
G-PASS: Security Infrastructure for Grid Travelers



  1. G-PASS: Security Infrastructure for Grid Travelers Tianchi Ma, Lin Chen, Cho-Li Wang, Francis C.M. Lau The University of Hong Kong

  2. Outline • Problems & Methodology • Introduction to G-PASS • Application – G-JavaMPI • Experiment Results

  3. Grid Travelers • A Grid Traveler is a process that can move itself across organizational boundaries at runtime. • Two types of Grid travelers • Mobile agent • Migratable process • Organization = Policy space • Security policy (identity, access control) • Other policies

  4. Security Issues for Grid Travelers • Protect Grid travelers from malicious hosts • Eavesdropping • Integrity compromise • Protect hosts from malicious travelers • Illegal resource access • Delivering fake information • DoS attack (replay) • Protect against network eavesdropping • Use secure transfer

  5. Under a Grid Scenario (1) • Complex authorization relationships • Multiple policy spaces concerned • Identity mapping • Reputation system • Most existing mechanisms are not general purpose

  6. Under a Grid Scenario (2) An example scenario of a Grid traveler who wants to access resources in another organization. Please note this example is the simplest one possible in a Grid policy space! [Figure: actors Dispatcher, Warrantor, Organization and Warranted Organization, with flows labelled Identity mapping, Exception and Reputation]

  7. Problems • How to carry and prove the authorizations and warrants? • How to record and track history events? • How to do the identity mapping? • How to propagate security exceptions and reputation?

  8. Grid Fashion • Infrastructure • General purpose (not application specific) • Providing fundamental information and control mechanisms • Weak defense • Monitoring instead of preventing • Stable information • Reputation system

  9. Related Information • Distributed Trust Model • Authorization • Delegation • Warrant • Events • Migration • Resource consumption / job submission • Exceptions

  10. GSI – Not Enough for Grid Travelers • Provides a foundation derived from conventional distributed trust • PKI • X.509 • Global DN -> Local user • Job service • Delegation • Proxy • X.509 delegation is unsuitable for Grid travelers • Scalability – repeated delegation forms a certificate chain • Delegation abuse in the full-delegation protocol • Cannot deal with complex identity mapping

  11. Traveler in Reality The example shows how a traveler can be permitted to visit an unacquainted country and perform some critical operations. [Figure: passport, visa and payment]

  12. G-passport • A G-passport is a list of certificates and proven security information • Records and proofs of: • Transit • Privileges taken • Security exceptions • Contracts • Doubly linked traceable list

  13. G-passport Example A Grid traveler’s recorded history: Birth -> Initiation -> Migration -> Warranted -> …

  14. Instance-Oriented Delegation • Security transaction • Separation of responsibility • Security instance • Binds a transaction to its valid specification • The issuer signs it • Different from a capability • Represents delegation, not direct authorization on a resource
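As an added illustration of slides 12 to 14 (this is not code from the G-PASS project), the Python sketch below models a G-passport as a traceable chain of issuer-signed records: each record carries the digest of its predecessor, and verification walks the history from Birth onward, flagging a tampered record or an unknown issuer. Assumptions: per-issuer HMAC keys stand in for the X.509 signatures G-PASS relies on, and the traveler `job-42`, the roles and the issuer names are constructed sample data.

```python
import hashlib
import hmac
import json

# Constructed issuer keys (assumption): per-issuer HMAC secrets stand in for
# the X.509 key pairs a real G-PASS deployment would use for signing.
ISSUER_KEYS = {"home.org": b"k-home", "dispatcher.org": b"k-disp",
               "warrantor.org": b"k-warrant"}

def _digest(record):
    """Hash the record body (everything except its own digest and signature)."""
    body = {k: v for k, v in record.items() if k not in ("digest", "sig")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_record(passport, event, issuer, detail):
    """Append one issuer-signed event; 'prev' links it to the preceding record."""
    prev = passport[-1]["digest"] if passport else None
    rec = {"event": event, "issuer": issuer, "detail": detail, "prev": prev}
    rec["digest"] = _digest(rec)
    rec["sig"] = hmac.new(ISSUER_KEYS[issuer], rec["digest"].encode(), "sha256").hexdigest()
    passport.append(rec)
    return rec

def verify_passport(passport):
    """Walk the chain from Birth onward, checking each link and each issuer
    signature. Returns (True, length) or (False, index of the first bad record)."""
    prev = None
    for i, rec in enumerate(passport):
        key = ISSUER_KEYS.get(rec["issuer"])
        if key is None or rec["prev"] != prev or rec["digest"] != _digest(rec):
            return False, i
        expect = hmac.new(key, rec["digest"].encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expect, rec["sig"]):
            return False, i
        prev = rec["digest"]
    return True, len(passport)

def history(passport):
    """Render the recorded history as on slide 13: Birth -> Initiation -> ..."""
    return " -> ".join(rec["event"] for rec in passport)

def demo_passport():
    """Constructed sample history for traveler 'job-42' (not real G-PASS data)."""
    p = []
    append_record(p, "Birth", "home.org", {"traveler": "job-42"})
    append_record(p, "Initiation", "home.org", {"role": "blast-user"})
    append_record(p, "Migration", "dispatcher.org", {"to": "warrantor.org"})
    append_record(p, "Warranted", "warrantor.org", {"privilege": "read:nr"})
    return p
```

Because every record's digest covers its `prev` link, altering an early record (or inserting one from an issuer the verifier does not trust) breaks the chain at that position, which is the "traceable" property the doubly linked list on slide 12 is meant to give.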

  15. Across the Organization Boundary • Global identity cannot be recognized by local resources • Mapping: G-passport -> Local privilege table • Role-based: RBAC3

  16. Position of G-PASS • Under the application layer • Can access resource layer • Based on GSI

  17. Application: G-JavaMPI • Grid-based Java MPI • Support for process migration • Four reasons for migration • Availability • Searching for better resources • Load balancing • Optimizing the program by removing the bottleneck caused by communication

  18. JmpiBLAST • A BLAST program on G-JavaMPI • Four universities sharing CPU cycles and local bio-databases • Funded by two organizations • MPI VO coordinates their resources together

  19. HKU Gideon 300 Cluster • Pentium 4 2.0 GHz w/ 512 Kbytes L2 cache • 512 Mbytes (PC2100) DDR SDRAM • Fast-Ethernet adaptors x 2 • 40 GB IDE hard disk • Linux OS (RedHat 7.3/8.0) • High-performance network (for inter-process communication) • Foundry Networks' Fast-Ethernet switch with 312 ports • Hierarchical management network (for I/O access and cluster management) • 24-port Gigabit-Ethernet switch x 1 • 24-port Fast-Ethernet switch (with Gigabit-Ethernet uplink) x 13 • UTP network cables x 620

  20. Hong Kong Grid HKGrid provides a platform for its members to experiment with various research prototypes and pilot applications

  21. Environment Setting • JmpiBLAST setting • Application: Blastp • Database: nr (687 MBytes) • Segment: 1 MByte (687 segments) • Experiment setting • Three Blastp programs, 18 processes in total (8, 6, 4 respectively) • Global scheduling: GA vs. Min-Min • Original nodes: 5 • Event 1: 2 nodes join • Event 2: 2 nodes quit

  22. Data Reports • In tasks 1 & 2, the GA is better than Min-Min • In task 3, Min-Min generates a better result • Scheduling by GA in task 1 fully utilized the additional 2 nodes and provided maximal throughput during the fixed time interval between event 1 and event 2.

  23. Security Overhead [Chart: G-PASS overhead, labelled "Affordable"]

  24. Results from HKGrid Under all circumstances, the security overhead is less than 50%

  25. Thank You! Q&A? Web site: http://www.cs.hku.hk/~tcma/GPASS http://www.cs.hku.hk/~lchen2/research/G-JavaMPI/doc/readme.html
