Presentation is loading. Please wait.

Presentation is loading. Please wait.

Virtual Workspaces Kate Keahey Argonne National Laboratory.

Published byDelilah Chambers Modified over 8 years ago

Similar presentations

Presentation on theme: "Virtual Workspaces Kate Keahey Argonne National Laboratory."— Presentation transcript:

1 Virtual Workspaces Kate Keahey keahey@mcs.anl.gov Argonne National Laboratory

2 Security Workshop, GGF 12Kate Keahey Why do we need virtual workspaces? l Need a way to configure remote nodes effortlessly, dynamically, flexibly l Need to be able to enforce positive and negative resource usage

3 Security Workshop, GGF 12Kate Keahey Virtual Workspaces Virtual resource configuration Protection environment Software and file configuration state Execution state Virtual Workspace Grid Middleware Interface Grid client Interface Grid clients Grid middleware interface l Define interfaces and explore a variety of implementations l Virtual machines are a particularly promising technology

4 Security Workshop, GGF 12Kate Keahey Architecture Client request VW EPR inspect and manage deploy & suspend use existing VW Create VW VW Factory VW Repository VW Manager create new VW Resource VW start program Implemented based on Globus, tested with bioinformatics applications Tim Freeman, Daniel Galron, SC04 poster

5 Security Workshop, GGF 12Kate Keahey VMs as VWs: the good l Configurability u Allow full stack customization: choose OS, 32 on 64-bit, libraries… l Enhanced security u Primarily better isolation, but also audit forensics, etc. l Managing state u Freezing computation allows migration, suspend and resume operations, etc. l State management/replication tool u Customize once and copy u Potential as distribution tool l Good enforcement potential

6 Security Workshop, GGF 12Kate Keahey VMs as VWs: the (not so) bad l Overhead from application perspective u Depends on application, VM implementation u In practice very promising l No access to specialized hardware u Simply needs more work l Resource usage overhead u Depends on implementation l Sharing issues and policies u How do we share between VMs l Software maturity

7 Security Workshop, GGF 12Kate Keahey Networking Issues (wormhole) l What network are the VMs on u Adding a machine to a remote network u Migration problem l Solution u Create a “virtual LAN” hosting the VMs u Redirect traffic to the actual location u Administered by a VO

8 Security Workshop, GGF 12Kate Keahey VMs and Security: the Good l Protecting users from users u As good as it gets l Protecting resource from a VM u Strong sandboxing u potential for policy-driven resource consumption enforcement l Protecting VM from the resource u Trusted computing: root secure trusted VMMs and attestation: even platform owner cannot break privacy and isolation guarantees u Needs help from hardware u Pretty close to as good as it gets

9 Security Workshop, GGF 12Kate Keahey VMs and Security: the Challenging l Protecting the VM from the world u VMs are only as secure as the software they run u Who maintains all those VMs? Local administrators would have to maintain too many images… l Protecting the world from the VM u Issue 1: one could use one’s privileges as root on a VM (for example to generate harmful network traffic) u Issue 2: no control over software running on VM means potential vulnerabilities could be exploited (also see above) u Although audit works great by the time the damage is done and it is too late!

10 Security Workshop, GGF 12Kate Keahey Potential Solutions l VO could do VM certification u Maintenance by the VO makes more sense u Does a VO have enough of a stake in this process? l Ultimately it is the platform owner who is to blame… l Detect when something goes wrong u Hard: traffic of a parallel application can look surprisingly like a denial of service attack! u IDS isolated from the VM: loss of privacy to the user u VO administrator (as well as resource owner) should have the right to stop a suspicious VM l Restricting network traffic u For example: traffic allowed only to VO-owned nodes u Is questionable because the idea is to limit “them”, not us

11 Security Workshop, GGF 12Kate Keahey Grid Security with VMs l How does a VM authenticate itself? u Can’t put a private key anywhere on the image l Can be compromised l Part of the platform? u Signed and re-signed by a trusted source? l How can we integrate attestation into Grid computing seamlessly? u We need to allow for a mix of technologies

12 Security Workshop, GGF 12Kate Keahey Conclusions l We need virtual workspaces for Grid computing u Although we need to be able to rely on a mix of technologies VMs are a particularly promising technology to use in Grid computing for security reasons and otherwise l A growing role for the VO u VO might take on additional responsibilities l Administers and maintains VMs, certification authority, could potentially stop suspect VMs, is to blame if something happens… l Should the VO be a legal entity? u Would all this be healthy for a VO? l Do VOs have the resources to do that? u What are the trade-offs and a healthy balance? l Mechanisms for secure, efficient sharing between VOs u Via Grid tools? l Holy Grail u Can we use these new capabilities for Grid computing? Do we need the increased trust?

Download ppt "Virtual Workspaces Kate Keahey Argonne National Laboratory."

Similar presentations

Open Science Grid Living on the Edge: OSG Edge Services Framework Kate Keahey Abhishek Rana.

Open Science Grid Living on the Edge: OSG Edge Services Framework Kate Keahey Abhishek Rana.
A Scalable Approach to Deploying and Managing Appliances Kate Keahey Rick Bradshaw, Narayan Desai, Tim Freeman Argonne National Lab, University of Chicago.

A Scalable Approach to Deploying and Managing Appliances Kate Keahey Rick Bradshaw, Narayan Desai, Tim Freeman Argonne National Lab, University of Chicago.
From Sandbox to Playground: Virtual Environments and Quality of Service in the Grids Kate Keahey Argonne National Laboratory.

From Sandbox to Playground: Virtual Environments and Quality of Service in the Grids Kate Keahey Argonne National Laboratory.
Working Spaces: Virtual Machines in the Grid Kate Keahey Argonne National Laboratory Tim Freeman, Frank Siebenlist

Working Spaces: Virtual Machines in the Grid Kate Keahey Argonne National Laboratory Tim Freeman, Frank Siebenlist
Workspaces for CE Management Kate Keahey Argonne National Laboratory.

Workspaces for CE Management Kate Keahey Argonne National Laboratory.
The VM deployment process has 3 major steps: 1.The client queries the VM repository, sending a list of criteria describing a workspace. The repository.

The VM deployment process has 3 major steps: 1.The client queries the VM repository, sending a list of criteria describing a workspace. The repository.
Wei Lu 1, Kate Keahey 2, Tim Freeman 2, Frank Siebenlist 2 1 Indiana University, 2 Argonne National Lab

Wei Lu 1, Kate Keahey 2, Tim Freeman 2, Frank Siebenlist 2 1 Indiana University, 2 Argonne National Lab
From Sandbox to Playground: Dynamic Virtual Environments in the Grid Kate Keahey Argonne National Laboratory Karl Doering University.

From Sandbox to Playground: Dynamic Virtual Environments in the Grid Kate Keahey Argonne National Laboratory Karl Doering University.
Virtual Workspaces in the Grid Kate Keahey Argonne National Laboratory Ian Foster, Tim Freeman, Xuehai Zhang, Daniel Galron.

Virtual Workspaces in the Grid Kate Keahey Argonne National Laboratory Ian Foster, Tim Freeman, Xuehai Zhang, Daniel Galron.
Overview of local security issues in Campus Grid environments Bruce Beckles University of Cambridge Computing Service.

Overview of local security issues in Campus Grid environments Bruce Beckles University of Cambridge Computing Service.
Access Control 1. Given Credit Where It Is Due Most of the lecture notes are based on slides by Dr. Daniel M. Zimmerman at CALTECH Some slides are from.

Access Control 1. Given Credit Where It Is Due Most of the lecture notes are based on slides by Dr. Daniel M. Zimmerman at CALTECH Some slides are from.
Virtual Machine Technology Dr. Gregor von Laszewski Dr. Lizhe Wang.

Virtual Machine Technology Dr. Gregor von Laszewski Dr. Lizhe Wang.
Middleware technology and software quality issues Andrew McNab Grid Security Research Fellow University of Manchester.

Middleware technology and software quality issues Andrew McNab Grid Security Research Fellow University of Manchester.
Mobile Code Security Aviel D. Rubin, Daniel E. Geer, Jr. MOBILE CODE SECURITY, IEEE Internet Computing, 1998 Minkyu Lee 2007. 04. 23.

Mobile Code Security Aviel D. Rubin, Daniel E. Geer, Jr. MOBILE CODE SECURITY, IEEE Internet Computing, 1998 Minkyu Lee
Security Q&A OSG Site Administrators workshop Indianapolis August 6-7 2009 Doug Olson LBNL.

Security Q&A OSG Site Administrators workshop Indianapolis August Doug Olson LBNL.
An Approach to Secure Cloud Computing Architectures By Y. Serge Joseph FAU security Group February 24th, 2011.

An Approach to Secure Cloud Computing Architectures By Y. Serge Joseph FAU security Group February 24th, 2011.
 Max Planck Institute for Software Systems Towards trusted cloud computing Nuno Santos, Krishna P. Gummadi, and Rodrigo Rodrigues MPI-SWS.

 Max Planck Institute for Software Systems Towards trusted cloud computing Nuno Santos, Krishna P. Gummadi, and Rodrigo Rodrigues MPI-SWS.
Fundamentals of Computer Security Geetika Sharma Fall 2008.

Fundamentals of Computer Security Geetika Sharma Fall 2008.
CoreGRID Workpackage 5 Virtual Institute on Grid Information and Monitoring Services Authorizing Grid Resource Access and Consumption Erik Elmroth, Michał.

CoreGRID Workpackage 5 Virtual Institute on Grid Information and Monitoring Services Authorizing Grid Resource Access and Consumption Erik Elmroth, Michał.
An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.

An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.

Similar presentations

Ads by Google