“Status and Challenges of Security in Distributed Computing” — Stefan Lüders — CHEP2010 Status and Challenges of Security in Distributed Computing Stefan Lüders CHEP 2010 Taipei (TW), October 20 th 2010

“Status and Challenges of Security in Distributed Computing” — Stefan Lüders — CHEP2010 Benefits of Distributed Computing Distributed computing is valuable to attackers: ► Large number of distributed hosts & users ► High availability ► High inter-connectivity & throughput networks Shared users: Fast attack propagation across different sites Shared resources: Only one compromised user can affect others Transparent access: One malicious user can run malicious code across different sites NEW! Shared VM images: An attacker might bring a complete tool suite with him!

“Status and Challenges of Security in Distributed Computing” — Stefan Lüders — CHEP2010 Overview

“Status and Challenges of Security in Distributed Computing” — Stefan Lüders — CHEP2010 GRID Security Philosophy WLCG/EGI security governed through policies: ► High-level “Grid Security Policy” ► For users: “Grid Acceptable Use Policy” (AUP) ► For sites: “Grid Site Operations Policy” ►...plus many more Foster collaboration: ► …between users and security people ► …between all Grid sites: EGI/NGIs, WLCG, TeraGrid, OSG,… ► Information sharing essential! (incident forensics, vulnerabilities, good practises, policies) EGI Policy Group:

“Status and Challenges of Security in Distributed Computing” — Stefan Lüders — CHEP2010 Security incidents affecting WLCG sites: An attack against the academic community since 2008: ► Exploitation of vulnerable (unpatched) hosts somewhere in the community → Installation of a rootkit (hidden code) → Compromised account(s), i.e. stolen passwords, keys, certificates ► Attack against other hosts, also at other sites → SSH into other sites e.g. listed in known_hosts file → Trying for root privilege escalation via known vulnerabilities → Also checking for traditional injection techniques e.g. through /dev/mem or via loadable kernel modules (LKM) → More compromised hosts & accounts ► Periodic rootkit updates and new versions ► Difficult to contain since this requires all sites to be clean & patched  ► Difficult to detect (but we learn, too ) 1. Exploiting Trust: SSH attacks

“Status and Challenges of Security in Distributed Computing” — Stefan Lüders — CHEP2010 Several critical vulnerabilities published recently, e.g.: ► CVE (2009/8): bug in SOCKOPS_WRAP macro ► CVE (2009/8): bug in udp_sendmsg() ► CVE (2009/11): kernel NULL pointer dereference ► CVE (2010/9): possibility to stack underflow ► All allowed for privilege escalation (i.e. becoming root owning the host) ► Exploits out quickly after CVE announcement → Need to patch immediately #3081 took two days to patch: ► ~60 LXPLUS nodes: kick-off & patch ► ~2800 LXBATCH nodes: drain/kill & patch ► …and then are there all the Linux-based control systems for the LHC 2. Defence!!! “Thou shall patch!” Pakiti:

“Status and Challenges of Security in Distributed Computing” — Stefan Lüders — CHEP2010 Multi-Tier architecture: ► 11 Tier-1s, >100 Tier-2s,... ► Traffic & firewalls easy to control; #connected sites known & constant Tendency to move to P2P: ► Direct access between Tier’s and to Tier-0 from Tier-2s/Tier-3s ► Increasing firewall complexity ► Frequent changes (“dynamic firewall punching”) ► Traffic load spikes amplified 3. Go Cloud: From Tier to P2P

“Status and Challenges of Security in Distributed Computing” — Stefan Lüders — CHEP2010 4a. Virtualization: Inherent Risks Increasing the attack surface & enabling new attack vectors: ► Additional abstraction layer: new code, new interfaces, new challenges ► New things to worry about (break out of VM, …into hypervisor, …into host OS, …into other VMs) ► Lots of new complexity: Nothing fundamentally challenging, but many issues to consider. There are lots of benefits from virtualization, too: ► Security perhaps isn't the strongest. ► In the end, no big difference for security: if you have one server with ten virtual instances or ten servers… J. Iven Hepix2009

“Status and Challenges of Security in Distributed Computing” — Stefan Lüders — CHEP2010 4b. Virtualization: Image Distro Submit complete VM images and pull in analysis jobs: ► Stripped-down O/S plus analysis code ► Functionality & stability: Need of frozen releases Security, anyone? ► How to enforce patching? ► How to deploy “syslogging”? What about tight local firewall rules? ► How to keep local (root) credentials unique/secret? ► How to do forensics??? Can I run random VMs at your home? ► Do we need image certification, tracking, revoking & inventory? → Slow certification and even slower patching…? ► Or do we need to change our security model? HEPiX Virtualisation Working Group “Policy on the Endorsement of Virtual Machine Images”

“Status and Challenges of Security in Distributed Computing” — Stefan Lüders — CHEP One step more? Go Amazon! S. Bradshaw, C. Millard, I. Walden “Contracts for Clouds: Comparison and Analysis of the Terms and Conditions for Cloud Computing Services” Loss of ownershipLoss of availabilityLoss of guaranteesStill 100% responsible for security

“Status and Challenges of Security in Distributed Computing” — Stefan Lüders — CHEP2010 Summary Grid/Cloud Computing comes with lots of functional benefits and users conveniences. Security must not be neglected… …but remain inherent part of it. ► This is not you or me: It is us together !!! ► Enable controlling the network of trust ► Enforce fast patching mechanisms ► Keep it simple (the “KISS”-principle) ► Understand the risks of virtualization… ► …and of fully outsourcing into the cloud! 谢谢

“Status and Challenges of Security in Distributed Computing” — Stefan Lüders — CHEP2010 A little bit of password phishing Which URL leads you to ? %2e%31%33%38%2e%31%33%37%2e%31%37%37/p?uh3f223d ► ► co_partnerid=2&usage=0&ru=http%3A%2F%2Fwww.ebay.com&rafId=0 &encRafId=default ►