Solving the Middleware Problem
Towards a Trusted Grid Architecture
Andy Cooper
Software Engineering Laboratory
University of Oxford
Trusted Services: Requirements and Prospects, Edinburgh, July 2008
Problem of trust in the grid
Malicious host problem
How can you trust a remote computer to process your data securely?
Trust asymmetry problem
An operating system normally protects the computer from malicious users.
But what about protecting the users from a malicious computer?
The Middleware Problem
The software that drives the grid is too complex to be trusted to protect users' data.
Any security features built on top of the grid are therefore doomed to failure.
All grid applications are vulnerable because they can be attacked from 'underneath', via the grid middleware they run on.
Globus Middleware Software
Total lines of code: 1,816,203
The security layer is the most complex part.
It doesn't matter how good grid authorisation systems are if the systems can be accessed via the back door.
Globus Software Vulnerabilities
Globus Toolkit Advisories
GT version 4.0 (May '05 - Nov '06): 23 vulnerabilities listed
GT version 3.2 (Apr '05 - Nov '06): 13 vulnerabilities listed
GT version 3.0 (Jul '03 - Jun '04): 6 vulnerabilities listed
GT version 2.4 (May '03 - May '04): 6 vulnerabilities listed
GT version 2.0 (Oct '02 - Oct '03): 8 vulnerabilities listed
The Dangers of Delegation
Inadequacy of Proxy Credentials
Problem 1
"Give me your credential! You can trust me - it expires in 12 hours"
Problem 2
Proxy credentials can't be revoked before they expire
Problem 3
An attacker can repeatedly steal the credentials, so the short lifetime offers little protection
Trusted Computing Technologies
Attestation
Using a hardware chip to measure the software running on a remote computer and report that measurement to a remote party
Protected storage
Digital rights management capability: encrypted grid jobs can be run so that the platform owner cannot access the decryption keys.
Virtualisation
Grid jobs can be run isolated within a virtual machine
Trusted Grid Architecture
Source: Lohr et al., Enhancing Grid Security Using Trusted Virtualization, IBM and University of Bochum
Problems with TGA
The grid middleware problem still undermines its security
It requires a major change to existing grid middleware
Attestation only proves which software is running; if that software is the insecure middleware, it merely proves that insecure software is being run!
Security in a virtual machine
Job Security Manager
The user pushes down the security software in a second virtual machine, distributed alongside the grid job
Interoperability advantages
The service provider no longer needs to pre-install security software
Security can be enforced anywhere on the grid
The Job Security Manager
Difficulty in overcoming the grid middleware problem
The dilemma
Grid middleware must have access to users' data in order to stage it in and run the job
The middleware problem means it can't be trusted with that data
A solution - pre-encrypt grid data
Solving the middleware problem
The grid job's data is pre-encrypted by its owner
The grid middleware downloads only the encrypted data
Decrypting the grid data
The grid middleware also downloads the job security manager VM
It starts running like any other grid job
It attests itself to the owner's key management service to obtain the decryption key
The job security manager decrypts and runs the grid job
A trusted grid architecture
Benefits of this solution
The grid middleware no longer needs to be trusted
Works with all grid middleware without modifications
Stealing credentials is no longer a problem: they only allow the attacker to download encrypted data.
Digital rights management for grid computing
Digital Rights Management
Grid data is encrypted to enforce access controls, not just for confidentiality
DRM empowers users to control access to their information on the grid
Key management service security policies
Enforce a trusted boundary for a virtual organisation
Control the recipients of the results data
Control what software can run on the grid
Subgrids
Creates a strong boundary for a virtual organisation
Grid jobs can only run within an encrypted environment on trusted hosts
Even the platform owner cannot subvert the security policy
Security policy
The key management service attests the job security manager
The host is authenticated before any keys are released
Encrypted Results Data
Controlling dissemination of results
The grid middleware can stage out encrypted results data
The security policy controls who can access the results
Recipient keys
The security policy lists the authorised recipients
The data encryption key is encrypted once for each recipient
The recipient keys are staged out as a file alongside the encrypted results data
Mandatory access controls
Controlling software
Policy defines what software can run on the grid
It cannot be altered by users; it is controlled by the data owners
Attesting grid jobs
Each data owner runs their own key management service
The job security manager attests the grid job
The decryption key is only released if the software is authorised to access the data
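As an added example (not the talk's code, and not the author's Job Security Manager), here is a Python model of the flow described across the pre-encryption, subgrids, encrypted results and mandatory access control slides: the data owner pre-encrypts the job's data; the job security manager measures itself and the job and attests to the owner's key management service; the service releases the data key only if the host is inside the subgrid, the quote verifies, the nonce is fresh and both measurements are on its policy; the results are staged out under a fresh key that is wrapped once per listed recipient. Everything concrete is an assumption: measurements are SHA-256 hashes of image bytes, the attestation quote is an HMAC under a per-host key standing in for a hardware attestation key, seal/unseal is a constructed SHA-256 counter-mode stream with an HMAC tag standing in for a real AEAD (use AES-GCM in practice), recipient keys are pre-shared symmetric keys standing in for the recipients' public keys, and the host names, job id and data are made up.

```python
"""Added model of attestation-gated key release for pre-encrypted grid jobs (not the talk's code; all stand-ins are labelled)."""
import hashlib
import hmac
import json
import os

def _kdf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    """SHA-256 in counter mode: a constructed stand-in for a real cipher (use AES-GCM in practice)."""
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range((n + 31) // 32))[:n]

def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Encrypt-then-MAC; layout nonce(16) || ciphertext || tag(32)."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _stream(_kdf(key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(_kdf(key, b"mac"), nonce + aad + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Verify the tag before touching the ciphertext; a wrong key raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_kdf(key, b"mac"), nonce + aad + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _stream(_kdf(key, b"enc"), nonce, len(ct))))

def measure(image: bytes) -> str:
    """Software measurement, as a TPM PCR would record it: a hash of the image."""
    return hashlib.sha256(image).hexdigest()

def attest(host_key: bytes, nonce: bytes, jsm_m: str, job_m: str) -> bytes:
    """Quote over nonce + measurements; HMAC under a per-host key stands in for the hardware signature."""
    return hmac.new(host_key, nonce + jsm_m.encode() + job_m.encode(), hashlib.sha256).digest()

class KeyManagementService:
    """Run by the data owner; the only party that ever holds the data keys."""
    def __init__(self, trusted_hosts, authorised_jsm, authorised_jobs):
        self.trusted_hosts = dict(trusted_hosts)     # subgrid boundary: host -> attestation key
        self.authorised_jsm = set(authorised_jsm)    # acceptable job-security-manager measurements
        self.authorised_jobs = set(authorised_jobs)  # MAC policy: software allowed to see the data
        self.data_keys, self.seen_nonces = {}, set()
    def register_job(self, job_id: str) -> bytes:
        self.data_keys[job_id] = os.urandom(32)
        return self.data_keys[job_id]
    def release_key(self, job_id, host, nonce, quote, jsm_m, job_m) -> bytes:
        if host not in self.trusted_hosts:
            raise PermissionError("host outside the subgrid")
        if nonce in self.seen_nonces:
            raise PermissionError("replayed quote")
        if not hmac.compare_digest(quote, attest(self.trusted_hosts[host], nonce, jsm_m, job_m)):
            raise PermissionError("attestation failed")
        self.seen_nonces.add(nonce)
        if jsm_m not in self.authorised_jsm:
            raise PermissionError("unknown job security manager")
        if job_m not in self.authorised_jobs:
            raise PermissionError("software not authorised for this data")
        return self.data_keys[job_id]

def run_job(kms, job_id, host, host_key, jsm_image, job_image, encrypted_data, job):
    """JSM side: measure, attest, fetch the key, decrypt, run. The middleware never sees the key."""
    jsm_m, job_m, nonce = measure(jsm_image), measure(job_image), os.urandom(16)
    key = kms.release_key(job_id, host, nonce, attest(host_key, nonce, jsm_m, job_m), jsm_m, job_m)
    return job(unseal(key, encrypted_data, job_id.encode()))

def stage_out(results: bytes, recipients: dict) -> tuple:
    """Encrypt results under a fresh key and wrap that key once per authorised recipient."""
    dek = os.urandom(32)
    recipient_keys = {name: seal(kek, dek).hex() for name, kek in recipients.items()}
    return seal(dek, results), json.dumps(recipient_keys)   # results blob + recipient-keys file

def read_results(name: str, kek: bytes, blob: bytes, recipient_keys_json: str) -> bytes:
    wrapped = json.loads(recipient_keys_json).get(name)
    if wrapped is None:
        raise PermissionError(f"{name} is not an authorised recipient")
    return unseal(unseal(kek, bytes.fromhex(wrapped)), blob)

def attempt(fn, *args) -> str:
    try:
        fn(*args)
        return "ok"
    except Exception as exc:          # report which policy check denied the request
        return type(exc).__name__

# Constructed sample scenario; none of these values come from the talk.
JSM_IMAGE, JOB_IMAGE = b"job-security-manager-vm 1.0", b"wordcount 1.0"
DATA = b"the grid the middleware the trust"
WORDCOUNT = lambda data: json.dumps({"words": len(data.split())}).encode()

def build_scenario(job_id="job-42", host="node1.example.org"):
    """Data owner side: start a KMS, register the job and pre-encrypt its data."""
    host_key = os.urandom(32)
    kms = KeyManagementService({host: host_key}, [measure(JSM_IMAGE)], [measure(JOB_IMAGE)])
    return kms, host_key, seal(kms.register_job(job_id), DATA, job_id.encode())

if __name__ == "__main__":
    kms, host_key, encrypted = build_scenario()
    print(run_job(kms, "job-42", "node1.example.org", host_key, JSM_IMAGE, JOB_IMAGE, encrypted, WORDCOUNT))
    print(attempt(run_job, kms, "job-42", "node1.example.org", host_key, JSM_IMAGE, b"rogue 1.0", encrypted, WORDCOUNT))
```

The point to notice is which party holds what: the middleware (or whoever stole the user's proxy credential) only ever handles the output of seal, which it cannot open without a key it never receives; the key management service never runs on the grid host and decides purely on the attested measurements and the host allowlist; a different job image, an unknown host, a wrong attestation key or a replayed quote are all refused before any key leaves the owner, and a recipient not listed in the staged-out recipient-keys file has nothing to unwrap.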
Conclusion
The middleware problem undermines grid security
The new architecture has the following advantages:
Middleware is not trusted
Interoperates with existing grid middleware without changes
Credential theft no longer compromises data
Digital rights management controls have a positive benefit for users of the grid