Distributed Computer Security
8320 Advanced Operating Systems
Lanier Watkins
Outline

• Distributed Computer Security-1997
    - Computer Security/Fault Tolerance
    - Secure System: Secrecy, Integrity, Availability, Reliability, Safety
• Fundamentals of Computer Security-1997
    - Subjects
    - Objects
• Security Policies, Models, and Mechanisms-1997
    - Common Security Threats: Interruption, Interception, Modification, Fabrication
    - Security Approaches: Authentication, Authorization, Fault-Tolerance, Encryption, Auditing
    - Security Models
• Security Issues in Distributed Systems-1997
    - Interoperability
    - Transparency
• Grid-based Intrusion Detection System-2003
• Cluster Security with NvisionCC: Process Monitoring by Leveraging Emergent Properties-2005
• GHIDS: Defending Computational Grids against Misusing of Shared Resources-2006
• Passive Identification of Unauthorized Use of Grid Computing Resources-2007
Distributed Computer Security-1997

• Security and Fault Tolerance
    - Critical in distributed systems because of the openness of the environment
    - Solutions are closely related to design issues
• Secure/Dependable System
    - Secrecy: protection from unauthorized disclosure
    - Integrity: only authorized users modify system objects
    - Availability: authorized users are not prevented from accessing their respective objects
    - Reliability and Safety are fault-tolerance features
Fundamentals of Computer Security-1997

• Computer systems can be represented by:
    - Subjects: active entities that access objects
    - Objects: passive entities that must be protected
        · Examples: data, hardware, software and communication links
• Access Control Policy
    - Describes how objects are accessed by subjects
• Flow Control Policy
    - Regulates the information flow between objects and subjects
Security Policies, Models, and Mechanisms-1997

• 4 Categories of Security Threats
    - Interruption: loss of data and denial of service (an attack on availability)
    - Interception: related to secrecy
    - Modification and Fabrication are violations of system integrity
• Fundamental Approaches
    - Authentication: verification
    - Authorization: extending permission
    - Fault Tolerance: sustaining faults
    - Encryption: prevents exposure of information and maintains privacy
    - Auditing: a passive form of protection
Security Policies, Models, and Mechanisms-1997 (Continued)

• Security Model
    - Discretionary
        · Provides separation of users and data
        · E.g. access control matrix
    - Mandatory
        · Requires access control of all subjects and objects under its control on a system-wide basis
        · E.g. multilevel security: all subjects and objects in the system are assigned a sensitivity label, and the labels are used as the basis for mandatory access control decisions
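The two models side by side, as an added example (this is not code from the slides or from Chow and Johnson): a discretionary access-control matrix with owner delegation, and a mandatory multilevel check in the Bell-LaPadula style (no read up, no write down). The subjects, objects, rights, levels and labels are constructed sample data, and the rule that a request must pass the mandatory check and then the discretionary one is this example's own layering.

```python
# Added example: discretionary (access-control matrix) vs. mandatory (multilevel
# label) access decisions. All subjects, objects, rights, levels and labels are
# constructed sample data, not taken from the slides.

# Discretionary model: an access-control matrix, subject -> object -> rights.
# "own" lets a subject extend rights on that object to others (the discretionary part).
ACM = {
    "alice": {"payroll.db": {"own", "read", "write"}, "web.log": {"read"}},
    "bob":   {"web.log": {"read", "append"}},
}

# Mandatory model: totally ordered sensitivity levels, a clearance per subject and
# a label per object, fixed system-wide and not changeable by ordinary users.
LEVEL = {"unclassified": 0, "confidential": 1, "secret": 2}
CLEARANCE = {"alice": "secret", "bob": "confidential"}
LABEL = {"payroll.db": "secret", "web.log": "unclassified"}

READ_LIKE = {"read"}
WRITE_LIKE = {"write", "append"}


def dac_allows(subject, obj, right):
    """Discretionary check: is the right present in the subject's matrix row?"""
    return right in ACM.get(subject, {}).get(obj, set())


def grant(owner, subject, obj, right):
    """Discretionary delegation: only an owner of obj may extend rights on it."""
    if "own" not in ACM.get(owner, {}).get(obj, set()):
        raise PermissionError(f"{owner} does not own {obj}")
    ACM.setdefault(subject, {}).setdefault(obj, set()).add(right)


def mac_allows(subject, obj, right):
    """Mandatory check in the Bell-LaPadula style:
    reads need clearance >= label (no read up);
    writes need clearance <= label (no write down, which is what stops a
    secret-cleared subject copying what it read into an unclassified object)."""
    s = LEVEL[CLEARANCE[subject]]
    o = LEVEL[LABEL[obj]]
    if right in READ_LIKE:
        return s >= o
    if right in WRITE_LIKE:
        return s <= o
    return False


def access_allowed(subject, obj, right):
    """Layering assumed by this example: the mandatory policy is checked first
    and cannot be overridden by any discretionary grant."""
    return mac_allows(subject, obj, right) and dac_allows(subject, obj, right)


def decisions():
    """A few requests and their outcomes."""
    return {
        ("alice", "payroll.db", "read"):  access_allowed("alice", "payroll.db", "read"),   # True
        ("alice", "payroll.db", "write"): access_allowed("alice", "payroll.db", "write"),  # True: same level
        ("alice", "web.log", "write"):    access_allowed("alice", "web.log", "write"),     # False: no DAC right, and write down
        ("bob", "web.log", "read"):       access_allowed("bob", "web.log", "read"),        # True
        ("bob", "web.log", "append"):     access_allowed("bob", "web.log", "append"),      # False: DAC allows, MAC forbids write down
    }


def delegation_demo():
    """Owner delegation succeeds at the discretionary layer but the label policy
    still refuses bob's read-up of a secret object: returns (True, False)."""
    grant("alice", "bob", "payroll.db", "read")
    return dac_allows("bob", "payroll.db", "read"), access_allowed("bob", "payroll.db", "read")
```

The last case is the point of having both models: the matrix entry that alice hands out is honoured by the discretionary layer, but a mandatory policy is exactly the one that a user cannot relax by granting rights, so the read is still refused.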
Security Issues in Distributed Systems-1997

• Interoperability and Transparency
    - Give rise to security issues
• System Architecture
    - 2 approaches to implementing new services:
        · Add an additional layer of software that runs on top of the existing system to provide the new services
        · Redesign the system so that the new services can be executed more efficiently in kernel mode
• Client/Server Model
    - Typically used by distributed operating systems
    - Fits well with the object-oriented paradigm
    - Objects to be protected are associated with the servers managing them
    - Each object has a set of allowable, well-formed operations that can be invoked by client processes
Security Issues in Distributed Systems-1997 (Continued)

• Client/Server Security
    - A client initiates an access to an object through the kernel
    - The kernel authenticates the client and then invokes the object server
    - Implemented via interprocess communication at the transport layer
    - Supported by secure host-to-host communication at the network layer and node-to-node communication at the link layer
    - A secure distributed system consists of communicating security servers using a trusted gateway
• Simulate a Secure Private Network over the Public Network
    - Balances interoperability and transparency
• Interdomain authentication
• Secure message transfer between domains
    - Depends on successful interdomain authentication
• Interdomain access: authorized by interdomain access control
    - Depends on the ability to transmit secure request/reply messages
• Security transparency maintained via secure APIs (TAPI)
    - E.g. GSS-API, developed by DEC and now an IETF standard (RFC 2743)
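The dependency chain on this slide (interdomain authentication, then secure request/reply transfer, then interdomain access control) as an added example; this is not the Chow and Johnson architecture, GSS-API, or code from the slides. Two security servers share a constructed key, every message carries an HMAC tag and a fresh nonce, and the receiving server applies its access-control policy only to requests whose origin it has authenticated. The domain names, key, message layout, operation names and policy table are all assumptions of this example.

```python
# Added example: authenticated request/reply between two security domains.
# Domains, key, message format and policy are constructed for the example.
import copy
import hashlib
import hmac
import json
import os


def canonical(msg):
    """Deterministic encoding so both sides compute the MAC over identical bytes."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


class SecurityServer:
    """One domain's security server: tags outgoing messages, verifies incoming
    ones, and applies interdomain access control only after authentication."""

    def __init__(self, domain, shared_key, policy):
        self.domain = domain
        self.key = shared_key
        self.policy = policy            # (remote principal, object) -> set of ops
        self.seen_nonces = set()        # replay detection (unbounded here; bound it in practice)

    def build(self, to, body):
        msg = {"from": self.domain, "to": to, "nonce": os.urandom(16).hex(), "body": body}
        tag = hmac.new(self.key, canonical(msg), hashlib.sha256).hexdigest()
        return {"msg": msg, "tag": tag}

    def authenticate(self, packet):
        """Returns None if the packet is genuine, addressed to us and fresh; else a reason."""
        msg = packet["msg"]
        expected = hmac.new(self.key, canonical(msg), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, packet["tag"]):
            return "bad tag (modified in transit or fabricated without the key)"
        if msg["to"] != self.domain:
            return "not addressed to this domain"
        if msg["nonce"] in self.seen_nonces:
            return "replayed nonce"
        self.seen_nonces.add(msg["nonce"])
        return None

    def handle_request(self, packet):
        """Authenticate first; only then consult the interdomain access policy."""
        problem = self.authenticate(packet)
        if problem:
            return self.build(packet["msg"].get("from", "?"), {"status": "denied", "why": problem})
        req = packet["msg"]["body"]
        principal = f'{req["subject"]}@{packet["msg"]["from"]}'
        allowed = req["op"] in self.policy.get((principal, req["object"]), set())
        return self.build(packet["msg"]["from"],
                          {"status": "ok" if allowed else "denied",
                           "why": None if allowed else "interdomain access control"})


def exchange():
    """Runs the exchange plus one instance of each threat class and returns the outcomes."""
    key = b"constructed-shared-key"
    a = SecurityServer("A", key, {})
    b = SecurityServer("B", key, {("alice@A", "web.log"): {"read"}})
    results = {}

    req = a.build("B", {"subject": "alice", "op": "read", "object": "web.log"})
    results["genuine"] = b.handle_request(req)["msg"]["body"]["status"]

    tampered = copy.deepcopy(req)
    tampered["msg"]["body"]["op"] = "write"              # modification: tag no longer matches
    results["modified"] = b.handle_request(tampered)["msg"]["body"]["why"]

    forged = {"msg": {"from": "A", "to": "B", "nonce": "00" * 16,
                      "body": {"subject": "alice", "op": "read", "object": "web.log"}},
              "tag": "0" * 64}                           # fabrication without the key
    results["fabricated"] = b.handle_request(forged)["msg"]["body"]["why"]

    results["replayed"] = b.handle_request(req)["msg"]["body"]["why"]   # genuine packet, second delivery

    denied = a.build("B", {"subject": "alice", "op": "write", "object": "web.log"})
    results["unauthorized"] = b.handle_request(denied)["msg"]["body"]["why"]

    reply = b.handle_request(a.build("B", {"subject": "alice", "op": "read", "object": "web.log"}))
    results["reply_verified"] = a.authenticate(reply) is None           # A verifies B's reply the same way
    return results
```

Modification and fabrication fail at the tag check and a replay fails at the nonce check, so the policy lookup never sees an unauthenticated request. Interception is not addressed here: the body travels in the clear, which is what the encryption approach on the earlier slide adds on top of authentication.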
Grid-Based Intrusion Detection System (Choon et al, 2003)

• Grid Based Intrusion Detection System (GIDS) proposed
• Design requirements
    - Grid environment: GIDS must be applicable in a Grid environment
    - Autonomous: GIDS must be independent of user intervention
    - Low overhead: GIDS must not have a significant system impact
    - Adaptable: GIDS must have on-demand enablement
    - Reusable: GIDS code must be easily deployed
    - Scalable: GIDS must cover many nodes
    - Flexible: GIDS must be customizable
    - Timeliness: GIDS must solve problems just in time
Grid-Based Intrusion Detection System (Choon et al, 2003) (Continued)

• Approach
    - GIDS acts as a Virtual Organization (VO)
    - GIDS shares its resources in the form of application services
• Services
    - Auditing
    - Anomaly-type intrusion detection
    - Signature matching
    - Policy language
    - Secure communication
    - Monitoring
    - Distributed database
• Architecture
    - Agent: daemon running on the machine being protected
    - Server: service provider
    - Manager: control center of the VO
    - Secure Communicator: provides secure communication for the VO
Cluster Security with NVisionCC (Koenig et al, 2005)

• Cluster Security Monitoring Tool
• Design criteria
    - Performance impact
    - Central control
    - Leverage existing software
    - Configurability
    - Effectiveness
• Approach/Services
    - Monitors processes across cluster nodes
    - Looks for open network ports
    - Looks for irregular network traffic patterns
    - Looks for modifications to critical files
    - Raises alerts when deviations from profiles are detected
• Architecture
    - PCP daemon
    - Collector node
    - Data analyzer
    - User interface
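The "emergent property" in the NVisionCC title is that the nodes of a compute cluster are configured alike and run the same job, so their process tables and listening ports should be near-identical and the node that deviates from the majority is the one to look at. The following is an added example of that profile-and-deviation logic, not NVisionCC's own code; the per-node snapshot is constructed, and the 80% majority threshold is an assumption of this example rather than a value from the paper.

```python
# Added example: derive a cluster-wide profile from what most nodes run, then
# flag nodes that deviate from it. Snapshot data and threshold are constructed.
from collections import Counter

# Constructed snapshot: process names and listening TCP ports per node, as a
# collector would gather them from each node's monitoring daemon.
SNAPSHOT = {
    "node01": {"procs": {"sshd", "pbs_mom", "mpirun", "lammps"},          "ports": {22, 15002}},
    "node02": {"procs": {"sshd", "pbs_mom", "mpirun", "lammps"},          "ports": {22, 15002}},
    "node03": {"procs": {"sshd", "mpirun", "lammps"},                     "ports": {22, 15002}},        # pbs_mom missing
    "node04": {"procs": {"sshd", "pbs_mom", "mpirun", "lammps"},          "ports": {22, 15002}},
    "node05": {"procs": {"sshd", "pbs_mom", "mpirun", "lammps", "xmrig"}, "ports": {22, 15002, 3333}},  # extra process and port
    "node06": {"procs": {"sshd", "pbs_mom", "mpirun", "lammps"},          "ports": {22, 15002}},
}


def build_profile(snapshot, attribute, min_fraction=0.8):
    """Items present on at least min_fraction of the nodes form the profile."""
    counts = Counter()
    for node in snapshot.values():
        counts.update(node[attribute])
    needed = min_fraction * len(snapshot)
    return {item for item, n in counts.items() if n >= needed}


def deviations(snapshot, attribute, min_fraction=0.8):
    """Per node: what it has that the profile lacks ("extra") and vice versa ("missing")."""
    profile = build_profile(snapshot, attribute, min_fraction)
    found = {}
    for name, node in snapshot.items():
        extra = node[attribute] - profile
        missing = profile - node[attribute]
        if extra or missing:
            found[name] = {"extra": extra, "missing": missing}
    return found


def alerts(snapshot=SNAPSHOT):
    """Alert report over both monitored attributes, keyed by node."""
    report = {}
    for attribute in ("procs", "ports"):
        for name, dev in deviations(snapshot, attribute).items():
            report.setdefault(name, {})[attribute] = dev
    return report
```

Two things a practitioner should keep in mind with a self-derived profile: a missing item (node03's scheduler daemon) is as much an alert as an extra one, since a node that silently drops out of the job is also a symptom; and the majority vote is only as good as the majority, so an attacker who lands the same extra process on most nodes at once is absorbed into the profile, which is why a baseline captured at a known-good time should be compared against the live majority rather than trusting the live majority alone.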
GHIDS: Defending Computational Grids Against Misusing of Shared Resources (Feng et al, 2006)

• Grid-specific host-based intrusion detection system
• Design criteria
    - Performance impact
    - Central control
    - Leverage existing software
    - Configurability
    - Effectiveness
• Approach/Services
    - Uses bottleneck verification (host level)
        · Detects users that go from user to super-user improperly
    - Monitors process creation, modification and destruction (host level)
    - Monitors accesses to critical resources (host level)
    - Grid user ID and host-level ID are stored when Grid services are used
• Architecture
    - Host- and Grid-level deployment
    - Virtual kernel device created
    - Grid middleware modified
    - Data analyzer
    - User interface
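Bottleneck verification, as an added example and not GHIDS's own code: every legitimate way for an ordinary uid to reach euid 0 runs through a small set of programs (the bottleneck), so a process holding euid 0 whose nearest non-root ancestor did not hand it root via one of those programs is an improper escalation. The process-creation records, the field layout and the list of bottleneck programs below are constructed assumptions of this example.

```python
# Added example: bottleneck verification over a constructed process-creation log.
# The record format, the events and the bottleneck set are this example's own.
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid uid euid exe")

# The only programs through which an unprivileged uid may legitimately reach
# euid 0 on this (constructed) host.
BOTTLENECKS = {"/usr/bin/sudo", "/usr/bin/su", "/bin/login"}

EVENTS = [
    Proc(1,   0,   0,    0,    "/sbin/init"),
    Proc(100, 1,   0,    0,    "/usr/sbin/sshd"),
    Proc(200, 100, 1001, 1001, "/bin/bash"),        # alice's login shell
    Proc(201, 200, 1001, 0,    "/usr/bin/sudo"),    # proper: root gained through setuid sudo
    Proc(202, 201, 0,    0,    "/bin/bash"),        # root shell under sudo
    Proc(300, 200, 1001, 0,    "/tmp/.x/pwn"),      # improper: euid 0 with no bottleneck program
    Proc(301, 300, 0,    0,    "/bin/sh"),          # inherits the improperly gained root
]


def privilege_origin(pid, table):
    """Walk up from pid through euid-0 ancestors to the process where euid 0 was
    first acquired from a non-root parent. Returns None when the chain reaches
    a process with no parent in the table (root since boot)."""
    p = table[pid]
    while True:
        parent = table.get(p.ppid)
        if parent is None:
            return None
        if parent.euid != 0:
            return p
        p = parent


def improper_escalations(events):
    """Pids that became euid 0 without passing through a bottleneck program,
    each reported once even if it spawned further root children."""
    table = {e.pid: e for e in events}
    flagged = set()
    for e in events:
        if e.euid != 0:
            continue
        origin = privilege_origin(e.pid, table)
        if origin is not None and origin.exe not in BOTTLENECKS:
            flagged.add(origin.pid)
    return sorted(flagged)
```

The check attributes pid 301's root to pid 300, so one alert covers the whole subtree. It only sees what the creation log records: an exploit that rewrites the credentials of an already-running process produces no new record with euid 0, which is why the slide pairs bottleneck verification with monitoring of process modification, not just creation.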
Non-Intrusive Security Monitoring in Cluster Grid Networks (Watkins, 2007)

• Non-intrusive cluster security monitoring tool
• Design criteria
    - Performance impact
    - Central control
    - Leverage existing software
    - Configurability
    - Effectiveness
• Approach/Services
    - Host-level and Grid-level support
    - Identifies unauthorized use of resources
    - Identifies misuse of resources
    - Raises alerts when deviations from profiles are detected
• Architecture
    - No daemons (non-intrusive)
    - Collector node
Non-Intrusive Security Monitoring in Cluster Grid Networks (Watkins, 2007) (Continued)

Processing pipeline (figure):
    Packet Analysis (tcpdump) → Preprocessor (Wavelet Transform) → Feature Extraction (Energy + Transients) → Detection & Decision → CPU Utilization Identification

Energy feature over a window of $L$ samples, where $a_{1,k}$ and $d_{1,k}$ are the level-1 approximation and detail wavelet coefficients:

$$E = \sum_{k=1}^{L/2} \left( a_{1,k}^2 + d_{1,k}^2 \right)$$
Non-Intrusive Security Monitoring in Cluster Grid Networks (Watkins, 2007) (Continued)

• Problem has inherent uncertainty
• Identification scheme
    - Use fuzzy operators: Min(PIII, PIV), Max(PIII, PIV), Average(PIII, PIV)
    - Use Type I fuzzy
    - Use Type II fuzzy

Average wavelet energy at 70% load (figure data):

    CPU Speed            Average Energy
    2 GHz, 70% load      50287362.90
    450 MHz, 70% load    50400246.44
References

Randy Chow and Theodore Johnson, Distributed Operating Systems & Algorithms, Addison Wesley, 1997.
O. Tian and A. Samsudin, "Grid Based Intrusion Detection System", IEEE, 2003.
Koenig et al., "Cluster Security with NVisionCC: Process Monitoring by Leveraging Emergent Properties", IEEE, 2005.
Feng et al., "GHIDS: Defending Computational Grids Against Misusing of Shared Resources", IEEE, 2006.