Presentation is loading. Please wait.

Presentation is loading. Please wait.

Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 The EGI Software Vulnerability Group and EMI Dr Linda Cornwall, STFC, Rutherford.

Published byOlivia Scott Modified over 8 years ago

Similar presentations

Presentation on theme: "Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 The EGI Software Vulnerability Group and EMI Dr Linda Cornwall, STFC, Rutherford."— Presentation transcript:

1 www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 The EGI Software Vulnerability Group and EMI Dr Linda Cornwall, STFC, Rutherford Appleton Laboratory 30/03/2012 EGI CF 2012 SVG and EMI1

2 www.egi.eu EGI-InSPIRE RI-261323 Contents The Purpose of the EGI Software Vulnerability Group What is a vulnerability? Activities for reducing vulnerabilities Summary of the issue handling process Vulnerability Assessment - EMI Prevention of new vulnerabilities 30/03/2012 2EGI CF 2012 SVG and EMI

3 www.egi.eu EGI-InSPIRE RI-261323 Purpose Purpose of the EGI Software Vulnerability Group (SVG) “To eliminate existing vulnerabilities from the deployed infrastructure, primarily from the grid middleware, prevent the introduction of new ones and prevent security incidents”. 30/03/2012 3 EGI CF 2012 SVG and EMI

4 www.egi.eu EGI-InSPIRE RI-261323 What is a vulnerability? A weakness allowing a principal (e.g. a user) to gain access to or influence a system beyond the intended rights –Unauthorized user can gain access –Authorized user can gain unintended privileges – e.g. root or admin damage a system gain unintended access to data or information delete or change another user’s data impersonate another user 30/03/2012 4EGI CF 2012 SVG and EMI

5 www.egi.eu EGI-InSPIRE RI-261323 What is not a vulnerability Actions which can only be carried out by site administrators –Site administrators mostly trusted –Except with bulk encrypted data + keys Issues which provide information that may be useful to an attacker –Not usually treated as vulnerabilities General concerns –e.g. “these instructions are not clear” 30/03/2012 5EGI CF 2012 SVG and EMI

6 www.egi.eu EGI-InSPIRE RI-261323 3 main activities for reducing vulnerabilities Handling vulnerabilities found/reported –Main activity of SVG Assessing software for vulnerabilities –Mainly done by others, including EMI Preventing new vulnerabilities being introduced –Developer education, awareness –Considering new software to be used in the infrastructure 30/03/2012 6EGI CF 2012 SVG and EMI

7 www.egi.eu EGI-InSPIRE RI-261323 Main focus The main focus is to deal with software vulnerabilities in the EGI Unified Middleware Distribution (UMD) –Middleware generally does not have any other activity handling vulnerabilities Also handles other software (jointly with CSIRT) to provide consistent risk assessments –Most vulnerabilities found and fixed outside grid activity 30/03/2012 7EGI CF 2012 SVG and EMI

8 www.egi.eu EGI-InSPIRE RI-261323 Types of software Software SourceS/W provider aware/announced vulnerability S/W provider not clearly aware of vulnerability Risk Assessment Other comment EGI UMD – e.g. EMI/IGE software for which EGI has SLA Problem handled according to process in document by SVG SVG Linux Operating system on which the EGI infrastructure is based CSIRT/SVG investigates relevance to EGI Inform software provider SVG/CSIRT jointly Usually CSIRT will contact provider if necessary EPEL software (Extra Packages for Linux Enterprise) CSIRT/SVG investigates relevance to EGI Inform software provider SVG/CSIRT jointly SVG or CSIRT member will contact provider depending on knowledge Other Software widely installed on the EGI Infrastructure CSIRT/SVG investigates relevance to EGI Inform software provider SVG/CSIRT jointly SVG or CSIRT member will contact provider depending on knowledge Software not installed on the EGI Infrastructure Do nothingInform software provider NoneOnly action is to forward information. 30/03/2012 8EGI CF 2012 SVG and EMI

9 www.egi.eu EGI-InSPIRE RI-261323 EGI UMD Software is distributed by EGI as the Unified Middleware Distribution(UMD) UMD consists of IGE (Initiative for Globus in Europe), EMI (glite, Unicore, ARC, dCache). Service Level Agreement (SLA) with these software providers, including –Agree to response times, provide contact details, etc. –Participate in process 30/03/2012 9EGI CF 2012 SVG and EMI

10 www.egi.eu EGI-InSPIRE RI-261323 Issue handling process This is carried out by the SVG Risk Assessment Team (RAT) –The RAT has access to information on vulnerabilities reported Anyone may report an issue –By e-mail to report-vulnerability@egi.eu Issue is investigated by a collaboration between the RAT, reporter and developers. 30/03/2012 10EGI CF 2012 SVG and EMI

11 www.egi.eu EGI-InSPIRE RI-261323 Issue handling (2) If the Issue is valid, the RAT carries out a risk assessment Issue placed in one of 4 risk categories Critical, High, Moderate or Low Risk assessment carried out by the RAT because –mitigating or aggravating factors may exist in the Grid environment –Usually by consensus - the RAT usually agrees on the category –Say vote, but mostly agree on category 30/03/2012 11EGI CF 2012 SVG and EMI

12 www.egi.eu EGI-InSPIRE RI-261323 Issue handling (3) Target Date for resolution set according to the Risk Critical - 3 days, High - 6 weeks, Moderate – 4 months, Low - 1 year –Aim to reach this point within 4 working days Within 1 day for critical issues –This allows the prioritization of the timely resolution of issues according to their severity 30/03/2012 12EGI CF 2012 SVG and EMI

13 www.egi.eu EGI-InSPIRE RI-261323 Issue handling (4) It is then up to the developers and release team to fix the problem by the Target Date or earlier –SVG will provide help and advice if appropriate Track version product where vulnerability is fixed, release of e.g. EMI which contains fix, release UMD containing fix. Advisory released when fix present in UMD, or on the target date 30/03/2012 13EGI CF 2012 SVG and EMI

14 www.egi.eu EGI-InSPIRE RI-261323 Fixing issues Development teams (e.g. In EMI) fix problem and test solution Integrated into release –Tested and certified Later released as part of EGI UMD Small coding error that results in vulnerability can result in a lot of work. 30/03/2012 EGI CF 2012 SVG and EMI14

15 www.egi.eu EGI-InSPIRE RI-261323 Vulnerability Assessment Examination and testing of software in order to find vulnerabilities For EMI this is done in the Computer Architecture and Operating Systems department at Universitat Autònoma de Barcelona Some assessment work also carried out by Poznan Supercomputing Centre 30/03/2012 EGI CF 2012 SVG and EMI15

16 www.egi.eu EGI-InSPIRE RI-261323 FPVA Members of the University of Wisconsin and the Universitat Autònoma de Barcelona have developed the First Principles Vulnerability Assessment This involves the detailed manual assessment of a piece of software 30/03/2012 EGI CF 2012 SVG and EMI16

17 www.egi.eu EGI-InSPIRE RI-261323 FPVA methodology Understanding the architecture, resources, trust and privilege analysis, detailed evaluation of components –Very effort intensive, typically a few PM effort per piece of software Plan written for small number of priority components to be analysed during EMI 30/03/2012 EGI CF 2012 SVG and EMI17

18 www.egi.eu EGI-InSPIRE RI-261323 FPVA gLite assessed VOMS Admin 2.0.18 –Vulnerabilities found fixed (1 year ago) Argus 1.2 –No vulnerabilities found gLexec 0.8 –Some ‘Low’ risk vulnerabilities found –Fixed in EMI 2 VOMS Core 2.0.2 –1 ‘Low risk DoS 30/03/2012 EGI CF 2012 SVG and EMI18

19 www.egi.eu EGI-InSPIRE RI-261323 FPVA in work/plans gLite: WMS: Workload Management System –currently in work CREAM: Computing Resource Execution And Management –Planned after WMS 30/03/2012 EGI CF 2012 SVG and EMI19

20 www.egi.eu EGI-InSPIRE RI-261323 FPVA plans -UNICORE Target System Interface (TSI) –provides an interface between UNICORE and the individual resource management/batch system and operating system of the Grid resources. Gateway –an authenticating web proxy service for web service requests (SOAP messages) and normal HTTP traffic of the UNICORE Grid middleware 30/03/2012 EGI CF 2012 SVG and EMI20

21 www.egi.eu EGI-InSPIRE RI-261323 Vulnerability prevention Developer education –Tutorials on secure coding given at the EGI TF 2011 Tests in certification Assessing new software to be deployed on EGI infrastructure Requirements for changes – ensure these do not introduce vulnerabilities 30/03/2012 EGI CF 2012 SVG and EMI21

22 www.egi.eu EGI-InSPIRE RI-261323 E.g. file permission World writeable executable that runs as ‘root’ is a root exploit –Several during EGEE-II and EGEE-III –Now part of the EMI certification process to check for world writable files –None recently World readable can of course also expose data or information unintentionally 30/03/2012 EGI CF 2012 SVG and EMI22

23 www.egi.eu EGI-InSPIRE RI-261323 Other vulnerability prevention No funding/effort for checking new software for vulnerabilities –Checklist checks which must be done before new software used in EGI suggested –No progress yet Checking new requirements/ change requests –E.g. ‘tool’ which gives useful info may introduce a vulnerability 30/03/2012 EGI CF 2012 SVG and EMI23

24 www.egi.eu EGI-InSPIRE RI-261323 The future Current SVG issue handling well established and should continue Vulnerability assessment continuing Assessment of new software, changes –No significant effort at present Virtualization, Clouds, other changes, –Need to address changes needed Sustainability of activity –Availability of funding and effort 30/03/2012 24EGI CF 2012 SVG and EMI

25 www.egi.eu EGI-InSPIRE RI-261323 More information Vulnerability Issue handling Process https://documents.egi.eu/public/ShowDocument?docid= 717 https://documents.egi.eu/public/ShowDocument?docid= 717 EGI SVG Wiki https://wiki.egi.eu/wiki/SVG:SVGhttps://wiki.egi.eu/wiki/SVG:SVG RAT Members https://wiki.egi.eu/wiki/SVG:RAT_Members https://wiki.egi.eu/wiki/SVG:RAT_Members Secure coding tutorials at EGI TF https://www.egi.eu/indico/contributionDisplay.py?contrib Id=75&confId=452 https://www.egi.eu/indico/contributionDisplay.py?contrib Id=75&confId=452 FPVA http://research.cs.wisc.edu/mist/includes/vuln.html http://research.cs.wisc.edu/mist/includes/vuln.html University of Wisconsin/UAB team http://research.cs.wisc.edu/mist/includes/people.html http://research.cs.wisc.edu/mist/includes/people.html 30/03/2012 25EGI CF 2012 SVG and EMI

26 www.egi.eu EGI-InSPIRE RI-261323 Questions? ?? 30/03/2012 26EGI CF 2012 SVG and EMI

Download ppt "Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 The EGI Software Vulnerability Group and EMI Dr Linda Cornwall, STFC, Rutherford."

Similar presentations

EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Grid Security Vulnerabilities Dr Linda Cornwall,

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Grid Security Vulnerabilities Dr Linda Cornwall,
Summer 200811 IAVA1 NATIONAL INFORMATION ASSURANCE TRAINING STANDARD FOR SYSTEM ADMINISTRATORS (SA) Minimum.

Summer IAVA1 NATIONAL INFORMATION ASSURANCE TRAINING STANDARD FOR SYSTEM ADMINISTRATORS (SA) Minimum.
Grid Security Users, VOs, Sites OSG Collaboration Meeting University of Washington Bob Cowles August 23, 2006 Work supported.

Grid Security Users, VOs, Sites OSG Collaboration Meeting University of Washington Bob Cowles August 23, 2006 Work supported.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Website Hardening HUIT IT Security | Sep 30 2011.

Website Hardening HUIT IT Security | Sep
1 Update on the Vulnerability Assessment Effort Elisa Heymann Computer Architecture and Operating Systems Department Universitat Autònoma de Barcelona.

1 Update on the Vulnerability Assessment Effort Elisa Heymann Computer Architecture and Operating Systems Department Universitat Autònoma de Barcelona.
Configuration Management Process and Environment MACS Review 1 February 5th, 2010 Roland Moser PR-100205-a-RMO, February 5 th, 2010 R. Moser 1 R. Gutleber.

Configuration Management Process and Environment MACS Review 1 February 5th, 2010 Roland Moser PR a-RMO, February 5 th, 2010 R. Moser 1 R. Gutleber.
Www.egi.eu EGI-Engage www.egi.eu Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.

EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.
EGI-InSPIRE The EGI Software Vulnerability Group (SVG) What is a Software Vulnerability?SVG membership and interaction with other groups Most people are.

EGI-InSPIRE The EGI Software Vulnerability Group (SVG) What is a Software Vulnerability?SVG membership and interaction with other groups Most people are.
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 Unified Middleware Distribution (UMD): SW provisioning to EGI Mario David.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Unified Middleware Distribution (UMD): SW provisioning to EGI Mario David.
What if you suspect a security incident or software vulnerability? What if you suspect a security incident at your site? DON’T PANIC Immediately inform:

What if you suspect a security incident or software vulnerability? What if you suspect a security incident at your site? DON’T PANIC Immediately inform:
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 Future support of EGI services Tiziana Ferrari/EGI.eu Future support of EGI.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Future support of EGI services Tiziana Ferrari/EGI.eu Future support of EGI.
The Grid Services Security Vulnerability and Risk Assessment Activity in EGEE-II Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688

The Grid Services Security Vulnerability and Risk Assessment Activity in EGEE-II Enabling Grids for E-sciencE EGEE-II INFSO-RI
Www.egi.eu EGI-Engage www.egi.eu Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.

EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Handling Grid Security Vulnerabilities in.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Handling Grid Security Vulnerabilities in.
What if you suspect a security incident or software vulnerability? What if you suspect a security incident at your site? DON’T PANIC Immediately inform:

What if you suspect a security incident or software vulnerability? What if you suspect a security incident at your site? DON’T PANIC Immediately inform:
EGEE-III INFSO-RI-222667 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Grid Security Vulnerability Handling and.

EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Grid Security Vulnerability Handling and.
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 EGI Federated Cloud F2F Security Issues in the cloud Introduction Linda Cornwall,

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI Federated Cloud F2F Security Issues in the cloud Introduction Linda Cornwall,
1 Vulnerability Assessment of Grid Software James A. Kupsch Computer Sciences Department University of Wisconsin Condor Week 2007 May 2, 2007.

1 Vulnerability Assessment of Grid Software James A. Kupsch Computer Sciences Department University of Wisconsin Condor Week 2007 May 2, 2007.
European Middleware Initiative (EMI) – Release Process Doina Cristina Aiftimiei (INFN) EGI Technical Forum, Amsterdam 17. Sept.2010.

European Middleware Initiative (EMI) – Release Process Doina Cristina Aiftimiei (INFN) EGI Technical Forum, Amsterdam 17. Sept.2010.

Similar presentations

Ads by Google