BOINC Security

From BOINC

BOINC downloads programs over the Internet and runs them on your PC. You may be concerned that BOINC could be exploited by hackers to run malware on your PC ("malware" is software that does malicious things such as stealing private data).

Is BOINC safe? The short answer: in practice, yes. After 16 years, running on millions of PCs, there have been no security incidents due to BOINC.

However, the lack of incidents does not mean that none are possible. All software has security risks, and BOINC is no exception. We will now explain

  • How BOINC eliminates the most obvious risks.
  • How you can reduce the remaining risks.

Code signing

Suppose you volunteer for a project, and hackers break into that project's server and replace its programs with malware. Will the malware be downloaded and run on your PC?

BOINC uses a mechanism called code signing that makes this impossible, as long as projects use proper practices.

Code signing is based on *public-key cryptography*. Each project has a code-signing key pair consisting of a public key and a private key. The public key is sent to your client when you add the project. The private key is used to create "signatures" for programs. The BOINC client will only run programs with valid signatures.

Projects are instructed to keep the private key only on a computer that is never connected to a network, and that is physically secure. This computer is used to create signatures. As long as these instructions are obeyed, hackers cannot sign malware, even if they break into the project's server. Therefore they cannot trick BOINC into running malware.

Most BOINC projects follow these practices. However, some projects are lazy and keep their code-signing key on network-connected computers. This undermines the mechanism.

So, if you're concerned about security (and you should be!) don't attach to a project unless it can convince you that it follows the code-signing procedure correctly. Ask project administrators to describe how they do code signing.

Account-based sandboxing

BOINC's second line of defense is called account-based sandboxing. Operating systems (Windows, Mac OS X, Linux) have a notion of user accounts. Each file and running program is associated with a user account. An unprivileged account is one that has access only to its own files; a program running under such an account is not able to access or modify any other data on the computer.

BOINC can be configured to use account-based sandboxing - that is, to run project applications under an unprivileged account. This is the default on Android, Mac OS X and on the installers provided by Linux distributions. Currently, it is not the default on Windows because GPU applications can't run under unprivileged accounts. However, you can enable it on Windows by checking the Protected execution mode or Service install box during installation (depending on the version of BOINC).

Virtual Machine-based sandboxing

An even stronger form of sandboxing is provided by a technology called virtual machines. Programs running in virtual machines cannot access any files on your computer.

Some projects - such as Cosmology@home - use virtual machines for their applications.

Rogue and spoof projects

The BOINC server software is freely available; anyone can use it. So hackers can create BOINC projects of two sorts:

  • Rogue projects: the web site claims to do good-of-humanity research, but its programs are malware.
  • Spoof projects: the web site mimics that of an established project, but its programs are malware.

BOINC provides some protection again rogue and spoof project: the projects shown in the BOINC Manager's Add Project dialog are known to us (the BOINC project) to be legitimate.

However, if you add a project not on this list (by entering its URL in the form) it's up to you make sure it's legitimate. Some things you can do to check:

  • If a project claims to be academic, its URL should be in the .edu domain (or its equivalent outside the U.S.).
  • If a project claims to be from an institution such as a university, you can contact the institution to verify this.
  • Go on the BOINC message boards, see what other people say about the project, and see how long it's been operating.

Client download security

The above mechanisms assume that your BOINC client software is valid. What if hackers break into the BOINC server and replace the BOINC installers with malware?

On Windows, you are protected from this by another form of code signing. When you run the BOINC installer on Windows, the first thing you should see is:

Win code sign.png

(Note: the version number may be different). This verifies that the installer is valid.

On Mac OS 10.8 and later, you can select your security settings in system preferences to allow running only applications from the App store or those signed by trusted developers registered with Apple. BOINC installers for the Mac are code signed with credentials provided by Apple, so OS X will accept them after warning you they have been downloaded from the Internet (as long as you have set your security preferences in this way.)

On Linux, code signing is not used.

Building your own software

For the ultimate in security, you can build everything yourself.

BOINC is open source software. You can download the source code, inspect it, then build it for your computer.

In addition, many BOINC-based projects make their application source code available. You can download and inspect the source code from their web site, build it for your computer, then use BOINC's Anonymous platform system to run the resulting executables from the BOINC client.