Enabling Grids for E-sciencE

Models for Security

Vulnerabilities and Threats

Yuri Demchenko
Advanced Internet Research Group (AIRG)
University of Amsterdam
demch@science.uva.nl

www.eu-egee.org

INFSO-RI-508833
 Enabling Grids for E-sciencE

Outline

• Background: Addressing known security

vulnerabilities
• From Vulnerability to Incident
•Existing classifications and models
• Proposed security threats classification and
models

www.eu-egee.org

INFSO-RI-508833
 Addressing Known Security
Enabling Grids for E-sciencE Vulnerabilities
• Grid Operational Centers (and JSPG :-) know major
security vulnerabilities
– Those that are actually obvious
 Reason why it happened?
– We can expect more will be discovered when we apply regular
security vulnerability analysis and risk assessment
• Approach for security/operational people?
– Actively search for vulnerabilities OR wait until somebody will
discover them and (mis)use
• (Already perceived) Problems
– There is no common approach/model for analysing security
vulnerabilities in Web Services and Grids
– All security models and methodologies are complex and
multifaceted
 Grid is new but not unique – better learn from others’ expereince
 Need some efforts and willinness to learn or to listen to experts
INFSO-RI-508833 3
 Vulnerability-Incident life-cycle
Enabling Grids for E-sciencE

Vulnerability => Exploit => Threat => Attack/Intrusion => Incident

Vulnerability is a flaw or weakness in a system's design, implementation,

or operation and management that could be exploited to violate the
system's security policy
Exploit is a known way to take advantage of a specific software
vulnerability
Threat is a potential for violation of security, which exists when there is a
circumstance, capability, action, or event that could breach security and
cause harm
Attack is an assault on system security that derives from an intelligent
threat
Incident is a result of successful Attack

INFSO-RI-508833 4
 Basic steps in attacking
Enabling Grids for E-sciencE methodology

Survey and Exploit and Escalate

Assess Penetrate Privileges

Deny Service Maintain Access

Clean or forge
track of activity

Unauthorised use
of Resource

INFSO-RI-508833 5
 Known Vulnerabilities and
Enabling Grids for E-sciencE Threats Classifications
• OWASP (Open Web Application Security Project)
– http://www.owasp.org/documentation/topten.html
– Developed in 2003-2004 and industry adopted
• EVDL (Enterprise Vulnerability Description Language)
– OASIS WG
– http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=was
• Web Applications Security Threats Model by Microsoft
– http://msdn.microsoft.com/library/en-us/dnnetsec/html/ThreatCounter.asp
• XML Web Services Security Vulnerabilities/Threats
classification
– Proposed in MJRA3.4 and updated in MJRA3.6

INFSO-RI-508833 6
 Top 10 OWASP vulnerabilities
Enabling Grids for E-sciencE

• A1 - Unvalidated Input
• A2 - Broken Access Control
• A3 - Broken Authentication and Session Management
• A4 - Cross Site Scripting (XSS) Flaws
• A5 - Buffer Overflows
• A6 - Injection Flaws
• A7 - Improper Error Handling
• A8 – Insecure Credentials Storage
• A9 - Denial of Service
• A10 - Insecure Configuration Management

INFSO-RI-508833 7
 XML Web Services threats/
Enabling Grids for E-sciencEattacks classification (1)
• XWS1 – Web Services Interface probing
– WSDL scanning, WSDL parameters tampering, WSDL error
interface probing
• XWS2 – XML parsing system
– Recursive XML document content, oversized XML document
• XWS3 – Malicious XML content
– Malicious code exploiting known vulnerabilities in back-end
applications, viruses or Trojan horse programs, malicious XPath
or XQuery built-in operations, malicious Unicode content
• XWS4 – External reference attacks
– Malicious XML Schema extensions, namespace resolution
manipulation, external entity attacks

INFSO-RI-508833 8
 XML Web Services threats/
Enabling Grids for E-sciencEattacks classification (2)
• XWS5 – SOAP/XML Protocol attacks
– SOAP flooding attack, replay attack, routing detour, message
eavesdropping, “Main-in-the-middle” attack
• XWS6 – XML security credentials tampering
– XML Signature manipulation, secure XML content manipulation,
Unicode content manipulation, XML credentials replay,
application session hijacking
• XWS7 – Secure key/session negotiation tampering
– Poor WS-Security implementation, poor key generation, poor
key/trust management; weak or custom encryption

INFSO-RI-508833 9
 Threats/Attacks grouping in
Enabling Grids for E-sciencE interacting services
Site Services/Resources
Requestor/User
SecureCreds SrvReqst

Reqr/User AuthN AuthZ Resource/

Client (SSO) Resource
Agent
Creds

SrvDeliv SecureAssert
UCV ESV
Accounting/Logging

SMV

MIA – Malifactor
UCA - User Initiated Attacks ESA – End Service
Credentials Attack * DoS Attacks
* Creds theft * Brute Force * Malicious input
* Creds compromise * Dictionary Attacks * XSS
* User impersonation * WSDL probing * XML/SQL Injection
WIA – Wire Intelligence * Dynamic XML
Attacks * Malicious content
* Misuse & Quota
* Network eavesdropping SMA – Service
* “Man in the middle” (MITM) Management Attacks
* Brute Force * Configuration vuln
* Credentials compromise * Improp Key/Trust Mngnt
* Replay/Session hijack * Improper Priv Mngnt
* XML/SOAP protocol * Improper Error Handl
* Insecure audit/log

INFSO-RI-508833 10
 Threats/Attacks grouping (1)
Enabling Grids for E-sciencE

• WIA – “Wire” Intelligence Attacks

– Network eavesdropping
– “Man in the middle” (MITM)
– Brute Force
– Credentials compromise
– Replay/Session hijack
– XML/SOAP protocol
• MIA – Melifactor Initiated Attacks
– Denial of Service (DoS)
– Brute Force
– Dictionary Attacks
– WSDL probing
• UCA – User Credentials Attacks
– Credentials theft
– Credentials compromise
– User impersonation

INFSO-RI-508833 11
 Threats/Attacks grouping (1)
Enabling Grids for E-sciencE

• SIA – Site Management Attacks

– Configuration vulnerabilities
– Improper Key/Trust Management
– Improper Privilege Management
– Improper Error Handling
– Insecure audit/logging
• ESA – End Services Attacks
– Resource misuse and quota violation
– Malicious input
– Dynamic XML
– XML/SQL Injection
– (XSS)

INFSO-RI-508833 12
 Security models for interacting
Grid/XWS services
Enabling Grids for E-sciencE

Site Services/Resources
Requestor/User
SecureCreds SrvReqst

Reqr/User AuthN AuthZ Resource/

Client (SSO) Resource
Agent
Creds

SrvDeliv SecureAssert
UCA ESA
Accounting/Logging

SMA

• Requestor/User site security zones

• Service/Resource site security zones

INFSO-RI-508833 13
 Requestor/User site security
Enabling Grids for E-sciencE zones
Zone X Zone D Zone C Zone B Zone A

Requestor Site Services

Resource/
Ext Creds Req/User Browser/ Service
Storage Client/Proxy Application
Server
Local
Creds
Storage

User Pswd Temp Cache

Creds (Cookie,
Storage applets,
(Cache) etc)
Init Pswd

X.509 X.509
PKCert PKCert

Proxy/Client Cache
External Creds Local Creds (Temp/Proxy Cookie/SessionID Internet Zone
Storage Storage Creds Storage) Applets

INFSO-RI-508833 14
 Service/Resource site security
Enabling Grids for E-sciencE zones

Zone RN Zone RA Zone RAA Zone R1 Zone R0

IdentP Resource/Service Site

TA/BA

Appl
Req/User FW Srvr/ AuthN AuthZ Resource Resource/
Client/System Contnr (SSO) (Policy IF/Agent Service
Enforcemnt) (IntFW)
Creds PEP ACL
(ResAuthZ)
Attrib PDP

PolicyA PolicyA Data

AttrA

UserDB Local
FileSyst

Site AuthN
Internet/Network Identity/Attributes Site AuthZ Resource IF/Agent Resource
Access (TA/BA/VO Contx) (Policy Enforcement) Resource Manager (Local File System)

INFSO-RI-508833 15
 Example use of security models
Enabling Grids for E-sciencE

Collaboratory.nl project (CNL)

• Providing secure remote access to unique analytical
equipment

• Job-centric security model for Open Collaborative

Environment
– Distributed security services model
– Security context handling addressed
– Trust model for distributed security services

INFSO-RI-508833 16
 Authorisation Service operation in a
CNL2 Demo system
Enabling Grids for E-sciencE

JNLP – Java
Network
Remote CNL Launch
3. JNLP Instrument
Surabaya Protocol
CHEF –
Web 5,10 startSession() Instrument Collaborative
PEP
Client 11,14 goLeft() Controller tool
4. getJobInfo() Surabaya –
2. JNLP 6,9 startSession()
Collaborative
12,13 checkAuthZStatus() Workspace
1. Login
environment
gAAA Server
CHEF 7,8 requestDecision()

Job Mgt. PDP

Note: we assume SSL TCP connections all over.

Locations

INFSO-RI-508833 17
 Security and trust issues in the OCE
Job-centric security model
Enabling Grids for E-sciencE

Site Services/Resources
Resource
Customer Broker Resource Agent
Org
Order/
OrderDoc CRM RAM
Biz/Admin
TR1
TA1 OrderDoc Order
(document) Job Policy
TR8/TA1 (template) (template)
Resource/
Service
PI/Admin JobDescr
Job/ JobDescr TR1
TA2 RBAC Job Policy
AdmT (instance) (instance)
TR3/TA2 TR4
AA Resource IF
TR1
User UserList Attributes
DB
Policy PEP/PDP
AA
User AuthN/
AuthN/ SSO TR3
CT SSO AuthzReq
TR7 PDP
UserDB PEP
TR5
AuthnTkt TR6 TR2
Users

AuthzTkt AuthnTkt SrvReq

SrvDeliv AuthzTkt

TA – Trust Anchor; TR# - trust path from root (resource); RAM – Resource
Allocation and Management; UserCT – User Collaborative Tools

INFSO-RI-508833 18
 Trust relations in distributed
Enabling Grids for E-sciencE access control infra

Customer
Resource
Site Services/Resources
Trust/credentials chain and
Broker Resource Agent
Org
Order/ delegation between
OrderDoc CRM RAM
Biz/Admin
TA1 OrderDoc Order
TR1 major modules:
(document) Job Policy
TR8/TA1 (template) (template)

JobDescr
Resource/
Service User =>
PI/Admin Job/ TR1
=> HomeOrg.staff(TA2)
JobDescr
TA2 RBAC Job Policy
AdmT (instance) (instance)
TR3/TA2 TR4
AA Resource IF => Job.members
TR1
User
DB
UserList Attributes

Policy PEP/PDP
=> Member.roles
AuthN/ SSO
User
CT
AuthN/
AA
TR3
=> Role.permissions
SSO AuthzReq
TR7 PDP
UserDB PEP
TR5
AuthnTkt TR6 TR2
Users

AuthzTkt AuthnTkt SrvReq

SrvDeliv AuthzTkt

Obtaining required permissions to perform requested action by the user:

User => AuthN(HomeOrg.staff, Job.members) =>
=> AuthZ(Member.roles, Policy.permissions) =>
=> Resource.permissions

INFSO-RI-508833 19
 Summary and next steps
Enabling Grids for E-sciencE

• Security vulnerabilities and attacks classification

provides an input to further analysis of existing and to
be discovered vulnerabilities

• Proposed Requestor and Resource security models

need discussion and trial with analysing real
middleware products
– Need to be developed to cover case with the delegation

• Need some organisational form to proceed as an ad-

hoc activity to target improving Grid middleware
security

INFSO-RI-508833 20
 Additional materials
Enabling Grids for E-sciencE

• Users vs hackers
• Application security layers
• Host security components
• Implementation suggestions for OCE/CNL Job-centric
security architecture

INFSO-RI-508833 21
 Users vs hackers
Enabling Grids for E-sciencE

• Users go regular route

• Potential hacker use any possible opportunity to bypass

INFSO-RI-508833 22
 Application Security Layers
Enabling Grids for E-sciencE

• Grid and application

security must be build on
Tier 1 - Secure the Network solid base of lower layers
• Grid middleware constitutes
Tier 2 - Secure the Host
Tier 3 layer and must
Tier 3 - Secure the Application
protect actual applications
Presentation Business Data Access from possible attacks
Logic Logic Logic

Runtime Services and Components

Platform Services and Components

Operating System

INFSO-RI-508833 23
 Host security components
Enabling Grids for E-sciencE

• Protocols and Ports that provides network access and

communication services for applications.
• Common OS Services
• Files and Directories
• User Accounts and privileges
• Registries
• Auditing and Logging
• Patches and Updates management

INFSO-RI-508833 24
 Trust relations in distributed
Enabling Grids for E-sciencE Access Control
Implementation suggestions for OCE/CNL security model
– Root of trust and authority belong to the Resource
– Trust anchor TA2 embedded into the Job Description is the main
trust anchor shared between the resource and the customer.
 In more business integrated model the signed order may contain
TA1
 Both TA2 and TA1 may have the same trust path to the
root/resource
– To become a shared trust anchor for the resource and the
customer trust domains, the Order or JobDescription must
contain mutually signed credentials/certificates
– Although the main PEP operation assumes authorisation
decision request from the trusted PDP, in general PEP may
accept an AuthzTicket from other trusted/external PDP

INFSO-RI-508833 25