Virtual Workspaces Kate Keahey Argonne National Laboratory.

Virtual Workspaces Kate Keahey Argonne National Laboratory

Security Workshop, GGF 12. Kate Keahey.

Why do we need virtual workspaces?
- Need a way to configure remote nodes effortlessly, dynamically, flexibly
- Need to be able to enforce positive and negative resource usage

Virtual Workspaces
[Figure: a Virtual Workspace consists of a virtual resource configuration, a protection environment, software and file configuration state, and execution state; it exposes a Grid client interface to Grid clients and a Grid middleware interface to Grid middleware.]
- Define interfaces and explore a variety of implementations
- Virtual machines are a particularly promising technology

Architecture
[Figure: components are the client, the VW Factory, the VW Repository, the VW Manager, and the Resource. The client sends a request to the VW Factory, which either uses an existing VW from the VW Repository or creates a new VW; the client receives a VW EPR and uses it to inspect and manage the workspace, deploy and suspend it on the Resource, and start a program.]
Implemented based on Globus, tested with bioinformatics applications (Tim Freeman, Daniel Galron, SC04 poster).

VMs as VWs: the good
- Configurability
  - Allow full stack customization: choose OS, 32 on 64-bit, libraries...
- Enhanced security
  - Primarily better isolation, but also audit, forensics, etc.
- Managing state
  - Freezing computation allows migration, suspend and resume operations, etc.
- State management/replication tool
  - Customize once and copy
  - Potential as distribution tool
- Good enforcement potential

VMs as VWs: the (not so) bad
- Overhead from application perspective
  - Depends on application, VM implementation
  - In practice very promising
- No access to specialized hardware
  - Simply needs more work
- Resource usage overhead
  - Depends on implementation
- Sharing issues and policies
  - How do we share between VMs?
- Software maturity

Networking Issues (wormhole)
- What network are the VMs on?
  - Adding a machine to a remote network
  - Migration problem
- Solution
  - Create a "virtual LAN" hosting the VMs
  - Redirect traffic to the actual location
  - Administered by a VO

VMs and Security: the Good
- Protecting users from users
  - As good as it gets
- Protecting resource from a VM
  - Strong sandboxing
  - Potential for policy-driven resource consumption enforcement
- Protecting VM from the resource
  - Trusted computing: root-secure trusted VMMs and attestation; even the platform owner cannot break privacy and isolation guarantees
  - Needs help from hardware
  - Pretty close to as good as it gets

VMs and Security: the Challenging
- Protecting the VM from the world
  - VMs are only as secure as the software they run
  - Who maintains all those VMs? Local administrators would have to maintain too many images...
- Protecting the world from the VM
  - Issue 1: one could use one's privileges as root on a VM (for example to generate harmful network traffic)
  - Issue 2: no control over software running on the VM means potential vulnerabilities could be exploited (also see above)
  - Audit works well, but by the time it shows anything the damage is done and it is too late!

Potential Solutions
- VO could do VM certification
  - Maintenance by the VO makes more sense
  - Does a VO have enough of a stake in this process?
- Ultimately it is the platform owner who is to blame...
- Detect when something goes wrong
  - Hard: traffic of a parallel application can look surprisingly like a denial of service attack!
  - IDS isolated from the VM: loss of privacy to the user
  - VO administrator (as well as resource owner) should have the right to stop a suspicious VM
- Restricting network traffic
  - For example: traffic allowed only to VO-owned nodes
  - Is questionable because the idea is to limit "them", not us
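The "traffic allowed only to VO-owned nodes" restriction and the detection problem on this slide, as an added example that is not part of the original presentation: a resource-side egress check over constructed flow records. The VO network list, VM names, addresses and the packet-rate threshold are all assumptions; the flagged MPI-style flows show why a parallel job looks like a flood.

```python
"""Egress policy for VMs on a grid resource: allow traffic only to
VO-owned nodes, and flag (not block) high packet rates for review.
Added example with constructed data; not code from the presentation."""
import ipaddress
from collections import defaultdict

# Assumption: the VO publishes the networks its nodes live on.
VO_NODES = [ipaddress.ip_network("10.20.0.0/16"),
            ipaddress.ip_network("192.0.2.0/24")]

# Constructed flow records: (vm_id, destination, packets, seconds)
SAMPLE_FLOWS = [
    ("vm-a", "10.20.1.7", 120000, 10),   # MPI peer inside the VO
    ("vm-a", "10.20.1.8", 118000, 10),   # another MPI peer, same job
    ("vm-b", "198.51.100.9", 500, 10),   # outside the VO
    ("vm-c", "203.0.113.4", 90000, 2),   # outside the VO, high rate
]

def is_vo_node(dst):
    """True if dst falls inside one of the VO-owned networks."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in VO_NODES)

def apply_policy(flows, pps_threshold=10000):
    """Return {vm_id: [(dst, verdict), ...]}. Verdicts: 'deny' (not a VO
    node), 'allow', or 'allow-flagged' (VO node but packet rate above the
    threshold: a parallel job and a flood look alike, so this is a cue
    for an administrator, not proof of abuse)."""
    verdicts = defaultdict(list)
    for vm, dst, pkts, secs in flows:
        if not is_vo_node(dst):
            verdicts[vm].append((dst, "deny"))
            continue
        rate = pkts / secs
        verdicts[vm].append((dst, "allow-flagged" if rate > pps_threshold
                             else "allow"))
    return dict(verdicts)

def vms_to_review(verdicts):
    """VMs a VO administrator or resource owner may want to stop or inspect."""
    return sorted(vm for vm, entries in verdicts.items()
                  if any(v != "allow" for _, v in entries))

if __name__ == "__main__":
    result = apply_policy(SAMPLE_FLOWS)
    for vm, entries in result.items():
        print(vm, entries)
    print("review:", vms_to_review(result))
```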

Grid Security with VMs
- How does a VM authenticate itself?
  - Can't put a private key anywhere on the image
    - Can be compromised
    - Part of the platform?
  - Signed and re-signed by a trusted source?
- How can we integrate attestation into Grid computing seamlessly?
  - We need to allow for a mix of technologies
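The VO certification idea from the previous slide and the "signed and re-signed by a trusted source" question here, as an added example that is not part of the original presentation: the VO signs a manifest carrying the image digest, and the workspace manager verifies it before deploying, so the image itself carries no key. Assumptions: the signature is an HMAC with a VO-held key, a standard-library stand-in for a public-key signature; image contents, names and the key are constructed.

```python
"""VO certification of VM images: sign a manifest over the image digest,
verify it at deploy time, refuse tampered or uncertified images.
Added example, not code from the presentation. Assumption: HMAC with a
VO-held key stands in for a real public-key signature."""
import hashlib
import hmac
import json

# Assumption: held by the VO (or the platform), never placed on the image.
VO_KEY = b"constructed-vo-signing-key"

def digest(image_bytes):
    """SHA-256 of the image as it will actually be deployed."""
    return hashlib.sha256(image_bytes).hexdigest()

def _sign(manifest, key):
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, body, "sha256").hexdigest()

def certify(image_id, image_bytes, key=VO_KEY, signer="vo-admin"):
    """VO side: produce a signed manifest for an image it has vetted.
    Re-certifying after maintenance is simply calling this again."""
    manifest = {"image_id": image_id, "sha256": digest(image_bytes),
                "certified_by": signer}
    return {"manifest": manifest, "sig": _sign(manifest, key)}

def verify_before_deploy(cert, image_bytes, key=VO_KEY):
    """Resource side: (ok, reason). Accept only if the manifest is
    authentic and matches the bytes about to be deployed."""
    if not hmac.compare_digest(_sign(cert["manifest"], key), cert["sig"]):
        return (False, "manifest signature invalid")
    if cert["manifest"]["sha256"] != digest(image_bytes):
        return (False, "image digest does not match certified manifest")
    return (True, "certified image " + cert["manifest"]["image_id"])

# Constructed image contents
GOOD_IMAGE = b"kernel+rootfs of a vetted bioinformatics workspace"
TAMPERED_IMAGE = GOOD_IMAGE + b"\n# extra setuid helper added later"
CERT = certify("bio-ws-1", GOOD_IMAGE)

if __name__ == "__main__":
    print(verify_before_deploy(CERT, GOOD_IMAGE))
    print(verify_before_deploy(CERT, TAMPERED_IMAGE))
```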

Conclusions
- We need virtual workspaces for Grid computing
  - Although we need to be able to rely on a mix of technologies, VMs are a particularly promising technology to use in Grid computing, for security reasons and otherwise
- A growing role for the VO
  - VO might take on additional responsibilities
    - Administers and maintains VMs, acts as certification authority, could potentially stop suspect VMs, is to blame if something happens...
    - Should the VO be a legal entity?
  - Would all this be healthy for a VO?
    - Do VOs have the resources to do that?
  - What are the trade-offs and a healthy balance?
- Mechanisms for secure, efficient sharing between VOs
  - Via Grid tools?
- Holy Grail
  - Can we use these new capabilities for Grid computing? Do we need the increased trust?