Cluster Security with NVisionCC: The Forseti Distributed File Integrity Checker

Attackers who are able to compromise a single node in a high-performance computing cluster can use that node as a launch point for a number of malicious actions. In many cases, the password used to log into a single node can be used to access a large number of nodes in the system, allowing the attacker to use the vast computing and storage capabilities of the compromised cluster to sniff network traffic, carry out brute-force password cracking, launch distributed denial-of-service attacks, or serve illegal digital content. Often, these types of attackers modify important system files to collect passwords to other accounts, disable certain logging facilities, or create backdoors into the system. In this paper, we present Forseti, a distributed file integrity checker designed specifically for the high-performance computing cluster environment. Forseti was designed to address the shortcomings exhibited by existing host-based intrusion detection systems when used in the cluster environment and to provide a means of detecting changes to critical system files made by root-level adversaries. We discuss the design and implementation of the Forseti system, present a security analysis of Forseti, examine the performance of the system, and explore how Forseti can be used in concert with other security monitoring techniques to enhance the security of the HPC cluster environment.
