fine-凯发官网入口

fine-grain access control for securing shared resources in computational grids* ali raza buttt sumalatha adabalat nirav h. kapadiat renato figueiredott jose a. b. fortes:: tschoo1 of ece ttdept. of ece $dept. of ece purdue university northwestern university university of florida w lafayette, in 47907 evanston, il 60208 gainesville, fl 32611 {butta, adabala, renato@ece.nwu.edu fortes@ufl.edu kapadia}@purdue.edu abstract computational grids provide computing power by sharing resources across administrative domains. this sharing, coupled with the need to execute untrusted code from arbitrary users, introduces security hazards. this paper addresses the security implications of mak- ing q computing resource available to untrusted a&- cations via computational grids. it highlights the prob- lems and limitations of current grid environments and proposes q technique that employs runtime monitor- ing and q restricted shell. the technique can be used for setting-up an execution environment that supports the full legitimate use allowed by the security policy of q shared resource. performance analysis shows up to z.l,j times execution overhead improvement for shell- based applications. the approach proves effective and provides q substrate for hybrid techniques that combine static and dynamic mechanisms to minimize monitor- ing overheads. key phrases: access control, grid environments, grid security, unix access model. 1. introduction grid environments of the future will require an abil- ity to provide a secure execution environment for ap- plications. the grid should allow arbitrary code from untrusted users to legitimately share resources, while *this work was partially funded by the national science foundation under grants ecs-9809520, eia-9872516, and eia- 9975275, by the army research office defense university re- search initiative in nanotechnology, and by an academic rein- vestment grant from purdue university. intel, purdue, src, and hp have provided equipment grants for punch compute- servers. providing an active enforcement of the security policy of the shared resources. this requirement, if not ad- dressed, presents significant obstacles to the viability of computational grids, which typically span multiple administrative domains. the ability to share resources is a fundamental con- cept for realization of grids; therefore, resource se- curity and integrity are prime concerns. if the goal is to allow arbitrary users to submit applications to the grid, new dimensions to security issues will be introduced [a]. the issues of authorization and se- cure communications are addressed in great length in globus [www.globus.org]. however, in this case, the fact that the users and resources no longer enjoy a mu- tual relationship complicates the problem. two scenar- ios may arise, the shared resource may be malicious and affects the results of the program utilizing the resource, or the grid program may be malicious and threatens the integrity of the resource. although the first sce- nario is a crucial issue [25], this paper focuses on the latter issue providing a step towards achieving better security. a two-level approach consisting of a restricted shell and runtime monitoring is presented, to provide a se- cure execution environment for unmodified binaries. the second level provides active runtime monitoring to prevent any malicious use in programs. however, development environments generally require an inter- active shell environment. if only runtime monitoring were to be employed, the shell itself will also have to be monitored therefore incurring extra overheads. to overcome these overheads, the first level of the ap- proach consists of a restricted shell that is not moni- tored directly by the second level. the shell utilizes its own checks to control the user’s ability to freely peruse resources during an interactive session. for example, the shell controls reads to otherwise world-readable re- 0-7695-1573-8/02/$17.00 (c) 2002 ieee