For Science! Steps for Safe Volunteer Computing

The old adage that time is money is proven once again when it comes to volunteer computing. According to The New York Times, anyone can use the Berkeley Open Infrastructure for Network Computing (BOINC) platform to donate processing power, storage or other unused resources to the advancement of scientific endeavors. Anyone with a PC can scour the sky for aliens, help cure disease, map radiation or perform any number of other philanthropic activities.

To make this work, you download software from the project you choose and run it on your machine. Obviously, security is a critical consideration in doing that safely. For the attacker, a large pool of computing power, storage or bandwidth is a potential gold mine. These resources can facilitate all kinds of cybercriminals efforts, from botnets to bitcoin mining to brute-forcing cryptographic keys.

Safety Tips for Volunteer Computing

I’m not bringing this up to scare users off. Users are generally pretty safe participating in BOINC projects. In fact, its website claims that no security incidents have been attributed to BOINC. That said, just because something hasn’t happened yet doesn’t mean you shouldn’t take reasonable precautions.

While there are some safety and security measures built into the platform, it’s important for users to be aware of potential cyberthreats and improve their online hygiene to participate in these projects safely.

Know the Project

First and foremost, it is critical that individuals understand the volunteer computing projects in which they intend to participate. The BOINC platform provides a mechanism to digitally sign code that is delivered by projects, but it’s still important that users educate themselves.

Signing the code provides assurance of the signer’s identity, but does the participant really know who that is? The BOINC platform is open to all, so users will likely encounter malware dressed up as research — rogue projects — or fake sites designed to look like known projects — spoof projects. These are not commonplace, but it’s vital to make sure the volunteer project you connect to is legitimate.

Code signing relies on the security of a project’s private key. Otherwise, the security of the process can be circumvented. If you think this doesn’t happen, consider that attackers specifically targeted Adobe’s code signing repository to sign malware. Additionally, attacker groups have stolen certificates to sign code.

It happens accidentally, too. D-Link, for example, accidentally posted its code-signing keys on the internet. Ask yourself, is the project taking the right measures to project its participants? If the answer is negative or unknown, you may want to select something different.

Understand the Software

You may wish to investigate what other guidance or features the project and platform offer. The IBM World Community Grid security page, for example, outlines steps to audit both the BOINC agent and project software included in the Community Grid. It also explains how to further reduce the attack surface by suppressing IP information, refraining from connecting to reference sites and prohibiting the BOINC client from attaching to additional projects.

Users must understand the security model of the software itself by reading the manual, or at least the parts of it that pertain to security. BOINC uses nonprivileged accounts to sandbox the project from the rest of the operating system. This is the default for every platform except Windows. If you’re running Windows and you want to enable sandboxing, you need to take specific steps when installing.

Consider Enhanced Measures

Lastly, it can be beneficial to investigate a few enhanced security measures. You might choose to limit the software you run to that which you compile yourself. If you’re an experienced programmer or have access to a code-scanning tool, this might give you additional confidence. Alternatively, you might consider running the client inside a disposable virtual machine within a hypervisor. Such a mechanism creates further isolation between the agent and project software and the host system.

There are options available to you from a security standpoint. Just like you would practice appropriate security hygiene in all the other activities you undertake, it’s useful to do so for volunteer computing as well.

Share this Article:
Ed Moyle

Director, Emerging Business and Technology, ISACA

Ed Moyle is currently Director of Emerging Business and Technology for ISACA. Prior to joining ISACA, Ed was Senior Security Strategist with Savvis and a founding partner of the analyst firm Security Curve. In his 15+ years in information security, Ed has held numerous positions including: Senior Manager with CTG's global security practice, Vice President and Information Security Officer for Merrill Lynch Investment Managers, and Senior Security Analyst with Trintech. Ed is co-author of Cryptographic Libraries for Developers and a frequent contributor to the Information Security industry as author, public speaker, and analyst.