NetLogo (including bundled extensions and library models) can:
- Open network connections (for HubNet)
- Overwrite user files (when prompted or running appropriate NetLogo code. We don't do this in any library models without asking the user first)
- Open and use a computer's webcam
- Start additional Java processes (running extension code)
If you use the R Extension or Mathematica Link, the security risk is higher due to the power of interfacing with these more fully general-purpose programming environments.
NetLogo and Extensions
NetLogo gets considerably more powerful when using various extensions listed on the Extensions page. These extensions enhance the capabilities of NetLogo to perform the following tasks (among others):
- Open and use a database connection
- Create arbitrary processes (shell out)
- Overwrite user files
NetLogo and Malicious Extensions
Malicious extensions need not be installed to NetLogo's extension directory to be used by models. NetLogo loads extensions from the folder in which a model resides, so it is possible for a malicious model in a zip file to provide a malicious extension along with NetLogo code. NetLogo extensions are not signed, so the NetLogo code could even appear to be using a built-in or pre-installed extension. Malicious extensions could theoretically do any of the following:
- Create arbitrary processes (shell out)
- Change system settings
- Open arbitrary Java code
- Load and run native libraries
NetLogo Startup
Malicious models pose a substantial risk due to the startup procedure, which is always run as the NetLogo model is opened. This procedure runs without user intervention, but is capable of doing anything that any other NetLogo procedure can do. When reviewing a new model before opening, look carefully at what a startup procedure does.
Risk Mitigation
Mitigation steps are organized by the level of security-consciousness. It is recommended that users follow all of the precautions listed under "Normal".
Low
- Run the latest version of NetLogo. Since NetLogo 5.3, we've bundled the latest version of Java available (at the time that version was built) with each new release, ensuring that every release contains Java patches and fixes.
- Download NetLogo only from https://ccl.northwestern.edu/netlogo (we don't publish checksums, but we're happy to provide them upon request).
- Never run NetLogo with elevated (root/admin) privileges.
Normal
- Follow all precautions listed above under "Low"
- Consider using NetLogo Web to run or distribute your model. It replicates many of the language features of NetLogo Desktop faithfully and is continuing to grow and improve. Because modern browsers have a rigorous JavaScript sandbox, NetLogo Web models pose virtually no security risk.
- Be very cautious when opening a model from a user you don't know. If you're unsure what a model does or what extensions it uses, ".nlogo" files should be opened for inspection using a text editor before opening them in NetLogo. In addition to looking at what extensions an unknown model loads, look carefully at whether the model contains a startup procedure and what that procedure does.
- Treat models which load non-bundled extensions with caution.
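The text-editor inspection recommended above, covering both the extensions a model declares and its startup procedure, can be scripted so that an unknown model is triaged before it is opened in NetLogo. This is an added example, not code from the NetLogo project; the `BUNDLED` allowlist, the sample model, and the on-disk layout checked for a model-local extension are assumptions to adjust for your installation.

```python
import re
from pathlib import Path

SECTION_SEP = "@#$#@#$#@"        # ends the Code tab inside a .nlogo file
BUNDLED = {"csv", "table"}       # assumption: names you accept as bundled
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|;[^\n]*|[\[\]()]|[^\s\[\]()";]+')
SAMPLE = '''extensions [ table Helper ]  ; constructed sample model
to StartUp
  file-open "results.txt"  ; runs when the model is opened
end
to setup clear-all end
@#$#@#$#@
GRAPHICS-WINDOW
'''

def tokens(model_text):
    """Code-tab tokens, lower-cased (NetLogo ignores case); comments dropped."""
    code = model_text.split(SECTION_SEP, 1)[0]
    return [t if t.startswith('"') else t.lower()
            for t in TOKEN.findall(code) if not t.startswith(";")]

def declared_extensions(toks):
    """Names listed in every `extensions [ ... ]` declaration."""
    names = []
    for i, t in enumerate(toks[:-1]):
        if t == "extensions" and toks[i + 1] == "[":
            close = toks.index("]", i) if "]" in toks[i:] else len(toks)
            names += toks[i + 2:close]
    return names

def startup_body(toks):
    """Body of the `startup` procedure as text, or None when there is none."""
    for i, t in enumerate(toks[:-1]):
        if t == "to" and toks[i + 1] == "startup":
            rest = toks[i + 2:]
            return " ".join(rest[:rest.index("end")] if "end" in rest else rest)
    return None

def in_model_folder(model_path, names):
    """Declared extensions that have a copy beside the model.
    Assumed layout: <model dir>/<name>/ or <model dir>/<name>.jar."""
    d = Path(model_path).parent
    return sorted(n for n in names if (d / n).is_dir() or (d / f"{n}.jar").is_file())

def review(model_path, bundled=BUNDLED):
    toks = tokens(Path(model_path).read_text(encoding="utf-8", errors="replace"))
    exts = declared_extensions(toks)
    return {"extensions": exts, "not_bundled": sorted(set(exts) - set(bundled)),
            "in_model_folder": in_model_folder(model_path, exts),
            "startup": startup_body(toks)}
```

A non-empty `in_model_folder` result deserves attention even when the name is on the bundled list, since an unsigned extension shipped with the model can carry a familiar name.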
Elevated
- In general, avoid running NetLogo
- If you must run NetLogo, follow all precautions listed under "Normal"
- If you must run NetLogo on a security-critical system, sandbox NetLogo using OS-level tools, just as you would for any other "potentially dangerous" program. Here are some general ways you might do that:
  - Create a separate user just to run NetLogo. This ensures that NetLogo will not have access to your user files.
  - (Linux only) Run NetLogo in an LXC or Docker container or in a chroot environment.
  - Run NetLogo on a virtual machine. NetLogo will run quite happily in a minimal Linux VM (we test on Ubuntu) set up inside VirtualBox or VMware. VirtualBox is free and easy to use.