Presentation on theme: "Wei Lu 1, Kate Keahey 2, Tim Freeman 2, Frank Siebenlist 2 1 Indiana University, 2 Argonne National Lab"— Presentation transcript:
Wei Lu 1, Kate Keahey 2, Tim Freeman 2, Frank Siebenlist 2 1 Indiana University, 2 Argonne National Lab Making your workspace secure: establishing trust with VMs in the Grid
Virtual Workspace in the Grid Virtual Workspace (VW) Definition: Workspace is an execution environments that can be made available dynamically in the Grid Software environment Resource allocation Examples: A physical machine configured as a service node (e.g., headnode) for a community cluster A set of virtual machines configured as an Open Science Grid cluster A set of physical machines configured with Xen hypervisor Virtual machines (VMs) as workspace implementation Good isolation properties Customizable software Fine-grained enforcement of resource allocation Ability of serialization and migration Acceptable performance cost (Xen) Hardware Hypervisor Guest OS App Guest OS App
Security Challenge of Virtual Workspace VW Hosts prohibit VMs from misusing resource maliciously; For example, a badly configured VM might get compromised and used to launch a DOS from a site VW Owners concern the integrity and confidentiality of the VM image, that is the VM image does not get used or otherwise compromised by un-trusted parties storing or transferring that image. The VM image is usually composed of multiple partitions, each partition may be provided by a different "issuer" and be associated with different security requirements concern that VM execute only on trusted hosts and the host won't jeopardize data or computations taking place inside the VM. VW Users how do I establish trust with a running VM? trust in the VM has to be rooted in both VM image (owner) and VM host
System Architecture Implementation Xen, Globus Toolkit 4 GSI provides the basic infrastructure for authentication and authorization Workspace Meta data XML document: containing the hardware, software, networking, security and other configuration of a VW VW Configuration Service Workspace Service request a workspace Workspace manage activities within the workspace Owner of VW User of VW Workspace Meta-data Deploy Manage monitor
VW Security Meta-data A Virtual Machine consists of several files (VM disk partitions, RAM image, configuration files), each of them may have different security requirements (Integrity, Confidentiality or Open) Be provided by different entities, e.g. A community partition may be issued by a given community and contain a specific version of community software An application partition may be provided by an application developer A data partition may be provided by a special interest group and be confidential Be used as part of many images Stored and transported through potentially un-trusted areas Meta-data for partition is extended with XML Signature or Encryption element to represent the signature and related key or certificate of the protected A resolvable URI that can be used to locate a partition Security Meta-data makes the security of a VW image be independent of the intermediate storage service and transferring layers. …
VW Host Credential How do we assign credential to the VM? Trust has to be rooted in both the VM image (VM owner) and the VM host (hypervisor) Scheme 1: Assign a static credential to a VM image VM issuer provides a credential partition, always encrypted Partition can be decrypted only by a host from a trusted set Credential does not change during VM lifetime Scheme 2: Generate a credential on deployment Name the VM as VM X on resource Y Resource Proxy Certificate: which is a short term GSI X509 proxy Certificate generated dynamically by the hypervisor at deployment time based on verifying the VM attestation After migration, the certificate is revoked at old host and regenerated at new host. user can attest the virtual machine and the host machine.
Deploying a Secure VW Host Creds VW Creds Virtual Workspace Hypervisor VW User Third-Party Storage Services VW Owner Metadata Verification Partition Load Signature Verification Partition Decryption Private key partition OSG software partition App data partition App software partition Creds Assign Key Load Workspace Service Data flow Control flow 1: owner builds authen & author with Workspace service 2: sends the VW meta-data 3: checks the integrity of the meta data 4: loads each partition of the VW to local site according the security meta-data 5: loads the key or certificate according the security metadata 6: verifies the partition signature or decrypts the partition 7: generates the proxy cred for VW 8. builds and starts the VW. 9: user builds authen,& author with VW 10: user accesses VW 8
Performance Impact Security Configuration –No-security conf: all the partitions are not protected –Signed partitions conf: all the partitions are signed by providers –Private data conf: all the software partitions are signed by providers, except the user data partitions encrypted by the user self –Private key conf: all the partitions are signed by providers, except the VW key partition is encrypted by the VW owner.
Conclusion GSI provides the mechanism to build trust between VW host and VW owner Security meta-data is an End-to-End VW data integrity and confidentiality solution between the VW host and VW owner without any dependence on the transportation and storage system. With Resource Proxy Certificate user can attest the VW and the running host. Performance impact to the VW deployment brought by the security functionality is significant, but still acceptable (deploying a VW with 3G signed partitions needs no more then 3 mins) The performance impact mainly caused by the partitions with big size, and Encryption is much more expensive than the signature calculation. To minimize the overhead, it is desirable –Reduce the granularity of a partition –keep the big software partition be read-only and on site for reusing. –the encryption would better be applied on small size data partitions. Further optimization will be developed based on fast security implementation, cache and differentiate transferring For more information visit