Presentation is loading. Please wait.

Presentation is loading. Please wait.

Model Checking Grid Policies JeeHyun Hwang, Mine Altunay, Tao Xie, Vincent Hu Presenter: tanya levshina International Symposium on Grid Computing (ISGC.

Published byHarry Pierce Modified over 8 years ago

Similar presentations

Presentation on theme: "Model Checking Grid Policies JeeHyun Hwang, Mine Altunay, Tao Xie, Vincent Hu Presenter: tanya levshina International Symposium on Grid Computing (ISGC."— Presentation transcript:

1 Model Checking Grid Policies JeeHyun Hwang, Mine Altunay, Tao Xie, Vincent Hu Presenter: tanya levshina International Symposium on Grid Computing (ISGC 2010) 1

2 Background  Open Science Grid provides an infrastructure for coordinating Virtual Organizations (VOs) and sites based on various grid policies (policies in short  VO have its own VO policy E.g. which VO member access which resources, usage rules -- queue priority, etc  Sites have their own policy for providing access to VOs Which resource is available to which VO, how long, under which conditions, etc 2 20010-03-09 ISGC

3 Background - cont. Sites enforce both their own policies and the VO policies when VO members utilize the site resources. 3 20010-03-09 ISGC

4 Motivation  Storage elements and computing elements in sites are shared within and across members of various VOs  Different roles of VOs have different privileges over resources in sites  Sensitive resource or jobs requires policy mechanisms  access control, job priority and scheduling, monitoring and etc  Site policy authors write their own policies w.r.t. their interests  e.g., combine multiple VO policies 4 20010-03-09 ISGC

5 Motivation - cont.  How to ensure the correct behaviours of policies?  What you specify is what you get, but not necessarily what you want  Our solution: model checking grid policies  Property verification Check whether a policy satisfied a property  Conflict and redundancy checking Check whether two policies have conflicts or redundancy Help combine two policies effectively  Change impact analysis Check whether a policy is correctly changed 5 20010-03-09 ISGC

6 Outline  Approach  Access Control in XACML  Property verification  Conflict and redundancy checking  Change impact analysis  Conclusion 6 20010-03-09 ISGC

7 Access Control in XACML  XACML is eXtensible Access Control Markup Language standardized by OASIS  XACML policy describes a set of rules to specify policy behaviors  Policy Decision Point (PDP) produces a policy decision (e.g., Permit or Deny) with regards to a request from a user Policy Decision Point RequestDecision XACML Policy 7 20010-03-09 ISGC

8 Example Grid Policy  Subjects/Roles: Admin, Tester  Actions: execute  Resources: DiskQuota  Condition: DiskQuotaBytes Rule 1: IF (Admin AND execute AND DiskQuota AND DiskQuotaBytes > 15 MB) Permit Rule 2: IF (Tester AND execute AND DiskQuota AND DiskQuotaBytes > 20 MB) Permit Rule 3: OTHERWISE Deny 8 20010-03-09 ISGC

9  NuSMV is a state-of-the-art symbolic model checker developed by CMU and IRST  Requires that a policy is translated into a FSM model  State: Pending, Deny, Permit init(decision) := Pending; next (decision) := case subject = Admin & Resource = DiskQuota & Action = execute & DiskQuotaBytes <= 15 : Permit; subject = Tester & Resource = DiskQuota & Action = execute & DiskQuotaBytes <= 20 : Permit; 1: Deny; esac; A FSM Model in NuSMV 9 20010-03-09 ISGC

10  State: description of the decisions in the machine  Initial State: Pending  Finite states: Deny, Permit  Finite-state machine (FSM) model Describing a policy as a state machine Pending Permit Deny Rule 1 or Rule2 ! (Rule 1 or Rule 2) 10 20010-03-09 ISGC

11 Policy Verification Property 1: A dmin can execute a job that requires 15 MB disk quota No violations are found … next (decision) := case subject = Admin & Resource = DiskQuota & Action = execute & DiskQuotaBytes <= 15 : Permit; …; 1: Deny; esac; … 11 20010-03-09 ISGC

12 next (decision) := case … subject = Tester & Resource = DiskQuota & Action = execute & DiskQuotaBytes <= 20 : Permit; …; 1: Deny; esac; … Policy Verification Property 2: No role cannot execute (a job) that requires a disk quota bigger than 15 MB Violation with a counterexample: Tester can execute a job that requires 17 MB disk quota Violation Found! 12 20010-03-09 ISGC

13 Conflict and Redundancy  Find conflict and redundant rules  Consider a site policy author combine multiple VO policies  Detect redundancies to remove redundant policies  Detect conflicts to identify which rule should be given higher priority during policy evaluation  Detect conflict between site and VO policies  FSM models to detect redundancy and conflict  For example, A VO has two policies: VO1 and VO2  State: Pending, Redundancy or Conflict 13 20010-03-09 ISGC

14 Conflict and Redundancy - cont. Pending Permit Deny NA Pending Permit Deny NA Pending Conflicts Redundan cy VO1.dec stateVO2.dec state Policy VO1 Policy VO2 Conflict and redundancy state Conflict/redundancy checking 14 20010-03-09 ISGC

15 Conflict and Redundancy Detect conflict and redundancy by property verification Property 1: Is there any ways to reach to redundancy state This property outputs redundancies (if any) PendingRedundancy VO1 = Permit and VO2 = Permit or VO1 = Deny and VO2 = Deny PendingConflict VO1 = Permit and VO2 = Deny or VO1 = Deny and VO2 = Permit Property 2: Is there any ways to reach to conflict state This property outputs redundancies (if any) 15 20010-03-09 ISGC

16 Change Impact Analysis  Policy authors change a policy A to a policy B  Ensure correctness of a changed policy  Output all different requests-decision pairs produced by two policies  outputs conflicting decisions of a policy A and policy B (conflicting decisions)  The administrators could miss corner cases to expose faults after policy change  By extending our conflict detection technique, we plan to apply change impact analysis on grid policies to ensure a policy B is correctly changed after inspecting conflicting decisions. 16 20010-03-09 ISGC

17 Conclusion and Future Work  Model checking help ensure the correctness of policies  Property verification  Conflict and redundancy checking  Change impact analysis 17 20010-03-09 ISGC

18 Any Questions? Thank You 18 20010-03-09 ISGC

Download ppt "Model Checking Grid Policies JeeHyun Hwang, Mine Altunay, Tao Xie, Vincent Hu Presenter: tanya levshina International Symposium on Grid Computing (ISGC."

Similar presentations

QUN NI 1, SHOUHUAI XU 2, ELISA BERTINO 1, RAVI SANDHU 2, AND WEILI HAN 3 1 PURDUE UNIVERSITY USA 2 UT SAN ANTONIO USA 3 FUDAN UNIVERSITY CHINA PRESENTED.

QUN NI 1, SHOUHUAI XU 2, ELISA BERTINO 1, RAVI SANDHU 2, AND WEILI HAN 3 1 PURDUE UNIVERSITY USA 2 UT SAN ANTONIO USA 3 FUDAN UNIVERSITY CHINA PRESENTED.
A Usage-based Authorization Framework for Collaborative Computing Systems Xinwen Zhang George Mason University Masayuki Nakae NEC Corporation Michael J.

A Usage-based Authorization Framework for Collaborative Computing Systems Xinwen Zhang George Mason University Masayuki Nakae NEC Corporation Michael J.
Operating System Security

Operating System Security
Efficient representation for formal verification of PLC programs Vincent Gourcuff, Olivier de Smet and Jean-Marc Faure LURPA – ENS de Cachan.

Efficient representation for formal verification of PLC programs Vincent Gourcuff, Olivier de Smet and Jean-Marc Faure LURPA – ENS de Cachan.
1 Authorization XACML – a language for expressing policies and rules.

1 Authorization XACML – a language for expressing policies and rules.
Authz work in GGF David Chadwick

Authz work in GGF David Chadwick
CoreGRID Workpackage 5 Virtual Institute on Grid Information and Monitoring Services Authorizing Grid Resource Access and Consumption Erik Elmroth, Michał.

CoreGRID Workpackage 5 Virtual Institute on Grid Information and Monitoring Services Authorizing Grid Resource Access and Consumption Erik Elmroth, Michał.
Manage Run Activities Cognos 8 BI. Objectives  At the end of this course, you should be able to:  manage current, upcoming and past activities  manage.

Manage Run Activities Cognos 8 BI. Objectives  At the end of this course, you should be able to:  manage current, upcoming and past activities  manage.
Software Testing and Quality Assurance

Software Testing and Quality Assurance
GridFlow: Workflow Management for Grid Computing Kavita Shinde.

GridFlow: Workflow Management for Grid Computing Kavita Shinde.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.
XEngine: A Fast and Scalable XACML Policy Evaluation Engine Fei Chen Dept. of Computer Science and Engineering Michigan State University Joint work with.

XEngine: A Fast and Scalable XACML Policy Evaluation Engine Fei Chen Dept. of Computer Science and Engineering Michigan State University Joint work with.
XACML By Ganesh Godavari Craig Peltier. Information Sharing Information Sharing relates to the sharing of information between two or more entities. Entities.

XACML By Ganesh Godavari Craig Peltier. Information Sharing Information Sharing relates to the sharing of information between two or more entities. Entities.
11 World-Leading Research with Real-World Impact! A Formal Model for Isolation Management in Cloud Infrastructure-as-a-Service Khalid Zaman Bijon, Ram.

11 World-Leading Research with Real-World Impact! A Formal Model for Isolation Management in Cloud Infrastructure-as-a-Service Khalid Zaman Bijon, Ram.
Audumbar. Access control and privacy Who can access what, under what conditions, and for what purpose.

Audumbar. Access control and privacy Who can access what, under what conditions, and for what purpose.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org XACML and G-PBox update MWSG 14-15/09/2005 Presenter: Vincenzo Ciaschini.

INFSO-RI Enabling Grids for E-sciencE XACML and G-PBox update MWSG 14-15/09/2005 Presenter: Vincenzo Ciaschini.
XACML Gyanasekaran Radhakrishnan. Raviteja Kadiyam.

XACML Gyanasekaran Radhakrishnan. Raviteja Kadiyam.
1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo

1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo
Differentiated Access to Virtual Resources in Cloud Environments M. Fazio and A. Puliafito Euro-TM Workshop.

Differentiated Access to Virtual Resources in Cloud Environments M. Fazio and A. Puliafito Euro-TM Workshop.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 5: Managing File Access.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 5: Managing File Access.

Similar presentations

Ads by Google