Office of Science U.S. Department of Energy Risks of Being On The Grid William Kramer & Steve...
-
Upload
aldous-stevenson -
Category
Documents
-
view
212 -
download
0
Transcript of Office of Science U.S. Department of Energy Risks of Being On The Grid William Kramer & Steve...
Office of Science
U.S. Department of Energy
Risks of Being OnThe Grid
William Kramer & Steve Chan.govNERSC DivisionLawrence Berkeley [email protected]/510-486-7577September 20, 2004
Office of Science
U.S. Department of Energy
General IntroductionGeneral Introduction
• The Grid promises to mediate access to computing resources across organizational and geographical boundaries
• Ad Hoc collections of collaborators, code, computers, datasets and instrumentation formed into a single virtual computing environment.
• Moving out of the laboratory into production
• What are the risks involved when access is no longer constrained by organizational/geographical boundaries?– Technical?– Legal and Financial?– Risks to personal privacy?
Office of Science
U.S. Department of Energy
SpeakersSpeakers
• William T. Kramer– General Manager of NERSC Program Center
Lawrence Berkeley National Laboratory– “Computer Security Issues in Grid Computing”
• Peter Sommer– Senior Research Fellow at London School of Economics
Department of Information Systems– “Security and Liability on the Grid: Who pays when things go wrong?”
• Yannick Legré – Laboratoire de Physique Corpusculaire - CNRS/IN2P3 , France– “Privacy and Security issues in Biomedical Grid Computing“
• Mike Surridge – IT Innovation Centre– “Operational Security – Managing Risks“
Office of Science
U.S. Department of Energy
Security RisksSecurity Risks
• Three Main Categories of Security Risks– Identity Theft
Relatively new form of attack Stolen accounts, passwords Skyrocketing to most common white collar crime Collaborative environments are especially vulnerable
– Remote Exploits Classic form of attack System is attacked over the network via some vulnerable
service
Office of Science
U.S. Department of Energy
Security Risks (cont’d)Security Risks (cont’d)
– Local Exploits Good defense in depth typically addresses local exploits User who possesses a login finds vulnerability and uses it to gain
administrative access User must already be on the system
Typically preceded by Identity theft, or else is an “inside job” Typically, it is harder to protect against than Remote Exploits
Hard to keep up with patches for all programs installed (not just running services) on local system
As a result, most security programs emphasize protection against ID Theft and Remote Exploits
Office of Science
U.S. Department of Energy
Prioritizing RisksPrioritizing Risks
• In an environment where there is a good network security regime– Identity Theft is most common attack– Remote Exploits less common– Local Exploits are rarely seen standalone
• In an environment where network security is inadequate– Remote Exploits are most common
Example: windows based worms attacking unprotected PC’s on the internet
– Identity theft less common than Remote Exploits– Local Exploits initiated as “inside jobs” are once again
not that common
Office of Science
U.S. Department of Energy
Not Mutually ExclusiveNot Mutually Exclusive
• Multiple attacks used– A successful attack results in the host being controlled by the attack
ID Theft, Remote and Local exploits all used– Typically the final step is some form of local exploit to gain admin access
Example: Identity theft -> local exploit– After machine has been taken over
Identity theft tools used for wholesale account harvesting Vulnerable services are backdoored to allow remote access
• Hackers adapt to the environment by looking for path of least resistance– When Remote Exploits are difficult, ID theft is used– When Remote Exploits are easy, automated tools can be used for widespread
attacks– Hackers adapt existing tools to new purposes
• “Arms Race” against hackers
Office of Science
U.S. Department of Energy
Grid Risks: Identity TheftGrid Risks: Identity Theft
• Grid has potential for a worldwide “single sign-on”– Uses x509 certificates– Any place that trusts your certificate will allow
you to login– What if a bad guy gets control of your
certificate? They have stolen your identity and can access anything
that trusts your certificate
Office of Science
U.S. Department of Energy
ID Theft: Long Term CertificatesID Theft: Long Term Certificates
• Properties Good for roughly 1 year Private key is encrypted using passphrase Typically stored in user’s home directory Used to generate proxy (short term) certificates
• Issues? Vulnerable to trojaned certificate management binaries and keystroke loggers
Variations of these attacks have already been used against SSH Infrastructure for handling revoked certificates typically half-baked
Revocation is manual process, and relatively few clients check revocation lists Users cannot be depended upon to properly manage them
File system permissions may be inadequate FermiLab discovered during audit that 5% of ssh keys had incorrect permissions
Users may use trivial (or null) passphrases for convenience
Office of Science
U.S. Department of Energy
ID Theft: Short Term CertificatesID Theft: Short Term Certificates
• Properties– Generated from Long Term Certificates– This certificate is what is actually used in authentication
Possession of this certificate/key is sufficient to access Grid services– Good for typically a few hours to a few days– Protected only by filesystem permissions (no crypto)
Must be this way to ensure usability– By default, is stored in shared access /tmp directory
• Issues– Can be easily harvested with stolen administrative privileges
No need for passphrase to decrypt Same vulnerability as Kerberos Tickets
Hackers have stolen kerberos tickets and misused them already: method is known Cannot enforce proxy lifetime with default tools Poorly protected certificate may be good for an entire year!
– No way to revoke a short term certificate without revoking long term certificate Even if long term cert revoked, it is unclear if relying sites will notice due to spotty
certificate revocation procedures
Office of Science
U.S. Department of Energy
ID Theft: RecommendationsID Theft: Recommendations
• Activate Certificate Revocation support on client machines!– If a certificate is compromised, you want to know IMMEDIATELY
• Set standards for timeliness of certificate revocation– Parties responsible for revoking certificates should be operating at
the standard of operational security staff
• Set standards for reporting to Certificate Authorities that a certificate may have been compromised– Compromises at a single site can have very far reaching effect– Environment must be fostered that promotes cooperation between
sites for collective security Culture of fault-finding creates disincentive for sites to report and sabotages
collective security
Office of Science
U.S. Department of Energy
ID Theft: RecommendationsID Theft: Recommendations• Avoid long term certificates
– If you have to use long term certificates – they have to be centrally managed by a professional staff
– Use MyProxy or similar service if long term certs necessary Store long term certificates on highly secured server
Treat like a Kerberos server Enforce strong password rules
Implement One Time Passwords if possible– Eliminate long term certificates entirely
Services such as KCA can be used without recourse to long term cert Create new services that issue short term certs only
• Manage short term certificates better– Filesystem permissions not really inadequate protection
Perhaps a kernel credential cache– Create an OCSP framework for real time revocation of proxy certificates– Add policy language to proxy certs so that they can only be used only for specific purposes
Example: a cert may only be used for file copying and not shell access
Office of Science
U.S. Department of Energy
Grid Risks:Remote ExploitsGrid Risks:Remote Exploits
• Properties of Grid Services– Grid services must be on the network– Any network service is a potential target of remote exploits– Grid software can be distributed over the network and then run at
remote sites Sometimes the software is arbitrary code Currently, much of the software is managed by collaborations
• Issues– Firewalls must be opened up
For specific services on fixed ports – GridFTP, GateKeeper, MDS For temporary daemons on ephemeral ports
– How can you be sure that traffic coming in on opened port is legitimate?– How can you trust the code that is being sent over?
Office of Science
U.S. Department of Energy
Remote Exploits: RecommendationsRemote Exploits: Recommendations
• Restrict ephemeral Grid connections to specific port range• Use network intrusion detection tools to police traffic
– Bro, SNORT, etc…– If another protocol is using Grid ports, it should trigger response
• Raise standards for Grid code that listens on network– Code audits for core services– Education of the developer community about standards for safe coding
practices– Centrally distributed code should have some form of quality assurance– Make it as easy as possible for patches to be distributed and applied for Grid
services
• When possible, use “safer” environments like a Java Virtual Machine or some sandboxing method (like chroot)
Office of Science
U.S. Department of Energy
Grid Risks:Local ExploitsGrid Risks:Local Exploits
• Local exploit risks for Grid are not significantly different from the “background radiation” of normal local exploits
– Protecting against local exploits is generally harder to accomplish
• Grid software has complex interactions and adds to the complexity of the system overall. The more complex the system, the harder it is to understand what is going on.
• In general, local exploits can be mitigated by:– Hardening the kernels of systems to control:
Stack overflow attacks Limit ability to perform privilege escalation (cannot setuid) Block access to devices that allow reading/modifying memory directly Block loading of kernel modules
– Running dubious processes in a sandbox Chroot, CHOS, virtualized servers, etc…
– Keeping machines up to date on patches– Setting more restrictive file permissions
Office of Science
U.S. Department of Energy
Grid Risks: ConclusionGrid Risks: Conclusion
• Attacks fall into 3 main categories– Identity Theft – very different environment than common
authentication systems– Remote Exploit – similar to existing Remote Exploit problems– Local Exploit – very similar to existing Local Exploit issues.
If we can minimize identity theft, we can prevent bad guys from getting local access in the first place
• Assuming that reasonable network security measures are in place, Identity Theft is the most likely avenue of attack– Default Grid/Globus identity management is problematic– But can be mitigated with existing technology– Grid Identity Theft is huge potential problem and has been poorly
addressed in the current environment