Presentation is loading. Please wait.

Presentation is loading. Please wait.

Ian D. Alderman Computer Sciences Department University of Wisconsin-Madison Condor Week 2007 Signed.

Published byHelen Mills Modified over 9 years ago

Similar presentations

Presentation on theme: "Ian D. Alderman Computer Sciences Department University of Wisconsin-Madison Condor Week 2007 Signed."— Presentation transcript:

1 Ian D. Alderman Computer Sciences Department University of Wisconsin-Madison alderman@cs.wisc.edu http://www.cs.wisc.edu/condor Condor Week 2007 Signed ClassAds and Restricted Delegation

2 www.cs.wisc.edu/condor Condor Week 2007 2

3 www.cs.wisc.edu/condor Condor Week 2007 3 › Multiple administrative domains aren’t well protected from each other, yet are increasingly common: Condor-C, Condor-G, flocking… › As cooperation between administrative domains increases, so does utilization. Can we take advantage of this without also increasing risk? Security Issues in Multiple Administrative Domains Job input and output data Execute Machines Data unrelated to the job Protect:

4 www.cs.wisc.edu/condor Condor Week 2007 4 Shoulders of Giants Principle of least privilege: “Every program and every user of the system should operate using the least set of privileges necessary to complete the job.” - Saltzer and Schroeder, 1975

5 www.cs.wisc.edu/condor Condor Week 2007 5 Credential Scope › Jobs either carry no credentials or the full credentials of the submitting user. › Jobs with credentials can impersonate the submitting user without any restriction. › Intermediaries that handle credentials can lose or abuse them, or alter tasks, input, and results. Limit the scope of credentials to what the job needs and no more.

6 www.cs.wisc.edu/condor Condor Week 2007 6 Goals › Make security assumptions explicit. › Reduce the number and scope of assumptions that must be made about infrastructure w.r.t. security. › Provide end-to-end security options in addition to point-to-point security. › Provide end-to-end cryptographic audit. › Alter attacker incentives. › Reduce barriers to increased cooperation and utilization.

7 www.cs.wisc.edu/condor Condor Week 2007 7

8 www.cs.wisc.edu/condor Condor Week 2007 8 Framework Overview › Signed ClassAds ∘ Digital signature applied to a ClassAd: altering invalidates the signature. › Task-specific Proxy Certificates ∘ GSI proxy certificate with signed ClassAd embedded: links certificate to a particular task. › Action Authorization Expressions ∘ Expressions within the signed ClassAd limit the usage of the proxy certificate chain.

9 www.cs.wisc.edu/condor Condor Week 2007 9 Participants U SXR U – submitting user S – scheduler X – execute host R – storage resource

10 www.cs.wisc.edu/condor Condor Week 2007 10 Actions U SXR U – submitting user S – scheduler X – execute host R – storage resource s - submit f - forward e - execute a - access sea

11 www.cs.wisc.edu/condor Condor Week 2007 11 Forwarding Action U S s - submit f - forward e - execute a - access SXR s ea U – submitting user S – scheduler X – execute host R – storage resource f

12 www.cs.wisc.edu/condor Condor Week 2007 12 Multiple Administrative Domains U S U – submitting user S – scheduler X – execute host R – storage resource SXR s - submit f - forward e - execute a - access s ea f R

13 www.cs.wisc.edu/condor Condor Week 2007 13 Authentication U S U – submitting user S – scheduler X – execute host R – storage resource SXR s - submit f - forward e - execute a - access s ea f GSI Proxy Certificates Mutual Authentication /O=Brown CS/CN=pavlo /O=Brown CS/CN=scheduler.cs.brown.edu/O=Penn CS/CN=scheduler.cs.penn.edu/O=UMD CS/CN=storage.cs.umd.edu/O=Penn CS/CN=ex0001.cs.penn.edu

14 www.cs.wisc.edu/condor Condor Week 2007 14 Authorization U S U – submitting user S – scheduler X – execute host R – storage resource SXR s - submit f - forward e - execute a - access s ea f /O=Brown CS/CN=pavlo -> pavlo@cs.brown.edu Recipient checks ACL

15 www.cs.wisc.edu/condor Condor Week 2007 15 Problems › Authorization entirely in the hands of the recipients: no restrictions can be expressed by the submitter. › Credential too permissive: can be used to access anything on resources, run any job on execute machine. › Unnecessary reliance on schedulers to preserve confidentiality and integrity of credentials. › No audit trail.

16 www.cs.wisc.edu/condor Condor Week 2007 16 Attackers › Incentive to attack schedulers; compromise results in full control: ∘ Alter tasks (to attack execute hosts or cause them to attack external hosts). ∘ Access resources using credentials. ∘ Forge results returned to submitter.

17 www.cs.wisc.edu/condor Condor Week 2007 17 Framework Overview › Signed ClassAds ∘ Digital signature applied to a ClassAd: altering invalidates the signature. › Task-specific Proxy Certificates ∘ GSI proxy certificate with signed ClassAd embedded: links certificate to a particular task. › Action Authorization Expressions ∘ Expressions within the signed ClassAd limit the usage of the proxy certificate chain.

18 www.cs.wisc.edu/condor Condor Week 2007 18 Signed ClassAds › ClassAds with digital signatures. › Signature made and checked using X.509 keys and certificates. › Altered ClassAds are easily detected. › External files can be referenced using checksums. › Explicit association between a task and information about its origin and provenance. › Results can be signed as well: receipts.

19 www.cs.wisc.edu/condor Condor Week 2007 19 Task-specific Proxy Certificates › Proxy certificates with embedded signed ClassAds. › Policy field in proxy certificate contains signed ClassAd for the associated job. › Proxy delegation chain inalterably linked with particular job. TS

20 www.cs.wisc.edu/condor Condor Week 2007 20 Action Authorization Expressions ClassAd language expressions included in the signed ClassAd. Can specify conditions on actions that the proxy certificate might be used for: submit, forwarding, execute, and access. Permits the submitting user to limit how their credentials are used.

21 www.cs.wisc.edu/condor Condor Week 2007 21 U= /O=Brown CS/CN=pavlo Sa= /O=Brown CS/CN=sche… Sb= /O=Penn CS/CN=sche… f(U, Sa, Sb) Mutual Authorization U S U – submitting user S – scheduler X – execute host R – storage resource SXR s - submit f - forward e - execute a - access s ea f U= /O=Brown CS/CN=pavlo S= /O=Brown CS/CN=sche… s(U,S) /O=Brown CS/CN=pavlo /O=Brown CS/CN=scheduler.cs.brown.edu/O=Penn CS/CN=scheduler.cs.penn.edu/O=UMD CS/CN=storage.cs.umd.edu/O=Penn CS/CN=ex0001.cs.penn.edu U= /O=Brown CS/CN=pavlo S= /O=Penn CS/CN=sche… X= /O=Penn CS/CN=ex0001… e(U, S, X) U= /O=Brown CS/CN=pavlo X= /O=Penn CS/CN=ex0001… R= /O=UMD CS/CN=storage… a(U, X R)

22 www.cs.wisc.edu/condor Questions? For more information, contact: Ian Alderman alderman@cs.wisc.edu

Download ppt "Ian D. Alderman Computer Sciences Department University of Wisconsin-Madison Condor Week 2007 Signed."

Similar presentations

IBM Software Group ® Design Thoughts for JDSL 2.0 Version 0.2.

IBM Software Group ® Design Thoughts for JDSL 2.0 Version 0.2.
Overview of local security issues in Campus Grid environments Bruce Beckles University of Cambridge Computing Service.

Overview of local security issues in Campus Grid environments Bruce Beckles University of Cambridge Computing Service.
Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Using Multi-Encryption to Provide Secure and Controlled Access to XML Documents Tomasz Müldner, Jodrey School of Computer Science, Acadia University, Wolfville,

Using Multi-Encryption to Provide Secure and Controlled Access to XML Documents Tomasz Müldner, Jodrey School of Computer Science, Acadia University, Wolfville,
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
A Public Web Services Security Framework Based on Current and Future Usage Scenarios J.Thelin, Chief Architect PJ.Murray, Product Manager Cape Clear Software.

A Public Web Services Security Framework Based on Current and Future Usage Scenarios J.Thelin, Chief Architect PJ.Murray, Product Manager Cape Clear Software.
A responsibility based model EDG CA Managers Meeting June 13, 2003.

A responsibility based model EDG CA Managers Meeting June 13, 2003.
Greg Quinn Computer Sciences Department University of Wisconsin-Madison Condor on Windows.

Greg Quinn Computer Sciences Department University of Wisconsin-Madison Condor on Windows.
Military Technical Academy Bucharest, 2006 GRID SECURITY INFRASTRUCTURE (GSI) - Globus Toolkit - ADINA RIPOSAN Department of Applied Informatics.

Military Technical Academy Bucharest, 2006 GRID SECURITY INFRASTRUCTURE (GSI) - Globus Toolkit - ADINA RIPOSAN Department of Applied Informatics.
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
Malicious Logic What is malicious logic Types of malicious logic Defenses Computer Security: Art and Science ©2002-2004 Matt Bishop.

Malicious Logic What is malicious logic Types of malicious logic Defenses Computer Security: Art and Science © Matt Bishop.
Jaime Frey Computer Sciences Department University of Wisconsin-Madison Condor-G: A Case in Distributed.

Jaime Frey Computer Sciences Department University of Wisconsin-Madison Condor-G: A Case in Distributed.
Www.see-grid-sci.eu SEE-GRID-SCI Hands-On Session: Workload Management System (WMS) Installation and Configuration Dusan Vudragovic Institute of Physics.

SEE-GRID-SCI Hands-On Session: Workload Management System (WMS) Installation and Configuration Dusan Vudragovic Institute of Physics.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
GRID workload management system and CMS fall production Massimo Sgaravatto INFN Padova.

GRID workload management system and CMS fall production Massimo Sgaravatto INFN Padova.
Military Technical Academy Bucharest, 2006 SECURITY FOR GRID INFRASTRUCTURES - Grid Trust Model - ADINA RIPOSAN Department of Applied Informatics.

Military Technical Academy Bucharest, 2006 SECURITY FOR GRID INFRASTRUCTURES - Grid Trust Model - ADINA RIPOSAN Department of Applied Informatics.
Condor Project Computer Sciences Department University of Wisconsin-Madison Security in Condor.

Condor Project Computer Sciences Department University of Wisconsin-Madison Security in Condor.
Jim Basney Computer Sciences Department University of Wisconsin-Madison Managing Network Resources in.

Jim Basney Computer Sciences Department University of Wisconsin-Madison Managing Network Resources in.
Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.

Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.

Similar presentations

Ads by Google