1 | A Prototype of the GENI Authorization Architecture. |
---|
2 | |
---|
3 | Tom Anderson, Lujo Bauer, Arvind Krishnamurthy and Mike Reiter. |
---|
4 | |
---|
5 | |
---|
6 | |
---|
7 | The project's goal is to design, implement, and demonstrate a |
---|
8 | prototype authorization service for GENI. GENI's scale, widespread |
---|
9 | deployment, and visibility will make it an inviting target for attack, |
---|
10 | and thus careful attention must be paid to security in its design. In |
---|
11 | our view, security considerations need to permeate every interface to |
---|
12 | be defined for GENI, and thus it is particularly important to build a |
---|
13 | prototype implementation to validate GENI's security architecture |
---|
14 | prior to construction funding. |
---|
15 | |
---|
16 | The GENI distributed services working group has identified several |
---|
17 | requirements for GENI's security architecture: least privilege, |
---|
18 | flexibility revocation, auditability, and scalability. Unfortunately, |
---|
19 | none of the existing technologies address all of these requirements. |
---|
20 | For one thing, GENI's predecessors in both the distributed systems |
---|
21 | community (PlanetLab) and the Grid community (Globus) have primitive |
---|
22 | security architectures (key-based access control lists) that address |
---|
23 | authentication more than authorization. Some of these limitations are |
---|
24 | addressed by newer standards, such as Taos, SPKI/SDSI, PolicyMaker, |
---|
25 | and KeyNote, but implementations are scarce and none exist for the |
---|
26 | sorts of resources managed in distributed testbeds. Hence there is a |
---|
27 | need for a prototyping effort that will explore issues arising out of |
---|
28 | the use of fine-grained authorization in planetary-scale systems. |
---|
29 | |
---|
30 | Clearly, achieving all of these objectives is a multi-year task. For |
---|
31 | this one-year prototyping effort, we narrow our focus to the central |
---|
32 | element of the proposed GENI security architecture: fine-grained |
---|
33 | distributed authorization and access control. We seek to develop a |
---|
34 | prototype design and implementation for access control that is |
---|
35 | sufficiently rich and flexible that it could be applied ubiquitously |
---|
36 | in GENI to regulate access to virtually any resource. We will deploy |
---|
37 | this prototype on PlanetLab, and demonstrate it using user programs |
---|
38 | that are executed in restricted environments, such as a Java Virtual |
---|
39 | Machine. Users would build distributed applications/experiments in |
---|
40 | Java, which we would then ship around to PlanetLab nodes running our |
---|
41 | resource monitors. The resource monitor would be used to first |
---|
42 | authorize the execution of the user program on a given node and then |
---|
43 | be used to enforce access restrictions to objects such as files and |
---|
44 | network devices during program execution. By restricting ourselves to |
---|
45 | Java programs, we are leveraging the existence of a virtual machine |
---|
46 | that has the appropriate hooks for invoking access control checks. |
---|
47 | Note that the eventual implementation of GENI should include these |
---|
48 | hooks inside the OS kernel or a virtual machine monitor (such as Xen) |
---|
49 | in order to invoke the appropriate runtime checks. Incorporating such |
---|
50 | hooks into the OS kernel or a VMM is more of an engineering issue and |
---|
51 | is not central to our technical efforts. |
---|
52 | |
---|
53 | Specific milestones |
---|
54 | ------------------- |
---|
55 | |
---|
56 | 6th Month Deliverable (Feb '07): |
---|
57 | |
---|
58 | Demonstrate the technical feasibility of the authorization service. |
---|
59 | Project tasks include: |
---|
60 | |
---|
61 | a) Defining the structure of credentials and their concrete |
---|
62 | representation. |
---|
63 | |
---|
64 | b) Implementation of APIs and libraries for creating cryptographic |
---|
65 | keys; for creating credentials; for creating proofs of policy |
---|
66 | compliance from a formal statement of an access policy and a set of |
---|
67 | credentials; and for verifying a claimed proof of a given policy (the |
---|
68 | resource monitor). |
---|
69 | |
---|
70 | c) Adaptation of access-control logics to encode access-control |
---|
71 | constructs and policies typical of those needed for GENI. |
---|
72 | |
---|
73 | Develop a demonstration that showcases all of the above system |
---|
74 | components. Allow users to initiate experiments on PlanetLab nodes |
---|
75 | and have them be executed under the supervision of resource monitors. |
---|
76 | In particular, demonstrate the following features: |
---|
77 | |
---|
78 | a) Fine-grained control over access: For example, for experiments |
---|
79 | deployed by novice users, limit the programs to talking only to |
---|
80 | other PlanetLab nodes. |
---|
81 | |
---|
82 | b) Fast startup and efficient execution. Demonstrate that the new |
---|
83 | features do not come at the cost of noticeable execution overheads. |
---|
84 | Allow experimenters to instantiate slices and deploy experiments, |
---|
85 | all in real time. |
---|
86 | |
---|
87 | 12th Month Deliverable (Aug '07): |
---|
88 | |
---|
89 | Develop proof-of-concept tools that illustrate that the authorization |
---|
90 | service can support the various administrative tasks currently being |
---|
91 | performed by PlanetLab Central and site administrators. Address |
---|
92 | scalability issues and release the reference implementations. |
---|
93 | Demonstrate the ability to track down the effects of a compromised |
---|
94 | administrator key and revoking privileges that have been incorrectly |
---|
95 | granted. |
---|
96 | |
---|