EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Handling Grid Security Vulnerabilities in.
Slide 1: Handling Grid Security Vulnerabilities in EGEE-II
Dr Linda Cornwall, Rutherford Appleton Laboratory, Chilton, Didcot, Oxon, England
ISGC2007, 28th March 2007

Slide 2: Contents
- Why we set up the Grid Security Vulnerability Group (GSVG)
- The EGEE-II Security Co-ordination Group (SCG)
  - How the GSVG fits in
- The Vulnerability Task in EGEE-II
- Issue Handling
- Risk Assessments
- Disclosure policy
- Other Grid Security Vulnerability work in EGEE-II

Slide 3: Why the Grid Security Vulnerability Group (GSVG) was set up
- GSVG started work before the beginning of EGEE-II using GridPP funded effort
- A lot was being done concerning Grid Security Functionality
  - Authentication, Authorization
- Not much was being done to ask "Is the Grid secure?"
- The software isn't perfect
  - Some vulnerabilities are in the process of being fixed
  - Some are probably waiting to be exploited
- It will be really embarrassing if, when the Large Hadron Collider comes on line at CERN, we get a serious attack which prevents data being stored or processed
- Could be more than embarrassing if Grids were used to attack other systems or carry out illegal activities
- The Hackers Conference HOPE mentioned Grids
  - Unfriendly people without credentials are aware of us
  - Cannot rely on security through obscurity
- Real Grids are being deployed
  - No longer a research/proof of concept activity

Slide 4: The EGEE-II Security Co-ordination Group (SCG)
[Organisation diagram; labels recovered from the slide: EUGridPMA (trust anchor, IGTF chair); Joint Security Policy Group (policies); MiddleWare Security Group (architecture, gLite Security); Grid Security Vulnerability Group; Operational Security Coordination Team (operations)]

Slide 5: The Vulnerability Task in EGEE-II
- In EGEE-II there is manpower for the "Grid Services Security Vulnerability and Risk Assessment" task
- The aim is "to incrementally make the Grid more secure and thus provide better availability and sustainability of the deployed infrastructure"
  - This is recognition that it cannot be made perfect immediately
- GSVG aims to prevent Grid security incidents
  - Grid security incidents are handled by the EGEE incident handling process, not GSVG
  - GSVG may help handle a vulnerability issue that led to an incident
- Handling of specific security vulnerability issues is the largest activity in this task
  - Issues may be reported by anyone
  - Most issues are software vulnerabilities
  - Issues arising from lack of functionality and operational problems may also be reported

Slide 6: Setup of the issue handling in EGEE-II
- The GSVG issues group in EGEE-II consists of:
- Core Group Members
  - Run the general process
  - Ensure information is passed on
  - One on duty each working day
- Risk Assessment Team (RAT)
  - Carry out Risk Assessments
  - At present 8 full RAT members
  - Plus 4 others who confine their work to their own area of expertise
- RAT people are security experts, experienced system administrators, deployment experts and developers

Slide 7: What we do - to first order
- Issue is submitted
  - Anyone can submit an issue
- The GSVG then carries out a Risk Assessment
  - At least 3 RAT members assess each issue
  - Target Date (TD) for resolution is set according to Risk
  - Mirror bug entered in EGEE middleware bug handling system
  - Aim to complete this within 2 working days of issue being submitted
- The issue is then in the hands of the Developers and the Engineering Management Team (EMT)
  - EMT co-ordinates fixing the issue and the release
- An advisory is issued when the problem is fixed or on the Target Date, whichever is the sooner
  - When the issue is fixed the advisory is included in the release notes

Slide 8: Risk Assessment Strategy
- An agreed strategy where risk assessments are objective, not subjective, is required
- Site security officers most fear an attack that gives access to the whole site
  - Especially if it can be carried out anonymously
  - DoS tends to be considered no more than medium risk
- A vulnerability that can be exploited by an authorized user is considered by most less serious than one that can be exploited without credentials
  - Especially if their actions are clearly logged
- We can't ignore the possibility that credentials may be stolen
- Issues that can be exploited trivially and reliably are considered more serious than those that are harder to exploit and can only be exploited in rare circumstances
- Decided on 4 risk categories
  - Extremely Critical
  - High
  - Moderate
  - Low

Slide 9: 4 Risk Categories
- Extremely Critical
  - Examples
    - Trivial Grid-wide DoS with no credentials
    - Remote root access with or without credentials
  - Target Date: 2 days
- High
  - Examples
    - Identity theft or impersonation
    - Exploit against a middleware component that gives elevated access
    - Grid-wide disruption
    - Information leakage which is illegal or embarrassing
  - Target Date: 3 weeks

Slide 10: 4 Risk Categories (contd)
- Moderate
  - Examples
    - Confidentiality issues in user information
    - Local DoS
    - Potentially serious, but hard to exploit problem, e.g. a hard to exploit buffer overflow
  - Target Date: 3 months
- Low
  - Examples
    - Small system information leak
    - Issue which is only exploitable in unlikely circumstances, or where an exploit cannot be found
    - Issue where the impact on service is minimal
  - Target Date: 6 months

Slide 11: Disclosure Policy and Target Date
- By carrying out Risk Assessments and setting a TD we are allowing the resolution of issues to be prioritized
- The TD can also be seen as the maximum length of time the issue can be lived with without taking action
- We are moving to a responsible public disclosure policy
- On the Target Date, information on the issue is made public
  - Regardless of whether a fix is available
  - This only applies to EGEE software
- This is to ensure confidence in the system
  - People are then less likely to discuss issues on a public mailing list instead of using our system
- Public disclosure ensures all those who install the software have access to information on known vulnerabilities
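The process on slides 7, 9-10 and 11 (at least three RAT assessments, a Target Date derived from the risk category, an advisory on the fix date or the TD whichever is sooner, and routing of non-software issues per slide 12) can be modelled as a small tracker. The following is an added example written for this transcript; it is not GSVG's own tooling. It assumes 30-day months for the Moderate and Low allowances, that the RAT's agreed category is the most severe individual assessment (the slides do not say how differing assessments are combined), and constructed issue identifiers.

```python
"""Toy model of the GSVG issue-handling flow (added example, not project code)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional


class Risk(Enum):
    """The four risk categories from slides 9-10, ordered by severity."""
    LOW = 1
    MODERATE = 2
    HIGH = 3
    EXTREMELY_CRITICAL = 4


# Target Date (TD) allowance per category, from the slides: 2 days, 3 weeks,
# 3 months, 6 months. Months approximated as 30 days (assumption).
TARGET_DATE_DAYS = {
    Risk.EXTREMELY_CRITICAL: 2,
    Risk.HIGH: 21,
    Risk.MODERATE: 90,
    Risk.LOW: 180,
}

MIN_ASSESSORS = 3  # "At least 3 RAT members assess each issue" (slide 7)

# Who is informed for each kind of issue (slides 7 and 12).
ROUTING = {
    "software": ["EMT"],
    "operational": ["OSCT"],
    "functionality": ["TCG", "SCG"],
    "general": ["TCG", "SCG"],
}


@dataclass
class Issue:
    ident: str            # constructed identifier, not a real GSVG number
    kind: str             # one of the ROUTING keys
    submitted: date
    assessments: List[Risk] = field(default_factory=list)
    fixed_on: Optional[date] = None


def assess(issue: Issue, risk: Risk) -> None:
    """Record one RAT member's assessment."""
    issue.assessments.append(risk)


def risk_category(issue: Issue) -> Optional[Risk]:
    """Agreed category, or None until enough assessors have weighed in.

    Operational issues need no risk category (slide 12). Taking the most
    severe assessment as the agreed category is an assumption of this model.
    """
    if issue.kind == "operational":
        return None
    if len(issue.assessments) < MIN_ASSESSORS:
        return None
    return max(issue.assessments, key=lambda r: r.value)


def target_date(issue: Issue) -> Optional[date]:
    """TD = submission date plus the category's allowance."""
    category = risk_category(issue)
    if category is None:
        return None
    return issue.submitted + timedelta(days=TARGET_DATE_DAYS[category])


def advisory_date(issue: Issue) -> Optional[date]:
    """Advisory goes out when fixed or on the TD, whichever is sooner."""
    td = target_date(issue)
    if td is None:
        return None
    if issue.fixed_on is None:
        return td
    return min(issue.fixed_on, td)


def disclosure_status(issue: Issue, today: date) -> str:
    """State of the issue on a given day under the disclosure policy."""
    if issue.kind != "software":
        return "routed to " + "/".join(ROUTING[issue.kind])
    td = target_date(issue)
    if td is None:
        return "awaiting risk assessment"
    if issue.fixed_on is not None and issue.fixed_on <= today:
        return "public: advisory in release notes"
    if today >= td:
        return "public: target date reached without a fix"
    return "embargoed until " + td.isoformat()


if __name__ == "__main__":
    # Constructed walk-through: a High issue submitted 1 March 2007.
    example = Issue("EXAMPLE-1", "software", date(2007, 3, 1))
    for verdict in (Risk.HIGH, Risk.MODERATE, Risk.HIGH):
        assess(example, verdict)
    print(risk_category(example), target_date(example))
    print(disclosure_status(example, date(2007, 3, 10)))
```

The key property the slides describe is that the embargo is bounded by the TD and never by the fix: `disclosure_status` flips to public on the TD even when `fixed_on` is still unset, which is what gives reporters a reason to use the tracker rather than a public list.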

Slide 12: Issues that do not result in software bugs
- Some issues are purely operational
  - The Operational Security Co-ordination Team (OSCT) are informed
  - Risk Category not necessary
- Some issues are due to missing functionality
  - The EGEE Technical Co-ordination Group (TCG) and the EGEE Security Co-ordination Group (SCG) are informed
- Some issues are more general concerns
  - Discuss with TCG and SCG

Slide 13: GSVG issue flow
[Flow diagram; labels recovered from the slide]
- Users, sysadmins, developers, anyone! -> submit issue -> GSVG
- Operational issue -> OSCT
- Missing functionality and other concerns -> TCG, SCG
- Security bug in middleware (most issues) -> EMT/JRA1
  - Patch available with advisory
  - Patch not available on TD -> disclosure

Slide 14: Other Vulnerability Work
- Programming guidelines
  - By producing developer guidelines, developers should be helped to write in a secure manner so as not to introduce new vulnerabilities into their code
  - Checklist for developers produced (prior to EGEE-II)
- Certification and vulnerability testing
  - The EGEE Integration, Testing and Certification activity carry out certification testing before software is released. This may include testing to ensure that a vulnerability that has been fixed is no longer present
  - Vulnerability testing is carried out by the Security Team at Poznan
- Penetration testing
  - Price Waterhouse Cooper (Switzerland) are a Business Associate for EGEE-II
  - Carrying out penetration testing using their own tools, initially on VOMS

Slide 15: More information
- The GSVG web page summarizes the activities of the group
- Details of the issue handling process are available as a PDF document
- The GSVG has produced the EGEE EU deliverable DSA 1.3, "Grid Services Security Vulnerability and Risk Analysis" document

Slide 16: Questions/Discussion