Grid-computing portals and security issues

Computational grids provide computing power by sharing resources across administrative domains. This sharing, coupled with the need to execute untrusted code from arbitrary users, introduces security hazards. Grid environments are built on top of platforms that control access to resources within a single administrative domain, at the granularity of a user. In wide-area multidomain grid environments, the overhead of maintaining user accounts is prohibitive, and securing access to resources via user accountability is impractical. Typically, these issues are handled by implementing checks that guarantee the safety of applications, so that they can run in shared user accounts. This work shows that safety checks--language-based, compile-time, link-time or load-time--currently implemented in most grid environments are either inadequate or limit allowed grid users and applications. A survey of various grid systems is presented, highlighting the problems and limitations of current grid environments. A runtime process monitoring technique is also proposed. The approach allows setting-up an execution environment that supports the full legitimate use allowed by the security policy of a shared resource. For shell-based applications, performance measurements of the proposed scheme show up to 2.14 times less overheads as compared to the case where all applications including the shell are monitored.

[1]  David A. Wagner,et al.  Intrusion detection via static analysis , 2001, Proceedings 2001 IEEE Symposium on Security and Privacy. S&P 2001.

[2]  José A. B. Fortes,et al.  PUNCH: An architecture for Web-enabled wide-area network-computing , 2004, Cluster Computing.

[3]  Renato J. O. Figueiredo,et al.  Fine-grain access control for securing shared resources in computational grids , 2002, Proceedings 16th International Parallel and Distributed Processing Symposium.

[4]  George C. Necula,et al.  Safe kernel extensions without run-time checking , 1996, OSDI '96.

[5]  Chris J. Scheiman,et al.  UFO: a personal global file system based on user-level extensions to the operating system , 1998, TOCS.

[6]  Renato J. O. Figueiredo,et al.  Enhancing the scalability and usability of computational grids via logical user accounts and virtual file systems , 2001, Proceedings 15th International Parallel and Distributed Processing Symposium. IPDPS 2001.

[7]  Miron Livny,et al.  Condor-a hunter of idle workstations , 1988, [1988] Proceedings. The 8th International Conference on Distributed.

[8]  Giovanni Vigna,et al.  Mobile Agents and Security , 1998, Lecture Notes in Computer Science.

[9]  Ian Goldberg,et al.  A Secure Environment for Untrusted Helper Applications ( Confining the Wily Hacker ) , 1996 .

[10]  Henry McGilton,et al.  The JavaTM Language Environment , 1998 .

[11]  Charles F. Webb,et al.  S/390 microprocessor design , 2000, IBM J. Res. Dev..

[12]  Navjot Singh,et al.  Transparent Run-Time Defense Against Stack-Smashing Attacks , 2000, USENIX Annual Technical Conference, General Track.

[13]  Harish Patil,et al.  Efficient Run-time Monitoring Using Shadow Processing , 1995, AADEBUG.

[14]  Robert Wahbe,et al.  Efficient software-based fault isolation , 1994, SOSP '93.

[15]  Renato J. O. Figueiredo,et al.  PUNCH: Web Portal for Running Tools , 2000, IEEE Micro.

[16]  Ian T. Foster,et al.  Globus: a Metacomputing Infrastructure Toolkit , 1997, Int. J. High Perform. Comput. Appl..

[17]  Michael B. Jones,et al.  Interposition agents: transparently interposing user code at the system interface , 1994, SOSP '93.

[18]  David Wagner,et al.  Janus: an Approach for Confinement of Untrusted Applications , 1999 .

[19]  Barton P. Miller,et al.  Playing Inside the Black Box: Using Dynamic Instrumentation to Create Security Holes , 2001, Parallel Process. Lett..

[20]  Jerome H. Saltzer,et al.  The protection of information in computer systems , 1975, Proc. IEEE.

[21]  Stephanie Forrest,et al.  A sense of self for Unix processes , 1996, Proceedings 1996 IEEE Symposium on Security and Privacy.

[22]  Hemma Prafullchandra,et al.  Going Beyond the Sandbox: An Overview of the New Security Architecture in the Java Development Kit 1.2 , 1997, USENIX Symposium on Internet Technologies and Systems.

[23]  Karl N. Levitt,et al.  Execution monitoring of security-critical programs in distributed systems: a specification-based approach , 1997, Proceedings. 1997 IEEE Symposium on Security and Privacy (Cat. No.97CB36097).

[24]  Ali R. Butt,et al.  Security Implications of Making Computing Resources Available via Computational Grids , 2001 .