Fletcher Liverance, 5 May 2009
Grid Computing Security: A Taxonomy
IEEE Security & Privacy, 2007
Anirban Chakrabarti, Anish Damodaran, Shubhashis Sengupta

Overview
• What is Grid Computing?
• Pie in the sky
• Host-level issues and solutions
• Architecture-level issues and solutions
• Credential-level issues
What is Grid Computing?
"geographically distributed heterogeneous resources are virtualized as a unified whole."
Related terms (as listed on the slide):
• Web 2.0
• Scalable Link Interface (SLI)
• Virtualization
• Software as a service
• Folding@home
• Peer to peer
• Cluster computing
• Cloud computing
• Distributed computing

Pie in the sky
• IBM Roadrunner
  • 6,480 AMD dual-core processors
  • 12,960 IBM PowerXCell processors
• Hewlett-Packard
  • 300,000 employees
  • 600,000 processors
  • 600 TB of RAM
  • 120,000 TB of storage
• World wide
  • One billion PCs
  • 95 million consoles
  • Two billion cell phones
Host-level issues and solutions
• Data protection
  • Application-level sandboxing
    • Proof-carrying code: the code ships with a proof that it obeys the host's safety rules, which the host checks before running it
    • The code producer, not the host, is responsible for establishing safety
    • Does not scale
  • Virtualization
    • VMware GSX/ESX/Workstation
    • Paravirtualization: Xen (the guest OS is modified to call into the hypervisor)
    • IA-32 is not classically virtualizable in the Popek and Goldberg sense: some privileged instructions execute silently in user mode instead of trapping, which is why Xen paravirtualizes the guest (Intel VT-x and AMD-V later added the missing traps)

Host-level issues and solutions (continued)
• Data protection
  • User-space sandboxing
    • TRON: a process-level discretionary access control system
    • Simple, but requires the system calls to be reimplemented
    • Call-chaining issues
    • Incomplete context
  • Flexible kernels (kernel-level sandboxing)
    • Exokernel OS (MIT)
    • Zones (Sun Solaris 10)
    • Application containers

Host-level issues and solutions (continued)
• Job starvation: grid jobs consume the resources that local jobs need
  • Advance reservation techniques
    • Resources are requested from the grid scheduler ahead of time
    • Not transparent to the user
    • Requires advanced scheduling support
  • Priority-reduction techniques
    • Local priority reduction, e.g. Sun Grid Engine
    • Ad hoc mechanism
    • Unpredictable behaviour and lower QoS for the grid job
  • Example: peer-to-peer systems
Architecture-level issues and solutions
• Information security: Grid Security Infrastructure (GSI)
  • Secure communication
    • Transport-level security: SSL/TLS
    • Message-level security: WS-Security (WSS) over SOAP
  • Authentication
    • X.509 certificates issued by a CA
    • Username/password over SOAP with WSS
    • GSI-to-Kerberos gateway for sites that already run Kerberos
  • Single sign-on and delegation
    • Time-limited proxy certificates (RFC 3820): a short-lived certificate signed with the user's own certificate rather than by the CA, which a service can present on the user's behalf
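The proxy-certificate mechanism above is easy to get wrong because ordinary X.509 path validation rejects it: the proxy is signed by an end-entity certificate, not a CA. The following is an added example, not code from the paper, the slides or the Globus Toolkit, showing the checks a GSI service applies to a delegated proxy (signature by the user's certificate, validity window bounded by the issuer's, RFC 3820 naming rule, fresh key pair) and contrasting them with the standard chain check. It uses only Go's standard library; the ECDSA P-256 keys, the names "Grid", "Alice" and "Bob", the self-signed user certificate standing in for a CA-issued one, and the 12-hour proxy lifetime are all assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var (
	oidO  = asn1.ObjectIdentifier{2, 5, 4, 10} // organizationName
	oidCN = asn1.ObjectIdentifier{2, 5, 4, 3}  // commonName
)

// dn builds an ordered subject via ExtraNames so that a proxy can carry two CN components.
func dn(org string, cns ...string) pkix.Name {
	n := pkix.Name{ExtraNames: []pkix.AttributeTypeAndValue{{Type: oidO, Value: org}}}
	for _, cn := range cns {
		n.ExtraNames = append(n.ExtraNames, pkix.AttributeTypeAndValue{Type: oidCN, Value: cn})
	}
	return n
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs template under parent with signer (self-signed when parent == template).
// Demo construction only, so it panics instead of returning an error.
func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// validateProxy applies the RFC 3820 checks a GSI service performs on a delegated proxy.
// Plain RFC 5280 path validation cannot accept a proxy: its issuer is an end entity, not a CA.
func validateProxy(proxy, issuer *x509.Certificate, now time.Time) error {
	if !bytes.Equal(proxy.RawIssuer, issuer.RawSubject) {
		return errors.New("proxy issuer name does not match the presented issuer")
	}
	if err := issuer.CheckSignature(proxy.SignatureAlgorithm, proxy.RawTBSCertificate, proxy.Signature); err != nil {
		return fmt.Errorf("proxy signature: %w", err)
	}
	if now.Before(proxy.NotBefore) || now.After(proxy.NotAfter) {
		return errors.New("proxy is outside its validity window")
	}
	if proxy.NotAfter.After(issuer.NotAfter) {
		return errors.New("proxy outlives its issuer")
	}
	// Naming rule: the proxy subject is the issuer subject plus exactly one appended CN.
	is, ps := issuer.Subject.Names, proxy.Subject.Names
	if len(ps) != len(is)+1 || !ps[len(ps)-1].Type.Equal(oidCN) {
		return errors.New("proxy subject must append exactly one CN to the issuer subject")
	}
	for i := range is {
		if !is[i].Type.Equal(ps[i].Type) || is[i].Value != ps[i].Value {
			return errors.New("proxy subject does not extend the issuer subject")
		}
	}
	// Delegation generates a fresh key pair; the user's private key never leaves the user.
	if pk, ok := proxy.PublicKey.(*ecdsa.PublicKey); !ok || pk.Equal(issuer.PublicKey) {
		return errors.New("proxy must carry a new key, not the issuer's")
	}
	return nil
}

type demo struct{ user, proxy, impostor *x509.Certificate }

// buildDemo constructs the demo chain. Assumption: the user certificate is self-signed here
// as a stand-in for one issued by the VO's CA; both proxies are signed with the user's key.
func buildDemo(now time.Time) demo {
	userKey, proxyKey := newKey(), newKey()
	userTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: dn("Grid", "Alice"),
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour)}
	user := issue(userTmpl, userTmpl, &userKey.PublicKey, userKey)
	// A 12-hour proxy (grid-proxy-init's default lifetime) carrying a fresh key.
	proxy := issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: dn("Grid", "Alice", "proxy"),
		NotBefore: now, NotAfter: now.Add(12 * time.Hour)}, user, &proxyKey.PublicKey, userKey)
	// Signed with Alice's key but naming Bob: the naming rule must reject it.
	impostor := issue(&x509.Certificate{SerialNumber: big.NewInt(3), Subject: dn("Grid", "Bob", "proxy"),
		NotBefore: now, NotAfter: now.Add(12 * time.Hour)}, user, &proxyKey.PublicKey, userKey)
	return demo{user: user, proxy: proxy, impostor: impostor}
}

func main() {
	now := time.Now()
	d := buildDemo(now)
	fmt.Println("valid proxy:   ", validateProxy(d.proxy, d.user, now))
	fmt.Println("expired proxy: ", validateProxy(d.proxy, d.user, now.Add(13*time.Hour)))
	fmt.Println("impostor proxy:", validateProxy(d.impostor, d.user, now))
	fmt.Println("RFC 5280 path: ", d.proxy.CheckSignatureFrom(d.user))
}
```

The last line of main shows why a grid service cannot simply hand the proxy to a stock TLS verifier: CheckSignatureFrom refuses the user certificate as an issuer because it is not a CA, so the proxy rules have to be applied explicitly, and the naming and lifetime checks are what stop a delegated credential from being re-labelled as another user or from outliving the credential it was derived from.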
Architecture-level issues and solutions (continued)
• Policy-mapping issues
  • Resource level
    • Akenti: distributed access control mechanism
      • Use-condition certificates (what the resource requires)
      • Attribute certificates (what the subject holds)
  • Virtual Organization level
    • Community Authorization Service (CAS)
    • Role-based access control
• Denial of service (DoS)
  • Preventive solutions
    • Application filtering
    • Snort (intrusion detection system)
  • Reactive solutions
    • Link testing (tracing the attack path back hop by hop)
    • Logging
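Underneath Akenti and CAS, the most basic resource-level policy mapping in Globus GSI is the grid-mapfile, which maps a certificate subject to the local accounts it may run as. The one thing that mapping must get right is to decide on the user's end-entity identity and not on the proxy subject the delegation chain presents. The following is an added example, not code from the paper or from Globus: a parser for the grid-mapfile line format ("<subject DN>" account[,account...], with '#' comments), a normaliser that strips proxy CN components before lookup, and a lookup that also flags limited proxies. The mapfile contents, DNs and account names are constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Constructed grid-mapfile in the Globus format: "<subject DN>" account[,account...]; '#' comments.
const gridMapfile = `# resource-level policy: certificate subject -> local account(s)
"/O=Grid/OU=Physics/CN=Alice Example" alice,physics
"/O=Grid/OU=Ops/CN=Bob Example" bob
`

type gridMap map[string][]string

// parseGridMap reads the mapping. Malformed lines are rejected rather than skipped: a
// silently dropped entry turns into a confusing "not authorized" for a legitimate user.
func parseGridMap(src string) (gridMap, error) {
	m := gridMap{}
	sc := bufio.NewScanner(strings.NewReader(src))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		end := strings.Index(line[1:], `"`)
		if !strings.HasPrefix(line, `"`) || end < 0 {
			return nil, fmt.Errorf("line %d: subject DN must be double-quoted", n)
		}
		dn, accounts := line[1:end+1], strings.TrimSpace(line[end+2:])
		if accounts == "" {
			return nil, fmt.Errorf("line %d: no local account for %s", n, dn)
		}
		m[dn] = strings.Split(accounts, ",")
	}
	return m, sc.Err()
}

// proxyCN matches the components a GSI delegation chain appends to the user's DN:
// "proxy" or "limited proxy" (legacy Globus proxies) or a number (RFC 3820 proxies).
var proxyCN = regexp.MustCompile(`/CN=(proxy|limited proxy|[0-9]+)$`)

// endEntityDN strips proxy components so the decision is made on the user's own identity
// and not on whatever CN the delegation chain appended. It also reports whether a limited
// proxy was in the chain, which Globus does not accept for starting jobs.
func endEntityDN(subject string) (dn string, limited bool) {
	dn = subject
	for loc := proxyCN.FindStringSubmatchIndex(dn); loc != nil; loc = proxyCN.FindStringSubmatchIndex(dn) {
		if dn[loc[2]:loc[3]] == "limited proxy" {
			limited = true
		}
		dn = dn[:loc[0]]
	}
	return dn, limited
}

// mapSubject returns the local accounts for a presented (possibly proxy) subject.
func (m gridMap) mapSubject(subject string) (accounts []string, limited bool, err error) {
	dn, limited := endEntityDN(subject)
	accounts, ok := m[dn]
	if !ok {
		return nil, limited, fmt.Errorf("no grid-mapfile entry for %q (end entity of %q)", dn, subject)
	}
	return accounts, limited, nil
}

func main() {
	m, err := parseGridMap(gridMapfile)
	if err != nil {
		panic(err)
	}
	for _, s := range []string{
		"/O=Grid/OU=Physics/CN=Alice Example/CN=1834592/CN=92041", // two-level RFC 3820 chain
		"/O=Grid/OU=Ops/CN=Bob Example/CN=limited proxy",         // legacy limited proxy
		"/O=Grid/OU=Ops/CN=Mallory/CN=Bob Example",               // appended CN is not a proxy marker
	} {
		acc, limited, err := m.mapSubject(s)
		fmt.Printf("%-58s -> %v limited=%v err=%v\n", s, acc, limited, err)
	}
}
```

The third subject in main is the case to watch: an extra CN that merely contains another user's name is not a proxy marker, so it is not stripped, the lookup fails, and no account is granted; a mapping done on a prefix match or on the last CN alone would have got this wrong.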
Credential-level issues
• Credential repositories
  • Take responsibility for storing the user's credentials
  • MyProxy online credential repository
• Credential federation systems
  • "Manage credentials across multiple systems, domains, and realms."
  • KX.509 (Kerberos-to-X.509 bridge)
  • Circle of trust
  • Shibboleth

Conclusions
"Grid security's ultimate goal is to make the grid infrastructure seamless and protect it against both known and unknown security attacks."
• Identify vulnerabilities
• Develop threat models
• Develop countermeasures for the threat models
• Evaluate the countermeasures
• (repeat ad nauseam)