G-PASS: Security Infrastructure for Grid Travelers Tianchi Ma, Lin Chen, Cho-Li Wang, Francis C.M. Lau The University of Hong Kong
Outline • Problems & Methodology • Introduction to G-PASS • Application – G-JavaMPI • Experiment Results
Grid Travelers • A Grid Traveler is a process that can move itself across organizational boundaries at run time. • Two types of Grid travelers • Mobile agent • Migratable process • Organization = policy space • Security policy (identity, access control) • Other policies
Security Issues for Grid Travelers • Protect Grid travelers from malicious hosts • Eavesdropping • Integrity compromise • Protect hosts from malicious travelers • Unauthorized resource access • Delivery of forged information • DoS attack (replay) • Protect against network eavesdropping • Use secure transport
Under a Grid Scenario (1) • Complex authorization relationships • Multiple policy spaces involved • Identity mapping • Reputation system • Most existing mechanisms are application-specific rather than general purpose
Under a Grid Scenario (2) An example scenario of a Grid traveler who wants to access resources in another organization. Please note that this example is the simplest one possible in a Grid policy space! [Figure labels: Dispatcher, Warrantor, Organization, Warranted Organization, Identity mapping, Exception, Reputation]
Problems • How to carry and prove authorizations and warrants? • How to record and track historical events? • How to perform identity mapping? • How to propagate security exceptions and reputation?
Grid Fashion • Infrastructure • General purpose (not application-specific) • Provides fundamental information and control mechanisms • Weak defense • Monitoring instead of preventing • Stable information • Reputation system
Relevant Information • Distributed trust model • Authorization • Delegation • Warrant • Events • Migration • Resource consumption / job submission • Exceptions
GSI – Not Enough for Grid Travelers • Provides a foundation derived from conventional distributed trust • PKI • X.509 • Global DN -> local user mapping • Job service • Delegation • Proxy certificates • X.509 delegation is unsuitable for Grid travelers • Scalability – each delegation step extends the certificate chain • Delegation abuse under full (unrestricted) delegation • Cannot handle complex identity mapping
Traveler in Reality The example shows how a traveler can be permitted to visit an unfamiliar country and carry out some critical operations there. [Figure labels: Visa, $]
G-passport • A G-passport is a list of certificates and proven security information • Records and proofs • Transit • Privileges taken • Security exceptions • Contracts • Doubly linked traceable list
G-passport Example A Grid traveler’s recorded history: Birth -> Initiation -> Migration -> Warranted -> …
Instance-Oriented Delegation • Security transaction • Separation of responsibility • Security instance • Binds a transaction to its validity specification • Signed by the issuer • Differs from a capability • Represents delegation, not a direct authorization on a resource
Across the Organization Boundary • A global identity cannot be recognized by local resources • Mapping: G-passport -> local privilege table • Role-based: RBAC3
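The three preceding slides (the G-passport as a doubly linked traceable record list, instance-oriented delegation bound to a signed specification, and the mapping of a passport onto a local role-based privilege table) can be illustrated in one piece of code. The following is an added example written for this page, not code from the G-PASS project or the G-JavaMPI distribution. Everything in it is an assumption made for the illustration: the record field names, the issuer identities, the local role table, and the use of per-issuer HMAC-SHA256 keys as a stand-in for the X.509/GSI signatures a real G-passport record would carry (so that it runs with the Python standard library alone).

```python
import hashlib
import hmac
import json

# Constructed issuer keys (assumption: per-issuer HMAC keys stand in for
# the X.509/GSI signatures of the real system; a site would instead hold
# the issuers' certificates and verify with their public keys).
ISSUER_KEYS = {
    "dispatcher@org-a": b"k-dispatcher",
    "host-1@org-b": b"k-host-1",
    "warrantor@org-b": b"k-warrantor",
}
GENESIS = "0" * 64  # back-link of the first ("Birth") record


def _body_digest(record):
    """SHA-256 over the canonical JSON of a record without its signature."""
    body = {k: v for k, v in record.items() if k != "sig"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def _link(record):
    """Digest of the whole record (signature included) used as the next back-link."""
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()


def append_record(passport, issuer, event, claims):
    """Append an event record signed by `issuer`, back-linked to its predecessor.

    The seq number gives forward traceability, the prev digest gives backward
    traceability, so any edit to an earlier record breaks every link after it.
    """
    prev = _link(passport[-1]) if passport else GENESIS
    record = {"seq": len(passport), "issuer": issuer, "event": event,
              "claims": claims, "prev": prev}
    record["sig"] = hmac.new(ISSUER_KEYS[issuer], _body_digest(record).encode(),
                             hashlib.sha256).hexdigest()
    passport.append(record)
    return record


def verify_passport(passport):
    """Check seq continuity, back-links and issuer signatures; return (ok, reason)."""
    expected_prev = GENESIS
    for i, rec in enumerate(passport):
        if rec["seq"] != i:
            return False, f"record {i}: sequence gap"
        if rec["prev"] != expected_prev:
            return False, f"record {i}: broken link to predecessor"
        key = ISSUER_KEYS.get(rec["issuer"])
        if key is None:
            return False, f"record {i}: unknown issuer {rec['issuer']}"
        want = hmac.new(key, _body_digest(rec).encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(want, rec.get("sig", "")):
            return False, f"record {i}: bad signature"
        expected_prev = _link(rec)
    return True, "ok"


# Constructed local privilege table of site org-b (assumption). The role
# hierarchy is the RBAC3-style part: a senior role inherits junior permissions.
LOCAL_SITE = "org-b"
TRUSTED_WARRANTORS = {"warrantor@org-b"}
ROLE_MAP = {"bio-guest": "db-reader", "bio-member": "db-analyst"}
ROLE_PARENTS = {"db-analyst": ["db-reader"], "db-reader": []}
ROLE_PERMS = {"db-reader": {"read:nr"}, "db-analyst": {"run:blastp", "write:scratch"}}


def _expand(role):
    """Permissions of a role plus everything inherited from its parents."""
    perms, stack = set(), [role]
    while stack:
        r = stack.pop()
        perms |= ROLE_PERMS.get(r, set())
        stack.extend(ROLE_PARENTS.get(r, []))
    return perms


def local_privileges(passport):
    """Map a verified passport onto local permissions for LOCAL_SITE.

    Only 'Warranted' records from a trusted warrantor for this site count, and
    the grant is bounded by the operations named in the warrant: the delegation
    is for one transaction instance, not a blanket grant of the local role.
    """
    ok, reason = verify_passport(passport)
    if not ok:
        raise ValueError(reason)
    granted = set()
    for rec in passport:
        c = rec["claims"]
        if rec["event"] != "Warranted" or c.get("site") != LOCAL_SITE:
            continue
        if rec["issuer"] not in TRUSTED_WARRANTORS:
            continue
        local_role = ROLE_MAP.get(c.get("role"))
        if local_role:
            granted |= _expand(local_role) & set(c.get("ops", []))
    return granted


def demo():
    """Birth -> Initiation -> Migration -> Warranted, then a tampered copy."""
    p = []
    append_record(p, "dispatcher@org-a", "Birth", {"traveler": "jmpiblast-7"})
    append_record(p, "dispatcher@org-a", "Initiation", {"job": "blastp nr"})
    append_record(p, "host-1@org-b", "Migration", {"from": "org-a", "to": "host-1@org-b"})
    append_record(p, "warrantor@org-b", "Warranted",
                  {"site": "org-b", "role": "bio-member", "ops": ["read:nr", "run:blastp"]})
    perms = local_privileges(p)
    tampered = json.loads(json.dumps(p))          # deep copy
    tampered[3]["claims"]["ops"].append("write:scratch")  # escalation attempt by a host
    return verify_passport(p), perms, verify_passport(tampered)
```

Run `demo()`: the untouched passport verifies, the site grants only `read:nr` and `run:blastp` (the `db-analyst` role also carries `write:scratch`, but the warrant did not name it), and the copy whose warrant was widened after signing fails with a bad signature on record 3. Widening an earlier record would instead surface as a broken link in the record after it.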
Position of G-PASS • Under the application layer • Can access resource layer • Based on GSI
Application: G-JavaMPI • Grid-based Java MPI • Support for process migration • Four reasons for migration • Availability • Searching for better resources • Load balancing • Optimizing the program by removing communication bottlenecks
JmpiBLAST • A BLAST program on G-JavaMPI • Four universities share CPU cycles and local bio-databases • Funded by two organizations • An MPI VO coordinates their resources
HKU Gideon 300 Cluster • Pentium 4 2.0 GHz with 512 KB L2 cache • 512 MB (PC2100) DDR SDRAM • 2 x Fast-Ethernet adaptors • 40 GB IDE hard disk • Linux (RedHat 7.3/8.0) • High-performance network (for inter-process communication) • Foundry Networks Fast-Ethernet switch with 312 ports • Hierarchical management network (for I/O access and cluster management) • 1 x 24-port Gigabit-Ethernet switch • 13 x 24-port Fast-Ethernet switches (with Gigabit-Ethernet uplink) • 620 UTP network cables
Hong Kong Grid HKGrid provides a platform for its members to experiment with various research prototypes and pilot applications
Environment Setting • JmpiBLAST setting • Application: Blastp • Database: nr (687 MB) • Segment: 1 MB (687 segments) • Experiment setting • Three Blastp programs, 18 processes in total (8, 6 and 4 respectively) • Global scheduling: GA vs. Min-Min • Initial nodes: 5 • Event 1: 2 nodes join • Event 2: 2 nodes quit
Data Reports • In tasks 1 and 2, GA outperforms Min-Min • In task 3, Min-Min gives the better result • Scheduling by GA in task 1 fully utilized the additional 2 nodes and provided maximal throughput during the fixed time interval between event 1 and event 2.
Security Overhead [Figure: G-PASS overhead, labelled as affordable]
Results from HKGrid In all measured cases the security overhead stays below 50%
Thank You! Q&A? Web site: http://www.cs.hku.hk/~tcma/GPASS http://www.cs.hku.hk/~lchen2/research/G-JavaMPI/doc/readme.html