Presentation is loading. Please wait.

Presentation is loading. Please wait.

EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Grid Security Vulnerabilities Dr Linda Cornwall,

Similar presentations


Presentation on theme: "EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Grid Security Vulnerabilities Dr Linda Cornwall,"— Presentation transcript:

1 EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Grid Security Vulnerabilities Dr Linda Cornwall, Rutherford Appleton Laboratory GridPP16 meeting, 27-29th June 2006

2 Enabling Grids for E-sciencE EGEE-II INFSO-RI Grid Vulnerability- GridPP16 - Linda Cornwall 2 Reminder: Why we set up the Grid Security Vulnerability Group (GSVG) A lot done concerning Grid Security Functionality –Authentication, Authorization Not much being done to ask Is the Grid Secure We know the software isnt perfect – Some vulnerabilities are in the process of being fixed – Some are probably waiting to be exploited It will be really embarrassing if when the Large Hadron Collider comes on line at CERN we get a serious attack which prevents data being stored or processed Hackers Conference HOPE mentioned Grids –Unfriendly people without credentials aware of us –Cannot rely on security through obscurity Real Grids are being deployed –No longer a research/proof of concept activity

3 Enabling Grids for E-sciencE EGEE-II INFSO-RI Grid Vulnerability- GridPP16 - Linda Cornwall 3 The Vulnerability Task in EGEE II In EGEE II there is manpower for the Grid Services Security Vulnerability and Risk Assessment Task The aim is to incrementally make the Grid more secure and thus provide better availability and sustainability of the deployed infrastructure –This is recognition that it cannot be made perfect immediately Handling of Vulnerability issues is the largest activity in this task –Which continues to deal with specific issues –Continues not to be confined to software vulnerabilities, but also includes issues arising from lack of functionality and deployment problems

4 Enabling Grids for E-sciencE EGEE-II INFSO-RI Grid Vulnerability- GridPP16 - Linda Cornwall 4 Setup of the GSVG in EGEE II The GSVG in EGEE II consists of Core Group Members –Run the general process Developers from the various development Clusters –Can confirm/check information on issues and fix issues Risk Assessment Team (RAT) –Carry out Risk Assessments RAT people are security experts, experienced system administrators, deployment experts and developers

5 Enabling Grids for E-sciencE EGEE-II INFSO-RI Grid Vulnerability- GridPP16 - Linda Cornwall 5 Process of the GSVG in EGEE II Issue logged in Database –Anyone can submit an issue –Only GSVG members can read or modify –Issues can also be submitted by Issue is allocated to Risk Assessment Team (RAT) member RAT member –Checks information – need to work with appropriate developer –Carries out a Risk assessment 2 other RAT members also carry out Risk Assessment Target Date (TD) set according to Risk –To improve prioritizing The issue is then allocated to the appropriate developer

6 Enabling Grids for E-sciencE EGEE-II INFSO-RI Grid Vulnerability- GridPP16 - Linda Cornwall 6 Disclosure Policy for EGEE II We plan to move to a responsible public disclosure policy On Target Date, information on the issue is made public –Regardless of whether a fix is available This depends on management approval, –We need to prove we can do good Risk Assessments –Agree formula for setting the TD according to Risk

7 Enabling Grids for E-sciencE EGEE-II INFSO-RI Grid Vulnerability- GridPP16 - Linda Cornwall 7 Main changes A risk assessment is carried out straight after issue is entered Improved Risk Assessments Target Date is set according to Risk – By formula to be agreed Information to be made public on the Target Date Good Risk Assessments and setting of TD according to risk is key to making the improved process work –Which effectively prioritizes issues

8 Enabling Grids for E-sciencE EGEE-II INFSO-RI Grid Vulnerability- GridPP16 - Linda Cornwall 8 Risk Assessments Tendency for physicists to underestimate risk –Why on earth would anyone want to spoil our nice collaboration, or do anything illegal? Tendency for developers to also underestimate risk –Their Managers focus on new functionality Tendency for some site admins to be very cautious Need an agreed strategy where risk assessments are objective not subjective

9 Enabling Grids for E-sciencE EGEE-II INFSO-RI Grid Vulnerability- GridPP16 - Linda Cornwall 9 Exploit/effect matrix Site security officers most fear an attack that gives access to the whole site –Especially if it can be carried out anonymously –DOS tends to be considered no more than medium risk A vulnerability that can be exploited by an authorized user is considered by most less serious than one that can be exploited without credentials We cant ignore the possibility that credentials may be stolen Nor can we ignore that we may have a rogue sysadmin –100s sites in 10s countries –Grid expanding globally This is considered useful

10 Enabling Grids for E-sciencE EGEE-II INFSO-RI Grid Vulnerability- GridPP16 - Linda Cornwall 10 Matrix Root Access Local Account AuthzAuthnNo CredOther System info Local grid service Disruption Confidential DataRestricts usage for certain applications Unauthz usage Grid-wide Disrupt Impersonate Attack other systems Site Access Root Access

11 Enabling Grids for E-sciencE EGEE-II INFSO-RI Grid Vulnerability- GridPP16 - Linda Cornwall 11 Categories Propose 4 categories of risk Extremely Critical High Moderate Low

12 Enabling Grids for E-sciencE EGEE-II INFSO-RI Grid Vulnerability- GridPP16 - Linda Cornwall 12 Extremely Critical Examples Trivial compromise of core grid component Remotely exploitable issue that can lead to system compromise Root access with no Credentials Trivial Grid Wide DoS with no Credentials Special process for handling –Alert OSCT + EMT immediately –Quick patch – in isolation with no other release, tested at the front of the queue –Unrelated to release process Expectation – Very rare if ever Suggested TD 48 hours

13 Enabling Grids for E-sciencE EGEE-II INFSO-RI Grid Vulnerability- GridPP16 - Linda Cornwall 13 High Risk Examples Remote exploit against middleware service Spoofing – carrying an action on someones behalf Exploit against MW component that gives elevated access Grid-wide DoS? Information leakage which is illegal or embarrassing? Suggested Target Date 3 weeks

14 Enabling Grids for E-sciencE EGEE-II INFSO-RI Grid Vulnerability- GridPP16 - Linda Cornwall 14 Moderate Examples Confidential issues in user information Local DoS Potentially serious, but hard to exploit problem. –E.g. hard to exploit buffer overflow Race conditions that are hard to exploit Suggested Target Date 3 months

15 Enabling Grids for E-sciencE EGEE-II INFSO-RI Grid Vulnerability- GridPP16 - Linda Cornwall 15 Low Examples Small system information leak Impact on service minimal Note – if 2 low risk issues could produce problem, this should be entered as a higher risk issue Suggested Target Date – 6 months

16 Enabling Grids for E-sciencE EGEE-II INFSO-RI Grid Vulnerability- GridPP16 - Linda Cornwall 16 Notes The Risk classification could change –Rise if information is available publicly or issue has been exploited –Fall if more information comes to light, e.g. part of the code not aware of mitigates problem Formula for setting TD is not for the RAT to decide unilaterally –We can propose

17 Enabling Grids for E-sciencE EGEE-II INFSO-RI Grid Vulnerability- GridPP16 - Linda Cornwall 17 Advisories Advisory on issue is written when the risk assessment is carried out –By the RAT member the issue is allocated to, consulting other RAT members (if necessary) and appropriate developers Advisories available publicly on Target Date (or earlier if fix is available) Advisories will always include what to do –Solution –Patch/work around – which may reduce the service functionality –In worst case – advice to stop a service Advisories will be included in release notes Advisories will not describe how to exploit issue

18 Enabling Grids for E-sciencE EGEE-II INFSO-RI Grid Vulnerability- GridPP16 - Linda Cornwall 18 Encouraging updating Some sites do not update when new software is available If the advisories say that there is a vulnerability issue we hope this will encourage updating of software –Especially if this will be made public It may be necessary to suspend sites who refuse to update If move to a system where different components are released at different times – may need to have components returning their version? –Need to monitor which version of which component is installed –In a way that does not allow sites to lie!

19 Enabling Grids for E-sciencE EGEE-II INFSO-RI Grid Vulnerability- GridPP16 - Linda Cornwall 19 Questions/Discussion ???


Download ppt "EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Grid Security Vulnerabilities Dr Linda Cornwall,"

Similar presentations


Ads by Google