G-PASS: Security Infrastructure for Grid Travelers Tianchi Ma, Lin Chen, Cho-Li Wang, Francis C.M. Lau The University of Hong Kong.

Outline
- Problems & Methodology
- Introduction to G-PASS
- Application: G-JavaMPI
- Experiment Results

Grid Travelers
- A Grid Traveler is a process that can move itself across the boundary of organizations during runtime.
- Two types of Grid travelers:
  - Mobile agent
  - Migratable process
- Organization = policy space:
  - Security policy (identity, access control)
  - Other policies

Security Issues for Grid Travelers
- Protect Grid travelers from malicious hosts:
  - Eavesdropping
  - Integrity compromise
- Protect hosts from malicious travelers:
  - Illegal resource access
  - Delivery of fake information
  - DoS attack (replay)
- Protect against network eavesdropping:
  - Use secure transfer

Under a Grid Scenario (1)
- Complex authorization relationships
- Multiple policy spaces concerned:
  - Identity mapping
  - Reputation system
- Most existing mechanisms are less general-purpose

Under a Grid Scenario (2)
[Diagram: organizations as policy spaces, with a dispatcher, a warrantor, identity mapping, reputation, a warranted traveler and a security exception marked "!"]
An example scenario of a Grid traveler who wants to access resources in another organization. Note that this example is the simplest one in a Grid.

Problems
- How to carry and prove the authorizations and warrants?
- How to record and track the history of events?
- How to do the identity mapping?
- How to propagate security exceptions and reputation?

Grid Fashion
- Infrastructure:
  - General-purpose (not application-specific)
  - Providing fundamental information and control mechanisms
- Weak defense:
  - Monitoring instead of preventing
  - Stable information
  - Reputation system

Relevant Information
- Distributed trust model:
  - Authorization
  - Delegation
  - Warrant
- Events:
  - Migration
  - Resource consumption / job submission
  - Exceptions

GSI: Not Enough for Grid Travelers
- Provides a fundamental establishment derived from conventional distributed trust:
  - PKI, X.509
  - Global DN -> local user
- Job service:
  - Delegation
  - Proxy
- X.509 delegation is unsuitable for Grid travelers:
  - Scalability: forms a certificate chain
  - Delegation abuse under the full-delegation protocol
  - Cannot deal with complex identity mapping

Traveler in Reality
- Visa
- The example shows how a traveler can be permitted to visit an unacquainted country and perform some critical operations.

G-passport
- A G-passport is a list of certificates and proved security information
- Records and proofs:
  - Transit
  - Privilege taken
  - Security exception
- Contracts
- Doubly linked traceable list

G-passport Example
A Grid traveler's recorded history: Birth -> Initiation -> Migration -> Warranted -> ...

Instance-Oriented Delegation
- Security transaction:
  - Separation of responsibility
- Security instance:
  - Binds a transaction with its valid specification
  - The issuer signs it
- Different from a capability:
  - Represents delegation, not direct authorization on a resource

Across the Organization Boundary
- A global identity cannot be recognized by local resources
- Mapping: G-passport -> local privilege table
- Role-based: RBAC3
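Added example, not code from the G-PASS paper or the G-JavaMPI project: it models the G-passport slides (a signed, linked, traceable record list with issuer-signed instances and a Birth/Initiation/Migration/Warranted history) and the identity-mapping step from warranted records to a local RBAC privilege table. The issuer names, the HMAC stand-in for GSI/X.509 signatures, the role names and the privilege table are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed issuer secrets standing in for each org's GSI/X.509 signing key (assumption).
ISSUER_KEYS = {"hku": b"hku-secret", "cityu": b"cityu-secret"}

def _digest(obj):
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def append_record(passport, issuer, event, detail):
    """Append a record signed by its issuer and linked to the previous record's signature."""
    payload = {"seq": len(passport), "issuer": issuer, "event": event, "detail": detail,
               "prev": passport[-1]["sig"] if passport else "birth"}
    sig = hmac.new(ISSUER_KEYS[issuer], _digest(payload).encode(), "sha256").hexdigest()
    passport.append({**payload, "sig": sig})

def verify_passport(passport):
    """Every record must link to its predecessor and be signed by a known issuer."""
    prev = "birth"
    for i, rec in enumerate(passport):
        payload = {k: v for k, v in rec.items() if k != "sig"}
        if rec["seq"] != i or rec["prev"] != prev:
            return False, f"record {i}: broken link"
        key = ISSUER_KEYS.get(rec["issuer"])  # unknown issuer: reject, never fall back to a default key
        if key is None or not hmac.compare_digest(
                hmac.new(key, _digest(payload).encode(), "sha256").hexdigest(), rec["sig"]):
            return False, f"record {i}: bad issuer or signature"
        prev = rec["sig"]
    return True, "ok"

# Host organization's local policy (constructed values).
TRUSTED_ISSUERS = {"hku", "cityu"}
ROLE_MAP = {"mpi-vo:bio-reader": "blast_user"}  # warranted global role -> local RBAC role
LOCAL_PRIVILEGES = {"blast_user": {"read:nr-db", "submit:blastp"}}  # local privilege table

def local_privileges(passport):
    """Grant nothing unless the passport verifies; then map trusted warrants to local privileges."""
    if not verify_passport(passport)[0]:
        return set()
    return {priv for rec in passport
            if rec["event"] == "warranted" and rec["issuer"] in TRUSTED_ISSUERS
            for priv in LOCAL_PRIVILEGES.get(ROLE_MAP.get(rec["detail"].get("role")), set())}

def sample_passport():  # constructed history: initiation at HKU, migration to CityU, warrant there
    p = []
    append_record(p, "hku", "initiation", {"job": "blastp"})
    append_record(p, "cityu", "migration", {"from": "hku", "to": "cityu"})
    append_record(p, "cityu", "warranted", {"role": "mpi-vo:bio-reader"})
    return p
```

A host that edits a warranted record, appends one from an unknown issuer, or reorders the history breaks verification and is granted no local privileges.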

Position of G-PASS
- Under the application layer
- Can access the resource layer
- Based on GSI

Application: G-JavaMPI
- Grid-based Java MPI
- Support for process migration
- Four reasons for migration:
  - Availability
  - Searching for a better resource
  - Load balancing
  - Optimizing the program by removing the bottleneck caused by communication

JmpiBLAST
- A BLAST program on G-JavaMPI:
  - Four universities sharing CPU cycles and local bio-databases
  - Funded by two organizations
  - The MPI VO coordinates their resources together

HKU Gideon 300 Cluster
- Pentium GHz w/ 512 Kbytes L2 cache
- 512 Mbytes (PC2100) DDR SDRAM
- Fast-Ethernet adaptors x 2
- 40 GB IDE hard disk
- Linux OS (RedHat 7.3/8.0)
- High-performance network (for inter-process communication):
  - Foundry Networks' Fast-Ethernet switch with 312 ports
- Hierarchical management network (for I/O access and cluster management):
  - 24-port Gigabit-Ethernet switch x 1
  - 24-port Fast-Ethernet switch (with Gigabit-Ethernet uplink) x 13
  - UTP network cables x 620

Hong Kong Grid
HKGrid provides a platform for its members to experiment with various research prototypes and pilot applications.
Institutions:
- City University of HK
- HK Baptist University
- HK University of Science and Technology
- The HK Polytechnic University
- The HK Institute of HPC
- HKU – Computer Centre
- HKU – Department of CSIS

Environment Setting
- JmpiBLAST setting:
  - Application: Blastp
  - Database: nr (687 MBytes)
  - Segment: 1 MBytes (687 segments)
- Experiment setting:
  - Three Blastp programs, 18 processes in total (8, 6 and 4 respectively)
  - Global scheduling: GA vs. Min-Min
  - Original nodes: 5
  - Event 1: 2 nodes join
  - Event 2: 2 nodes quit

Data Reports
- In tasks 1 and 2, the GA is better than Min-Min
- In task 3, Min-Min generates a better result
- Scheduling by GA in task 1 fully utilized the additional 2 nodes and provided maximal throughput during the fixed time interval between event 1 and event 2.

Security Overhead
[Chart: G-PASS overhead, annotated as affordable]

Results from HKGrid
Under all circumstances, the security overhead is less than 50%.

Thank You! Q&A?
Web site: JavaMPI/doc/readme.html