Ian D. Alderman Computer Sciences Department University of Wisconsin-Madison Condor Week 2008 End-to-end.


1 End-to-end Security and Condor. Ian D. Alderman, Computer Sciences Department, University of Wisconsin-Madison, alderman@cs.wisc.edu, http://www.cs.wisc.edu/condor. Condor Week 2008.

2 End-to-End Security and Condor › When Condor was first designed, a single administrative domain was all that was required: all Condor daemons were installed and configured by the same group. › Practical concerns have led to the adoption of mechanisms that violate this assumption. › Goal: Develop a framework balancing usability (w.r.t. both end-users and administrators) with security in the context of multiple administrative domains.

3 Outline › The Problem › History of Condor › Stakeholders › Framework mechanisms › Related work › Summary and conclusions

4 General Trust Model (diagram): the user's proxy, executable plus arguments (Exe+args) and data pass through a chain of services (Service 1, Service 2, ..., Service k, Service k+1, ..., Service n-1, Service n) on the way to the worker; the proxy is then used to read from and write to a database or storage element (DB / SE).

5 The Problem: Altered Task, Input, or Results (diagram): an intermediary service replaces Exe+args with Exe1+args1; every downstream service forwards the altered task unchanged, and arbitrary code is run in the user's name against the DB / SE.

6 The Problem: Stolen Credentials (diagram): an intermediary service keeps a copy of the proxy and uses it on its own behalf (Exe1+args1, Read1/Write1), gaining unauthorized access to the user's information systems (possibly corrupting them).

7 Design Principles › End-to-end Principle (Saltzer, Reed & Clark, 1984): “The function in question can completely and correctly be implemented only with the knowledge and help of the application standing at the end points of the communication system. Therefore, providing that questioned function as a feature of the communication system itself is not possible.” › Principle of Least Privilege (Saltzer & Schroeder, 1975): “Every program and every user of the system should operate using the least set of privileges necessary to complete the job.”

8 Outline › The Problem › History of Condor: “Multiple domain distributed batch computing infrastructure” v. “Grid” › Stakeholders › Framework mechanisms › Related work › Summary and conclusions

9 Condor job flow (diagram). Hosts and daemons: Submit Host (startd, schedd, shadow), Central Manager (collector, negotiator), Execute Host (startd, schedd, starter, User Job). Steps: 1. The user writes a Job Description File, and the execute host's startd publishes a Machine ClassAd; 2. the submit tool turns the description into a Job ClassAd for the schedd; 3. the schedd forwards the Job ClassAd to the collector; 4. Negotiation cycle; 5. Report match (to the schedd and the startd); 6. Claim host; 7. the schedd forks a Shadow and the startd forks a Starter; 8. Shadow and Starter establish a communication path; 9. the Starter sets policy and forks the User Job. Privilege levels shown: root install, root, the condor user, real UIDs, nobody.

10 Condor History: Origins (same diagram): every host belongs to a single “home” administrative domain.

11 Condor History: Flocking (same diagram): the flow now spans a “home” and an “away” administrative domain, and jobs still run under real UIDs on the execute side.

12 Condor History: Condor-G, Condor-C (diagram variant): steps 1-5 as before, then 6. Claim resource; 7. the schedd forks a GAHP; 8. the GAHP transfers the job to the remote Scheduler's schedd. The flow spans “home” and “away” domains, with real UIDs on the remote side.

13 Today: Multiple domain distributed batch computing

14 Outline › The Problem › History of Condor › Stakeholders ∘ Submitters ∘ Schedulers ∘ Execution hosts ∘ Storage elements › Framework mechanisms › Related work › Summary and conclusions

15 Stakeholders: Submitters › “Just want to get work done, don’t care about anything else.” › Actually, do care about reproducibility and accuracy of results. › May care about confidentiality of tasks and data. › Want to know the following about their jobs: what, when, where, who, why. › Don’t have any way of expressing policy.

16 Stakeholders: Schedulers › Successful when goodput is high. › Don’t want to waste time. ∘ Security can be expensive in CPU time. ∘ Don’t advertise resources that don’t exist. › Don’t need to change job payloads. › Don’t want to get attacked.

17 Stakeholders: Execute Hosts › Have a trust relationship with users: users trust them to execute tasks accurately and return correct results. › Successful when many users successfully run many jobs (but only the “real” users’ “real” jobs). › Need to perform authorization based on user credentials: must trust users, too. › Don’t want to get attacked. › Need audit capability if they do.

18 Stakeholders: File Servers › Have a trust relationship with users, not with execute hosts or schedulers: users trust them to enforce access control policies. › Responsible for enforcing access control policy, but ACLs don’t have access to information about tasks. › Can’t change authentication/authorization very much. › Need audit capability.

19 Outline › The Problem › History of Condor › Stakeholders › Framework mechanisms ∘ Signed ClassAds ∘ Task-specific proxy certificates ∘ Service-specific proxy certificates ∘ Policy expressions › Related work › Summary and conclusions

20 Untrusted services? (same chain-of-services diagram) We need to trust the end-points; we have no choice. Endpoints handle integrity and confidentiality. Intermediaries are just responsible for availability.

21 Sign executable+args (diagram): Proxy X = proxy with rule “Execute iff hash(Exe+args)==myhash”. An intermediary that rewrites the task to Exe'+args' cannot update the rule, so the end point checks the signature before execution and refuses the altered task. Requirements: WN must be able to determine the integrity of executables. User specifies policy; worker node interprets it. WN must be able to associate task with proxy.

22 Sign data (diagram): ProxyY = proxy with rule “Stage data iff hash(data)==myhash”. The end point checks the signature before staging data; if an intermediary has altered the data (Data+data1), the check fails. Since without data the job could fail, it should not run the job either. Requirements: WN must be able to determine the integrity of data.

24 Integrity: Signed ClassAds › Requirement: WN must be able to verify the integrity of executables, arguments, and input data. User must be able to verify the integrity of results. › Solution: WNs check signatures on executables, arguments and input, and sign output data (results). User can verify the signature on the results, and verify whether the WN was consistent with policy. › Implementation: The task's signed ClassAd specifies executables, arguments, and input data; external files are “included” through cryptographic hashes. Completed task ClassAds are signed by WNs before output data is returned to the client; output data file hashes are included. Example task ClassAd:
  [ owner = “ian”
    executable = “a.out”
    input = “file1.txt”
    arguments = “-safe”
    ...
    executable_hash = “de1a...”
    input_hash = “be5ed23a0...”
    ...
    cad_sig = “long opaque string” ]
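The sign-then-verify flow of slides 21, 22 and 24, worked through in Go as an added example (it is not code from the Condor code base or from the speaker): the submitter includes the executable and input file in the task ClassAd by SHA-256 hash and signs the ad as cad_sig; the worker node refuses to stage or run anything whose signature or hashes do not check; and the worker node signs the completed ad, output hash included, so the submitter can verify the results. The ClassAd is reduced to a string map, Ed25519 is the assumed signature algorithm (the slides name none), the attribute names beyond those on the slide (output, output_hash, wn_sig), the canonical serialisation, and all file contents are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// ClassAd stands in for a Condor ClassAd as a flat attribute map
// (assumption: string-valued attributes suffice for this example).
type ClassAd map[string]string

// NewKey returns an Ed25519 key pair (assumed algorithm; the slides name none).
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader does not fail in practice
	return pub, priv
}

// Canonical serialises an ad with attributes sorted by name and the named
// signature attribute left out, so signer and verifier hash identical bytes.
func Canonical(ad ClassAd, sigAttr string) []byte {
	keys := make([]string, 0, len(ad))
	for k := range ad {
		if k != sigAttr {
			keys = append(keys, k)
		}
	}
	sort.Strings(keys)
	var b strings.Builder
	for _, k := range keys {
		fmt.Fprintf(&b, "%s = %q\n", k, ad[k])
	}
	return []byte(b.String())
}

// HashHex "includes" an external file in the ad by its SHA-256 digest.
func HashHex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// SignTask is the submitter's side: commit to the files by hash, then sign the whole ad as cad_sig.
func SignTask(owner string, userPriv ed25519.PrivateKey, exe, input []byte, args string) ClassAd {
	ad := ClassAd{"owner": owner, "executable": "a.out", "input": "file1.txt", "arguments": args,
		"executable_hash": HashHex(exe), "input_hash": HashHex(input)}
	ad["cad_sig"] = hex.EncodeToString(ed25519.Sign(userPriv, Canonical(ad, "cad_sig")))
	return ad
}

// VerifyTask is the worker-node check before staging or executing anything: the signature
// must cover the ad and the staged bytes must match the hashes the signed ad commits to.
// Any failure means the job does not run (slide 22: no data, no job).
func VerifyTask(ad ClassAd, userPub ed25519.PublicKey, exe, input []byte) error {
	sig, err := hex.DecodeString(ad["cad_sig"])
	switch {
	case err != nil || !ed25519.Verify(userPub, Canonical(ad, "cad_sig"), sig):
		return errors.New("cad_sig does not verify: task or policy altered in transit")
	case HashHex(exe) != ad["executable_hash"]:
		return errors.New("executable hash mismatch: refusing to execute")
	case HashHex(input) != ad["input_hash"]:
		return errors.New("input hash mismatch: refusing to stage data or run")
	}
	return nil
}

// SignResult is the worker node's side: the completed ad (the user's attributes and cad_sig
// plus the output hash) is signed as wn_sig before the output goes back to the client.
func SignResult(task ClassAd, wnPriv ed25519.PrivateKey, output []byte) ClassAd {
	done := ClassAd{"output": "out.txt", "output_hash": HashHex(output)}
	for k, v := range task {
		done[k] = v
	}
	done["wn_sig"] = hex.EncodeToString(ed25519.Sign(wnPriv, Canonical(done, "wn_sig")))
	return done
}

// VerifyResult is the submitter's check on the returned results.
func VerifyResult(done ClassAd, wnPub ed25519.PublicKey, output []byte) error {
	sig, err := hex.DecodeString(done["wn_sig"])
	if err != nil || !ed25519.Verify(wnPub, Canonical(done, "wn_sig"), sig) {
		return errors.New("wn_sig does not verify")
	}
	if HashHex(output) != done["output_hash"] {
		return errors.New("output hash mismatch")
	}
	return nil
}

func main() {
	userPub, userPriv := NewKey()
	wnPub, wnPriv := NewKey()
	exe, input := []byte("constructed executable bytes"), []byte("constructed input") // constructed samples
	ad := SignTask("ian", userPriv, exe, input, "-safe")
	fmt.Println("honest task:  ", VerifyTask(ad, userPub, exe, input))
	fmt.Println("trojan exe:   ", VerifyTask(ad, userPub, []byte("trojan"), input))
	done := SignResult(ad, wnPriv, []byte("constructed results"))
	fmt.Println("honest result:", VerifyResult(done, wnPub, []byte("constructed results")))
	fmt.Println("forged result:", VerifyResult(done, wnPub, []byte("forged")))
	ad["arguments"] = "-rm-rf" // an intermediary rewrites the arguments (slide 5): cad_sig no longer matches
	fmt.Println("altered args: ", VerifyTask(ad, userPub, exe, input))
}
```

The canonical form is the part most often got wrong in practice: if signer and verifier serialise attributes in different orders, or one includes the signature attribute in the bytes being signed, valid ads fail and the temptation is to weaken the check. Sorting attribute names and excluding the signature attribute by name keeps both sides deterministic.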

25 User Specified Policies › Requirement: Users must be able to specify policies describing appropriate uses of their tasks and credentials. Worker nodes and resources must be able to interpret and enforce policies. › Solution: Users specify policies such as acceptable WN trust roots and sign executables, arguments and input data. Policy enforcement is performed by trusted endpoints and policy-aware resources. › Implementation: Users specify policy in the ClassAd language with additional primitives. ClassAd policy expressions are evaluated by endpoints and resources in addition to local access control settings (ACLs + capabilities). Notation: hP_x is the hash of public key x. Example policy expressions:
  execute_aae = exec_ca(hP_e)
  access_aae = exec_ca(hP_e) && resource_ca(hP_r)

26 Task-specific proxies › Requirement: Unique executable, arguments, input data -> unique proxy. Intermediaries don't need to understand, interpret or enforce policy. › Solution: Each task has a unique proxy certificate issued by the submitting user's proxy. Intermediaries are only assumed to provide availability. › Implementation: An additional proxy is generated by the user for each task, containing the policies and signature. Policy and signatures are carried in the proxy certificate as an X.509 v3 extension, which intermediaries can ignore.

27 Service-specific proxies › Requirement: When a WN authenticates with a service on behalf of a user, the service must be able to authenticate both the user and the WN in order to enforce the user's policy. › Solution: Proxy delegation includes the additional step of a signature performed by the WN on the delegation chain. › Implementation: The resource enforces policy by verifying that the signing WN is consistent with the user-specified policy.

28 Authenticating the WN too (diagram): ProxyZ = proxy with rule “Allow access to my info systems only if signed by trusted WN”; ProxyW = ProxyZ signed with the WN host cert (or equivalent). The information system checks for a signature from a trusted WN before honouring Read/Write; an untrusted resource holding a stolen ProxyZ cannot add that signature. Requirements: Proxy and WN authenticate to services.
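The WN countersignature and policy evaluation of slides 25, 27 and 28, as an added example in Go (not the project's code): the user issues a task-specific proxy carrying a policy expressed as public-key hashes (hP_e for acceptable worker nodes, hP_r for acceptable resources), the worker node turns it into a service-specific proxy by signing the delegation chain, and the resource evaluates access_aae = exec_ca(hP_e) && resource_ca(hP_r) before honouring a request. The X.509 proxy certificate is reduced to a signed struct, Ed25519 is the assumed algorithm, membership in a hash list stands in for real CA chain validation, and every key and the task id are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// KeyHash is hP_x from the policy slide: the hash of public key x, by which
// policies name trusted WNs and resources instead of embedding the keys.
func KeyHash(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// GenKey returns an Ed25519 key pair (assumed algorithm; the slides name none).
func GenKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader does not fail in practice
	return pub, priv
}

// Policy is the user's policy; assumption: exec_ca and resource_ca are
// modelled as membership in a list of acceptable key hashes.
type Policy struct {
	ExecCA     []string // hP_e values: WNs allowed to act for this task
	ResourceCA []string // hP_r values: services the task may access
}

// TaskProxy is the task-specific proxy (the X.509 proxy reduced to a struct).
type TaskProxy struct {
	TaskID  string
	UserPub ed25519.PublicKey
	Policy  Policy
	UserSig []byte // user's signature over signedBytes()
}

// signedBytes is the byte string the user's signature covers: id, key and policy.
func (p TaskProxy) signedBytes() []byte {
	b := append([]byte("task:"+p.TaskID+";user:"), p.UserPub...)
	for _, h := range p.Policy.ExecCA {
		b = append(b, []byte(";exec_ca:"+h)...)
	}
	for _, h := range p.Policy.ResourceCA {
		b = append(b, []byte(";resource_ca:"+h)...)
	}
	return b
}

func IssueTaskProxy(id string, userPub ed25519.PublicKey, userPriv ed25519.PrivateKey, pol Policy) TaskProxy {
	p := TaskProxy{TaskID: id, UserPub: userPub, Policy: pol}
	p.UserSig = ed25519.Sign(userPriv, p.signedBytes())
	return p
}

// ServiceProxy is the service-specific proxy: the WN's signature over the
// delegation chain (user proxy, user signature, WN key) binds the WN to it.
type ServiceProxy struct {
	Task  TaskProxy
	WNPub ed25519.PublicKey
	WNSig []byte
}

func chainBytes(t TaskProxy, wnPub ed25519.PublicKey) []byte {
	return append(append(t.signedBytes(), t.UserSig...), wnPub...)
}

func Delegate(t TaskProxy, wnPub ed25519.PublicKey, wnPriv ed25519.PrivateKey) ServiceProxy {
	return ServiceProxy{Task: t, WNPub: wnPub, WNSig: ed25519.Sign(wnPriv, chainBytes(t, wnPub))}
}

func inList(list []string, h string) bool {
	for _, x := range list {
		if x == h {
			return true
		}
	}
	return false
}

// Authorize is the resource's check: access_aae = exec_ca(hP_e) && resource_ca(hP_r).
// Assumption: the resource has already authenticated UserPub through the user's
// certificate chain; only the WN and policy checks are shown here.
func Authorize(sp ServiceProxy, resourcePub ed25519.PublicKey) error {
	t := sp.Task
	switch {
	case !ed25519.Verify(t.UserPub, t.signedBytes(), t.UserSig):
		return errors.New("user signature invalid: proxy or policy was altered")
	case !ed25519.Verify(sp.WNPub, chainBytes(t, sp.WNPub), sp.WNSig):
		return errors.New("WN signature invalid: chain not signed by the presented WN key")
	case !inList(t.Policy.ExecCA, KeyHash(sp.WNPub)):
		return errors.New("exec_ca(hP_e) false: signing WN not trusted by the user's policy")
	case !inList(t.Policy.ResourceCA, KeyHash(resourcePub)):
		return errors.New("resource_ca(hP_r) false: resource not in the user's policy")
	}
	return nil
}

func main() {
	userPub, userPriv := GenKey()
	wnPub, wnPriv := GenKey()       // trusted worker node
	roguePub, roguePriv := GenKey() // intermediary holding a stolen proxy (slide 6)
	resPub, _ := GenKey()           // the DB / storage element
	pol := Policy{ExecCA: []string{KeyHash(wnPub)}, ResourceCA: []string{KeyHash(resPub)}}
	proxy := IssueTaskProxy("job-1", userPub, userPriv, pol)
	fmt.Println("trusted WN:", Authorize(Delegate(proxy, wnPub, wnPriv), resPub))
	fmt.Println("rogue WN:  ", Authorize(Delegate(proxy, roguePub, roguePriv), resPub))
	fmt.Println("forged sig:", Authorize(Delegate(proxy, wnPub, roguePriv), resPub))
}
```

The two failure cases in main are the ones slide 28 argues about: a stolen proxy presented by an untrusted service fails exec_ca because its key hash is not in the policy, and claiming the trusted WN's key without its private key fails the chain signature. Editing the policy to add the rogue's hash is caught one step earlier, by the user's signature over the proxy.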

29 Outline › The Problem › History of Condor › Stakeholders › Framework mechanisms › Related work ∘ Secure message board ∘ … › Summary and conclusions

30 Related Work ∘ Privsep & Glide-ins ∘ Third party information (VOMS, Shibboleth, SPRUCE) ∘ Use case: Message service ∘ Authorization services collaboration ∘ Authentication methods ∘ Encryption and integrity methods (AES, SHA-1, SHA-256)

31 Secure Message Board Good security design results in new possibilities: things you can do that you couldn’t do without the security features. Ex: › Components can publish information to the condor_collector using condor_advertise. ∘ Igor uses this mechanism to exchange information from VO frontends to glide-in factories. › Currently, only the authorization provided by CEDAR provides access control: anyone (who can write something) can write anything. ∘ So, Igor can only have one VO frontend per collector. › Signed ClassAds to the rescue.


33 Summary and Conclusion › As systems evolve, security mechanisms need to evolve along with them. › Developed a framework balancing usability (w.r.t. both end-users and administrators) with security in the context of multiple administrative domains. › Met design goals; additional new usage is being discovered as well.

34 Questions? For more information, contact: Ian Alderman, alderman@cs.wisc.edu

