Legion - A Grid OS
Object Model
• Everything is an object
• Core objects:
  - processing resource – host object
  - stable storage – vault object
  - definition of an object – class object
• Legion provides default implementations, but all system components can be extended, specialized and replaced.
Object Model
• Object state
  - Active: hosted within a running process
  - Inert: state/OPR is stored on a persistent storage device
  - OPR contains: LOID, private key, ACL
• Identified by a location-independent LOID
• The LOID includes the public key
Legion Runtime Library
• Defines generic interfaces to services
  - message passing
  - object creation, location, deletion
• Flexible, configurable protocol stack
  - adding message privacy is simply a matter of registering the appropriate message-processing event handlers into the Legion protocol stack
Two main concerns
• User’s concern: protecting the meta-computer’s high-level resources, services, and users from possibly corrupted underlying resources
• Administrator’s concern: preserving the security policies of the underlying resources that form the foundation of the meta-computer, and minimizing their vulnerability to attacks from the meta-computer level
Features
• Flexible: a simple, policy-neutral mechanism; different policies can be built on top of it
• Easy to use: exploits the Legion inheritance mechanism
• Scalable: objects authenticate one another directly; no centralized key service
• Isolated: object isolation and site isolation
Object Management
• Object isolation
  - isolate system objects from user objects: the host object and vault object run under different local accounts
  - isolate different users’ objects from one another: native user or generic account
• The host object does not run as root
• The PCD (Process Control Daemon) activates, deactivates and reactivates objects at the request of the host object
Creating an object
• Class manager
  - assigns a LOID for the new object
  - creates the object’s key
  - passes the LOID and key to the host object on the machine where the object will run
  - passes the binary of the object implementation to the host object
  - asks the vault object to create a directory for the object
• Host object
  - maps the LOID to a local user account
  - spawns a process to host the object
  - passes the LOID and key to the active object
  - changes the ownership of the object’s directory
Credential
• A list of rights granted by the credential’s maker; can be passed along the call chain
• Delegated credentials – state what the right is and to whom it is granted, e.g., [object A may call object B’s method M as Alice during the period T] signed Alice
• Bearer credentials – state only what the right is
  - the call chain may branch out
  - the identity of the final object on the call chain may be unknown to the user
  - increased risk
• Both have a validity period, or a short lifetime
• Authentication credential
Access Control
• Each object is responsible for enforcing its own access control policy
• MayI: each object implements access control on a per-function basis
  (diagram: object A calls b.foo() on object B; B’s MayI checks foo and answers ok or No!)
• Who decides the security policy of an object?
  - the user initiating the object
  - the class object of this object
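An added example (not Legion's own code) that models the credential and MayI rules of the two slides above: delegated and bearer credentials with a validity period, the maker's signature, and a per-method check against the target object's ACL. The HMAC secrets, the ACL entries and the object names are constructed stand-ins for Legion's LOID public keys and real objects.

```python
import hmac
import hashlib
from dataclasses import dataclass, replace
from typing import Optional

# Constructed per-principal signing secrets standing in for the public keys carried
# in Legion LOIDs (assumption for this example; Legion uses public-key signatures).
KEYS = {"Alice": b"alice-secret", "Bob": b"bob-secret"}

# Constructed ACL for object B: which identities may call which method.
ACLS = {"B": {"M": {"Alice"}}}

@dataclass(frozen=True)
class Credential:
    maker: str             # identity that signs the right (e.g. Alice)
    kind: str              # "delegated" (bound to a holder) or "bearer"
    holder: Optional[str]  # object allowed to use a delegated right; None for bearer
    target: str            # object whose method may be called
    method: str            # the method the right covers
    not_before: int        # validity period T = [not_before, not_after]
    not_after: int
    sig: bytes = b""

    def payload(self) -> bytes:
        fields = (self.maker, self.kind, self.holder, self.target,
                  self.method, self.not_before, self.not_after)
        return "|".join(str(f) for f in fields).encode()

def sign(cred: Credential) -> Credential:
    """The maker signs the credential (HMAC here, a public-key signature in Legion)."""
    mac = hmac.new(KEYS[cred.maker], cred.payload(), hashlib.sha256).digest()
    return replace(cred, sig=mac)

def may_i(target: str, method: str, caller: str, cred: Credential, now: int) -> bool:
    """Per-function MayI check run by `target` before dispatching `method`."""
    key = KEYS.get(cred.maker, b"")
    expected = hmac.new(key, cred.payload(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, cred.sig):
        return False  # forged, or a field was altered after signing
    if cred.target != target or cred.method != method:
        return False  # the right does not cover this object/method
    if not cred.not_before <= now <= cred.not_after:
        return False  # outside the validity period
    if cred.kind == "delegated" and cred.holder != caller:
        return False  # a delegated right is bound to one object; bearer rights are not
    # The caller acts "as" the maker: the target's own ACL must admit that identity.
    return cred.maker in ACLS.get(target, {}).get(method, set())
```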
Scenario 1: Site isolation
• Problem: no matter how subverted any external sites in the Legion system might be, no intruder can invoke methods on local Legion resources as Admin
• Solution:
  - local Legion resources should be started as a separate Legion domain
  - automated enforcement of no leakage of site-critical information off-site by configuring an extra event handler, e.g., an event handler for the message-send event that checks whether the ACL of the host object is being sent out; if so, the message is blocked and an exception is raised
Scenario 2: Site-wide required access control
• Problem:
  - a file object with no restrictions on which users can access the file it represents
  - a site wishes to enforce the policy that files may not be accessed by outside users
• Solution: use the local host object to control access to local resources. The site administrator can configure the ACL of the host object to limit the classes of objects that may run at the site.
Scenario 3: Site selection policy
• Problem: which resource should execute my job?
• Solution: encode the site selection policy in the user’s class manager objects
Comparison
• Resource proxy vs. host object
• Delegate identity vs. delegate right
• No object control vs. MayI