Feb 05, 2016
Security Workshop, GGF 12 Kate Keahey
Why do we need virtual workspaces?
Need a way to configure remote nodes effortlessly, dynamically, flexibly
Need to be able to enforce positive and negative resource usage
Virtual Workspaces
Virtual resource configuration
Protection environment
Software and file configuration state
Execution state
[Figure: the Virtual Workspace sits between a Grid client interface and a Grid middleware interface, with Grid clients on one side and Grid middleware on the other]
Define interfaces and explore a variety of implementations
Virtual machines are a particularly promising technology
Architecture
[Figure: architecture diagram. A Client sends a request to the VW Factory, which either uses an existing VW from the VW Repository or creates a new VW; the Client receives a VW EPR and can inspect and manage the workspace; the VW Manager deploys and suspends the VW on a Resource and starts the program]
Implemented based on Globus, tested with bioinformatics applications
Tim Freeman, Daniel Galron, SC04 poster
VMs as VWs: the good
Configurability: allow full stack customization: choose OS, 32 on 64-bit, libraries…
Enhanced security: primarily better isolation, but also audit, forensics, etc.
Managing state: freezing computation allows migration, suspend and resume operations, etc. State management/replication tool
Customize once and copy: potential as distribution tool
Good enforcement potential
VMs as VWs: the (not so) bad
Overhead from application perspective: depends on application and VM implementation; in practice very promising
No access to specialized hardware: simply needs more work
Resource usage overhead: depends on implementation
Sharing issues and policies: how do we share between VMs?
Software maturity
VMs and Security: the Good
Protecting users from users: as good as it gets
Protecting resource from a VM: strong sandboxing potential for policy-driven resource consumption enforcement
Protecting VM from the resource: trusted computing (root secure trusted VMMs and attestation): even the platform owner cannot break privacy and isolation guarantees. Needs help from hardware. Pretty close to as good as it gets
VMs and Security: the Challenging
Protecting the VM from the world: VMs are only as secure as the software they run. Who maintains all those VMs? Local administrators would have to maintain too many images…
Protecting the world from the VM
Issue 1: one could use one’s privileges as root on a VM (for example to generate harmful network traffic)
Issue 2: no control over software running on VM means potential vulnerabilities could be exploited (also see above)
Although audit works great, by the time the damage is done it is too late!
Potential Solutions
VO could do VM certification: maintenance by the VO makes more sense. Does a VO have enough of a stake in this process? Ultimately it is the platform owner who is to blame…
Detect when something goes wrong. Hard: traffic of a parallel application can look surprisingly like a denial of service attack! IDS isolated from the VM: loss of privacy to the user. VO administrator (as well as resource owner) should have the right to stop a suspicious VM
Restricting network traffic. For example: traffic allowed only to VO-owned nodes. Is questionable because the idea is to limit “them”, not us
Grid Security with VMs
How does a VM authenticate itself? Can’t put a private key anywhere on the image: it can be compromised. Part of the platform? Signed and re-signed by a trusted source?
How can we integrate attestation into Grid computing seamlessly? We need to allow for a mix of technologies
Conclusions
We need virtual workspaces for Grid computing, although we need to be able to rely on a mix of technologies. VMs are a particularly promising technology to use in Grid computing, for security reasons and otherwise
A growing role for the VO: the VO might take on additional responsibilities: administers and maintains VMs, certification authority, could potentially stop suspect VMs, is to blame if something happens… Should the VO be a legal entity? Would all this be healthy for a VO? Do VOs have the resources to do that? What are the trade-offs and a healthy balance?
Mechanisms for secure, efficient sharing between VOs: via Grid tools?
Holy Grail: can we use these new capabilities for Grid computing? Do we need the increased trust?