Skip to main content
SpringerLink
Log in

Enhancing grid security by fine-grained behavioral control and negotiation-based authorization

  • Regular Contribution
  • Published:
International Journal of Information Security Aims and scope Submit manuscript

Abstract

Nowadays, Grid has become a leading technology in distributed computing. Grid poses a seamless sharing of heterogeneous computational resources belonging to different domains and conducts efficient collaborations between Grid users. The core Grid functionality defines computational services which allocate computational resources and execute applications submitted by Grid users. The vast models of collaborations and openness of Grid system require a secure, scalable, flexible and expressive authorization model to protect these computational services and Grid resources. Most of the existing authorization models for Grid have granularity to manage access to service invocations while behavioral monitoring of applications executed by these services remains a responsibility of a resource provider. The resource provider executes an application under a local account, and acknowledges all permissions granted to this account to the application. Such approach poses serious security threats to breach system functionality since applications submitted by users could be malicious. We propose a flexible and expressive policy-driven credential-based authorization system to protect Grid computational services against a malicious behavior of applications submitted for the execution. We split an authorization process into two levels: a coarse-grained level that manages access to a computational service; and a fine-grained level that monitors the behavior of applications executed by the computational service. Our framework guarantees that users authorized on a coarse-grained level behave as expected on the fine-grained level. Credentials obtained on the coarse-grained level reflect on fine-grained access decisions. The framework defines trust negotiations on coarse-grained level to overcome scalability problem, and preserves privacy of credentials and security policies of, both, Grid users and providers. Our authorization system was implemented to control access to the Globus Computational GRAM service. A comprehensive performance evaluation shows the practical scope of the proposed system.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Similar content being viewed by others

References

  1. Alfieri R., Cecchini R., Ciaschini V., dell’Agnello L., Frohner A., Lőrentey K., Spataro F.: From gridmap-file to voms: managing authorization in a grid environment. Futur. Gener. Comput. Syst. 21(4), 549–558 (2005)

    Article  Google Scholar 

  2. Alpern B., Attanasio C., Barton J. et al.: The jalapeño virtual machine. IBM Syst. J. 39(1), 211–221 (2000)

    Article  Google Scholar 

  3. Apt K.: Logic programming. In: van Leeuwen, J. (eds) Handbook of Theoretical Computer Science, Elsevier, Amsterdam (1990)

    Google Scholar 

  4. Barton, T., Basney, J., Freeman, T., Scavo, T., Siebenlist, F., Welch, V., Ananthakrishnan, R., Baker, B., Goode, M., Keahey, K.: Identity federation and attribute-based authorization through the globus toolkit, shibboleth, gridshib, and myproxy. In: 5th Annual PKI R&D Workshop (2006)

  5. Baselice, S., Bonatti, P.A., Faella, M.: On interoperable trust negotiation strategies. In: Proceedings of IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY’07), pp. 39–50. IEEE Computer Society (2007)

  6. Becker, M.Y., Nanz, S.: The role of abduction in declarative authorization policies. In: Proceedings of the 10th International Symposium on Practical Aspects of Declarative Languages (PADL’08). Lecture Notes in Computer Science. Springer, Berlin (2008)

  7. Bertino E., Ferrari E., Squicciarini A.C.: Trust-X: a peer-to-peer framework for trust establishment. IEEE Trans. Knowl. Data Eng. 16(7), 827–842 (2004)

    Article  Google Scholar 

  8. Chadwick, D.W., Otenko, A.: The PERMIS X.509 role-based privilege management infrastructure. In: Seventh ACM Symposium on Access Control Models and Technologies, pp. 135–140. ACM Press, New York (2002)

  9. Chervenak A., Foster I., Kesselman C., Salisbury C., Tuecke S.: The data grid: towards an architecture for the distributed management and analysis of large scientific datasets. J. Netw. Comput. Appl. 23, 187–200 (2001)

    Article  Google Scholar 

  10. Constandache, I., Olmedilla, D., Siebenlist, F.: Policy-driven negotiation for authorization in the grid. In: Proceedings of the Eighth IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY ’07), pp. 211–220. IEEE Computer Society (2007)

  11. Eiter T., Gottlob G., Leone N.: Abduction from logic programs: semantics and complexity. Theor. Comput. Sci. 189(1–2), 129–177 (1997)

    Article  MATH  MathSciNet  Google Scholar 

  12. Fang, L., Gannon, D., Siebenlist, F.: XPOLA: An extensible capability-based authorization infrastructure for grids. In: Fourth Annual PKI Workshop: Multiple Paths to Trust. NIST (2005)

  13. Feller, M., Foster, I., Martin, S.: Gt4 gram: a functionality and performance study. In: Proceedings of the Teragrid 2007 Conference. Madison, WI, USA (2007)

  14. Foster, I.: Globus toolkit version 4: Software for service-oriented systems. In: Proceedings of IFIP International Conference on Network and Parallel Computing. Lecture Notes in Computer Science, vol. 3779. pp. 2–13. Springer, Berlin (2005)

  15. Foster, I., Kesselman, C.: The Grid: blueprint for a Future Computing Infrastructure, chap. Computational Grids. Morgan Kaufmann, San Francisco (1998)

  16. Foster, I., Kesselman, C., Pearlman, L., Tuecke, S., Welch, V.: A community authorization service for group collaboration. In: Proceedings of the 3rd IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY 02), pp. 50–59 (2002)

  17. Foster, I., Kesselman, C., Tsudik, G., Tuecke, S.: A security architecture for computational grids. In: Proceedings of the 5th ACM conference on Computer and communications security (CCS’98), pp. 83–92. ACM Press, San Francisco (1998)

  18. Hoare C.A.R.: Communicating sequential processes. Commun. ACM 21(8), 666–677 (1978). doi:10.1145/359576.359585

    Article  MATH  MathSciNet  Google Scholar 

  19. Hofmeyr, S.A., Somayaji, A., Forrest, S.: Intrusion detection using sequences of system calls, pp. 151–180 (1998)

  20. Kapadia, A., Sampemane, G., Campbell, R.H.: KNOW why your access was denied: regulating feedback for usable security. In: Proceedings of the 11th ACM conference on Computer and Communications Security, pp. 52–61. ACM Press, New York, NY, USA (2004)

  21. Keahey, K., Welch, V.: Fine-grain authorization for resource management in the grid environment. In: GRID ’02: Proceedings of the Third International Workshop on Grid Computing. Lecture Notes in Computer Science, vol. 2536, pp. 199–206 (2002)

  22. Keahey K., Welch V., Lang S., Liu B., Meder S.: Fine-grained authorization for job execution in the grid: design and implementation: research articles. Concurr. Comput. Pract. Exp. 16(5), 477–488 (2004)

    Article  Google Scholar 

  23. Koshutanski, H., Martinelli, F., Mori, P., Borz, L., Vaccarelli, A.: A fine-grained and X.509-based access control system for Globus. In: Proceedings of the International Symposium on Grid computing, high-performAnce and Distributed Applications (GADA’06). Springer, Montpellier (2006)

  24. Koshutanski, H., Martinelli, F., Mori, P., Vaccarelli, A.: Fine-grained and history-based access control with trust management for autonomic grid services. In: Proceedings of the 2nd International Conference on Autonomic and Autonomous Systems (ICAS’06). IEEE Computer Society, Silicon Valley, CA (2006)

  25. Koshutanski H., Massacci F.: Interactive access control for autonomic systems: from theory to implementation. ACM Trans. Auton. Adapt. Syst. (TAAS) 3(3), 1–31 (2008). doi:10.1145/1380422.1380424

    Article  Google Scholar 

  26. Koshutanski, H., Massacci, F.: A negotiation scheme for access rights establishment in autonomic communication. J. Netw. Syst. Manage. 15(1), (2007)

  27. Lee A.J., Winslett M., Basney J., Welch V.: The traust authorization service. ACM Trans. Inf. Syst. Secur. 11(1), 1–33 (2008)

    Article  Google Scholar 

  28. Leone, N., Pfeifer, G., Faber, W., Eiter, T., Gottlob, G., Perri, S., Scarcello, F.: The DLV system for knowledge representation and reasoning. ACM Trans. Comput. Logic (2006). Available on http://www.arxiv.org/ps/cs.AI/0211004

  29. Lepro, R.: Cardea: Dynamic access control in distributed systems. In: NAS Technical Report NAS-03-020. NASA Advanced Supercomputing (NAS) Division (2003)

  30. Li J., Cordes D.: A scalable authorization approach for the globus grid system. Futur. Gener. Comput. Syst. 21(2), 291–301 (2005)

    Article  MATH  Google Scholar 

  31. Li, N., Mitchell, J.C., Winsborough, W.H.: Design of a role-based trust-management framework. In: Proceedings of the 2002 IEEE Symposium on Security and Privacy, pp. 114–130. IEEE Computer Society (2002)

  32. Liang S.: Java(TM) Native Interface: Programmer’s Guide and Specification. Addison-Wesley, Reading (1999)

    Google Scholar 

  33. Lorch, M., Adams, D.B., Kafura, D., Koneni, M.S.R., Rathi, A., Shah, S.: The PRIMA system for privilege management, authorization and enforcement in grid environments. In: Proceedings of the Fourth International Workshop on Grid Computing, p. 109. IEEE Computer Society (2003)

  34. Martinelli, F.: Towards an integrated formal analysis for security and trust. In: FMOODS, pp. 115–130 (2005)

  35. Martinelli, F., Mori, P., Vaccarelli, A.: Towards continuous usage control on grid computational services. In: Proceedings of Joint International Conference on Autonomic and Autonomous Systems and International Conference on Networking and Services (ICAS-ICNS 2005), p. 82, IEEE Computer Society (2005)

  36. Nefedova, V., Jacob, R., Foster, I., Liu, Z., Liu, Y., Deelman, E., Mehta, G., Su, M.H., Vahi, K.: Automating climate science: Large ensemble simulations on the TeraGrid with the GriPhyN virtual data system. In: Proceedings of the Second IEEE International Conference on e-Science and Grid Computing (E-SCIENCE’06), p. 32. IEEE Computer Society (2006)

  37. Nejdl, W., Olmedilla, D., Winslett, M.: PeerTrust: Automated trust negotiation for peers on the semantic Web. In: VLDB Workshop on Secure Data Management (SDM), Lecture Notes in Computer Science, vol. 3178, pp. 118–132. Springer (2004)

  38. Pearlman, L., Kesselman, C., Welch, V., Foster, I., Tuecke, S.: The community authorization service: status and future. In: Proceedings of Computing in High Energy and Nuclear Physics (CHEP 03): ECONF C0303241 (2003)

  39. Provos, N.: Improving host security with system call policies. In: SSYM’03: Proceedings of the 12th conference on USENIX Security Symposium, pp. 257–272. USENIX Association, Berkeley, CA, USA (2003)

  40. Randall D.A., Ringler T.D., Heikes R.P., Jones P., Baumgardner J.: Climate modeling with spherical geodesic grids. Comput. Sci. Eng. 4(5), 32–41 (2002)

    Article  Google Scholar 

  41. Saltzer J.H., Schroeder M.D.: The protection of information in computer systems. Proc. IEEE 63(9), 1278–1308 (1975)

    Article  Google Scholar 

  42. Seamons, K., Winslett, M., Yu, T.: Limiting the disclosure of access control policies during automated trust negotiation. In: Proceedings of the Network and Distributed System Security Symposium (2001)

  43. Seamons, K., Winslett, M., Yu, T., Smith, B., Child, E., Jacobson, J., Mills, H., Yu, L.: Requirements for policy languages for trust negotiation. In: Proceedings of the 3rd International Workshop on Policies for Distributed Systems and Networks (POLICY’02), pp. 68–79. IEEE Computer Society (2002)

  44. Seehusen, F., Stølen, K.: A transformational approach to facilitate monitoring of high-level policies. In: 9th IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY 2008), pp. 70–73. IEEE Computer Society (2008)

  45. Sekar, R., Bowen, T., Segal, M.: On preventing intrusions by process behavior monitoring. In: ID’99: Proceedings of the 1st conference on Workshop on Intrusion Detection and Network Monitoring, pp. 29–40. USENIX Association, Berkeley, CA, USA (1999)

  46. Shanahan, M.: Prediction is deduction but explanation is abduction. In: Proceedings of IJCAI’89, pp. 1055–1060. Morgan Kaufmann, San Francisco (1989)

  47. Spencer Jr. B. et al.: Neesgrid: A distributed collaboratory for advanced earthquake engineering experiment and simulation. In: 13th World Conference on Earthquake Engineering (2004)

  48. Squicciarini A., Bertino E., Ferrari E., Paci F., Thuraisingham B.: PP-trust-X: a system for privacy preserving trust negotiations. ACM Trans. Inf. Syst. Secur. 10(3), 12 (2007)

    Article  Google Scholar 

  49. Stell, A.J., Sinnott, R.O., Watt, J.P.: Comparison of advanced authorisation infrastructures for grid computing. In: Proceedings of High Performance Computing System and Applications 2005, HPCS, pp. 195–201 (2005)

  50. Thompson, M., Essiari, A., Keahey, K., Welch, V., Lang, S., Liu, B.: Fine-grained authorization for job and resource management using akenti and the globus toolkit. In: Proceedings of Computing in High Energy and Nuclear Physics (CHEP03) (2003)

  51. Thompson, M., Johnston, W., Mudumbai, S., Hoo, G., Jackson, K., Essiari, A.: Certificate-based access control for widely distributed resources. In: Proceedings of Eighth USENIX Security Symposium (Security’99), pp. 215–228 (1999)

  52. Welch, V., Ananthakrishnan, R., Siebenlist, F., Chadwick, D., Meder, S., Pearlman, L.: Use of SAML for OGSI Authorization. Global Grid Forum, Open Grid Services Architecture Authorization Working Group (2005). http://forge.gridforum.org/projects/ogsa-authz

  53. Welch, V., Siebenlist, F., Foster, I., Bresnahan, J., Czajkowski, K., Gawor, J., Kesselman, C., Meder, S., Pearlman, L., Tuecke, S.: Security for grid services. In: 12th IEEE International Symposium on High Performance Distributed Computing (2003)

  54. Winsborough, W., Seamons, K., Jones, V.: Automated trust negotiation. In: Proceedings of DARPA Information Survivability Conference and Exposition (DISCEX), vol. 1, pp. 88–102. IEEE Press (2000)

  55. Winslett, M.: An introduction to trust negotiation. In: First International Conference on Trust Management (iTrust’03), Lecture Notes in Computer Science, vol. 2692, pp. 275–283. Springer, Berlin (2003)

  56. Winslett M., Yu T., Seamons K.E., Hess A., Jacobson J., Jarvis R., Smith B., Yu L.: Negotiating trust in the Web. IEEE Internet Comput. 6(6), 30–37 (2002)

    Article  Google Scholar 

  57. X.509: The directory: Public-key and attribute certificate frameworks (2005). ITU-T Recommendation X.509:2005, ISO/IEC 9594-8:2005

  58. XACML: eXtensible Access Control Markup Language (XACML) (2005). http://www.oasis-open.org/committees/xacml

  59. Yu, T., Ma, X., Winslett, M.: Prunes: an efficient and complete strategy for automated trust negotiation over the Internet. In: Proceedings of the 7th ACM conference on Computer and communications security (CCS ’00), pp. 210–219. ACM Press, New York (2000)

  60. Yu T., Winslett M., Seamons K.E.: Supporting structured credentials and sensitive policies through interoperable strategies for automated trust negotiation. ACM Trans. Inf. Syst. Secur. 6(1), 1–42 (2003)

    Article  MATH  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Computer Science Department, University of Malaga, Campus de Teatinos, 29071, Málaga, Spain

    Hristo Koshutanski

  2. Dipartimento di Informatica, Universita di Pisa, Largo Bruno Pontecorvo, 3, 56127, Pisa, Italy

    Aliaksandr Lazouski

  3. Istituto di Informatica e Telematica, Consiglio Nazionale delle Ricerche, Via Giuseppe Moruzzi, 1, 56124, Pisa, Italy

    Fabio Martinelli & Paolo Mori

Authors
  1. Hristo Koshutanski
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Aliaksandr Lazouski
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Fabio Martinelli
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Paolo Mori
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Aliaksandr Lazouski.

Additional information

Hristo Koshutanski was supported by the Marie Curie Intra-European fellowship 038978-iAccess within the 6th European Community Framework Programme. Aliaksandr Lazouski, Fabio Martinelli and Paolo Mori were partially supported by the EU project FP6-033817 GRIDTRUST (Trust and Security for Next Generation Grids).

Rights and permissions

Reprints and permissions

About this article

Cite this article

Koshutanski, H., Lazouski, A., Martinelli, F. et al. Enhancing grid security by fine-grained behavioral control and negotiation-based authorization. Int. J. Inf. Secur. 8, 291–314 (2009). https://doi.org/10.1007/s10207-009-0083-4

Download citation

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10207-009-0083-4

Keywords

Search

Navigation