Making your workspace secure: establishing trust with VMs in the Grid
Wei Lu 1, Kate Keahey 2, Tim Freeman 2, Frank Siebenlist 2
1 Indiana University, 2 Argonne National Lab

Virtual Workspace in the Grid
Virtual Workspace (VW) definition: a workspace is an execution environment that can be made available dynamically in the Grid. It has two aspects:
– Software environment
– Resource allocation
Examples:
– A physical machine configured as a service node (e.g., a headnode) for a community cluster
– A set of virtual machines configured as an Open Science Grid cluster
– A set of physical machines configured with the Xen hypervisor
Virtual machines (VMs) as the workspace implementation:
– Good isolation properties
– Customizable software
– Fine-grained enforcement of resource allocation
– Ability to serialize and migrate
– Acceptable performance cost (Xen)
[Figure: layered diagram of Hardware, Hypervisor, and two Guest OS + App stacks]

Security Challenge of Virtual Workspace
VW hosts
– must prevent VMs from misusing resources maliciously; for example, a badly configured VM might get compromised and be used to launch a DoS attack from the site.
VW owners
– are concerned with the integrity and confidentiality of the VM image: the image must not be used or otherwise compromised by untrusted parties that store or transfer it.
– The VM image is usually composed of multiple partitions; each partition may be provided by a different "issuer" and be associated with different security requirements.
– want the VM to execute only on trusted hosts, and want assurance that the host will not jeopardize the data or computations taking place inside the VM.
VW users
– How do I establish trust with a running VM?
– Trust in the VM has to be rooted in both the VM image (owner) and the VM host.

System Architecture
Implementation: Xen, Globus Toolkit 4
– GSI provides the basic infrastructure for authentication and authorization
Workspace meta-data: an XML document describing the hardware, software, networking, security and other configuration of a VW
[Figure: the VW owner submits the workspace meta-data to the VW Configuration Service / Workspace Service to request and deploy a workspace; the VW user manages and monitors activities within the running workspace]

VW Security Meta-data
A virtual machine consists of several files (VM disk partitions, RAM image, configuration files). Each of them may:
– have different security requirements (Integrity, Confidentiality or Open)
– be provided by a different entity, e.g.
  – a community partition may be issued by a given community and contain a specific version of the community software
  – an application partition may be provided by an application developer
  – a data partition may be provided by a special interest group and be confidential
– be used as part of many images
– be stored and transported through potentially untrusted areas
The meta-data for a partition is therefore extended with:
– an XML Signature or XML Encryption element carrying the signature (or ciphertext) and the related key or certificate of the protected partition
– a resolvable URI that can be used to locate the partition
Security meta-data makes the security of a VW image independent of the intermediate storage services and transfer layers.

[Figure: VW security meta-data referencing the virtual workspace partitions (OSG software of a given version, key partition, application, application data) through resolvable URIs served over GridFTP, HTTP, …]
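As an added example, not part of the original slides or of the Globus Toolkit implementation: a Go stand-in for the per-partition security meta-data above and for the host-side checks of the later deployment steps (check the meta-data, fetch each partition from untrusted storage, verify its signature or decrypt it). Ed25519 signatures and AES-256-GCM replace the XML Signature / XML Encryption elements, a struct replaces the XML document, an in-memory map stands in for the GridFTP/HTTP storage service, and the issuer key, data key, URIs and partition contents are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

type Requirement int // per-partition security requirement from the slide

const (
	Open            Requirement = iota // no protection
	Integrity                          // issuer-signed
	Confidentiality                    // encrypted and issuer-signed
)

// PartitionMeta is the security meta-data for one partition (the slides carry it as XML
// Signature / XML Encryption elements plus a URI; this struct layout is an assumption).
type PartitionMeta struct {
	Name   string
	URI    string            // resolvable locator; whatever sits behind it is untrusted
	Req    Requirement
	Issuer ed25519.PublicKey // issuer's verification key (a certificate under GSI)
	Digest [32]byte          // SHA-256 of the stored blob (plaintext or ciphertext)
	Nonce  []byte            // AES-GCM nonce, Confidentiality only
	Sig    []byte            // issuer's signature over tbs()
}

// tbs is the canonical to-be-signed string: every field an attacker must not alter.
func (m *PartitionMeta) tbs() []byte {
	return []byte(fmt.Sprintf("%s|%s|%d|%x|%x", m.Name, m.URI, m.Req, m.Nonce, m.Digest))
}

type Store map[string][]byte // stand-in for a third-party GridFTP/HTTP server nobody trusts

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // wrong key length is a configuration bug, not attacker input
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for AES's 128-bit block
	return aead
}

// Publish protects data according to req, uploads it under uri and returns the
// meta-data the owner ships with the image. key is used for Confidentiality only.
func Publish(st Store, name, uri string, req Requirement, priv ed25519.PrivateKey, key, data []byte) PartitionMeta {
	m := PartitionMeta{Name: name, URI: uri, Req: req, Issuer: priv.Public().(ed25519.PublicKey)}
	blob := data
	if req == Confidentiality {
		aead := newGCM(key)
		m.Nonce = make([]byte, aead.NonceSize())
		rand.Read(m.Nonce)                                 // crypto/rand
		blob = aead.Seal(nil, m.Nonce, data, []byte(name)) // partition name bound as associated data
	}
	m.Digest = sha256.Sum256(blob)
	if req != Open {
		m.Sig = ed25519.Sign(priv, m.tbs())
	}
	st[uri] = blob
	return m
}

// Load is the host side (deployment steps 4-6): fetch the blob the meta-data names and
// enforce the requirement before attaching the partition. trusted holds the issuer keys
// this host accepts; key is obtained out of band for Confidentiality partitions.
func Load(st Store, m PartitionMeta, trusted map[string]bool, key []byte) ([]byte, error) {
	blob := st[m.URI] // nil if missing, which then fails the digest check
	if m.Req == Open {
		return blob, nil
	}
	if !trusted[string(m.Issuer)] {
		return nil, fmt.Errorf("%s: issuer not in trusted set", m.Name)
	}
	if !ed25519.Verify(m.Issuer, m.tbs(), m.Sig) {
		return nil, fmt.Errorf("%s: meta-data signature invalid", m.Name)
	}
	if sha256.Sum256(blob) != m.Digest {
		return nil, fmt.Errorf("%s: blob altered in storage or transit", m.Name)
	}
	if m.Req == Integrity {
		return blob, nil
	}
	pt, err := newGCM(key).Open(nil, m.Nonce, blob, []byte(m.Name))
	if err != nil {
		return nil, fmt.Errorf("%s: decryption failed: %w", m.Name, err)
	}
	return pt, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	st, trusted := Store{}, map[string]bool{string(pub): true}
	m := Publish(st, "osg-software", "gsiftp://storage.example.org/osg.img", Integrity, priv, nil, []byte("osg-0.4.1 bits"))
	fmt.Println(Load(st, m, trusted, nil))
	st[m.URI][0] ^= 0xff // the storage service tampers with the partition
	fmt.Println(Load(st, m, trusted, nil))
}
```

Two details carry the argument of the slide. The digest and the locator sit inside the signed fields, so a storage or transfer service can neither swap one partition for another nor point the meta-data at a different blob; and for Confidentiality partitions the partition name is bound as GCM associated data, so a ciphertext cannot be re-labelled as a different partition. What the example leaves out is how the decryption key reaches only trusted hosts, which is the key-partition question of the host-credential slide.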

VW Host Credential
How do we assign a credential to the VM? Trust has to be rooted in both the VM image (VM owner) and the VM host (hypervisor).
Scheme 1: assign a static credential to a VM image
– The VM issuer provides a credential partition, which is always encrypted
– The partition can be decrypted only by a host from a trusted set
– The credential does not change during the VM's lifetime
Scheme 2: generate a credential on deployment
– Name the VM as "VM X on resource Y"
– Resource Proxy Certificate: a short-term GSI X.509 proxy certificate generated dynamically by the hypervisor at deployment time, after it has verified the VM attestation
– After migration, the certificate is revoked at the old host and regenerated at the new host
– The user can attest both the virtual machine and the host machine

Deploying a Secure VW
[Figure: data and control flow between the VW owner, the Workspace Service, third-party storage services, the hypervisor (host credentials, meta-data verification, partition load, signature verification, partition decryption, key load, credential assignment), the resulting Virtual Workspace with its private key, OSG software, app software and app data partitions, and the VW user]
1: the owner establishes authentication and authorization with the Workspace Service
2: the owner sends the VW meta-data
3: the service checks the integrity of the meta-data
4: the service loads each partition of the VW to the local site according to the security meta-data
5: the service loads the key or certificate named in the security meta-data
6: the service verifies the partition signature or decrypts the partition
7: the service generates the proxy credential for the VW
8: the service builds and starts the VW
9: the user establishes authentication and authorization with the VW
10: the user accesses the VW
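Scheme 2 and step 7 as an added example, not code from the original slides or from Globus: a Go stand-in in which each hypervisor holds a long-lived credential, issues a short-lived X.509 credential named "VM X on resource Y" once the image has been verified, revokes it when the VM migrates away (the new host then issues a fresh one), and a VW user verifies a presented credential against the set of hosts it trusts. The self-signed host certificates, the vm-image URI SAN carrying the image digest, the serial-number revocation list and the host names are assumptions of this example; a real GSI proxy certificate would chain through the host's CA-issued certificate and carry the RFC 3820 proxyCertInfo extension instead.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Host is a hypervisor with a long-lived credential (self-signed here as an assumption).
type Host struct {
	cert    *x509.Certificate
	key     ed25519.PrivateKey
	serial  int64           // last serial number issued
	revoked map[string]bool // serials withdrawn by this host (stand-in for a CRL)
}

func NewHost(name string) (*Host, error) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand only fails if the OS RNG does
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, err
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return &Host{cert: cert, key: key, serial: 1, revoked: map[string]bool{}}, nil
}

// Issue is deployment step 7: after the image partitions have been verified the host mints a
// short-lived credential "VM X on resource Y" with a fresh key, bound to the attested image digest.
func (h *Host) Issue(vm string, imageDigest [32]byte, ttl time.Duration) (*x509.Certificate, ed25519.PrivateKey, error) {
	vmPub, vmKey, _ := ed25519.GenerateKey(rand.Reader)
	h.serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(h.serial),
		Subject:      pkix.Name{CommonName: fmt.Sprintf("VM %s on resource %s", vm, h.cert.Subject.CommonName)},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		URIs:         []*url.URL{{Scheme: "vm-image", Opaque: hex.EncodeToString(imageDigest[:])}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, h.cert, vmPub, h.key)
	if err != nil {
		return nil, nil, err
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, vmKey, nil
}

// Revoke withdraws a credential this host issued; on migration the old host revokes, the new one issues.
func (h *Host) Revoke(cert *x509.Certificate) { h.revoked[cert.SerialNumber.String()] = true }

// Verify is the VW user's check before trusting a running VM: the credential must chain to a
// trusted host, be within its lifetime and not be revoked. It returns the image digest the host
// vouched for, so the user attests image and host at once.
func Verify(cert *x509.Certificate, trustedHosts []*Host, now time.Time) (string, error) {
	roots, byName := x509.NewCertPool(), map[string]*Host{}
	for _, h := range trustedHosts {
		roots.AddCert(h.cert)
		byName[h.cert.Subject.CommonName] = h
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}); err != nil {
		return "", err
	}
	if h := byName[cert.Issuer.CommonName]; h == nil || h.revoked[cert.SerialNumber.String()] {
		return "", errors.New("credential revoked: the VM no longer runs on " + cert.Issuer.CommonName)
	}
	if len(cert.URIs) != 1 || cert.URIs[0].Scheme != "vm-image" {
		return "", errors.New("credential carries no image binding")
	}
	return cert.URIs[0].Opaque, nil
}

func main() {
	a, _ := NewHost("xen-a.example.org")
	b, _ := NewHost("xen-b.example.org")
	digest := sha256.Sum256([]byte("verified image bytes"))
	cred, _, _ := a.Issue("osg-worker-17", digest, 12*time.Hour)
	fmt.Println(Verify(cred, []*Host{a, b}, time.Now()))
	a.Revoke(cred) // migration: old host revokes, new host re-issues
	moved, _, _ := b.Issue("osg-worker-17", digest, 12*time.Hour)
	fmt.Println(Verify(cred, []*Host{a, b}, time.Now()))
	fmt.Println(Verify(moved, []*Host{a, b}, time.Now()))
}
```

The short lifetime and the issuer-held revocation list are what make the "regenerated on the new host" rule safe: a credential that leaks out of a migrated VM stops validating as soon as the old host marks it revoked, and expires on its own shortly afterwards even if that host is unreachable. Binding the image digest into the credential is what lets the user attest the VM image and not only the host that runs it.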

Performance Impact
Security configurations compared:
– No-security conf: none of the partitions are protected
– Signed-partitions conf: all partitions are signed by their providers
– Private-data conf: all software partitions are signed by their providers, except the user data partitions, which are encrypted by the user
– Private-key conf: all partitions are signed by their providers, except the VW key partition, which is encrypted by the VW owner

Conclusion
– GSI provides the mechanism to build trust between the VW host and the VW owner
– Security meta-data is an end-to-end VW data integrity and confidentiality solution between the VW host and the VW owner, with no dependence on the transport and storage systems
– With the Resource Proxy Certificate, the user can attest both the VW and the host it runs on
– The performance impact of the security functionality on VW deployment is significant but still acceptable (deploying a VW with 3 GB of signed partitions takes no more than 3 minutes)
– The overhead is dominated by the large partitions, and encryption is much more expensive than signature computation. To minimize it, it is desirable to:
  – reduce the granularity of a partition
  – keep the big software partitions read-only and on site for reuse
  – apply encryption only to small data partitions
– Further optimization will be based on faster security implementations, caching and differential transfer
For more information visit