G-PASS: Security Infrastructure for Grid Travelers - PowerPoint PPT Presentation

1
G-PASS: Security Infrastructure for Grid Travelers
  • Tianchi Ma, Lin Chen, Cho-Li Wang, Francis C.M.
    Lau
  • The University of Hong Kong

2
Outline
  • Problems & Methodology
  • Introduction to G-PASS
  • Application: G-JavaMPI
  • Experiment Results

3
Grid Travelers
  • A Grid Traveler is a process that can move itself
    across organizational boundaries at runtime.
  • Two types of Grid travelers
      • Mobile agent
      • Migrate-able process
  • Organization: Policy space
      • Security policy (identity, access control)
      • Other policies

4
Security Issues for Grid Travelers
  • Protect Grid travelers from malicious hosts
      • Eavesdropping
      • Integrity compromise
  • Protect hosts from malicious travelers
      • Illegal resource access
      • Delivery of fake information
      • DoS attack (replay)
  • Protect from network eavesdropping
      • Use secure transfer

5
Under a Grid Scenario (1)
  • Complex authorization relationship
  • Multiple policy spaces concerned
  • Identity mapping
  • Reputation system
  • Most existing mechanisms are less general-purpose

6
Under a Grid Scenario (2)
An example scenario of a Grid traveler who wants
to access resources in another organization. Please
note this example will be the simplest one in Grid
[Figure labels: Policy space, Exception, Identity mapping,
Organization (x2), Warranted, Reputation, Dispatcher, Warrantor]

7
Problems
  • How to carry and prove the authorizations and
    warrants?
  • How to record and track the history events?
  • How to do the identity mapping?
  • How to propagate the security exception and
    reputation?

8
Grid Fashion
  • Infrastructure
      • General purpose (not application specific)
      • Providing fundamental information and control
        mechanisms
  • Weak defense
      • Monitoring instead of preventing
  • Stable information
      • Reputation system

9
Relative Information
  • Distributed Trust Model
      • Authorization
      • Delegation
      • Warrant
  • Events
      • Migration
      • Resource consuming / job submission
      • Exceptions

10
GSI Not Enough for Grid Traveler
  • Providing fundamental establishment derived from
    conventional distributed trust
  • PKI
  • X.509
  • Global DN -> Local user
  • Job service
  • Delegation
  • Proxy
  • X.509 delegation is unsuitable for Grid
    travelers
      • Scalability: will form a certificate chain
      • Delegation abuse in the full delegation protocol
      • Cannot deal with complex identity mapping

11
Traveler in Reality
The example shows how a traveler can be permitted
to visit an unfamiliar country and perform some
critical operations
[Figure label: Visa]

12
G-passport
  • G-passport is a list of certificates and proved
    security information
  • Records and proofs
      • Transit
      • Privilege betaken
      • Security exception
      • Contracts
  • Doubly linked traceable list
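
A sketch of a tamper-evident record list of the kind this slide describes, added here as an example; it is not G-PASS code. The record fields, issuer names and keys are assumptions, HMAC stands in for the issuers' certificate signatures, and only the backward link of the list is modelled.

```python
import hashlib, hmac, json

# Constructed issuer keys. HMAC stands in for the issuers' public-key
# signatures so the example runs with the standard library only.
ISSUER_KEYS = {"org-A": b"key-A", "org-B": b"key-B", "warrantor-W": b"key-W"}

def record_digest(record):
    """Canonical SHA-256 over every field of a record, signature included."""
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()

def sign_body(body, key):
    """Issuer's MAC over the record body (everything except 'sig')."""
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), "sha256").hexdigest()

def append_record(passport, kind, issuer, detail):
    """Append a record bound to its predecessor and signed by its issuer."""
    body = {"seq": len(passport), "kind": kind, "issuer": issuer, "detail": detail,
            "prev": record_digest(passport[-1]) if passport else None}
    passport.append({**body, "sig": sign_body(body, ISSUER_KEYS[issuer])})

def verify_passport(passport, keys=ISSUER_KEYS):
    """Return (True, None), or (False, index of the first record that fails)."""
    prev = None
    for i, rec in enumerate(passport):
        body = {k: v for k, v in rec.items() if k != "sig"}
        key = keys.get(rec.get("issuer"))
        ok = (key is not None and rec.get("seq") == i and rec.get("prev") == prev
              and hmac.compare_digest(rec.get("sig", ""), sign_body(body, key)))
        if not ok:
            return False, i
        prev = record_digest(rec)
    return True, None

def build_sample():
    """Constructed history: Birth, Initiation, Migration, Warranted."""
    p = []
    append_record(p, "Birth", "org-A", "process created")
    append_record(p, "Initiation", "org-A", "job started")
    append_record(p, "Migration", "org-B", "org-A -> org-B")
    append_record(p, "Warranted", "warrantor-W", "read access to bio-database")
    return p
```

Backward links alone do not reveal removal of the most recent records; detecting that needs a forward link or a copy of the latest digest held outside the traveler.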

13
G-passport Example
A Grid traveler's recorded history: Birth ->
Initiation -> Migration -> Warranted ->

14
Instance-Oriented Delegation
  • Security transaction
      • Separation of responsibility
  • Security instance
      • Binding a transaction with its valid specification
      • Issuer signs it
  • Different from capability
      • Representing delegation but not direct
        authorizations on resource

15
Across the Organization Boundary
  • Global identity cannot be recognized by local
    resources
  • Mapping: G-passport -> Local privilege table
  • Role-based RBAC3

16
Position of G-PASS
  • Under the application layer
  • Can access resource layer
  • Based on GSI

17
Application: G-JavaMPI
  • Grid-based Java MPI
  • Support for process migration
  • Four reasons for migration
      • Availability
      • Searching for better resources
      • Load balancing
      • Optimizing program by removing the bottleneck
        caused by communication

18
JmpiBLAST
  • A BLAST program on G-JavaMPI
  • Four universities sharing CPU cycles and local
    bio-databases
  • Funded by two organizations
  • MPI VO coordinates their resources together

19
HKU Gideon 300 Cluster
  • Pentium 4 2.0 GHz w/ 512 Kbytes L2 cache
  • 512 Mbytes (PC2100) DDR SDRAM
  • Fast-Ethernet adaptors x 2
  • 40 GB IDE hard disk
  • Linux OS (RedHat 7.3/8.0)
  • High-performance network (for inter-process
    communication)
      • Foundry Networks' Fast-Ethernet switch with 312
        ports
  • Hierarchical management network (for I/O access
    and cluster management)
      • 24-port Gigabit-Ethernet switch x 1
      • 24-port Fast-Ethernet switch (with
        Gigabit-Ethernet uplink) x 13
  • UTP network cables x 620

20
Hong Kong Grid
HKGrid provides a platform for its members to
experiment with various research prototypes and
pilot applications.
Institutions:
  • City University of HK
  • HK Baptist University
  • HK University of Science and Technology
  • The HK Polytechnic University
  • The HK Institute of HPC
  • HKU Computer Centre
  • HKU Department of CSIS

21
Environment Setting
  • JmpiBLAST setting
      • Application: Blastp
      • Database: nr (687 MBytes)
      • Segment: 1 MBytes (687 segs)
  • Experiment setting
      • Three Blastp programs, total 18 processes (8, 6, 4
        respectively)
      • Global scheduling: GA vs. Min-Min
      • Original nodes: 5
      • Event 1: 2 nodes join in
      • Event 2: 2 nodes quit

22
Data Reports
  • In tasks 1 & 2, the GA is better than Min-Min
  • In task 3, Min-Min generates a better result
  • Scheduling by GA in task 1 has fully utilized the
    additional 2 nodes, and has provided maximal
    throughput during the fixed time interval
    between event 1 and event 2.

23
Security Overhead
G-PASS overhead
Affordable

24
Results from HKGrid
Under all circumstances, the security overhead
will be less than 50

25
Thank You!
  • Q&A?
  • Web site: http://www.cs.hku.hk/tcma/GPASS
  • http://www.cs.hku.hk/lchen2/research/G-JavaMPI/doc/readme.html