BOINC and Security

security concerns related to BOINC and its projects

Installation

This is the very most important part of this article, so please be sure to read and follow the instructions in sake of your security! Never run BOINC under the user ID of an administrator, system account, power user, and preferably not even under your own user ID or under an ID of any other real user of your computer!

On Windows machines (at least on XP PRO, 2000, 2003, NT4) you should follow these steps. Older Windows systems or Windows XP Home have limited possibility of protection, but at least at XP Home, you have the possibility to switch to advance directory protection mode (in Windows Explorer options), so you may be able to follow these steps too (I have no XP Home system for testing right now, but will be happy to add XP Home-specific instructions if I get some feedback from other users):

1. Create a new user account specifically for BOINC: Start » Control Panel » User Accounts » Add. Make sure to grant it the lowest possible permissions - depending on the OS version use either the Guests (better) or Users template
2. Assign a strong password to the account (at least 8 characters including some digits and special characters)
3. You can explicitely forbid any access (including read permissions) from all your drives for the BOINC user ID or its group: right click on the drive, select Sharing and Security... » Security, add the BOINC user, enable all checkboxes in the Deny column, click the Advanced button, and enable the checkbox Replace permission entries on all child objects
4. In Windows Explorer, find the BOINC directory (typically C:\Program Files\BOINC\), and in the same way as above, in the security properties allow read/write/modify access to the BOINC user ID. In the Advanced menu, enable also the checkbox for child processes but disable the first checkbox allowing to override inherited permissions.
5. If you do not run BOINC as service, reinstall BOINC with the official installer (it is a very quick proces not taking more than few tens of seconds), making sure it is installed as service in the prepared dir and using the user ID and password you created. I recommend unchecking both launching BOINC Manager at startup and the screensaver (it is unnecessary and just takes resources). You can always start it manually when needed.
6. If you aready use BOINC in service mode, right click on My Computer, select Manage » Services and Applications » Services » BOINC » Log On and enter the new user ID and password. Do not use the Local System Account option! Then restart the service.
7. You should also consider removing the executable permssion for any other user ID than the dedicated user boinc - to avoid mistakenly starting BOINC or project applications under a user ID with higher privileges and giving so the applications unrestricted access to your data and system resources. Removing all permissions of plain users is also important - it can avoid that a virus launched or intruder accessing the computer in a standard user account cannot modify any files within the BOINC directory tree.

1. Create a new user and group boinc with maximally restricted access (nologin): adduser
2. Then change the original ownership to the new one:
   chown -R boinc:boinc /var/db/boinc/
chown -R boinc:boinc /usr/local/lib/boinc/
3. You may setuid the binaries (boinc and projects) to the restricted user ID (though, this is norally not necessary, because if you use the default starting shell script boinc.sh, it already contains the su command for starting the client under the right user ID): chmod 4500 /usr/local/lib/boinc/boinc-client. Though, you can consider changing the permissions to 500 (readable and executable by the owner only), to avoid starting it accidentally manually under another user id.

Remote Control and Monitoring - RPC

When you use the built-in RPC feature for the remote control or monitoring of your computer from other host(s), you need to enable it either by the command line option -allow_remote_gui_rpc or by adding list of allowed host names or IP addresses into the file remote_hosts.cfg. Read more about RPC in BOINC WiKi

The need to protect the RPC access is more important than you may think at the first glance. You may think that if someone gains the RPC access, he can maximally see your results and mess up with your settings. Unfortunately it is not the full truth: an intruder having RPC access to your BOINC client can attach a new project URL - for example one he created himself for this specific purpose, what can be done very easily. The client then downloads the project application from the remote address and launches it. And of course, the application can contain whatever the intruder wishes - keylogger, adware, virus, remote control, proxy server for forwarding hack attacks, password sniffer, FTP server for spreading illegal files, mail server for distributing spam, etc, etc. For this very reason it is extremely important that BOINC runs with very limited privileges in the limited sandbox as explained above, and that the RPC access is limited as much as possible.

For the security, it is definitely better using the remote_hosts.cfg file allowing RPC access to a limited number of hosts only, than opening the RPC port globally to anyone with the command line option. You can use IP addresses, full domain names of the host, or netbios host names. In case of need to allow the access from a host with a dynamic IP address, I recommend using dynamic domain name, such as for example from DynDNS.org (but there are many other providers). When you need to allow the RPC to a bigger number of IP addresses on the same subnet, with the current official client it is quite uncomfortable - you need to list each IP address separately. Therefore I included the possibility to add entire blocks of addresses with the help of network mask. See the description of the feature network masks on the Calibrating BOINC Client page. There is also another feature in the modified client that helps to keep your computer safer in case of using multiple network interfaces (i.e. Ethernet + WiFi): the possibility to limit the RPC access to one network interface only (for example access by Ethernet, but not the WiFi). See the description of the option rpc_port on the Calibrating BOINC Client page

Additionally, you can (and you should) restrict the access to the RPC port in your firewall.

3^rd Party Software - Optimized Clients and Applications

When installing any unofficial clients or project applications, you should be maximally careful. I strongly advice against installing such software from developers who are not willing to share the source code with their modifications, that can be scrutinized and recompiled to compare the resulting binary with the original. If you are installing BOINC on computers that do not belong to you, you should be even more careful, regardless if you do it with permission, and either installing only the official versions, or software self-compiled from the available source code, that you carefully checked, or asked another developer to verify it.

Due to the open character of BOINC (and some projects), it is actually very easy to recompile the clients or applications after adding some malicious or illegal functionality. Such modified software can do just minor damage (like for example resending some work units under the user ID of the author), but it can also contain much more dangerous functionality - Trojan horses, keyloggers, password or email address sniffers, mail servers for spam relaying, remote control, proxy server for crackers/hackers identity hiding, FTP server for distributing illegal files,... and much more. Since BOINC became a very widely used platform, and because it is an Open Source project, you can be sure that sooner or later it will attract the interest of malicious and dishonest people who certainly see the immense potential to abuse it for their possibly illegal activity.

Please note that I do not suggest that such 3^rd party clients or applications already exist. I do not know if they exist, but I consider the probability that they appear for rather high. However, I already do know about dishonest BOINC members not hesitating to abuse the system, writing software for stealth installations on computers without the consent of the owner (see the section BOINC Trojan below), or artificially bloating the benchmarks so that the claimed credit is several times higher than the average, or submitting work units under another user ID - these all are dishonest modifications with the poor intend just to gain more credits. You can certainly imagine that real criminals who are capable to gain millions of dollars with criminal activity such as spamming, stealing CC numbers, phishing, or distributing illegal content, will not hesitate to modify BOINC software if they see it can bring them more profit.

Very likely, common antivirus software would not detect any of such functionality. Some of the illegal activity could be detected by a personal firewall or malware watchdog software if it were carefully configured and monitored by an experienced and vigilant user, but most people would very likely not easily discover anything suspicious at all.

Hence, be careful! Be very careful! Do not use any software from anonymous sources. Do not use software coming from sites with no possibility to track back the owner, or being located in lands with no laws that could protect you. Be maximally careful with sites having no privacy statements, no terms of use, or other legal warranties. Try avoiding downloading any software from authors not offering the source code. And if you are installing software on corporate computers or otherwise sensitive machines, only install official versions, or self-compiled software after carefully studying the source code - or at least looking at the changes from the official version (that's usually not too difficult, and even an average C programmer can do it easily and quickly). Set up your firewall to allow the applications outside connections to the expected servers only (BOINC main server, and the project server), and open only the necessary ports: HTTP port 80 is used for the communication with project servers, and the RPC port does not need to be open, unless you want to control the machine externally.

Also, do not forget to follow the steps and advices shown above in the first part about installation. If BOINC runs under unprivileged user ID in a restricted sandbox, it can reduce the damage of such potentially malicious software, and it limits the access to local, system and network resources and data.

And of course, what was told above, must be applied to any other piece of software you launch or install on your computer. Installing freeware, shareware, trial and demo versions of software of unknown or dubious proveniance, or from a company or a developer with no historical track and no physical address, is always an act of the most extrem risk. Scanning it with antivirus software will only rarely reveal any risk. This is, though, another topic and if you are interested, you will certainly find a lot of resources about computer security on the web or in a book store.

Project Selection

The same arguments written above when discussing the installation of 3^rd party software, are valid for attaching to new projects, too. BOINC is an open platform that can be used by anyone in need of the capacity and possibilities of the distributed system. There is no reason to believe that only honest people and organizations will use the advantage of distributed computing, and the availability of such huge user base.

Once you join a project and connect to the project server with your BOINC client, it downloads the project application and starts it. If you do not follow the advices mentioned in the top part about BOINC installation, the application may have access to all your personal data, or even worse to the entire system, or even the whole LAN. But even if you restrict it as advised, the application still can do a lot of damage, or perform illegal activities. Limiting its network access to just its own server, and just the port 80, may help to limit some types of abuse (i.e. spam relaying, proxying, distribution of illegal files ...), but to some extend the system can still be used for spying your activity or for other malicious purposes. Possibly there may be also other ways of abusing your system. Calculation of other tasks than pretended is the most obvious way of abuse. Another very simple way of abusing the BOINC system for the profit of the author is very easy and quick to build: such a project can pretend to be working on some attractive issue, but in fact all it does is simply forwarding work units of another project, letting them calculate by others, and then forwarding them to the original project server under his/her own account, gaining so big amounts of credits.

Again, the same hints as mentioned in the previous section, should be followed when you are selecting a new project. Personally, I advise joining only Open Source projects, or projects backed by well known and reliable institutions. I do not suggest that any of the currently available projects have some malicious functionality built in. I only want that you understand there there is currently no automated mechanism in BOINC, that would protect you, and there is no official authority that would approve and certify projects or their applications. Anyone (including the bad guys) can create a new BOINC project without any negotiation with the BOINC team in Berkeley. You are entirely in mercy of the authors of the projects that you are connecting to.

BOINC Trojans

Not only the greed of criminals who profit from stealing data, spamming, and other illegal activity, but also as stupid thing as greed for the completely virtual BOINC credits, tempts some people to trespass given rules, etiquette, and often even violating laws.

I do not want to discuss the topic of people installing BOINC without permission on computers of their employers, friends, customers, or even worse on publicly accessible machines. Personally, I strongly disagree with it. It violates the official policy (see for example S@H terms & policies), it is unethical, in many cases illegal, and can cost the person his/her job or bring other troubles. What I want to discuss here though, are the cases of "infecting" computers with BOINC through Trojan horses, viruses, worms, buffer overflows, remote attacks, or other automated or remote means.

Unfortunately, the trespassing of the given rules happened often already with the older SETI@home Classic system. Although the credit-cheating and sending of invalid results, so common under the old platform, was greatly eliminated under the BOINC platform, certain users do not hesitate spending their time in inventing ideas increasing their credits anyway.

The best known is the case of Carsten Giese(*), originally from SETI.Germany, later ESC-Consult team. Although it was officially never revealed what exactly happened and how, someone probably wrote a Trojan horse program or a virus that was automatically installing BOINC on infected computers worldwide, without the knowledge or consent of their owners. In the known case, the boinc.exe core client was masked as Windows update service, and it was hidden inside of the Windows system32 directory. It was first reported by Fred_G from Team Starfire on the SETI@home forum. The thread is quite long, but there is more information about the case, and also other people confirming the claims, or reporting similar cases. The account of Carsten Giese(*) was investigated by the S@H/BOINC developers and after his approval, it was completely removed. For privacy reasons, no further details were published. AFAIK, the credit Carsten Giese(*) possibly illegally gained for his former team when being a member of SETI.Germany (around 5-6 millions) was not removed though.

It was speculated that there may be also other users who wrote Trojan horse applications, or other tools for illegal spreading of BOINC clients. Up to date, there was no other specific case reported yet, but since BOINC did not introduced any mechanism or measures to prevent such behavior, and because they do not have sufficient means for supervising such abuses, we can be relatively sure, that similar cases will be more and more frequent in the future. Such successful illegal behavior may be motivating for many others, in spite of being criminal act in big part of the world, especially because the credit gained for the original team was not removed. New abusers will also certainly invent new ways how to prevent easy detection, and may hide their tracks better than the abuser in the incident of Carsten Giese(*).

As mentioned, in this specific case, BOINC was installed in the directory C:\\Windows\system32, which then contained all BOINC subdirectories and files. Another user found such installation on his computer running concurrently with his own installation, pulling half of the CPU power for the calculation under the other account. I recommend that you check your computers for the presence of any BOINC files in the system32 dir. Better yet, you search all your drives for the presence of some typical BOINC files. In the documented case, probably only the boinc.exe file was renamed, so for example the all the xml files or libraries could be easily located. However, it does not mean that another version of such stealth installation does not rename more files. It can also manage to hide the files better. Therefore looking up running tasks in Task Manager may also help, although also there are certain possibilities for hiding the processes. If you see that your own legally installed copy of BOINC project does not pull the expected CPU load (usually over 90% at single CPU systems), then you may consider asking experienced friend, or an expert to check your computer, or to ask the community on the message boards for help.

Some links to BOINC forums discussing the case of Carsten Giese(*) and related topics:

• http://setiathome.berkeley.edu/forum_thread.php?id=27739
• http://setiathome.berkeley.edu/forum_thread.php?id=27913
• http://boinc.berkeley.edu/dev/forum_thread.php?id=542
• http://orbit.psi.edu/forum_thread.php?id=142

I firmly hope that the BOINC developer team will introduce at least some measures making such illegal activity more complicated, but am afraid that it will never completely scare off this type of people from violating the rules anyway. I plan to add some security features into my own BOINC client too, and hope it can help to prevent or detect at least some cases of abuse. In any case: if you hapen to detect any such illegal activity, please be sure to report it either to the BOINC team, or to the message boards (i.e. the SETI@home forum).

(*) please note, that it was officially neither denied, nor confirmed that Carsten Giese was himself behind the illegal activity, or even whether he was aware of it at all. Although from his public posts it is evident he was well following his ranking and RAC, and hence likely well aware of the incredible RAC of over 200000, I feel it might be improper to suggest his role in this abuse case publicly.

Account Hijacking

One of the participants in the discussion thread about the case of Carsten Giese (see details in the previous section), mentioned that he discovered his computer crunched several months under the account of another user. Unfortunately the user did not come back to the thread, and did not answer questions that were asked, so we do not know if the other account was also the account of Carsten Giese, if his own BOINC installation was hijacked, or if there were two concurrently running installation. We have to face, though, the possibility that there is another malicious tool (or it may be the same as in the previously described case) that instead of installing new BOINC instance, simply hijacks the one already present on the system, replacing the account info for another one.

In this case again, just like in the previous cases, the correct installation with permissions on the BOINC directories strongly restricted, can reduce the risk also with this type of intrusion (unless the intruder gains administrator privileges). The damage of calculating under another account is not too bad - the work done would be valid anyway. You only lose the credits. On the other hand already the fact that someone could modify the account on your computer is much more alarming than the effect of lost credits. If the intruder could modify files in your BOINC installation, possibly he could also modify or steal others.

Regular or at least random verifying of your results in your BOINC project web accounts can help to detect such security issue before it grows worse. Again: if you discover such case, please do not hesitate to report it to the developers or to the community immediately.