Project Jupyter Security Subproject

Hi everyone! We’d like to announce the formation of a new Jupyter Subproject to manage and handle the different security-related aspects of the project. The group’s team compass will reside here: GitHub - jupyter/security

Rick Wagner and Rollin Thomas have been working in this space including a community workshop about security and this is the next step in forming a coherent project-wide place to handle issues that arise.

They will be making the rounds to different community calls to announce this initiative and to recruit people to join. Thanks so much for taking this on!

11 Likes

I just wanted to add to this a big thank you to Rollin, Rick and others who stepped up to organize a more public/structured effort on this topic. For years many on the team have done a quiet but intense amount of work handling security concerns (@carreau, @minrk, @takluyver deserve special kudos for lots of fast-response events!), but we really need to have a more visible and understandable landing point for this topic.

Everyone interested in this topic should feel free to ping here, or open issues in the repo, to start participating! This is not a closed effort, quite the opposite, so we hope nobody feels left out. We simply jumped on the opportunity that Rollin came to the Friday governance call and decided to quickly put up the scaffolding (github repo and team, and this thread) for others to aggregate.

Thanks again, both to all who have done so much hard in the past, and to Rollin and Rick for stepping up now.

We look forward to the upcoming Jupyter Community Workshop on Security as a great rallying point for all interested parties. They will follow up with more details.

4 Likes

A few resources for this thread or issue 2+ in the new repo:

From NIST Samate – Source Code Security Analyzers | Hacker News :

Additional lists of static analysis, dynamic analysis, SAST, DAST, and other source code analysis tools:

OWAP > Source Code Analysis Tools: Source Code Analysis Tools | OWASP

https://analysis-tools.dev/ (supports upvotes and downvotes)

analysis-tools-dev/static-analysis: GitHub - analysis-tools-dev/static-analysis: A curated list of static analysis (SAST) tools for all programming languages, config files, build tools, and more.

analysis-tools-dev/dynamic-analysis: GitHub - analysis-tools-dev/dynamic-analysis: A curated list of dynamic analysis tools for all programming languages, binaries, and more.

devsecops/awesome-devsecops: GitHub - devsecops/awesome-devsecops: An authoritative list of awesome devsecops tools with the help from community experiments and contributions. , GitHub - TaptuIT/awesome-devsecops: Curating the best DevSecOps resources and tooling.

kai5263499/awesome-container-security: GitHub - kai5263499/awesome-container-security: Awesome list of resources related to container security

DevOps - Wikipedia

DevSecOps is an augmentation of DevOps to allow for security practices to be integrated into the DevOps approach. The traditional centralised security team model must adopt a federated model allowing each delivery team the ability to factor in the correct security controls into their DevOps practices.

awesome-safety-critical: awesome-safety-critical — awesome-safety-critical 0.1 documentation

2 Likes

Possible topics for discussion:

TOPIC: How much security complexity can JupyterLite solve for in moving computation to a tab in the client’s browser? What about remote data?

Methods for remotely accessing/paging data in from a client when a complete download of the dataset is unnecessary:


TOPIC: Launching remote notebooks within my org’s Jupyter resources

FWIU, JupyterLite bundles in jupyter extensions with the static archive build. How is this best done with repo2docker? Will repo2docker always install the latest jupyterlab and dependencies (in a container layer) after the user installs whichever jupyter extensions are specified in e.g. a REES-compatible repo with a requirements.txt, environment.yml, and/or postInstall? Should there be a warning about things being out of date; like pip warns when pip is out of date?

If I deploy notebooks and their dependencies to WASM with JupyterLite like this, how will people then open this repo outside of a browser tab? With repo2docker locally? With a binderhub and/or a jupyterhub and/or locally (possibly with e.g. nbhandler)? With a Rocket Ship launch icon like jupyter-book? With a ‘launch in notebook platform _____’ badge? With a button on {github, gitlab, } that lets users select from various hosted notebook platforms? And then that then trusted code runs in a cloud instance or in a browser tab or locally as a local user with or without monitoring, logging, and [per-opcode] accounting.

pip install --pre jupyterlite
jupyter lite init
jupyter lite build
jupyter lite archive

An action for jupyter-lite just could build archives on GitHub’s resources using your GitHub Actions user/org quotas just like GitHub - jupyterhub/repo2docker-action: GitHub Action for repo2docker builds containers on resource-constrained cloud server vm container instances.


TOPIC: Realtime collaboration and Jupyter Security


TOPIC: Jupyter, Capabilities, and free VMs and/or Containers

e.g. WASM (and thus Jupyter-Lite) does not include raw socket network access (but does support WebSockets and WebRTC). Hosted Jupyter solutions have various policies for free resource quotas and maybe network access. Which of these tasks are realistic needs for Jupyter containers?:

What does Falco check for?
Falco ships with a default set of rules that check the kernel for unusual behavior such as:

  • Privilege escalation using privileged containers
  • Namespace changes using tools like setns
  • Read/Writes to well-known directories such as /etc , /usr/bin , /usr/sbin , etc
  • Creating symlinks
  • Ownership and Mode changes
  • Unexpected network connections or socket mutations
  • Spawned processes using execve
  • Executing shell binaries such as sh , bash , csh , zsh , etc
  • Executing SSH binaries such as ssh , scp , sftp , etc
  • Mutating Linux coreutils executables
  • Mutating login binaries
  • Mutating shadowutil or passwd executables such as shadowconfig , pwck , chpasswd , getpasswd , change , useradd , etc , and others.
1 Like

Many of these blog posts are about Jupyter security:

Are there multiple {CVE, } Identifiers for the various jupyter/, jupyterhub/, and JupyterLab/ accounts?

  • What does OSV have for ?q=“Jupyter”?
  • CVEdetails also lists CWE (Common Weakness Enumeration) numbers; this is a really good security practice for Disclosures/Issues, PullRequests,
    Jupyter : Security vulnerabilities

Will there be a static security page that could be pulled into https://jupyter.org and/or the docs (which already have certs)?

Is there a Bounty program through e.g. HackerOne?
HackerOne - Wikipedia discusses pros/cons

1 Like

Many thanks Fernando, I also want to put highlight Steve silvester contribution, he is often extremely fast at fixing the issues and publishing new releases.

Looking forward to more public work on the security front.

7 Likes

On behalf of Rollin, Tiffany, and myself, I want to share our thanks for this opportunity to help the Jupyter community. In addition to our existing goal of hosting the workshop, we look forward to working with others on how to reduce the risk of using, deploying, operating, or developing Jupyter software.

Like other Jupyter Subprojects, we will establish open and inclusive processes to manage this effort, like a regular community meeting, meeting agendas, minutes, etc. As much as possible, we will join other meetings to learn about the needs of the rest of the community and inform them of this work.

While we establish a routine for the Security Subproject, please continue to post your thoughts and ideas in this topic, or as issues in the Jupyter security repository.

5 Likes

Hi everybody,

We’re looking to start regular meetings on the security topic. We’re proposing to start by holding biweekly “Jupyter Security” meetings on Fridays. I’d like to propose we hold the first such meeting will be Friday, August 13 at 9-10 AM PDT. If we need to change when the meeting happens or how often it does, we can do that. Any thoughts?

We’d like to get this onto the Jupyter calendar, along with virtual meeting coordinates and a HackMD agenda link. Maybe @afshin might be able to point us in the right direction on the calendar and meeting setup?

Discussion about specific technical security issues related to Jupyter is probably not going to be the main focus of the meeting, it seems like that is best handled through other channels, but planning coordination around such issues might be a good topic. What we’re hoping to do is provide a space to have conversations about best security practices for Jupyter and communicating to them to Jupyter stakeholders (users, developers, administrators in various contexts).

3 Likes

I’m trying to get access to the Jupyter Event Calendar.
when I get access to it, I’ll can see with creating a meeting and delegating access to the calendar to more people so that it can be more easily manged.

1 Like

I got access to the Jupyter gmail account but the events seem to not have been created by this account.
Maybe @Zsailer know which account is tied to this calendar ?

1 Like

@rcthomas, I’ve added the meeting to the Jupyter Calendar with a link to the Jupyter Zoom channel. Here’s a prepared hackmd file I’ve also added to the calendar invite: Jupyter Security Bi-weekly Meeting - HackMD

@carreau, pinging you on Gitter to get the Jupyter email account. I can add it to the list of accounts with admin access.

1 Like

Thanks @Zsailer ! I’ve started filling in a few agenda items for the first meeting but others are welcome to contribute!