Making your workspace secure: establishing trust with VMs in the Grid

Wei Lu (1), Kate Keahey (2), Tim Freeman (2), Frank Siebenlist (2)
(1) Indiana University, (2) Argonne National Lab
welu@cs.indiana.edu, {keahey,tfreeman,franks}@mcs.anl.gov
Virtual Workspace in the Grid

Virtual Workspace (VW) definition: a workspace is an execution environment that can be made available dynamically in the Grid. It comprises:
• a software environment
• a resource allocation

Examples:
• A physical machine configured as a "service node" (e.g., head node) for a community cluster
• A set of virtual machines configured as an Open Science Grid cluster
• A set of physical machines configured with the Xen hypervisor

Virtual machines (VMs) as the workspace implementation:
• Good isolation properties
• Customizable software
• Fine-grained enforcement of resource allocation
• Ability to serialize and migrate
• Acceptable performance cost (Xen)

(Figure: VM stack, bottom to top: Hardware, Hypervisor, Guest OS, App.)
Security Challenge of Virtual Workspace

VW hosts:
• must prevent VMs from misusing resources maliciously; for example, a badly configured VM might get compromised and be used to launch a DoS from the site.

VW owners:
• are concerned with the integrity and confidentiality of the VM image, i.e., that the VM image does not get used or otherwise compromised by untrusted parties storing or transferring that image. The VM image is usually composed of multiple partitions; each partition may be provided by a different "issuer" and be associated with different security requirements.
• are concerned that the VM executes only on trusted hosts and that the host will not jeopardize data or computations taking place inside the VM.

VW users:
• how do I establish trust with a running VM? Trust in the VM has to be rooted in both the VM image (owner) and the VM host.
Workspace System Architecture

Implementation: Xen, Globus Toolkit 4. GSI provides the basic infrastructure for authentication and authorization.

Workspace meta-data: an XML document containing the hardware, software, networking, security and other configuration of a VW.

(Figure: the owner of the VW requests a workspace from the VW Configuration Service, passing the workspace meta-data; the Workspace Service deploys, manages and monitors the workspace; the user of the VW manages activities within the workspace.)
VW Security Meta-data

A virtual machine consists of several files (VM disk partitions, RAM image, configuration files). Each of them may:
• have different security requirements (Integrity, Confidentiality or Open);
• be provided by different entities, e.g.:
  • a "community partition" may be issued by a given community and contain a specific version of community software;
  • an "application partition" may be provided by an application developer;
  • a "data partition" may be provided by a special interest group and be confidential;
• be used as part of many images;
• be stored and transported through potentially untrusted areas.

The meta-data for a partition is extended with:
• an XML Signature or XML Encryption element representing the signature, and the related key or certificate, of the protected partition;
• a resolvable URI that can be used to locate the partition.

Security meta-data makes the security of a VW image independent of the intermediate storage service and transfer layers.
(Figure: Virtual Workspace Meta-Data for two example partitions. An OSG software partition (software version, application; located over HTTP) carries an XML Signature element; a key partition / application data partition (located over GridFTP) carries an XML Encryption element. Sketch of the structure as drawn on the slide:)

  <virtualWorkspace>
    <partition>                   (OSG software: version, application; located via HTTP)
      <Signature>
        <SignedInfo>…</SignedInfo>
        <SignatureValue>…</SignatureValue>
        <KeyInfo>…</KeyInfo>
      </Signature>
    </partition>
    <partition>                   (key partition / application data; located via GridFTP)
      <EncryptedData>
        <KeyInfo>…</KeyInfo>
        <CipherData>…</CipherData>
      </EncryptedData>
    </partition>
  </virtualWorkspace>
VW Host Credential

How do we assign a credential to the VM? Trust has to be rooted in both the VM image (VM owner) and the VM host (hypervisor).

Scheme 1: Assign a static credential to a VM image
• The VM issuer provides a "credential partition", which is always encrypted.
• The partition can be decrypted only by a host from a trusted set.
• The credential does not change during the VM lifetime.

Scheme 2: Generate a credential on deployment
• Name the VM as "VM X on resource Y".
• Resource Proxy Certificate: a short-term GSI X.509 proxy certificate generated dynamically by the hypervisor at deployment time, based on verifying the VM attestation.
• After migration, the certificate is revoked at the old host and regenerated at the new host.
• The user can attest the virtual machine and the host machine.
Deploying a Secure VW

(Figure: the VW owner, the Workspace Service at the site, third-party storage services holding the partitions (private key partition, OSG software partition, application software partition, application data partition), the hypervisor running the virtual workspace, and the VW user; control flow and data flow are numbered as below. Workspace Service stages: metadata verification, partition load, key load, signature verification, partition decryption, credential assignment.)

1: owner builds authentication and authorization with the Workspace Service
2: sends the VW meta-data
3: checks the integrity of the meta-data
4: loads each partition of the VW to the local site according to the security meta-data
5: loads the key or certificate according to the security meta-data
6: verifies the partition signature or decrypts the partition
7: generates the proxy credential for the VW
8: builds and starts the VW
9: user builds authentication and authorization with the VW
10: user accesses the VW
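The per-partition check behind steps 4-6 above, written as an added Go example that is not the Workspace project's own code: each partition carries the requirement its issuer attached in the security meta-data (Integrity, Confidentiality or Open), and the host either verifies a detached signature against a key it already trusts for that issuer or decrypts with a key held only by hosts in the trusted set, so that any failure aborts deployment before the VW is built. The Partition fields, the choice of Ed25519 and AES-GCM, and the symmetric owner key are assumptions standing in for the XML Signature and XML Encryption elements of the meta-data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"errors"
)

// A partition as the host loaded it from untrusted storage (step 4). Field names are assumptions.
type Partition struct {
	Issuer string // who provided it, e.g. "osg-software" (constructed name)
	Req    string // requirement from the security meta-data: "open", "integrity" or "confidentiality"
	Data   []byte // partition bytes; AES-GCM ciphertext when Req is "confidentiality"
	Sig    []byte // detached Ed25519 signature over Data ("integrity" only)
	Nonce  []byte // AES-GCM nonce ("confidentiality" only)
}

// CheckPartition is steps 5-6 of the deployment flow: pick the issuer's key, then verify or decrypt.
// It returns the bytes the hypervisor may mount, or an error that must abort the whole deployment.
func CheckPartition(p Partition, issuerKeys map[string]ed25519.PublicKey, ownerKey []byte) ([]byte, error) {
	switch p.Req {
	case "open":
		return p.Data, nil // no protection requested: mount as-is
	case "integrity":
		pub, ok := issuerKeys[p.Issuer] // only keys the host already trusts count
		if !ok {
			return nil, errors.New("no trusted key for issuer " + p.Issuer)
		}
		if !ed25519.Verify(pub, p.Data, p.Sig) {
			return nil, errors.New("signature verification failed for " + p.Issuer)
		}
		return p.Data, nil
	case "confidentiality":
		block, err := aes.NewCipher(ownerKey) // key held only by hosts in the trusted set
		if err != nil {
			return nil, err
		}
		gcm, err := cipher.NewGCM(block)
		if err != nil {
			return nil, err
		}
		if len(p.Nonce) != gcm.NonceSize() {
			return nil, errors.New("bad nonce length for " + p.Issuer)
		}
		return gcm.Open(nil, p.Nonce, p.Data, []byte(p.Issuer)) // AEAD: tampering fails the decrypt
	}
	return nil, errors.New("unknown security requirement " + p.Req)
}
```

The issuer name is bound into the AEAD's additional data so a ciphertext cannot be silently relabelled as a different partition.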
Performance Impact

Security configurations measured:
• No-security conf: none of the partitions are protected.
• Signed partitions conf: all the partitions are signed by their providers.
• Private data conf: all the software partitions are signed by their providers, except the user data partitions, which are encrypted by the user themselves.
• Private key conf: all the partitions are signed by their providers, except the VW key partition, which is encrypted by the VW owner.

(Figure: deployment-time measurements for these configurations; the chart values are not recoverable here.)
Conclusion
• GSI provides the mechanism to build trust between the VW host and the VW owner.
• Security meta-data is an end-to-end VW data integrity and confidentiality solution between the VW host and the VW owner, without any dependence on the transport and storage system.
• With the Resource Proxy Certificate the user can attest the VW and the running host.
• The performance impact on VW deployment brought by the security functionality is significant, but still acceptable (deploying a VW with 3 GB of signed partitions needs no more than 3 minutes).
• The performance impact is mainly caused by large partitions, and encryption is much more expensive than the signature calculation.
• To minimize the overhead, it is desirable to:
  • reduce the granularity of a partition;
  • keep the big software partitions read-only and on site for reuse;
  • apply encryption only to small data partitions.
• Further optimization will be developed based on fast security implementations, caching and differential transfer.
• For more information visit http://workspace.globus.org/