A Prototype of the GENI Authorization Architecture. Tom Anderson, Lujo Bauer, Arvind Krishnamurthy and Mike Reiter.

The project's goal is to design, implement, and demonstrate a prototype authorization service for GENI. GENI's scale, widespread deployment, and visibility will make it an inviting target for attack, so its design must pay careful attention to security. In our view, security considerations need to permeate every interface defined for GENI, which makes it particularly important to build a prototype implementation that validates GENI's security architecture prior to construction funding.

The GENI distributed services working group has identified several requirements for GENI's security architecture: least privilege, flexibility, revocation, auditability, and scalability. Unfortunately, none of the existing technologies addresses all of these requirements. GENI's predecessors in both the distributed systems community (PlanetLab) and the Grid community (Globus) have primitive security architectures (key-based access control lists) that address authentication more than authorization. Some of these limitations are addressed by newer approaches such as Taos, SPKI/SDSI, PolicyMaker, and KeyNote, but implementations are scarce and none exist for the sorts of resources managed in distributed testbeds. Hence there is a need for a prototyping effort that explores the issues arising from fine-grained authorization in planetary-scale systems.

Clearly, achieving all of these objectives is a multi-year task. For this one-year prototyping effort, we narrow our focus to the central element of the proposed GENI security architecture: fine-grained distributed authorization and access control. We seek to develop a prototype design and implementation for access control that is sufficiently rich and flexible that it could be applied ubiquitously in GENI to regulate access to virtually any resource.
We will deploy this prototype on PlanetLab and demonstrate it using user programs that execute in restricted environments, such as a Java Virtual Machine. Users would build distributed applications and experiments in Java, which we would then ship to PlanetLab nodes running our resource monitors. The resource monitor would first authorize the execution of the user program on a given node and then enforce access restrictions on objects such as files and network devices while the program runs. By restricting ourselves to Java programs, we leverage an existing virtual machine that already has the hooks needed to invoke access control checks (the JVM's security manager and permission checks). Note that the eventual implementation of GENI should place these hooks inside the OS kernel or a virtual machine monitor (such as Xen) so that the appropriate runtime checks are invoked for arbitrary user code, not only Java programs. Incorporating such hooks into the OS kernel or a VMM is mainly an engineering issue and is not central to our technical efforts.

Specific milestones
-------------------

6th Month Deliverable (Feb '07): Demonstrate the technical feasibility of the authorization service. Project tasks include:

a) Defining the structure of credentials and their concrete representation.

b) Implementing APIs and libraries for creating cryptographic keys; for creating credentials; for constructing proofs of policy compliance from a formal statement of an access policy and a set of credentials; and for verifying a claimed proof against a given policy (the resource monitor).

c) Adapting access-control logics to encode the access-control constructs and policies typical of those needed for GENI.

Develop a demonstration that showcases all of the above system components: allow users to initiate experiments on PlanetLab nodes and have them executed under the supervision of resource monitors.
In particular, demonstrate the following features:

a) Fine-grained control over access. For example, for experiments deployed by novice users, limit the programs to talking only to other PlanetLab nodes.

b) Fast startup and efficient execution. Demonstrate that the new features do not come at the cost of noticeable execution overhead, and allow experimenters to instantiate slices and deploy experiments in real time.

12th Month Deliverable (Aug '07): Develop proof-of-concept tools showing that the authorization service can support the administrative tasks currently performed by PlanetLab Central and site administrators. Address scalability issues and release the reference implementations. Demonstrate the ability to track down the effects of a compromised administrator key and to revoke privileges that were incorrectly granted.
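To make the credential, proof and resource-monitor pieces of the 6th-month tasks concrete, and the key-compromise tracking of the 12th-month deliverable, here is an added example that is not part of the proposal nor code from GENI or PlanetLab. It is written in Go rather than Java only because Go's standard library ships Ed25519 signatures; everything else is an assumption made for the illustration: the credential fields, the resource names ("run:node", "net:planetlab", "net:any"), the principals (PLC as root of trust, an administrator, a site administrator, a user, a novice), and the choice of an ordered delegation chain as the proof representation. The monitor's policy is "Root says who may use a resource"; a proof is a chain of signed credentials from Root's key to the requester, every link but the last marked delegable; a credential for net:planetlab cannot serve as a proof for net:any, which is the novice restriction in feature (a); and Affected computes which credentials descend from a compromised key, the set to revoke after an administrator key is lost.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Credential: Issuer says Subject may use Resource; Delegate lets Subject pass the right on. (Illustrative format.)
type Credential struct {
	Issuer, Subject ed25519.PublicKey
	Resource        string
	Delegate        bool
	Sig             []byte
}

// payload is the canonical byte string the issuer signs.
func (c *Credential) payload() []byte {
	return []byte(fmt.Sprintf("%s|%x|%x|%t", c.Resource, c.Issuer, c.Subject, c.Delegate))
}

// ID names a credential in revocation lists: a prefix of its (deterministic) Ed25519 signature.
func (c *Credential) ID() string { return fmt.Sprintf("%x", c.Sig[:8]) }

// NewKey generates an Ed25519 key pair for a principal (PLC, an admin, a user).
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // a failing system RNG is not recoverable here
	}
	return pub, priv
}

// Issue creates a credential signed by the issuer's private key.
func Issue(priv ed25519.PrivateKey, subject ed25519.PublicKey, resource string, delegate bool) *Credential {
	c := &Credential{Issuer: priv.Public().(ed25519.PublicKey), Subject: subject, Resource: resource, Delegate: delegate}
	c.Sig = ed25519.Sign(priv, c.payload())
	return c
}

// Monitor is the resource monitor: policy "Root says who may use a resource", plus revoked credential IDs.
type Monitor struct {
	Root    ed25519.PublicKey
	Revoked map[string]bool
}

// Verify checks a proof: an ordered delegation chain from Root to requester for resource (an empty chain authorizes only Root).
func (m *Monitor) Verify(requester ed25519.PublicKey, resource string, proof []*Credential) error {
	prev := m.Root
	for i, c := range proof {
		switch {
		case !c.Issuer.Equal(prev):
			return fmt.Errorf("cred %d: issuer does not hold the right it delegates", i)
		case c.Resource != resource:
			return fmt.Errorf("cred %d: covers %q, not %q", i, c.Resource, resource)
		case !ed25519.Verify(c.Issuer, c.payload(), c.Sig):
			return fmt.Errorf("cred %d: bad signature", i)
		case m.Revoked[c.ID()]:
			return fmt.Errorf("cred %d: revoked", i)
		case i < len(proof)-1 && !c.Delegate:
			return fmt.Errorf("cred %d: right is not delegable", i)
		}
		prev = c.Subject
	}
	if !prev.Equal(requester) {
		return fmt.Errorf("chain ends at a key other than the requester")
	}
	return nil
}

// Affected lists IDs of credentials whose authority descends from the compromised key, following
// delegable credentials transitively: the set an administrator must review and revoke after a compromise.
func Affected(pool []*Credential, compromised ed25519.PublicKey) []string {
	holds := func(k ed25519.PublicKey, r string) string { return fmt.Sprintf("%x|%s", k, r) }
	tainted, seen := map[string]bool{}, map[string]bool{}
	var ids []string
	for progress := true; progress; {
		progress = false
		for _, c := range pool {
			if seen[c.ID()] || !(c.Issuer.Equal(compromised) || tainted[holds(c.Issuer, c.Resource)]) {
				continue
			}
			seen[c.ID()], progress = true, true
			ids = append(ids, c.ID())
			if c.Delegate {
				tainted[holds(c.Subject, c.Resource)] = true
			}
		}
	}
	return ids
}

func main() {
	plc, plcPriv := NewKey()
	admin, adminPriv := NewKey()
	user, _ := NewKey()
	chain := []*Credential{Issue(plcPriv, admin, "run:node", true), Issue(adminPriv, user, "run:node", false)}
	m := &Monitor{Root: plc, Revoked: map[string]bool{}}
	fmt.Println("user may run:", m.Verify(user, "run:node", chain), "| affected by admin compromise:", Affected(chain, admin))
}
```

The linear chain is the simplest proof form; task (c) anticipates richer access-control logics, where a proof is a derivation in that logic rather than a chain, but the monitor's job is unchanged: check every inference step and signature, then reject anything revoked. Revocation here is an in-memory set on a single monitor; pushing that set to every PlanetLab node in time is the scalability question the 12th-month deliverable raises.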