Page 1: Two Aspects of Security Solution for Distributed Systems in the Grid on the Example of the OCM-G

Institute of Computer Science AGH
Technische Universität München
Rzeszów University of Technology

Two Aspects of Security Solution for Distributed Systems in the Grid on the Example of the OCM-G

Bartosz Baliś (1), Marian Bubak (1,2), Wojciech Rząsa (3), Tomasz Szepieniec (2), Roland Wismüller (4)

1) Institute of Computer Science, AGH
2) Academic Computer Centre -- CYFRONET
3) Rzeszów University of Technology
4) LRR-TUM -- Technische Universität München

Page 2: Plan

● OCM-G - on-line grid monitoring system
● Security issues
● Two aspects of the solution
● Performance analysis
● Generalization of the solution
● Summary

Page 3: OCM-G Architecture

● Service Managers
  ● one per site
  ● permanent
  ● handle multiple users
● Local Monitors
  ● one per host-and-user
  ● transient
  ● owned by the user

[Diagram: two sites, each with a Service Manager (SM) and Local Monitors (LM) on its nodes; request arrows connect the Tool, the SMs and the LMs]

Page 4: OCM-G startup

[Diagram: one site with Node 1 and Node 2; the SM is marked as the shared component; the processes of User 1 and User 2 on each node are connected by fork() arrows to a per-user LM]

Page 5: Virtual Monitoring System

● A subset of OCM-G components involved in one application
● Share information about the application
● Only the VMS members are allowed to monitor the application
● Service Managers may be shared between multiple VMSs

Page 6: Extending VMS

[Diagram: a VMS containing processes, LMs and an SM; a new process has a "register" arrow to a new LM, which has a "register" arrow to a second SM; a "Request membership" arrow connects that SM to the SM inside the VMS]

Page 7: Security issues

● Shared monitoring system components
  ● Authentication required
● OCM-G manipulates processes
  ● Authorization required
● Service Manager - permanent service
  ● Security of the site cannot be lowered
● Moreover:
  ● Reliability of the results
  ● Confidentiality of monitoring information

Page 8: 1st aspect of the solution: GSI and certificates

User certificates for:
• tools
• Local Monitors
Requirements
• Issued by valid CA

Specific certificates for:
• Service Managers
Requirements
• Issued by valid CA
• Issued specifically for the SM; specific DN, e.g. /C=PL/O=GRID/O=Cyfronet/CN=OCM-G-SM/

GSI for connections between components (authentication, authorization, integrity, confidentiality)

Page 9: Connections secured with GSI

● Analogous LM – SM connection establishment
● Valid certificates required to establish connection

[Diagram: SM – SM connection establishment: network connection; mutual authentication (certificates exchange); authorization on both sides; secured connection (authenticity, integrity, confidentiality)]

Page 10: Remaining vulnerabilities (Service Manager problem)

● Service Managers shared between users
● Anyone can pretend SM
● Valid SM certificate required to join VMS
● Administrators can access SM certificate
● ''Forged-component attack'' is possible

Page 11: Forged-component attack

[Diagram: a VMS containing processes, LMs and an SM; a second SM outside the VMS sends "Request membership" to the SM inside the VMS]

Page 12: Should we trust site administrators?

We already trust:
• Administrators can access users' accounts with private keys
• Administrators can control their users' resources
• ... possibly on the other sites (using their users' private keys)

By the forged-component attack an administrator can access other users' resources on the other sites.

Conclusion: we cannot authorize an SM to join a VMS using its certificate only.

Page 13: Secured protocol of extending VMS

[Diagram: a VMS containing processes, LMs and an SM; a new process registers with a new LM, which registers with a second SM; that SM sends "Request membership" to the SM inside the VMS; a digitally signed ''written permission'' is issued, the two SMs exchange the ''written permission'', and both perform permission verification]

Page 14: 2nd aspect of the solution

Secured protocol of extending VMS
● Request to join VMS digitally signed by the user
● While extending VMS both SMs present:
  • Valid SM certificate
  • ''Written permission'' of the VMS owner

Consequence: administrators cannot access other users' resources on the other sites
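The two-part admission check of the secured protocol (pages 13 and 14), written out as an added example in Go; this is not OCM-G code. It assumes Ed25519 keys stand in for the users' GSI credentials, a constructed JSON layout for the ''written permission'', and that the GSI handshake has already verified the joining SM's certificate so only its DN is checked here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Permission is the VMS owner's ''written permission'' for one SM to join one VMS (layout constructed here).
type Permission struct {
	VMS  string `json:"vms"`   // Virtual Monitoring System identifier
	SMDN string `json:"sm_dn"` // certificate DN of the Service Manager being admitted
}

type JoinRequest struct {
	SMDN string     // subject DN of the SM's certificate, assumed already verified by the GSI handshake
	Perm Permission // permission naming this SM and this VMS
	Sig  []byte     // VMS owner's signature over the JSON-encoded permission
}

// SignPermission runs at the owner's tool: it binds the VMS to the SM's DN and signs the pair.
func SignPermission(owner ed25519.PrivateKey, vms, smDN string) (Permission, []byte) {
	p := Permission{VMS: vms, SMDN: smDN}
	msg, _ := json.Marshal(p) // struct encoding is deterministic, so the verifier re-encodes the same bytes
	return p, ed25519.Sign(owner, msg)
}

// AdmitSM is the check an SM already in the VMS runs: the SM certificate alone is not enough, the owner's permission must also verify.
func AdmitSM(ownerPub ed25519.PublicKey, vms string, r JoinRequest) error {
	if !strings.HasSuffix(r.SMDN, "/CN=OCM-G-SM/") {
		return errors.New("certificate not issued specifically for a Service Manager")
	}
	if r.Perm.VMS != vms || r.Perm.SMDN != r.SMDN {
		return errors.New("permission does not name this VMS and this SM")
	}
	if msg, _ := json.Marshal(r.Perm); !ed25519.Verify(ownerPub, msg, r.Sig) {
		return errors.New("permission not signed by the VMS owner")
	}
	return nil
}

func main() {
	ownerPub, owner, _ := ed25519.GenerateKey(rand.Reader)
	smDN := "/C=PL/O=GRID/O=Cyfronet/CN=OCM-G-SM/" // DN pattern from the slides
	p, sig := SignPermission(owner, "vms-1", smDN)
	fmt.Println("admitted:", AdmitSM(ownerPub, "vms-1", JoinRequest{smDN, p, sig}) == nil)
}
```

An administrator who holds the SM certificate but not the owner's key can only produce a permission signed with some other key, which AdmitSM rejects; this is the forged-component attempt of page 11.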

Page 15: Performance

● Low monitoring overhead essential for the on-line system
● 1st aspect of the solution introduces additional overhead
● 2nd security aspect affects startup only

Test: transmission of 100 B packets between two processes, CPU time measured
• CLEAR - data not secured
• AUTH - authentication and authorization
• PROTECT - authenticity/integrity protection
• CRYPT - confidentiality protection

Page 16: Overhead test results

Security level   Avg. Time [ms]
CLEAR            0.0530
AUTH             0.0448
PROTECT          0.2357
CRYPT            0.3826

Worst case latency of the order of 0.1 ms acceptable for on-line monitoring

Page 17: Generalization

[Diagram: a "Distributed system" of three SMs labelled "Distributed agent"; below them, per-user LMs with their processes (proc) and resources (res.); two Users, each with a tool connected to the SMs]

Page 18: Summary

The proposed security solution
• 1st aspect – communication security
• 2nd aspect – secured protocol of extending VMS

Acceptable overhead confirmed by the test results

We believe it is possible to adapt the solution to similar architecture systems