Two Aspects of Security Solution for Distributed Systems in the Grid on the Example of the OCM-G

1
Two Aspects of Security Solution for Distributed
Systems in the Grid on the Example of the OCM-G

• Bartosz Balis1, Marian Bubak1,2, Wojciech
  Rzasa3, Tomasz Szepieniec2,
• Roland Wismüller4

1)Institute of Computer Science, AGH 3)Rzeszów
University of Technology
2)Academic Computer Centre -- CYFRONET 4)LRR-TUM
-- Technische Universitat Munchen
2
Plan

• OCM-G - on-line grid monitoring system
• Security issues
• Two aspects of the solution
• Performance analysis
• Generalization of the solution
• Summary

3
OCM-G Architecture

• Service Managers
• one per site
• permanent
• handle multiple users
• Local Monitors
• one per host-and-user
• transient
• owned by the user

4
OCM-G startup
site
Node 2
Node 1
SM
LM
LM
LM
process
process
5
Virtual Monitoring System

• A subset of OCM-G components involved in one
  application
• Share information about the application
• Only the VMS members are allowed to monitor the
  application
• Service Managers may be shared between multiple
  VMSs

6
Extending VMS
VMS
SM
SM
LM
LM
LM
process
process
process
process
7
Security issues

• Shared monitoring system components
• Authentication required
• OCM-G manipulates processes
• Authorization required
• Service Manager - permanent service
• Security of the site cannot be lowered
• Moreover
• Reliability of the results
• Confidentiality of monitoring information

8
1st aspect of the solutionGSI and certificates
GSI for connections between components (authentica
tion, authorization, integrity, confidentiality)

• Specific certificates for
• Service Managers
• Requirements
• Issued by valid CA
• Issued specifically for the SM specific DN, e.g.
• /CPL/OGRID/OCyfronet/CNOCM-G-SM/

• User certificates for
• tools
• Local Monitors
• Requirements
• Issued by valid CA

9
Connections secured with GSI
SM
SM

• Analogous LM SM connection establishment
• Valid certificates required to establish
  connection

10
Remaining vulnerabilities(Service Manager
problem)

• Service Managers shared between users
• Anyone can pretend SM
• Valid SM certificate required to join VMS
• Administrators can access SM certificate
• ''Forged-component attack'' is possible

11
Forged-component attack
VMS
SM
SM
LM
LM
process
process
process
12
Should we trust site administrators?

• We already trust
• Administrators can access users' accounts with
  private keys
• Administrators can control his users' resources
• ... possibly on the other sites (using his users'
  private keys)
• By the forged-component attack administrator can
  access other users' resources on the other sites
• Conclusion we cannot authorize SM to join VMS
  using his certificate only.

13
Secured protocol of extending VMS
VMS
SM
SM
LM
LM
LM
process
process
process
process
14
2nd Aspect of the solution

• Secured protocol of extending VMS
• Request to join VMS digitally signed by the user
• While extending VMS both SMs present
• Valid SM certificate
• ''Written permission'' of the VMS owner
• Consequence administrators cannot access other
  users' resources on the other sites

15
Performance

• Low monitoring overhead essential for the on-line
  system
• 1st aspect of the solution introduces additional
  overhead
• 2nd security aspect affects startup only
• Test transmission of 100B packets between two
  processes, CPU time measured
• CLEAR - data not secured
• AUTH - authentication and authorization
• PROTECT - authenticity/integrity protection
• CRYPT - confidentiality protection

16
Overhead test results
Worst case latency of the order of 0.1 ms
acceptable for on-line monitoring
17
Generalization
tool
Distributed agent
SM
SM
SM
tool
18
Summary

• The proposed security solution
• 1st aspect communication security
• 2nd aspect secured protocol of extending VMS
• Acceptable overhead confirmed by the test results
• We believe it is possible to adapt the solution
  to similar architecture systems