Presentation is loading. Please wait.

Presentation is loading. Please wait.

Grid Services Security Vulnerability and Risk Analysis

Published byDylan Roberts Modified over 6 years ago

Similar presentations

Presentation on theme: "Grid Services Security Vulnerability and Risk Analysis"— Presentation transcript:

1 Grid Services Security Vulnerability and Risk Analysis
Dr Linda Cornwall CCLRC (RAL) LCG-OSG-EGEE meeting, CERN, 19-20th June 2006

2 Contents Why we setup the Grid Security Vulnerability Group
Starting up the GSVG Initial strategy and disclosure policy Vulnerability Task in EGEE II Setup of the GSVG in EGEE II Disclosure policy in EGEE II Risk Assessments Other vulnerability related activities in EGEE II Grid Vulnerability - Linda Cornwall

3 Why we set up the Grid Security Vulnerability Group (GSVG)
A lot done concerning Grid Security Functionality Authentication, Authorization Not much being done to ask “Is the Grid Secure” We know the software isn’t perfect Some vulnerabilities are in the process of being fixed Some are probably waiting to be exploited It will be really embarrassing if when the Large Hadron Collider comes on line at CERN we get a serious attack which prevents data being stored or processed Hackers Conference HOPE mentioned Grids Unfriendly people without credentials aware of us Cannot rely on security through obscurity Real Grids are being deployed No longer a research/proof of concept activity Grid Vulnerability - Linda Cornwall

4 Starting up the Grid Security Vulnerability Group (GSVG)
Started up in 2005 with part of my time and a few “best efforts” volunteers Aim to inform developers and deployment people of vulnerabilities as they are identified and encourage them to produce fixes or to reduce their impact. Aim to keep grids deployed, avoid incidents, improve Grid Security with time Joint effort between Large Hadron Collider Grid (LCG), UK particle Physics Grid (GridPP), and EGEE Some people were worried about the legality of not making info available to all Defined a policy and strategy for carrying out the work Got project management approval of our terms Grid Vulnerability - Linda Cornwall

5 Initial strategy and disclosure policy
Log issues, set a Target Date (TD) usually 45 days If issue is still open on TD, distribute information including risk assessment to LCG security contacts Vulnerability group does not make issues public Security contacts considered internal Includes both software and deployment issues Issues entered by anyone Developers enter issues they know about Includes information from internal knowledge Includes impact of missing functionality which will not be available in the short term Grid Vulnerability - Linda Cornwall

6 Achievements and problems
Collected 84 potential issues 18 closed (8 fixed, 9 invalid/not a problem, 1 duplicate) 6 fix rolling out/ awaiting the next release 61 reports sent out to the LCG security contacts Haven’t been seeing enough issues closed by TD Not enough priority given to investigating or fixing issues TD set to a default (problem prioritizing) Looks worse than it is Some issues are missing functionality Many not directly exploitable Some people who would have been very useful in the team didn’t want to join Despite project approval Grid Vulnerability - Linda Cornwall

7 The Vulnerability Task in EGEE II
In EGEE II there is funded manpower for the “Grid Services Security Vulnerability and Risk Assessment” Task  The aim is “to incrementally make the Grid more secure and thus provide better availability and sustainability of the deployed infrastructure” This is recognition that it cannot be made perfect immediately Handling of Vulnerability issues is the largest activity in this task Which continues to deal with specific issues Continues not to be confined to software vulnerabilities, but also includes issues arising from lack of functionality Grid Vulnerability - Linda Cornwall

8 Setup of the GSVG in EGEE II
The GSVG in EGEE II consists of Core Group Members Run the general process Developers from the various development Clusters Can confirm/check information on issues and fix issues Risk Assessment Team (RAT) Carry out Risk Assessments RAT people are security experts, experienced system administrators, deployment experts and developers Grid Vulnerability - Linda Cornwall

9 Process of the GSVG in EGEE II
Issue logged in Database Anyone can submit an issue Only GSVG members can read or modify Issues can also be submitted by Issue is allocated to Risk Assessment Team (RAT) member RAT member Checks information – need to work with appropriate developer Carries out a Risk assessment 2 other RAT members also carry out Risk Assessment Target Date (TD) set according to Risk To improve prioritizing The issue is then allocated to the appropriate developer Grid Vulnerability - Linda Cornwall

10 Disclosure Policy for EGEE II
We plan to move to a responsible public disclosure policy On Target Date, information on the issue is made public Regardless of whether a fix is available This depends on management approval, We need to prove we can do good Risk Assessments Agree formula for setting the TD according to Risk Grid Vulnerability - Linda Cornwall

11 Main changes A risk assessment is carried out straight after issue is entered Improved Risk Assessments Target Date is set according to Risk By TBD formula Information to be made public on the Target Date Good Risk Assessments and setting of TD according to risk is key to making the improved process work Which effectively prioritizes issues Grid Vulnerability - Linda Cornwall

12 Risk Assessments Currently establishing the best way to carry out Risk Assessments Risk Assessment Team (RAT) is working on this It is important that the risk assessment, and setting of TD is objective, not subjective Common Vulnerability Scoring System (CVSS) Location of issue on “Who can Exploit” “Effect” matrix Any other method RAT members propose What RAT members actually think Grid Vulnerability - Linda Cornwall

13 CVSS CVSS is the Common Vulnerability Scoring System
Takes account of various factors e.g. Can it be exploited remotely Access complexity (whether it can be exploited at will or only in certain circumstances) Authenticated or not Modifies this according to temporal factors Availability of exploit code Availability of fix or workaround Modifies according to the environment This could be considered the Grid environment CVSS provides a score between 0 and 10 Possibility of translating this to a Target Date Grid Vulnerability - Linda Cornwall

14 CVSS limitations It is designed for information systems, not Grids
Does not take into account some factors important on the Grid In particular, “who can exploit” is restricted to authenticated or not We cannot, for example, ignore that one Grid node can affect others E.g. one sysadmin should not be able to setup a system that disrupts the Grid Grid Vulnerability - Linda Cornwall

15 Exploit/effect matrix
Site security officers most fear an attack that gives access to the whole site Especially if it can be carried out anonymously DOS tends to be considered no more than medium risk A vulnerability that can be exploited by an authorized user is less serious than one that can be exploited without credentials We can’t ignore the possibility that credentials may be stolen Nor can we ignore that we may have a rogue sysadmin 100s sites in 10s countries Grid expanding globally This is considered useful Grid Vulnerability - Linda Cornwall

16 Matrix Root Access Local Account Authz Authn No Cred Other System info
Local grid service Disruption Confidential Data Restricts usage for certain applications Unauthz usage Grid-wide Disrupt Impersonate Attack other systems Site Access Very dark pink – Root Access with no Credentials, is what site security officers fear most. Dark Pink boxes are the most serious issues. It is serious if a person with no credentials could cause grid wide disruption, impersonate another user, attack other systems or gain site access or root access. Light pink also serious Probably need to agree how we score each point on the matrix. The lack of good control on confidential data means it is not suitable for certain applications. Blue by definition allowed, a person with a local account can access that account. A person with root access by definition has root access, access to system info, and can disrupt the local service. Person with Root access should not be able to use the grid to impersonate a user, or cause grid wide disruption. Grid Vulnerability - Linda Cornwall

17 Outcome meeting on 19th June
Propose 4 categories of risk Extremely Critical High Moderate Low Grid Vulnerability - Linda Cornwall

18 Extremely Critical Examples Trivial compromise of core grid component
Remotely exploitable issue that can lead to system compromise Root access with no Credentials Trivial Grid Wide DoS with no Credentials Target date – 48 hours Special process (details TBC) for handling Alert OSCT +TCG immediately Quick patch – in isolation with no other release, tested at the front of the queue A.s.a.p. but in any case within 2 working days Unrelated to release process Expectation – Very rare if ever Grid Vulnerability - Linda Cornwall

19 High Risk Examples Remote exploit against middleware service
Spoofing – carrying an action on someone’s behalf Exploit against MW component that gives elevated access Grid-wide DoS? Target Date 3 weeks Grid Vulnerability - Linda Cornwall

20 Moderate Examples Confidential issues in user information Local DoS
Potentially serious, but hard to exploit problem. E.g. hard to exploit buffer overflow Race conditions that are hard to exploit Target Date 3 months Grid Vulnerability - Linda Cornwall

21 Low Examples Small system information leak Impact on service minimal
Note – if 2 low risk issues could produce problem, this should be entered as a higher risk issue Target Date – 6 months Grid Vulnerability - Linda Cornwall

22 Notes If anyone thinks an issue is highly critical – all available RAT members should look at it Other than that vote – E.g. If 3 look initially, and 2 say moderate, 1 low – set as moderate The Risk classification could change Rise if information is available publicly or issue has been exploited Fall if more information comes to light, e.g. part of the code not aware of mitigates problem Formula for setting TD is not for the RAT to decide unilaterally We can propose Need to agree with management Grid Vulnerability - Linda Cornwall

23 Issues arising from missing functionality
These will continue to be entered We will carry out risk assessment But handle differently Inform TCG of what we consider to be the risk If appropriate – inform appropriate people for documentation purposes But not set TD Grid Vulnerability - Linda Cornwall

24 Advisories Advisory on issue is written when the risk assessment is carried out By the RAT member the issue is allocated to, consulting other RAT members (if necessary) and appropriate developers Advisories available publicly on Target Date (or earlier if fix is available) Advisories will always include what to do Solution Patch/work around – which may reduce the service functionality In worst case – advice to stop a service Advisories will not describe how to exploit issue Grid Vulnerability - Linda Cornwall

25 Other Vulnerability work in EGEE II
Other activities currently ramping up Providing best practise guidelines for developers Co-ordinating code walkthroughs/reviews Largely to be commissioned by the Integration, testing and Certification Task in SA3 The vulnerability task is involved in co-ordinating the specific (security) tests as part of the certification process The possibility of carrying out Ethical Hacking is being considered Grid Vulnerability - Linda Cornwall

26 Summary The GSVG is attempting to prioritize specific issues identified through risk assessments and setting Target Dates Other activities for reducing vulnerabilities Testing Code walkthroughs Ethical hacking This work is important, the Grid has been described as a “Beautiful Amplifier” of vulnerability issues Grid Vulnerability - Linda Cornwall

27 Questions/Discussion
Grid Vulnerability - Linda Cornwall

Download ppt "Grid Services Security Vulnerability and Risk Analysis"

Similar presentations

Grid Security Policy GridPP18, Glasgow David Kelsey 21sr March 2007.

Grid Security Policy GridPP18, Glasgow David Kelsey 21sr March 2007.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Grid Security Vulnerabilities Dr Linda Cornwall,

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Grid Security Vulnerabilities Dr Linda Cornwall,
INFSO-RI-508833 Enabling Grids for E-sciencE Update on LCG/EGEE Security Policy and Procedures David Kelsey, CCLRC/RAL, UK

INFSO-RI Enabling Grids for E-sciencE Update on LCG/EGEE Security Policy and Procedures David Kelsey, CCLRC/RAL, UK
Sponsored by the National Science Foundation GENI Clearinghouse Panel GEC 12 Nov. 2, 2011 INSERT PROJECT REVIEW DATE.

Sponsored by the National Science Foundation GENI Clearinghouse Panel GEC 12 Nov. 2, 2011 INSERT PROJECT REVIEW DATE.
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 The EGI Software Vulnerability Group and EMI Dr Linda Cornwall, STFC, Rutherford.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI The EGI Software Vulnerability Group and EMI Dr Linda Cornwall, STFC, Rutherford.
Www.egi.eu EGI-Engage www.egi.eu Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.

EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.
EGI-InSPIRE The EGI Software Vulnerability Group (SVG) What is a Software Vulnerability?SVG membership and interaction with other groups Most people are.

EGI-InSPIRE The EGI Software Vulnerability Group (SVG) What is a Software Vulnerability?SVG membership and interaction with other groups Most people are.
What if you suspect a security incident or software vulnerability? What if you suspect a security incident at your site? DON’T PANIC Immediately inform:

What if you suspect a security incident or software vulnerability? What if you suspect a security incident at your site? DON’T PANIC Immediately inform:
The Grid Services Security Vulnerability and Risk Assessment Activity in EGEE-II Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688

The Grid Services Security Vulnerability and Risk Assessment Activity in EGEE-II Enabling Grids for E-sciencE EGEE-II INFSO-RI
Www.egi.eu EGI-Engage www.egi.eu Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.

EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Handling Grid Security Vulnerabilities in.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Handling Grid Security Vulnerabilities in.
What if you suspect a security incident or software vulnerability? What if you suspect a security incident at your site? DON’T PANIC Immediately inform:

What if you suspect a security incident or software vulnerability? What if you suspect a security incident at your site? DON’T PANIC Immediately inform:
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org SA1: Cookbook (DSA1.7) Ian Bird CERN 18 January 2006.

INFSO-RI Enabling Grids for E-sciencE SA1: Cookbook (DSA1.7) Ian Bird CERN 18 January 2006.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks The Grid Security Vulnerability Group Dr.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks The Grid Security Vulnerability Group Dr.
EGEE-III INFSO-RI-222667 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Grid Security Vulnerability Handling and.

EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Grid Security Vulnerability Handling and.
Deployment Issues David Kelsey GridPP13, Durham 5 Jul 2005

Deployment Issues David Kelsey GridPP13, Durham 5 Jul 2005
Security Area in GridPP2 4 Mar 2004 Security Area in GridPP2 “Proforma-2 posts” overview Deliverables – Local Access – Local Usage.

Security Area in GridPP2 4 Mar 2004 Security Area in GridPP2 “Proforma-2 posts” overview Deliverables – Local Access – Local Usage.
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 EGI Federated Cloud F2F Security Issues in the cloud Introduction Linda Cornwall,

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI Federated Cloud F2F Security Issues in the cloud Introduction Linda Cornwall,
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks GSVG issues handling Dr Linda Cornwall CCLRC.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks GSVG issues handling Dr Linda Cornwall CCLRC.
Update on the Grid Security Vulnerability Group Linda Cornwall, MWSG7, Amsterdam 14 th December 2005

Update on the Grid Security Vulnerability Group Linda Cornwall, MWSG7, Amsterdam 14 th December 2005

Similar presentations

Ads by Google