Toward Realizable Restricted Delegation in Computational Grids1
In a Computational Grid, or Grid, a user often requires a service to perform an action on his behalf. Currently, the user has few options but to grant the service the ability to wholly impersonate him, which opens the user to seemingly unbounded potential for security breaches if the service is malicious or errorful. To address this problem, eight approaches are explored for realizable, practical, and systematic restricted delegation, in which only a small subset of the user’s rights are given to an invoked service. Challenges include determining the rights to delegate and easily implementing such delegation. Approaches are discussed in the context of Legion, an object-based infrastructure for Grids. Each approach is suited for different situations and objectives. These approaches are of practical importance to Grids because they significantly limit the degree to which users are subject to compromise.
KeywordsComputational Grid Replay Attack Security Breach Method Invocation Remote Method
Unable to display preview. Download preview PDF.
- 1.Berman, F., R. Wolski, S. Figueira, J. Schopf, and G. Shao. “Application-level Scheduling on Distributed Heterogeneous Networks”, in Proceedings of Supercomputing 96, 1996.Google Scholar
- 2.Chizmadia, David. A Quick Tour of the CORBA Security Service, http://www.omg.org/news/corbasec.htm, Reprinted from Information Security Bulletin-September 1998.
- 3.Erdos, M.E. and J.N. Pato. “Extending the OSF DCE Authorization System to Support Practical Delegation”, PSRG Workshop of Network and Distributed System Security, pages 93–100, February 1993.Google Scholar
- 4.Ferrari, Adam, Frederick Knabe, Marty Humphrey, Steve Chapin, and Andrew Grimshaw. “A Flexible Security System for Metacomputing Environments.” In Seventh International Conference on High Performance Computing and Networking Europe (HPCN Europe 99), pages 370–380, April 1999.Google Scholar
- 6.Foster, Ian, Carl Kesselman, Gene Tsudik, and Steven Tuecke. “A Security Architecture for Computational Grids.” In Proceedings of the 5th ACM Conference on Computer and Communications Security, pages 83–92, November 1998.Google Scholar
- 7.Gasser, Morrie, Andy Goldstein, Charlie Kaufman, and Butler Lampson. “The Digital Distributed System Security Architecture.” In Proceedings of 1989 National Computer Security Conference, 1989.Google Scholar
- 9.Linn, J. and M. Nystrom. “Attribute Certification: An Enabling Technology for Delegation and Role-Based Controls in Distributed Environments”, Proceedings of the Fourth ACM workshop on Role-Based Access Control, 1999, pages 121–130.Google Scholar
- 10.Neuman, B. Clifford. “Proxy-Based Authorization and Accounting for Distributed Systems,” Proceedings of the ICDCS’93, May 1993.Google Scholar
- 12.Thompson, M., W. Johnston, S. Mudumbai, G. Hoo, K. Jackson, and A. Essiari. “Certificate-based Access Control for Widely Distributed Resources”, Proceedings of the Eighth Usenix Security Symposium, August 1999.Google Scholar
- 13.Wray, J. “Generic Security Services Application Programmer Interface (GSS-API), volume 2”. RFC 2078, January 1997.Google Scholar