Ian D. AldermanComputer Sciences DepartmentUniversity of Wisconsin-Madison
[email protected]://www.cs.wisc.edu/condor
Signed ClassAdsand Restricted
Delegation
Condor Week 2007 3www.cs.wisc.edu/condor
› Multiple administrative domains aren’t well protected from each other, yet are increasingly common: Condor-C, Condor-G, flocking…
› As cooperation between administrative domains increases, so does utilization. Can we take advantage of this without also increasing risk?
Security Issues in Multiple
Administrative Domains
Job input and output dataExecute MachinesData unrelated to the job
Protect:
Condor Week 2007 4www.cs.wisc.edu/condor
Shoulders of Giants
Principle of least privilege:
“Every program and every user of the system should operate using the least set of privileges necessary to complete the job.”
- Saltzer and Schroeder, 1975
Condor Week 2007 5www.cs.wisc.edu/condor
Credential Scope
› Jobs either carry no credentials or the full credentials of the submitting user.
› Jobs with credentials can impersonate the submitting user without any restriction.
› Intermediaries that handle credentials can lose or abuse them, or alter tasks, input, and results.
Limit the scope of credentials to what the job needs and no more.
Condor Week 2007 6www.cs.wisc.edu/condor
Goals
› Make security assumptions explicit.› Reduce the number and scope of
assumptions that must be made about infrastructure w.r.t. security.
› Provide end-to-end security options in addition to point-to-point security.
› Provide end-to-end cryptographic audit.› Alter attacker incentives.› Reduce barriers to increased cooperation
and utilization.
Condor Week 2007 9www.cs.wisc.edu/condor
Participants
U S X R
U – submitting user
S – scheduler
X – execute host
R – storage resource
Condor Week 2007 10www.cs.wisc.edu/condor
Actions
U S X R
U – submitting user
S – scheduler
X – execute host
R – storage resource
s - submit
f - forward
e - execute
a - access
s e a
Condor Week 2007 11www.cs.wisc.edu/condor
Forwarding Action
U S
s - submit
f - forward
e - execute
a - access
S X R
s
e a
U – submitting user
S – scheduler
X – execute host
R – storage resource
f
Condor Week 2007 12www.cs.wisc.edu/condor
Multiple Administrative Domains
U S
U – submitting user
S – scheduler
X – execute host
R – storage resource
S X R
s - submit
f - forward
e - execute
a - access
s
e af
R
Condor Week 2007 13www.cs.wisc.edu/condor
Authentication
U S
U – submitting user
S – scheduler
X – execute host
R – storage resource
S X R
s - submit
f - forward
e - execute
a - access
s
e af
GSI Proxy CertificatesMutual Authentication
/O=Brown CS/CN=pavlo
/O=Brown CS/CN=scheduler.cs.brown.edu/O=Penn CS/CN=scheduler.cs.penn.edu/O=UMD CS/CN=storage.cs.umd.edu/O=Penn CS/CN=ex0001.cs.penn.edu
Condor Week 2007 14www.cs.wisc.edu/condor
Authorization
U S
U – submitting user
S – scheduler
X – execute host
R – storage resource
S X R
s - submit
f - forward
e - execute
a - access
s
e af
/O=Brown CS/CN=pavlo -> [email protected]
Recipient checks ACL
Condor Week 2007 15www.cs.wisc.edu/condor
Problems
› Authorization entirely in the hands of the recipients: no restrictions can be expressed by the submitter.
› Credential too permissive: can be used to access anything on resources, run any job on execute machine.
› Unnecessary reliance on schedulers to preserve confidentiality and integrity of credentials.
› No audit trail.
Condor Week 2007 16www.cs.wisc.edu/condor
Attackers
› Incentive to attack schedulers; compromise results in full control:∘ Alter tasks (to attack execute hosts or
cause them to attack external hosts).
∘ Access resources using credentials.
∘ Forge results returned to submitter.
Condor Week 2007 18www.cs.wisc.edu/condor
Signed ClassAds
› ClassAds with digital signatures.
› Signature made and checked using X.509 keys and certificates.
› Altered ClassAds are easily detected.
› External files can be referenced using checksums.
› Explicit association between a task and information about its origin and provenance.
› Results can be signed as well: receipts.
Condor Week 2007 19www.cs.wisc.edu/condor
Task-specific Proxy Certificates
› Proxy certificates with embedded signed ClassAds.
› Policy field in proxy certificate contains signed ClassAd for the associated job.
› Proxy delegation chain inalterably linked with particular job.
TS
Condor Week 2007 20www.cs.wisc.edu/condor
Action Authorization Expressions
• ClassAd language expressions included in the signed ClassAd.
• Can specify conditions on actions that the proxy certificate might be used for: submit, forwarding, execute, and access.
• Permits the submitting user to limit how their credentials are used.
Condor Week 2007 21www.cs.wisc.edu/condor
U=/O=Brown CS/CN=pavloSa=/O=Brown CS/CN=sche…Sb=/O=Penn CS/CN=sche…
f(U, Sa, Sb)
Mutual Authorization
U S
U – submitting user
S – scheduler
X – execute host
R – storage resource
S X R
s - submit
f - forward
e - execute
a - access
s
e af
U=/O=Brown CS/CN=pavloS=/O=Brown CS/CN=sche…
s(U,S)
/O=Brown CS/CN=pavlo
/O=Brown CS/CN=scheduler.cs.brown.edu/O=Penn CS/CN=scheduler.cs.penn.edu/O=UMD CS/CN=storage.cs.umd.edu/O=Penn CS/CN=ex0001.cs.penn.edu
U=/O=Brown CS/CN=pavloS=/O=Penn CS/CN=sche…
X=/O=Penn CS/CN=ex0001…e(U, S, X)
U=/O=Brown CS/CN=pavloX=/O=Penn CS/CN=ex0001…R=/O=UMD CS/CN=storage…
a(U, X R)