Legion - A Grid OS

Object Model
• Everything is an object
• Core objects
  - processing resource – host object
  - stable storage – vault object
  - definition of an object – class object
• Legion provides default implementations, but all system components can be extended, specialized and replaced.

Object Model

• Object state
  - Active: hosted within a running process
  - Inert: state (the OPR) is stored on a persistent storage device
  - OPR: LOID, private key, ACL
• Identified by a location-independent LOID
• The LOID includes the public key

Status Of An Object

Legion Runtime Library

• Defines generic interfaces to services
  - message passing
  - object creation, location, deletion
• Flexible, configurable protocol stack
  - adding message privacy is simply a matter of registering the appropriate message-processing event handlers into the Legion protocol stack

Two main concerns
• User's concern
  Protecting the meta-computer's high-level resources, services, and users from possibly corrupted underlying resources
• Administrator's concern
  Preserving the security policies of the underlying resources that form the foundation of the meta-computer, and minimizing their vulnerability to attacks from the meta-computer level

Features
• Flexible
  simple policy-neutral mechanism; different policies are built on top of it
• Easy to use
  exploits the Legion inheritance mechanism
• Scalable
  objects authenticate one another directly; no centralized key service
• Isolated
  object isolation & site isolation

Object Management
• Object isolation
  - isolate system objects from user objects: the host object and the vault object run in different local accounts
  - isolate different user objects from one another: native user account or generic account
• The host object does not run in the root account
• PCD (Process Control Daemon) does the object activate, deactivate and reactivate at the request of the host object

Creating an object
• Class manager
  - assigns a LOID for the new object
  - creates the object's key
  - passes the LOID and key to the host object on the machine where the object will run
  - passes the binary of the object implementation to the host object
  - asks the vault object to create a directory for the object
• Host object
  - maps the LOID to a local user account
  - spawns a process to host the object
  - passes the LOID and key to the active object
  - changes the ownership of the directory for the object

Credential
• A list of rights granted by the credential's maker; can be passed along the call chain
• Delegated credentials – what the right is and to whom it is granted
  e.g., [object A may call object B's method M as Alice during the period T] signed Alice
• Bearer credentials – what the right is
  - the call chain may branch out
  - the identity of the final object on the call chain may be unknown to the user
  - increased risk
• Both have a validity period, or a short lifetime
• Authentication credential

Access Control
• Each object is responsible for enforcing its own access control policy
• MayI for each object implements access control on a per-function basis
• Who decides the security policy of an object?
  - the user initiating the object
  - the class object of this object

[Figure: object A calls b.foo() on object B; B's MayI either answers "No!" or lets foo run and return "ok"]
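The credential slide and the MayI figure above describe one mechanism end to end: a maker signs a right, the credential travels along the call chain, and the callee's MayI checks it before the method runs. The following Python model is an added example, not Legion's own code. It simplifies the signature to an HMAC tag under a constructed per-principal secret so that it runs on the standard library alone (Legion signs with the private key whose public half is in the LOID); the field names, the `may_i`/`invoke` methods and the ACL layout are assumptions made for the illustration. It shows why a delegated credential is bound to a named holder while a bearer credential can be presented by any object on a branching call chain.

```python
"""Toy model of Legion-style credentials and a per-function MayI check.

Added illustration, not Legion's own code. Signatures are simplified to HMAC
tags under a per-principal secret so the example runs on the standard library
alone; Legion signs with the private key whose public half is in the LOID.
"""
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Optional

# Constructed per-principal secrets standing in for private keys.
PRINCIPAL_KEYS = {"Alice": b"alice-secret-key", "Bob": b"bob-secret-key"}


@dataclass(frozen=True)
class Credential:
    maker: str             # principal granting the right (signs the credential)
    callee: str            # LOID of the object whose method may be called
    method: str            # the single method the right covers
    not_after: int         # end of the validity period (seconds)
    holder: Optional[str]  # LOID of the delegate; None makes it a bearer credential
    signature: str = ""

    def payload(self) -> str:
        return f"{self.maker}|{self.callee}|{self.method}|{self.not_after}|{self.holder}"


def _sign(maker: str, payload: str) -> str:
    return hmac.new(PRINCIPAL_KEYS[maker], payload.encode(), hashlib.sha256).hexdigest()


def make_credential(maker, callee, method, now, lifetime, holder=None) -> Credential:
    """Maker grants [holder may call callee.method as maker until now + lifetime]."""
    cred = Credential(maker, callee, method, now + lifetime, holder)
    return replace(cred, signature=_sign(maker, cred.payload()))


def credential_valid(cred: Credential, now: int) -> bool:
    """The tag must verify under the maker's key and the period must not have passed."""
    if cred.maker not in PRINCIPAL_KEYS:
        return False
    expected = _sign(cred.maker, cred.payload())
    return hmac.compare_digest(expected, cred.signature) and now <= cred.not_after


class LegionObject:
    """An object that enforces its own policy: MayI is consulted before every method."""

    def __init__(self, loid: str, acl: dict):
        self.loid = loid
        self.acl = acl  # method name -> set of principals allowed to invoke it

    def may_i(self, caller_loid: str, method: str, cred: Credential, now: int) -> bool:
        if method not in self.acl:
            return False                          # unknown method: deny by default
        if not credential_valid(cred, now):
            return False                          # forged, altered or expired
        if cred.callee != self.loid or cred.method != method:
            return False                          # right was granted for another object/method
        if cred.holder is not None and cred.holder != caller_loid:
            return False                          # delegated: only the named holder may use it
        return cred.maker in self.acl[method]     # the granting principal must be on the ACL

    def foo(self) -> str:
        return "ok"

    def invoke(self, caller_loid: str, method: str, cred: Credential, now: int) -> str:
        """The call path from the figure: b.foo() runs only if MayI says yes."""
        if not self.may_i(caller_loid, method, cred, now):
            return "No!"
        return getattr(self, method)()


if __name__ == "__main__":
    b = LegionObject("B", {"foo": {"Alice"}})
    delegated = make_credential("Alice", "B", "foo", now=1000, lifetime=60, holder="A")
    bearer = make_credential("Alice", "B", "foo", now=1000, lifetime=60)
    print("A calls b.foo() with delegated credential:", b.invoke("A", "foo", delegated, 1010))
    print("C reuses A's delegated credential:", b.invoke("C", "foo", delegated, 1010))
    print("C presents the bearer credential:", b.invoke("C", "foo", bearer, 1010))
    print("A calls after the period T:", b.invoke("A", "foo", delegated, 1061))
```

The bearer case is the "increased risk" bullet made concrete: once the credential is out on a branching call chain, any object that ends up holding it passes MayI, which is why the slides pair bearer credentials with a short lifetime.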

Scenario 1
• Site isolation
  Problem: no matter how subverted any external sites in the Legion system might be, no intruder can invoke methods on local Legion resources as Admin
  Solution:
  - local Legion resources should be started as a separate Legion domain
  - automated enforcement of no leakage of site-critical information off-site, by configuring an extra event handler
    e.g., an event handler for the message-send event checks whether the ACL of the host object is being sent out. If so, the message is blocked and an exception is raised

Scenario 2
• Site-wide required access control
  Problem:
  - a file object with no restrictions on which user can access the file it represents
  - a site wishes to enforce the policy that files may not be accessed by outside users
  Solution: use the local host object to control access to local resources. The site administrator can configure the ACL of the host object to limit the classes of objects that may run at the site.
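Scenarios 1 and 2 are both expressed as host-object configuration: a handler registered in the protocol stack for the message-send event, and an ACL on the host object consulted when an object is activated. The Python model below is an added example, not Legion's own code; the event names, the `Message` fields, the ACL layout (`classes` and `users`) and the `site.example` / `other.example` domain names are assumptions constructed for the illustration. The leak handler blocks any off-domain message whose payload carries the host ACL (or one of its entries) anywhere in a nested structure and raises, as the slide describes, and the activation handler refuses classes and users the site administrator has not listed.

```python
"""Toy host object with a Legion-style configurable protocol stack.

Added illustration, not Legion's own code. It models the two site policies
above: a message-send event handler that refuses to ship the host object's
ACL off-site (Scenario 1), and a host ACL that limits which object classes
and users may run at the site (Scenario 2). Event names, message fields and
the ACL layout are assumptions.
"""
from dataclasses import dataclass
from typing import Any, Callable


class PolicyViolation(Exception):
    """Raised by a handler to block the event it was called for."""


@dataclass
class Message:
    dest_loid: str
    dest_domain: str   # Legion domain of the destination object
    body: Any          # arbitrary nested payload


class HostObject:
    def __init__(self, domain: str, acl: dict):
        self.domain = domain
        self.acl = acl  # site-critical information: which classes and users may be hosted here
        self.handlers: dict[str, list[Callable]] = {"message-send": [], "object-activate": []}
        self.audit: list[str] = []

    def register(self, event: str, handler: Callable) -> None:
        """Extend the protocol stack by adding a handler for an event."""
        self.handlers[event].append(handler)

    def _fire(self, event: str, *args) -> None:
        for handler in self.handlers[event]:
            handler(self, *args)  # any handler may raise PolicyViolation to block the event

    def send(self, msg: Message) -> bool:
        self._fire("message-send", msg)
        self.audit.append(f"sent to {msg.dest_loid}")
        return True

    def activate(self, class_name: str, user: str) -> str:
        self._fire("object-activate", class_name, user)
        loid = f"{self.domain}/{class_name}/{user}"  # constructed stand-in for a real LOID
        self.audit.append(f"activated {loid}")
        return loid


def _contains(needle: Any, haystack: Any) -> bool:
    """True if needle appears anywhere inside a nested dict/list payload."""
    if haystack == needle:
        return True
    if isinstance(haystack, dict):
        return any(_contains(needle, v) for v in haystack.values())
    if isinstance(haystack, (list, tuple, set)):
        return any(_contains(needle, v) for v in haystack)
    return False


def block_acl_leak(host: HostObject, msg: Message) -> None:
    """Scenario 1 handler: the host ACL, or any of its entries, must not leave the domain."""
    if msg.dest_domain == host.domain:
        return
    sensitive = [host.acl] + list(host.acl.values())
    if any(_contains(item, msg.body) for item in sensitive):
        host.audit.append(f"blocked ACL leak to {msg.dest_loid}")
        raise PolicyViolation(f"host ACL leaving domain {host.domain}")


def enforce_site_acl(host: HostObject, class_name: str, user: str) -> None:
    """Scenario 2 handler: only listed classes and users may run at this site."""
    if class_name not in host.acl["classes"]:
        raise PolicyViolation(f"class {class_name} may not run at {host.domain}")
    if user not in host.acl["users"]:
        raise PolicyViolation(f"user {user} may not run objects at {host.domain}")


def outcome(action: Callable[[], Any]) -> str:
    """Run one host operation and report 'ok' or 'blocked: <reason>'."""
    try:
        action()
        return "ok"
    except PolicyViolation as exc:
        return f"blocked: {exc}"


def build_site_host() -> HostObject:
    """A constructed site: a host object with both handlers registered."""
    host = HostObject("site.example", {"classes": {"FileObject", "Scheduler"}, "users": {"alice"}})
    host.register("message-send", block_acl_leak)
    host.register("object-activate", enforce_site_acl)
    return host


if __name__ == "__main__":
    host = build_site_host()
    leak = Message("remote-obj", "other.example", {"report": {"acl": host.acl}})
    print("ACL to another domain:", outcome(lambda: host.send(leak)))
    print("ACL within the domain:", outcome(lambda: host.send(Message("local-obj", "site.example", {"acl": host.acl}))))
    print("FileObject for alice:", outcome(lambda: host.activate("FileObject", "alice")))
    print("Unlisted class:", outcome(lambda: host.activate("RemoteShell", "alice")))
```

Because the handlers are ordinary callables appended to a per-event list, a site adds or tightens policy by registering another handler rather than by changing the host object, which is the "policy-neutral mechanism" the features slide claims.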

Scenario 3
• Site selection policy
  Problem: which resource should execute my job?
  Solution: encode the site selection policy in the user's class manager objects

Comparison

• Resource proxy vs. host object
• Delegate identity vs. delegate right
• No object control vs. MayI