Toward Realizable Restricted Delegation in Computational Grids

  • Geoff Stoker
  • Brian S. White
  • Ellen Stackpole
  • T. J. Highley
  • Marty Humphrey
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2110)


In a Computational Grid, or Grid, a user often requires a service to perform an action on his behalf. Currently, the user has few options but to grant the service the ability to wholly impersonate him, which opens the user to seemingly unbounded potential for security breaches if the service is malicious or errorful. To address this problem, eight approaches are explored for realizable, practical, and systematic restricted delegation, in which only a small subset of the user’s rights are given to an invoked service. Challenges include determining the rights to delegate and easily implementing such delegation. Approaches are discussed in the context of Legion, an object-based infrastructure for Grids. Each approach is suited for different situations and objectives. These approaches are of practical importance to Grids because they significantly limit the degree to which users are subject to compromise.


Computational Grid, Replay Attack, Security Breach, Method Invocation, Remote Method
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.





Copyright information

© Springer-Verlag Berlin Heidelberg 2001

Authors and Affiliations

  • Geoff Stoker
  • Brian S. White
  • Ellen Stackpole
  • T. J. Highley
  • Marty Humphrey
  1. Department of Computer Science, University of Virginia, Charlottesville
