Vulnerability Assessment for EGI and EMI - Presentation for NATO-OTAN 2013
Elisa Heymann, Manuel Brugnoli
Computer Architecture and Operating Systems Department
Universitat Autònoma de Barcelona
[email protected] Brugnoli@caos uab es
This research was funded in part by Department of Homeland Security grant FA8750-10-2-0030 (funded through AFRL). Past funding has been provided by NATO grant CLG 983049, National Science Foundation grant OCI-0844219, the National Science Foundation under contract with San Diego Supercomputing Center, and National Science Foundation grants CNS-0627501 and CNS-0716460.
Who we are
Elisa Heymann, Eduardo Cesar, Jairo Serrano, Manuel Brugnoli
Bart Miller, Jim Kupsch, Karl Mazurak, Daniel Crowell, Wenbin Fang, Henry Abbey, Salini Kowsalya
http://www.cs.wisc.edu/mist/
What do we do
• Assess Middleware: Make cloud/grid software more secure
• Train: We teach tutorials for users, developers, sys admins, and managers
• Research: Make in-depth assessments more automated and improve quality of automated code analysis
http://www.cs.wisc.edu/mist/papers/VAshort.pdf
Our experience

Condor, University of Wisconsin
Batch queuing workload management system
15 vulnerabilities, 600 KLOC of C and C++

SRB, SDSC
Storage Resource Broker - data grid
5 vulnerabilities, 280 KLOC of C

MyProxy, NCSA
Credential Management System
5 vulnerabilities, 25 KLOC of C

glExec, Nikhef
Identity mapping service
5 vulnerabilities, 48 KLOC of C

Gratia Condor Probe, FNAL and Open Science Grid
Feeds Condor Usage into Gratia Accounting System
3 vulnerabilities, 1.7 KLOC of Perl and Bash

Condor Quill, University of Wisconsin
DBMS Storage of Condor Operational and Historical Data
6 vulnerabilities, 7.9 KLOC of C and C++

Wireshark, wireshark.org
Network Protocol Analyzer
2 vulnerabilities, 2400 KLOC of C

Condor Privilege Separation, Univ. of Wisconsin
Restricted Identity Switching Module
2 vulnerabilities, 21 KLOC of C and C++

VOMS Admin, INFN
Web management interface to VOMS data
4 vulnerabilities, 35 KLOC of Java and PHP

CrossBroker, Universitat Autònoma de Barcelona
Resource Mgr for Parallel & Interactive Applications
4 vulnerabilities, 97 KLOC of C++

ARGUS 1.2, HIP, INFN, NIKHEF, SWITCH
gLite Authorization Service
0 vulnerabilities, 42 KLOC of Java and C

VOMS Core, INFN
Virtual Organization Management System
1 vulnerability, 161 KLOC of Bourne Shell, C++ and C

iRODS, DICE
Data-management System
9 vulnerabilities (and counting), 285 KLOC of C and C++

Google Chrome, Google
Web browser
1 vulnerability, 2396 KLOC of C and C++

WMS, INFN
Workload Management System
in progress, 728 KLOC of Bourne Shell, C++, C, Python, Java, and Perl

CREAM, INFN
Computing Resource Execution And Management
4 vulnerabilities (and counting), 216 KLOC of Bourne Shell, Java, and C++
gLite Architecture
[Figure: gLite architecture diagram. Hosts and components: User Host (User Interface), RB Host (WMS), authZ Service Host (Argus), LB Host (LB Server), IS Host (Information Services, i.e. BDII), SE Host (StoRM), CE Host (CREAM, LRMS), VOMS Host (VOMS Server), WN Host (WN job). Connection labels: Authentication, Authorization, Submit job & receive output, Status, Inf. Reference, Data Transfer, Create VOMS proxy, Jobs.]
ARGUS 1.2, HIP, INFN, NIKHEF, SWITCH
gLite Authorization Service
42 KLOC of Java and C
0 vulnerabilities
Argus 1.2 Architecture
[Figure: Argus 1.2 architecture diagram showing the user data-flow (steps 1-10) and the admin data-flow (steps A-F). Hosts: User (UI), RB Host, CE Host, WN Host, authZ service Host. Components: WMS, CREAM, LRMS, WN job, gLExec, PEP Client (Lib), PEP Server, PDP, PAP, PAP Admin Tool (Edit Policy), CLI Tool (Edit Policy), Administrator. Commands shown: /etc/init.d/pdp reloadpolicy, /etc/init.d/pepd clearcache. Connection label: HTTPS. Legend: OS privileges (user, batch user, root); External Component; Administrator & root.]

PAP (Policy Administration Point) → Manage Policies.
PDP (Policy Decision Point) → Evaluate Authorization Requests.
PEP (Policy Enforcement Point) → Process Client Requests and Responses.

X’ = Optional steps
Xt = Periodic steps

User:
1. User submits a job described as a JDL expression.
2. CREAM receives a job execution request from WMS (1a) or the User (1b) directly.
3. CREAM sends the job execution request to the LRMS.
4. LRMS sends the job to the WN for its execution.
5. WN sends an authorization request to gLExec, and gLExec interacts with PEP Server using an LCMAPS plug-in which uses the PEP Client library to check if the mapping request can be satisfied.
6. PEP Client sends the request to the PEP Server.
7. PEP Server sends the authorization request (XACML) to PDP for evaluation.
8. PDP evaluates the authorization request and sends the response to PEP Server.
9. PEP Server sends to PEP Client the authorization response which can be allowed (10a) or denied (10b).
10. gLExec runs job using local identity only if the authorization response is allowed.

Admin:
A. Administrator edits policies using the command line interface (CLI).
B. PAP Admin Tool writes policies and policy sets and makes them available at PAP.
C’. Administrator forces reload of policies since Argus updates the policies in regular intervals.
D’. PDP sends a retrieve policies request to PAP.
E’. PAP sends policies (XACML) to PDP.
F’. Administrator sends a clear cache request to PEP Server for clearing the response cache.
Dt. PDP connects periodically to the remote PAP to refresh the repository policy.
Et. PAP sends the policies (XACML) to PDP.
Ft. PEP Server clears periodically its cache, since PEP Server keeps a short response cache.
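
Steps C’, F’, Dt and Ft mean that a policy change made at the PAP is enforced only once the PDP has reloaded it and the PEP Server's cached response has gone. The following toy Python model is an added example, not Argus code and not part of the original slides; the class names, the DN and the 60 s / 7 s intervals are assumptions chosen for illustration, not Argus defaults.

```python
# Toy model of the Argus PAP -> PDP -> PEP Server chain (added example, not Argus code).
# DN and intervals are constructed values, not Argus defaults.

class PDP:
    def __init__(self, pap_banned, refresh):
        self.pap_banned, self.refresh = pap_banned, refresh
        self.reload_policy(0)

    def reload_policy(self, now):        # C'/D'/E' when forced, Dt/Et when periodic
        self.policy = set(self.pap_banned)   # PDP works on its own copy of the policy
        self.loaded_at = now

    def evaluate(self, dn, now):         # steps 7-8
        if now - self.loaded_at >= self.refresh:   # periodic refresh, modelled lazily
            self.reload_policy(now)
        return "Deny" if dn in self.policy else "Permit"

class PEPServer:
    def __init__(self, pdp, ttl):
        self.pdp, self.ttl, self.cache = pdp, ttl, {}

    def clear_cache(self):               # F'
        self.cache.clear()

    def authorize(self, dn, now):        # steps 6 and 9
        hit = self.cache.get(dn)
        if hit and now - hit[1] < self.ttl:    # entries expire after ttl (Ft)
            return hit[0]
        decision = self.pdp.evaluate(dn, now)
        self.cache[dn] = (decision, now)
        return decision

def revocation_delay(refresh, ttl, ban_at, reload=False, clear=False):
    """Seconds from banning a DN at the PAP until gLExec first sees Deny (10b)."""
    pap_banned = set()                   # policy store edited in steps A and B
    pep = PEPServer(PDP(pap_banned, refresh), ttl)
    dn = "/DC=example/CN=constructed user"
    for now in range(ban_at + refresh + ttl + 2):   # one request per second
        if now == ban_at:
            pap_banned.add(dn)
            if reload:
                pep.pdp.reload_policy(now)
            if clear:
                pep.clear_cache()
        if pep.authorize(dn, now) == "Deny":
            return now - ban_at
    return None

if __name__ == "__main__":
    print(revocation_delay(60, 7, 1))                           # periodic steps only
    print(revocation_delay(60, 7, 1, reload=True))              # C' without F'
    print(revocation_delay(60, 7, 1, reload=True, clear=True))  # C' then F'
```

In this model the delay with only the periodic steps stays below the sum of the PDP refresh interval and the PEP cache lifetime, and forcing the reload without clearing the cache still leaves the cached Permit in effect until it expires.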
Argus 1.2 Resources: authZ service Host (PAP Component)
[Figure: resource diagram for the PAP. Directories: conf, lib, logs, bin, sbin, repository, TRUSTED_CA, etc/grid_security. Files: pap_configuration.ini, pap_authorization.ini, logging, pap-admin, pap-standalone.sh, pap-deploy.sh, XACML Policy files, hostcert.pem, hostkey.pem, certificates. Legend: Readable (Owner, World); OS privileges (user, batch user, root); External Component; Administrator & root.]
Argus 1.2 Resources: authZ service Host (PDP Component)
[Figure: resource diagram for the PDP. Items: PDP, Repository policy. Directories: conf, lib, logs, sbin, TRUSTED_CA, etc/grid_security. Files: pdp.ini, env.sh, logging.xml, pdpctl.sh, hostcert.pem, hostkey.pem, certificates. Legend: Readable (Owner, World); OS privileges (user, batch user, root); External Component; Administrator & root.]
Argus 1.2 Resources: authZ service Host (PEP Server Component)
[Figure: resource diagram for the PEP Server. Items: PEP Server, Cached Policies. Directories: conf, lib, logs, sbin, TRUSTED_CA, etc/grid_security. Files: pepd.ini, env.sh, logging.xml, pepdctl.sh, hostcert.pem, hostkey.pem, certificates, grid-mapfile, groupmapfile, gridmapdir, vomsdir. Legend: Readable (Owner, World); OS privileges (user, batch user, root); External Component; Administrator & root.]
VOMS, INFN
VOMS Core 2.0.2, Virtual Organization Management System
161 KLOC of Bourne Shell, C++ and C
1 vulnerability
VOMS Admin 2.0.15, Web management interface
35 KLOC of Java and PHP
4 vulnerabilities
VOMS 2.0.2 Architecture
[Figure: VOMS 2.0.2 architecture diagram. Hosts: User Host, VOMS Server Host. Components: VOMS Client, VOMS Admin Client, Web Browser, VOMS daemon, VOMS Admin (Tomcat), Ancillary Utilities, DB. Connection labels: GSI Connection, HTTPS, SOAP over SSL, Command Line. Legend: OS privileges (user, daemon, root); DB privileges (VO_Server).]
VOMS Client-Server Interaction
[Figure: sequence diagram between the User Host (VOMS Client, voms-proxy-init, VOMS pseudo certificate) and the VOMS Server Host (VOMS daemon, VOMS daemon child process, DB).]
1. Send Request
2. Connect to Port
3. Wait for Connection
4. Accept Connection
5. Fork
6. Mutual Auth. & Create Secure Communication Channel via GSI
7. Request AC with attributes X, Y, Z
8. Query the database to verify the assertion against User DN
9. Create Attribute Certificate, Sign with VOMS certificate
10. Send the Attribute Certificate
11. Close Connection
12. End Child Process
13. Create a proxy certificate with embedded AC
VOMS Core 2.0.2 Resources: VOMS Server Host
[Figure: resource diagram for the VOMS daemon. Locations: $CONFIG_DIR, VO_NAME, logs, TRUSTED_CA, /etc/grid_security, DB. Files: voms.conf, voms.pass, hostcert.pem, hostkey.pem, certificates, vomsdir. Legend: Readable (Owner, World); OS privileges (daemon, root); DB privileges (VO_Server).]
VOMS Core 2.0.2 Resources: User Host
[Figure: resource diagram for the VOMS Client. Locations: $HOME/, /tmp/, TRUSTED_CA, /etc/, /opt/, x509up_u<user_id>, /user/.globus/, grid_security/, vomses/, glite/etc/vomses. Files: usercert.pem, userkey.pem, certificates, vomsdir. Legend: Readable (Owner, World); OS privileges (daemon, root); DB privileges (VO_Server).]
WMS 3.3.5, INFN
Workload Management System
728 KLOC of Bourne Shell, C++, C, Python, Java, and Perl
0 vulnerabilities
Workload Manager System (WMS) 3.3.5 Architecture
[Figure: WMS 3.3.5 architecture diagram. Hosts: User Host, WMS Host, CE Host, WN Host, VOMS Host, IS Host, LB Host. Components: User Interface, Apache, WM Proxy Server, GridFTP, Workload Manager, Job Controller – Condor G, Log Monitor, ICE, Proxy Renewal, LB Proxy, Logger (InterLogd), LB DataBase, CREAM, LRMS, WN job, VOMS Server, Information Service, LB Server. Connection label: SOAP/HTTPS. Legend: OS privileges (user, root); External Component; DB privileges (LB_Admin).]
WMS 3.3.4 Resources: WMS Host
[Figure: resource diagram for the WMS. Locations: /etc/glite-wms, logs, TRUSTED_CA, /etc/grid_security, LB DataBase, Job SandBox. Files: glite_wms.conf, glite_wms_wmproxy.gacl, glite_wms_wmproxy_httpd.conf, wmproxy_logrotate.conf, hostcert.pem, hostkey.pem, certificates. Legend: Readable (Owner, World); OS privileges (daemon, root); DB privileges (LB_Admin).]
CREAM 1.14.0, INFN
Computing Resource Execution And Management
216 KLOC of Bourne Shell, Java, C++, C, and Perl
4 vulnerabilities
CREAM 1.14.0 Architecture
[Figure: CREAM 1.14.0 architecture diagram. Hosts: User Host, CE Host, WN Host, VOMS Host. Components: User Interface, CREAM-CE, Tomcat, GridFTP, BLAH, CREAM DataBase, LRMS, WN job, VOMS Server. Connection label: SOAP/HTTPS. Legend: OS privileges (user, root, Tomcat, Batch user); External Component; DB privileges (DB_Admin).]
CREAM-CE 1.14.0 Resources: CREAM-CE host
[Figure: resource diagram for the CE. Locations: /etc/glite-ce-cream, /var/Cream_sandbox (User 1 ... User N), /etc/grid_security, logs, CREAM DataBase. Files: Cream-config.xml, hostcert.pem, hostkey.pem, certificates, vomsdir. Legend: File ownership (Owner, World); OS privileges (Tomcat, root, Batch users); DB privileges (CREAM admin).]
CREAM-CE Client 1.14.0 Resources: Client Host
[Figure: resource diagram for the Client. Locations: /tmp/, /home/user, /etc/grid_security. Items: proxy, client logs, Job input files, JDL file, Job output files, Certificates. Legend: File ownership (Owner, World); OS privileges (Tomcat, root, user).]
Questions?
http://www.cs.wisc.edu/mist