INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Models for Security Vulnerabilities and Threats Yuri Demchenko Advanced Internet Research.

Slides:



Advertisements
Similar presentations
Webgoat.
Advertisements

Instant Messenger Security with a focus on implementing security policies in corporate IM services Kaushal S Chandrashekar CS 691 Dr. Edward Chow UCCS.
Chapter 17: WEB COMPONENTS
Infosec 2012 | 25/4/12 Application Performance Monitoring Ofer MAOR CTO Infosec 2012.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
OV 2- 1 Copyright © 2005 Element K Content LLC. All rights reserved. Security Threats  Social Engineering  Software-based Threats  Hardware-based Threats.
Web Defacement Anh Nguyen May 6 th, Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.
INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
Chapter 7 HARDENING SERVERS.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Data Security in Local Networks using Distributed Firewalls
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
BUILDING A SECURE STANDARD LIBRARY Information Assurance Project I MN Tajuddin hj. Tappe Supervisor Mdm. Rasimah Che Mohd Yusoff ASP.NET TECHNOLOGY.
Software Security Course Course Outline Course Overview Introduction to Software Security Common Attacks and Vulnerabilities Overview of Security.
The 10 Most Critical Web Application Security Vulnerabilities
Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Web Application Security
OWASP Mobile Top 10 Why They Matter and What We Can Do
MWSG3 August 25, 2004 JRA3 - Incident Response Issues to decide on and next steps Yuri Demchenko EGEE is a project.
SEC835 Database and Web application security Information Security Architecture.
Copyright © 2002 ProsoftTraining. All rights reserved. Operating System Security.
Chapter 15: Security (Part 1). The Security Problem Security must consider external environment of the system, and protect the system resources Intruders.
Testing Tools. Categories of testing tools Black box testing, or functional testing Testing performed via GUI. The tool helps in emulating end-user actions.
A Framework for Automated Web Application Security Evaluation
Ladd Van Tol Senior Software Engineer Security on the Web Part One - Vulnerabilities.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Extending user controlled security domain.
Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Software Security Testing Vinay Srinivasan cell:
International Telecommunication Union Geneva, 9(pm)-10 February 2009 ITU-T Security Standardization on Mobile Web Services Lee, Jae Seung Special Fellow,
Interception and Analysis Framework for Win32 Scripts (not for public release) Tim Hollebeek, Ph.D.
1 Vulnerability Assessment of Grid Software James A. Kupsch Computer Sciences Department University of Wisconsin Condor Week 2007 May 2, 2007.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Project co-funded by the European Commission within the 7th Framework Program (Grant Agreement No ) Business Convergence WS#2 Smart Grid Technologies.
APPLICATION PENETRATION TESTING Author: Herbert H. Thompson Presentation by: Nancy Cohen.
. 1. Computer Security Concepts 2. The OSI Security Architecture 3. Security Attacks 4. Security Services 5. Security Mechanisms 6. A Model for Network.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Security Token Service Valéry Tschopp - SWITCH.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
EGEE is a project funded by the European Union under contract IST Grid Security Incident definition and format Yuri Demchenko, AIRG UvA JSG.
Vulnerability Scanning Vulnerability scanners are automated tools that scan hosts and networks for known vulnerabilities and weaknesses Credentialed vs.
Web Security Group 5 Adam Swett Brian Marco. Why Web Security? Web sites and web applications constantly growing Complex business applications are now.
Deconstructing API Security
Security Patterns for Web Services 02/03/05 Nelly A. Delessy.
Wireless and Mobile Security
Database Security Cmpe 226 Fall 2015 By Akanksha Jain Jerry Mengyuan Zheng.
OWASP Building Secure Web Applications And the OWASP top 10 vulnerabilities.
Web Services Security Patterns Alex Mackman CM Group Ltd
Web Application (In)security Note: Unless noted differently, all scanned figures were from the textbook, Stuttard & Pinto, 2011.
INFSO-RI Enabling Grids for E-sciencE Web Services Mike Mineter National e-Science Centre, Edinburgh.
1 Computer Security Instructor: Dr. Bo Sun. 2 Course Objectives Understand basic issues, concepts, principles, and mechanisms in computer network security.
Carrie Estes Collin Donaldson.  Zero day attacks  “zero day”  Web application attacks  Signing up for a class  Hardening the web server  Enhancing.
Unit 2 Personal Cyber Security and Social Engineering Part 2.
Windows Active Directory – What is it? Definition - Active Directory is a centralized and standardized system that automates network management of user.
Manuel Brugnoli, Elisa Heymann UAB
Secure Software Confidentiality Integrity Data Security Authentication
Evaluating Existing Systems
Evaluating Existing Systems
E-commerce Application Security
Operating System Security
Intrusion Detection system
WWW安全 國立暨南國際大學 資訊管理學系 陳彥錚.
Presentation transcript:

INFSO-RI Enabling Grids for E-sciencE Models for Security Vulnerabilities and Threats Yuri Demchenko Advanced Internet Research Group (AIRG) University of Amsterdam

INFSO-RI Enabling Grids for E-sciencE Outline Background: Addressing known security vulnerabilities From Vulnerability to Incident Existing classifications and models Proposed security threats classification and models

Enabling Grids for E-sciencE INFSO-RI Addressing Known Security Vulnerabilities Grid Operational Centers (and JSPG :-) know major security vulnerabilities –Those that are actually obvious  Reason why it happened? –We can expect more will be discovered when we apply regular security vulnerability analysis and risk assessment Approach for security/operational people? –Actively search for vulnerabilities OR wait until somebody will discover them and (mis)use (Already perceived) Problems –There is no common approach/model for analysing security vulnerabilities in Web Services and Grids –All security models and methodologies are complex and multifaceted  Grid is new but not unique – better learn from others’ expereince  Need some efforts and willinness to learn or to listen to experts

Enabling Grids for E-sciencE INFSO-RI Vulnerability-Incident life-cycle Vulnerability => Exploit => Threat => Attack/Intrusion => Incident Vulnerability is a flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy Exploit is a known way to take advantage of a specific software vulnerability Threat is a potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm Attack is an assault on system security that derives from an intelligent threat Incident is a result of successful Attack

Enabling Grids for E-sciencE INFSO-RI Basic steps in attacking methodology

Enabling Grids for E-sciencE INFSO-RI Known Vulnerabilities and Threats Classifications OWASP (Open Web Application Security Project) – –Developed in and industry adopted EVDL (Enterprise Vulnerability Description Language) –OASIS WG – Web Applications Security Threats Model by Microsoft – XML Web Services Security Vulnerabilities/Threats classification –Proposed in MJRA3.4 and updated in MJRA3.6

Enabling Grids for E-sciencE INFSO-RI Top 10 OWASP vulnerabilities A1 - Unvalidated Input A2 - Broken Access Control A3 - Broken Authentication and Session Management A4 - Cross Site Scripting (XSS) Flaws A5 - Buffer Overflows A6 - Injection Flaws A7 - Improper Error Handling A8 – Insecure Credentials Storage A9 - Denial of Service A10 - Insecure Configuration Management

Enabling Grids for E-sciencE INFSO-RI XML Web Services threats/ attacks classification (1) XWS1 – Web Services Interface probing –WSDL scanning, WSDL parameters tampering, WSDL error interface probing XWS2 – XML parsing system –Recursive XML document content, oversized XML document XWS3 – Malicious XML content –Malicious code exploiting known vulnerabilities in back-end applications, viruses or Trojan horse programs, malicious XPath or XQuery built-in operations, malicious Unicode content XWS4 – External reference attacks –Malicious XML Schema extensions, namespace resolution manipulation, external entity attacks

Enabling Grids for E-sciencE INFSO-RI XML Web Services threats/ attacks classification (2) XWS5 – SOAP/XML Protocol attacks –SOAP flooding attack, replay attack, routing detour, message eavesdropping, “Main-in-the-middle” attack XWS6 – XML security credentials tampering –XML Signature manipulation, secure XML content manipulation, Unicode content manipulation, XML credentials replay, application session hijacking XWS7 – Secure key/session negotiation tampering –Poor WS-Security implementation, poor key generation, poor key/trust management; weak or custom encryption

Enabling Grids for E-sciencE INFSO-RI Threats/Attacks grouping in interacting services

Enabling Grids for E-sciencE INFSO-RI Threats/Attacks grouping (1) WIA – “Wire” Intelligence Attacks –Network eavesdropping –“Man in the middle” (MITM) –Brute Force –Credentials compromise –Replay/Session hijack –XML/SOAP protocol MIA – Melifactor Initiated Attacks –Denial of Service (DoS) –Brute Force –Dictionary Attacks –WSDL probing UCA – User Credentials Attacks –Credentials theft –Credentials compromise –User impersonation

Enabling Grids for E-sciencE INFSO-RI Threats/Attacks grouping (1) SIA – Site Management Attacks –Configuration vulnerabilities –Improper Key/Trust Management –Improper Privilege Management –Improper Error Handling –Insecure audit/logging ESA – End Services Attacks –Resource misuse and quota violation –Malicious input –Dynamic XML –XML/SQL Injection –(XSS)

Enabling Grids for E-sciencE INFSO-RI Security models for interacting Grid/XWS services Requestor/User site security zones Service/Resource site security zones

Enabling Grids for E-sciencE INFSO-RI Requestor/User site security zones

Enabling Grids for E-sciencE INFSO-RI Service/Resource site security zones

Enabling Grids for E-sciencE INFSO-RI Example use of security models Collaboratory.nl project (CNL) Providing secure remote access to unique analytical equipment Job-centric security model for Open Collaborative Environment –Distributed security services model –Security context handling addressed –Trust model for distributed security services

Enabling Grids for E-sciencE INFSO-RI Authorisation Service operation in a CNL2 Demo system JNLP – Java Network Launch Protocol CHEF – Collaborative tool Surabaya – Collaborative Workspace environment Locations

Enabling Grids for E-sciencE INFSO-RI Security and trust issues in the OCE Job-centric security model TA – Trust Anchor; TR# - trust path from root (resource); RAM – Resource Allocation and Management; UserCT – User Collaborative Tools

Enabling Grids for E-sciencE INFSO-RI Trust relations in distributed access control infra Obtaining required permissions to perform requested action by the user: User => AuthN(HomeOrg.staff, Job.members) => => AuthZ(Member.roles, Policy.permissions) => => Resource.permissions Trust/credentials chain and delegation between major modules: User => => HomeOrg.staff(TA2) => Job.members => Member.roles => Role.permissions

Enabling Grids for E-sciencE INFSO-RI Summary and next steps Security vulnerabilities and attacks classification provides an input to further analysis of existing and to be discovered vulnerabilities Proposed Requestor and Resource security models need discussion and trial with analysing real middleware products –Need to be developed to cover case with the delegation Need some organisational form to proceed as an ad- hoc activity to target improving Grid middleware security

Enabling Grids for E-sciencE INFSO-RI Additional materials Users vs hackers Application security layers Host security components Implementation suggestions for OCE/CNL Job-centric security architecture

Enabling Grids for E-sciencE INFSO-RI Users vs hackers Users go regular route Potential hacker use any possible opportunity to bypass

Enabling Grids for E-sciencE INFSO-RI Application Security Layers Grid and application security must be build on solid base of lower layers Grid middleware constitutes Tier 3 layer and must protect actual applications from possible attacks

Enabling Grids for E-sciencE INFSO-RI Host security components Protocols and Ports that provides network access and communication services for applications. Common OS Services Files and Directories User Accounts and privileges Registries Auditing and Logging Patches and Updates management

Enabling Grids for E-sciencE INFSO-RI Trust relations in distributed Access Control Implementation suggestions for OCE/CNL security model –Root of trust and authority belong to the Resource –Trust anchor TA2 embedded into the Job Description is the main trust anchor shared between the resource and the customer.  In more business integrated model the signed order may contain TA1  Both TA2 and TA1 may have the same trust path to the root/resource –To become a shared trust anchor for the resource and the customer trust domains, the Order or JobDescription must contain mutually signed credentials/certificates –Although the main PEP operation assumes authorisation decision request from the trusted PDP, in general PEP may accept an AuthzTicket from other trusted/external PDP

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.