1 Security Risks in the Grid UW-Madison July 22, 2010 Barton P. Miller James A. Kupsch Computer Sciences Department University of Wisconsin

Slides:



Advertisements
Similar presentations
Current methods for negotiating firewalls for the Condor ® system Bruce Beckles (University of Cambridge Computing Service) Se-Chang Son (University of.
Advertisements

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.
MyProxy: A Multi-Purpose Grid Authentication Service
A responsibility based model EDG CA Managers Meeting June 13, 2003.
Grid Security. Typical Grid Scenario Users Resources.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
DESIGNING A PUBLIC KEY INFRASTRUCTURE
16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
1 Security Risks in Clouds and Grids Condor Week May 5, 2011 Barton P. Miller James A. Kupsch Computer Sciences Department University of Wisconsin
Condor Project Computer Sciences Department University of Wisconsin-Madison Security in Condor.
Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department
Air Force Association (AFA) 1. 1.Access Control 2.Four Steps to Access 3.How Does it Work? 4.User and Guest Accounts 5.Administrator Accounts 6.Threat.
Copyright © 2002 ProsoftTraining. All rights reserved. Operating System Security.
National Computational Science National Center for Supercomputing Applications National Computational Science MyProxy: An Online Credential Repository.
DIRAC Web User Interface A.Casajus (Universitat de Barcelona) M.Sapunov (CPPM Marseille) On behalf of the LHCb DIRAC Team.
1 10 common programming mistakes that make you vulnerable to attack Condor Week Madison May 3, 2012 This research funded in part by Department of Homeland.
Track 1: Cluster and Grid Computing NBCR Summer Institute Session 2.2: Cluster and Grid Computing: Case studies Condor introduction August 9, 2006 Nadya.
TeraGrid Science Gateways: Scaling TeraGrid Access Aaron Shelmire¹, Jim Basney², Jim Marsteller¹, Von Welch²,
Hao Wang Computer Sciences Department University of Wisconsin-Madison Security in Condor.
1 1 Vulnerability Assessment of Grid Software Jim Kupsch Associate Researcher, Dept. of Computer Sciences University of Wisconsin-Madison Condor Week 2006.
Publication and Protection of Site Sensitive Information in Grids Shreyas Cholia NERSC Division, Lawrence Berkeley Lab Open Source Grid.
CN1176 Computer Support Kemtis Kunanuraksapong MSIS with Distinction MCT, MCTS, MCDST, MCP, A+
May 8, 20071/15 VO Services Project – Status Report Gabriele Garzoglio VO Services Project – Status Report Overview and Plans May 8, 2007 Computing Division,
1 Vulnerability Assessment of Grid Software James A. Kupsch Computer Sciences Department University of Wisconsin Condor Week 2007 May 2, 2007.
Planning a Microsoft Windows 2000 Administrative Structure Designing default administrative group membership Designing custom administrative groups local.
Privilege separation in Condor Bruce Beckles University of Cambridge Computing Service.
Mine Altunay July 30, 2007 Security and Privacy in OSG.
1 Vulnerability Assessment Elisa Heymann Computer Architecture and Operating Systems Department Universitat Autònoma de Barcelona
Legion - A Grid OS. Object Model Everything is object Core objects - processing resource– host object - stable storage - vault object - definition of.
Condor Project Computer Sciences Department University of Wisconsin-Madison Grids and Condor Barcelona,
Unix Security Assessing vulnerabilities. Classifying vulnerability types Several models have been proposed to classify vulnerabilities in UNIX-type Oses.
Security fundamentals Topic 5 Using a Public Key Infrastructure.
Security Vulnerabilities in A Virtual Environment
Database Security Cmpe 226 Fall 2015 By Akanksha Jain Jerry Mengyuan Zheng.
The world leader in serving science Overview of Thermo 21 CFR Part 11 tools Overview of software used by multiple business units within the Spectroscopy.
Security Architecture of qmail and Postfix Authors: Munawar Hafiz Ralph E. Johnson Prepared by Geoffrey Foote CSC 593 Secure Software Engineering Seminar.
Web Services Security Patterns Alex Mackman CM Group Ltd
Ian D. Alderman Computer Sciences Department University of Wisconsin-Madison Condor Week 2008 End-to-end.
Chapter 40 Network Security (Access Control, Encryption, Firewalls)
ALCF Argonne Leadership Computing Facility GridFTP Roadmap Bill Allcock (on behalf of the GridFTP team) Argonne National Laboratory.
OSG Site Admin Workshop - Mar 2008Using gLExec to improve security1 OSG Site Administrators Workshop Using gLExec to improve security of Grid jobs by Alain.
1 AHM, 2–4 Sept 2003 e-Science Centre GRID Authorization Framework for CCLRC Data Portal Ananta Manandhar.
First Principles Vulnerability Assessment Computer Architecture & Operating Systems Department Universitat Autònoma de Barcelona Elisa Heymann Manuel Brugnoli.
Condor Services for the Global Grid: Interoperability between OGSA and Condor Clovis Chapman 1, Paul Wilson 2, Todd Tannenbaum 3, Matthew Farrellee 3,
WLCG Authentication & Authorisation LHCOPN/LHCONE Rome, 29 April 2014 David Kelsey STFC/RAL.
LINUX Presented By Parvathy Subramanian. April 23, 2008LINUX, By Parvathy Subramanian2 Agenda ► Introduction ► Standard design for security systems ►
HTCondor Security Basics HTCondor Week, Madison 2016 Zach Miller Center for High Throughput Computing Department of Computer Sciences.
ASHRAY PATEL Protection Mechanisms. Roadmap Access Control Four access control processes Managing access control Firewalls Scanning and Analysis tools.
Why you should care about glexec OSG Site Administrator’s Meeting Written by Igor Sfiligoi Presented by Alain Roy Hint: It’s about security.
Lecture 19 Page 1 CS 236 Online 6. Application Software Security Why it’s important: –Security flaws in applications are increasingly the attacker’s entry.
In-Depth Vulnerability Assessment of Middleware Computer Architecture & Operating Systems Department Universitat Autònoma de Barcelona Elisa Heymann.
Manuel Brugnoli, Elisa Heymann UAB
HTCondor Security Basics
Grid Security.
Secure Software Confidentiality Integrity Data Security Authentication
Introduction to Operating System (OS)
THE STEPS TO MANAGE THE GRID
The Scheduling Strategy and Experience of IHEP HTCondor Cluster
Unit 27: Network Operating Systems
HTCondor Security Basics HTCondor Week, Madison 2016
Network Security – Kerberos
Basic Grid Projects – Condor (Part I)
Operating System Security
Operating System Concepts
Designing IIS Security (IIS – Internet Information Service)
Mohammad Alauthman Computer Security Mohammad Alauthman
6. Application Software Security
Presentation transcript:

1 Security Risks in the Grid UW-Madison July 22, 2010 Barton P. Miller James A. Kupsch Computer Sciences Department University of Wisconsin Elisa Heymann Computer Architecture and Operating Systems Department Universitat Autònoma de Barcelona

2 Who we are Elisa Heymann Eduardo Cesar Jairo Serrano Guifré Ruiz Bart Miller Jim Kupsch Rohit Koul Wenbin Fang

3 What should you expect ›Users –Understand the risks –Prevention ›Administrators –Understand SW configuration –Manage processes, resources, privileges ›Developers –Secure programming techniques

4 What do we do ›Make grid software more secure ›Make a good assessment more automated ›Teach tutorials: –Security risks –Vulnerability assessment –Secure programming

5 Roadmap ›Introduction: Some fun? ›Talk the talk ›What the bad guys can do to you ›What can you do?

6 Why do we do it

7

8

9

10 Why do we do it ›Machines belonging to a grid site are accessible from the Internet ›Those machines are continuously probed: –Attackers trying to brute-force passwords –Attackers trying to break Web applications –Attackers trying to break into servers and obtain administrator rights

11 Why do we do it ›SW has vulnerabilities ›Grid SW is complex and large ›Vulnerabilities can be exploited by legal users or by others

12 Why do we do it ›Attacker chooses the time, place, method, … ›Defender needs to protect against all possible attacks (currently known, and those yet to be discovered)

13 Security ›Security is a permanent process ›Security cannot be proven ›Security is difficult to achieve and expensive, and only to 100%-ε ›Security involves: –Managers –Developers –Admins –Users

14 Admin Perspective Just to get a feeling … –Condor configured to track processes –When the job exits no processes are left behind SLOT1_USER = condor_user1 SLOT2_USER = condor_user2 STARTER_ALLOW_RUNAS_OWNER = False DEDICATED_EXECUTE_ACCOUNT_REGEXP = condor_user1 || condor_user2

15 Admin Perspective Just to get a feeling … –Depending on how Condor is installed, daemons run as root or as a non-roor user

16 Admin Perspective. Root Install Submit Host Central Manager User submit startd schedd shadow Execute Host startd schedd starter User Job collectornegotiator 1. Job Description File 2. Job ClassAd 1. Machine ClassAd 5. Report Match 6. Claim Host 7. Fork Shadow 8. Establish Communication Path 9. Set policy and fork User Job 4. Negotiation Cycle 7. fork Starter root condor user Real UIDs 4.Negotiation Cycle 5. Report Match 3. Job ClassAd

17 Admin Perspective. Non-Root Install Submit Host Central Manager User submit startd schedd shadow Execute Host startd schedd starter User Job collectornegotiator 1. Job Description File 2. Job ClassAd 1. Machine ClassAd 5. Report Match 6. Claim Host 7. Fork Shadow 8. Establish Communication Path 9. Set policy and fork User Job 4. Negotiation Cycle 7. fork Starter root condor user Real UIDs 4.Negotiation Cycle 5. Report Match 3. Job ClassAd

18 Developer Perspective Just to get a feeling … An example ›Find as many potential vulnerabilities as you can (there may be more than one) ›Assume: –pointer arguments are never NULL –strings are always NULL terminated

19 /* Safely Exec program: drop privileges to user uid and group * gid, and use chroot to restrict file system access to jail * directory. Also, don't allow program to run as a * privileged user or group */ 1.void ExecUid(int uid, int gid, char *jailDir, 2. char *prog, char *const argv[]) 3.{ 4. if (uid == 0 || gid == 0) { 5. FailExit("ExecUid: root uid or gid not allowed"); 6. } chroot(jailDir); /* restrict access to this dir */ setuid(uid); /* drop privs */ 11. setgid(gid); fprintf(LOGFILE, "Execvp of %s as uid=%d gid=%d\n", 14. prog, uid, gid); 15. fflush(LOGFILE); execvp(prog, argv); 18.}

20 Security in a Nutshell Basic Concepts ›Authentication ›Cryptography ›Certificates ›Authorization Delegation

21 Authentication ›Ability to identify each user of the system ›Ability to identify the processes running ›Prove identity using –What you have (key, card) –What you know (password) –What you are (fingerprint, retina pattern)

22 Cryptography ›Limits the potential senders and receivers of a message ›Based on secrets (keys) ›Used for authentication –Enables the receiver to verify that the message was created by some specific sender –Digital signature Allows to check if the message was modified (integrity) Public key, Private key (sender private key and receiver sender’s public key)

23 Cryptography ›Encryption –Enables the sender to ensure that only a specific receiver can read the message (confidentiality) Symmetric encryption (secret shared key) Asymmetric encryption –Public key, Private key (using the receiver’s public key)

24 Certificates ›Obtained and signed from a Certification Authority ›Used to verify the validity of a public key ›Comparable to capabilities –List the access rights of the holder over resources –Identity, attribute, value ›Should be protected by a digital signature ›Hierarchical trust model ›Certificate Revocation List ›Restricted lifetime of certificates

25 Delegation ›Passing identity and access rights from one process to another ›Implemented through a proxy –Token associated to privileges and restrictions ›Chain of delegations

26 User Perspective What the bad guys can do ›Attacks from inside

27 User Perspective What the bad guys can do ›Attacks from outside

28 User Perspective What the bad guys can do ›Gain root access ›Privilege escalation –Gain other user access (admin, condor) ›Hijack machines –Attack the process running there

29 User Perspective What the bad guys can do ›Injections –Command –SQL –Directory traversal –Log ›Denial of Service (DoS)

User Perspective What the bad guys can do ›Hijack machines –Process escapes Condor control: keep forking and exiting to escape detection. Evil Job PID 1 Evil Job PID 2 Evil Job PID 3 fork Evil Job PID n... ? 30

user job ›Hijack machines User Perspective What the bad guys can do startdstarter Condor Execute Host switchboard procd switchboard user job startd starter Condor Execute Host switchboard procd IDLE MACHINE user job 31

User Perspective What the bad guys can do ›Hijack machines startdstarter new user job Condor Execute Host switchboard procd switchboard user job ATTACK 32

User Perspective What the bad guys can do ›Hijack machines (con’d): –Condor believes the job is gone –The remaining process can do anything to new user jobs running on that machine –This is the same problem that the Condor team fixed years ago 33

User Perspective What the bad guys can do ›Denial of Service –An attacker can prevent updates in the Condor- Quill database condor_qedit 1.0 `perl –e ‘print “x”x2001’` foo 34

User Perspective What the bad guys can do ›GRATIA: The OSG Accounting System –Maintains a Grid-wide view of resource utilization. Job Submission (Priority in the batch queue, CPU time, Memory usage) Storage (Disk usage, Tape storage) ›Accounting Information easily available to people (web interface) and to applications (Web Services) 35

User Perspective What the bad guys can do ›Background –Gratia Condor Probe deletes debug files in /tmp, does some computation and then re- creates the debug files in /tmp. –Gratia Condor Probe has weak validation mechanism (does not validate the job parameters properly) –Symbolic links and Open If files are created using O_CREAT without O_EXCL flag and the final component of the file path is a symbolic link, the file is created where the symbolic link points. 36

User Perspective What the bad guys can do ›Background –Gratia Condor Probe deletes debug files in /tmp, does some computation and then re-creates the debug files in /tmp. –Symbolic links and Open If files are created using O_CREAT without O_EXCL flag and the final component of the file path is a symbolic link, the file is created where the symbolic link points. What happens if we create a symbolic link to the pathname after the operation that deletes the files, but before the one that opens and creates them. Can we win this race? 37

User Perspective What the bad guys can do ›Background –Gratia Condor Probe has weak validation mechanism (does not validate the job parameters properly) –Symbolic links and Open If files are created using O_CREAT without O_EXCL flag and the final component of the file path is a symbolic link, the file is created where the symbolic link points. Can we exploit the weakness in validation mechanism to make it write something “meaningful” to a “useful” system file? 38

39 Gratia-Probe

40 Gratia-Probe

What can you do? ›Users –Choose good passwords –Take care of your certificates –Never share identities –Report strange behavior ›Sys Admins –Minimal privileges –Configuration settings –Check log files –Upgrades 41

What can you do? ›Developers –Learn secure programming ›Managers –Prioritize security, invest in it, and have assessment and response strategies 42

43 Security Risks in the Grid UW-Madison July 22, 2010 This research funded in part by Department of Homeland Security grant FA (funded through AFRL). Past funding has been provided by NATO grant CLG , National Science Foundation grant OCI , the National Science Foundation under contract with San Diego Supercomputing Center, and National Science Foundation grants CNS and CNS Barton P. Miller James A. Kupsch Computer Sciences Department University of Wisconsin Elisa Heymann Computer Architecture and Operating Systems Department Universitat Autònoma de Barcelona

44 Studied Systems Condor, University of Wisconsin Batch queuing workload management system SRB, SDSC Storage Resource Broker - data grid MyProxy, NCSA Credential Management System glExec, Nikhef Identity mapping service CrossBroker, Universitat Autònoma de Barcelona Resource Manager for Parallel and Interactive Applications Gratia Condor Probe, NCSA Feeds Condor Usage into Gratia Accounting System Condor Quill, University of Wisconsin

45 Studied Systems Wireshark (in progress) Network Protocol Analyzer Condor Privilege Separation, University of Wisconsin (in progress) Restricted Identity Switching Module VOMS Admin, Instituto Nazionale di Fisica Nucleare (in progress) Virtual Organization Management Service