On most computers, CHARM++ programs are simple binaries, and they pose no more security issues than any other program would. The only exception is the network version net-*, which has the following issues.
The network versions utilize many unix processes communicating with each other via UDP. Only a simple attempt is currently made to filter out unauthorized packets. Therefore, it is theoretically possible to mount a security attack by sending UDP packets to an executing CONVERSE or CHARM++ program's sockets.
The second security issue associated with networked programs is associated with the fact that we, the CHARM++ developers, need evidence that our tools are being used. (Such evidence is useful in convincing funding agencies to continue to support our work.) To this end, we have inserted code in the network charmrun program (described later) to notify us that our software is being used. This notification is a single UDP packet sent by charmrun to charm.cs.uiuc.edu. This data is put to one use only: it is gathered into tables recording the internet domains in which our software is being used, the number of individuals at each internet domain, and the frequency with which it is used.
We recognize that some users may have objections to our notification code. Therefore, we have provided a second copy of the charmrun program with the notification code removed. If you look within the charm bin directory, you will find these programs:
The program charmrun.silent has the notification code removed. To permanently deactivate notification, you may use the version without the notification code:
The only versions of CHARM++ that ever notify us are the network versions.
April 10, 2012
Charm Homepage