Vulnerability Assessment for EGI and EMI

Elisa Heymann, Manuel Brugnoli
Computer Architecture and Operating Systems Department
Universitat Autònoma de Barcelona
[email protected], Manuel.Brugnoli@caos.uab.es

This research funded in part by Department of Homeland Security grant FA8750-10-2-0030 (funded through AFRL). Past funding has been provided by NATO grant CLG 983049, National Science Foundation grant OCI-0844219, the National Science Foundation under contract with San Diego Supercomputing Center, and National Science Foundation grants CNS-0627501 and CNS-0716460.

Vulnerability Assessment for EGI and EMI - Presentation for NATO-OTAN 2013



Page 2: Vulnerability Assessment for EGI and EMI - Presentation for NATO-OTAN 2013

Who we are

Elisa Heymann, Eduardo Cesar, Jairo Serrano, Manuel Brugnoli

Bart Miller, Jim Kupsch, Karl Mazurak, Daniel Crowell, Wenbin Fang, Henry Abbey, Salini Kowsalya

http://www.cs.wisc.edu/mist/

Page 3: Vulnerability Assessment for EGI and EMI - Presentation for NATO-OTAN 2013

What do we do

• Assess Middleware: Make cloud/grid software more secure
• Train: We teach tutorials for users, developers, sys admins, and managers
• Research: Make in-depth assessments more automated and improve quality of automated code analysis

http://www.cs.wisc.edu/mist/papers/VAshort.pdf

Page 4: Vulnerability Assessment for EGI and EMI - Presentation for NATO-OTAN 2013

Our experience

Condor, University of Wisconsin
Batch queuing workload management system
15 vulnerabilities, 600 KLOC of C and C++

SRB, SDSC
Storage Resource Broker - data grid
5 vulnerabilities, 280 KLOC of C

MyProxy, NCSA
Credential Management System
5 vulnerabilities, 25 KLOC of C

glExec, Nikhef
Identity mapping service
5 vulnerabilities, 48 KLOC of C

Gratia Condor Probe, FNAL and Open Science Grid
Feeds Condor Usage into Gratia Accounting System
3 vulnerabilities, 1.7 KLOC of Perl and Bash

Condor Quill, University of Wisconsin
DBMS Storage of Condor Operational and Historical Data
6 vulnerabilities, 7.9 KLOC of C and C++

Page 5: Vulnerability Assessment for EGI and EMI - Presentation for NATO-OTAN 2013

Our experience

Wireshark, wireshark.org
Network Protocol Analyzer
2 vulnerabilities, 2400 KLOC of C

Condor Privilege Separation, Univ. of Wisconsin
Restricted Identity Switching Module
22 vulnerabilities, 21 KLOC of C and C++

VOMS Admin, INFN
Web management interface to VOMS data
4 vulnerabilities, 35 KLOC of Java and PHP

CrossBroker, Universitat Autònoma de Barcelona
Resource Mgr for Parallel & Interactive Applications
4 vulnerabilities, 97 KLOC of C++

ARGUS 1.2, HIP, INFN, NIKHEF, SWITCH
gLite Authorization Service
0 vulnerabilities, 42 KLOC of Java and C

Page 6: Vulnerability Assessment for EGI and EMI - Presentation for NATO-OTAN 2013

Our experience

VOMS Core, INFN
Virtual Organization Management System
1 vulnerability, 161 KLOC of Bourne Shell, C++ and C

iRODS, DICE
Data-management System
9 vulnerabilities (and counting), 285 KLOC of C and C++

Google Chrome, Google
Web browser
1 vulnerability, 2396 KLOC of C and C++

WMS, INFN
Workload Management System
in progress, 728 KLOC of Bourne Shell, C++, C, Python, Java, and Perl

CREAM, INFN
Computing Resource Execution And Management
4 vulnerabilities (and counting), 216 KLOC of Bourne Shell, Java, and C++

Page 7: Vulnerability Assessment for EGI and EMI - Presentation for NATO-OTAN 2013

gLite Architecture

[Figure: gLite architecture diagram. Hosts and components: User Host (User Interface), RB Host (WMS), authZ Service Host (Argus), LB Host (LB Server), IS Host (Information Services, i.e. BDII), SE Host (StoRM), CE Host (CREAM, LRMS), VOMS Host (VOMS Server), WN Host (WN job). Arrow labels: Submit job & receive output, Authentication, Authorization, Status, Inf. Reference, Data Transfer, Create VOMS proxy, Jobs.]

Page 8: Vulnerability Assessment for EGI and EMI - Presentation for NATO-OTAN 2013

ARGUS 1.2, HIP, INFN, NIKHEF, SWITCH

gLite Authorization Service

42 KLOC of Java and C

0 vulnerabilities

Page 9: Vulnerability Assessment for EGI and EMI - Presentation for NATO-OTAN 2013

Argus 1.2 Architecture

[Figure: Argus 1.2 architecture diagram showing the user data-flow (steps 1a, 1b, 2 to 9, 10a, 10b) and the admin data-flow (steps A, B, C', D', E', F', Dt, Et, Ft). Hosts and components: User (UI); RB Host (WMS); CE Host (CREAM, LRMS); WN Host (WN job, gLExec, PEP Client (Lib)); authZ service Host (PAP, PAP Admin Tool (Edit Policy), CLI Tool (Edit Policy), PDP, PEP Server); Administrator. Labels: HTTPS, Run job, Exit, /etc/init.d/pdp reloadpolicy, /etc/init.d/pepd clearcache.]

PAP (Policy Administration Point) → Manage Policies.
PDP (Policy Decision Point) → Evaluate Authorization Requests.
PEP (Policy Enforcement Point) → Process Client Requests and Responses.

Legend: OS privileges: user, batch user, root, Administrator & root; External Component.

Page 10: Vulnerability Assessment for EGI and EMI - Presentation for NATO-OTAN 2013

Argus 1.2 Architecture

X' = Optional steps
Xt = Periodic steps

User:

1. User submits a job described as a JDL expression.
2. CREAM receives a job execution request from WMS (1a) or the User (1b) directly.
3. CREAM sends the job execution request to the LRMS.
4. LRMS sends the job to the WN for its execution.
5. WN sends an authorization request to gLExec, and gLExec interacts with PEP Server using an LCMAPS plug-in which uses the PEP Client library to check if the mapping request can be satisfied.
6. PEP Client sends the request to the PEP Server.
7. PEP Server sends the authorization request (XACML) to PDP for evaluation.
8. PDP evaluates the authorization request and sends the response to PEP Server.
9. PEP Server sends to PEP Client the authorization response which can be allowed (10a) or denied (10b).
10. gLExec runs job using local identity only if the authorization response is allowed.

Admin:

A. Administrator edits policies using the command line interface (CLI).
B. PAP Admin Tool writes policies and policy sets and makes them available at PAP.
C'. Administrator forces reload of policies since Argus updates the policies in regular intervals.
D'. PDP sends a retrieve policies request to PAP.
E'. PAP sends policies (XACML) to PDP.
F'. Administrator sends a clear cache request to PEP Server for clearing the response cache.
Dt. PDP connects periodically to the remote PAP to refresh the repository policy.
Et. PAP sends the policies (XACML) to PDP.
Ft. PEP Server clears periodically its cache, since PEP Server keeps a short response cache.
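
A small model of the flow above, added here as an illustration and not Argus code: it shows why a policy removed at the PAP keeps being honoured at gLExec until both the PDP reload (C' or Dt) and the PEP Server cache clear (F' or Ft) have happened. The class names, the 600-second cache lifetime and the set-of-tuples policy store are assumptions; real Argus policies are XACML.

```python
import time

class PDP:
    """Policy Decision Point: evaluates requests against its local policy copy."""
    def __init__(self, pap_policies):
        self.pap = pap_policies              # the PAP's store (edited by the admin)
        self.policies = set(pap_policies)    # local repository, filled via D'/E'

    def reload_policy(self):                 # steps C', D', E' (or periodic Dt, Et)
        self.policies = set(self.pap)

    def evaluate(self, subject_dn, action):  # step 8; anything not listed is denied
        return "allowed" if (subject_dn, action) in self.policies else "denied"

class PEPServer:
    """Policy Enforcement Point server with a short response cache."""
    def __init__(self, pdp, cache_ttl, clock=time.monotonic):
        self.pdp, self.ttl, self.clock = pdp, cache_ttl, clock
        self.cache = {}                      # (dn, action) -> (decision, stored_at)

    def authorize(self, subject_dn, action): # steps 6-9
        key, now = (subject_dn, action), self.clock()
        hit = self.cache.get(key)
        if hit and now - hit[1] < self.ttl:
            return hit[0]                    # answered from cache, PDP not asked
        decision = self.pdp.evaluate(subject_dn, action)   # step 7
        self.cache[key] = (decision, now)
        return decision

    def clear_cache(self):                   # step F' (or periodic Ft)
        self.cache.clear()

def glexec_may_run(pep, subject_dn):
    """Step 10: run the job only on an explicit 'allowed' response."""
    return pep.authorize(subject_dn, "execute") == "allowed"

def revocation_demo():
    """Constructed scenario: the admin revokes a user while decisions are cached."""
    dn = "CN=Example User"                   # constructed subject DN
    pap = {(dn, "execute")}
    now = [0.0]                              # fake clock so the run is deterministic
    pdp = PDP(pap)
    pep = PEPServer(pdp, cache_ttl=600, clock=lambda: now[0])  # assumed lifetime
    seen = [glexec_may_run(pep, dn)]         # allowed, and now cached at the PEP
    pap.discard((dn, "execute"))             # steps A, B: policy removed at the PAP
    seen.append(glexec_may_run(pep, dn))     # stale: PDP copy and PEP cache
    pdp.reload_policy()                      # step C'
    seen.append(glexec_may_run(pep, dn))     # still stale: PEP cache
    pep.clear_cache()                        # step F'
    seen.append(glexec_may_run(pep, dn))     # revocation finally enforced
    return seen
```

In this model the window between a policy change and its enforcement is bounded by the PDP refresh interval plus the PEP cache lifetime, unless the administrator forces both steps.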

Page 11: Vulnerability Assessment for EGI and EMI - Presentation for NATO-OTAN 2013

Argus 1.2 Resources: authZ service Host (PAP Component)

[Figure: PAP resource diagram. Directories: conf, lib, logs, bin, repository, sbin, TRUSTED_CA, etc/grid_security. Files: pap_configuration.ini, pap_authorization.ini, hostcert.pem, hostkey.pem, certificates, logging, pap-admin, pap-standalone.sh, pap-deploy.sh, XACML Policy files. Legend: Readable: Owner, World; OS privileges: user, batch user, root, Administrator & root; External Component.]

Page 12: Vulnerability Assessment for EGI and EMI - Presentation for NATO-OTAN 2013

Argus 1.2 Resources: authZ service Host (PDP Component)

[Figure: PDP resource diagram. Directories: conf, lib, logs, sbin, Repository policy, TRUSTED_CA, etc/grid_security. Files: pdp.ini, env.sh, logging.xml, pdpctl.sh, hostcert.pem, hostkey.pem, certificates. Legend: Readable: Owner, World; OS privileges: user, batch user, root, Administrator & root; External Component.]

Page 13: Vulnerability Assessment for EGI and EMI - Presentation for NATO-OTAN 2013

Argus 1.2 Resources: authZ service Host (PEP Server Component)

[Figure: PEP Server resource diagram. Directories: conf, lib, logs, sbin, Cached Policies, TRUSTED_CA, etc/grid_security. Files: pepd.ini, env.sh, logging.xml, pepdctl.sh, hostcert.pem, hostkey.pem, certificates, grid-mapfile, groupmapfile, gridmapdir, vomsdir. Legend: Readable: Owner, World; OS privileges: user, batch user, root, Administrator & root; External Component.]

Page 14: Vulnerability Assessment for EGI and EMI - Presentation for NATO-OTAN 2013

VOMS, INFN

VOMS Core 2.0.2, Virtual Organization Management System
161 KLOC of Bourne Shell, C++ and C
1 vulnerability

VOMS Admin 2.0.15, Web management interface
35 KLOC of Java and PHP
4 vulnerabilities

Page 15: Vulnerability Assessment for EGI and EMI - Presentation for NATO-OTAN 2013

VOMS 2.0.2 Architecture

[Figure: VOMS 2.0.2 architecture diagram. Hosts: User Host, VOMS Server Host. Components: VOMS Client (Command Line), Web Browser, VOMS Admin Client (Command Line), VOMS daemon, Ancillary Utilities (Command Line), DB, VOMS Admin (Tomcat). Connection labels: GSI Connection, HTTPS, SOAP over SSL. Legend: OS privileges: user, daemon, root; DB privileges: VO_Server.]

Page 16: Vulnerability Assessment for EGI and EMI - Presentation for NATO-OTAN 2013

VOMS Client-Server Interaction

Participants: VOMS Client (voms-proxy-init) on the User Host; VOMS daemon, VOMS daemon child process and DB on the VOMS Server Host.

1. Send Request
2. Connect to Port
3. Wait for Connection
4. Accept Connection
5. Fork child process
6. Mutual Auth. & Create Secure Communication Channel via GSI
7. Request AC with attributes X, Y, Z
8. Query the database to verify the assertion against User DN
9. Create Attribute Certificate, Sign with VOMS certificate
10. Send the Attribute Certificate
11. Close Connection
12. End Child Process
13. Create a proxy certificate with embedded AC (VOMS pseudo certificate)

Page 17: Vulnerability Assessment for EGI and EMI - Presentation for NATO-OTAN 2013

VOMS Core 2.0.2 Resources: VOMS Server Host

[Figure: VOMS daemon resource diagram. Directories and stores: $CONFIG_DIR, VO_NAME, logs, TRUSTED_CA, /etc/grid_security, DB. Files: voms.conf, voms.pass, hostcert.pem, hostkey.pem, certificates, vomsdir. Legend: Readable: Owner, World; OS privileges: daemon, root; DB privileges: VO_Server.]

Page 18: Vulnerability Assessment for EGI and EMI - Presentation for NATO-OTAN 2013

VOMS Core 2.0.2 Resources: User Host

[Figure: VOMS Client resource diagram. Paths: $HOME/, /tmp/, TRUSTED_CA, /etc/, /opt/, x509up_u<user_id>, /user/.globus/, grid_security/, vomses/, glite/etc/vomses. Files: certificates, usercert.pem, userkey.pem, vomsdir. Legend: Readable: Owner, World; OS privileges: daemon, root; DB privileges: VO_Server.]

Page 19: Vulnerability Assessment for EGI and EMI - Presentation for NATO-OTAN 2013

WMS 3.3.5, INFN

Workload Management System

728 KLOC of Bourne Shell, C++, C, Python, Java, and Perl

0 vulnerabilities

Page 20: Vulnerability Assessment for EGI and EMI - Presentation for NATO-OTAN 2013

Workload Manager System (WMS) 3.3.5 Architecture

[Figure: WMS 3.3.5 architecture diagram. Hosts and components: User Host (User Interface); WMS Host (Apache, WM Proxy Server, Workload Manager, Job Controller - Condor G, Log Monitor, ICE, Proxy Renewal, LB Proxy, Logger (InterLogd), LB DataBase, GridFTP); CE Host (CREAM, LRMS); WN Host (WN job); VOMS Host (VOMS Server); IS Host (Information Service); LB Host (LB Server). Connection label: SOAP/HTTPS. Legend: OS privileges: user, root; External Component; DB privileges: LB_Admin.]

Page 21: Vulnerability Assessment for EGI and EMI - Presentation for NATO-OTAN 2013

WMS 3.3.4 Resources: WMS Host

[Figure: WMS resource diagram. Directories and stores: /etc/glite-wms, logs, TRUSTED_CA, /etc/grid_security, LB DataBase, Job SandBox. Files: glite_wms.conf, glite_wms_wmproxy.gacl, glite_wms_wmproxy_httpd.conf, wmproxy_logrotate.conf, hostcert.pem, hostkey.pem, certificates. Legend: Readable: Owner, World; OS privileges: daemon, root; DB privileges: LB_Admin.]

Page 22: Vulnerability Assessment for EGI and EMI - Presentation for NATO-OTAN 2013

CREAM 1.14.0, INFN

Computing Resource Execution And Management

216 KLOC of Bourne Shell, Java, C++, C, and Perl

4 vulnerabilities

Page 23: Vulnerability Assessment for EGI and EMI - Presentation for NATO-OTAN 2013

CREAM 1.14.0 Architecture

[Figure: CREAM 1.14.0 architecture diagram. Hosts and components: User Host (User Interface); CE Host (CREAM-CE, Tomcat, CREAM DataBase, BLAH, GridFTP, LRMS); WN Host (WN job); VOMS Host (VOMS Server). Labels: SOAP/HTTPS, Job. Legend: OS privileges: user, root, Tomcat, Batch user; External Component; DB privileges: DB_Admin.]

Page 24: Vulnerability Assessment for EGI and EMI - Presentation for NATO-OTAN 2013

CREAM-CE 1.14.0 Resources: CREAM-CE host

[Figure: CREAM-CE resource diagram. Directories and stores: /etc/glite-ce-cream, /var/Cream_sandbox, /etc/grid_security, logs, CREAM DataBase. Files and entries: Cream-config.xml, User 1 to User N, hostcert.pem, hostkey.pem, certificates, vomsdir. Legend entries: DB privileges, OS privileges, CREAM admin, Tomcat, root, Batch users; File ownership: Owner, World.]

Page 25: Vulnerability Assessment for EGI and EMI - Presentation for NATO-OTAN 2013

CREAM-CE Client 1.14.0 Resources: Client Host

[Figure: CREAM-CE client resource diagram. Directories: /tmp/, /home/user, /etc/grid_security. Files: proxy, client logs, Job input files, JDL file, Job output files, Certificates. Legend: OS privileges: Tomcat, root, user; File ownership: Owner, World.]

Page 26: Vulnerability Assessment for EGI and EMI - Presentation for NATO-OTAN 2013

Questions?

http://www.cs.wisc.edu/mist
