March, 2004
By secure, we mean a high degree of assurance that the system is operating as designed, with data object updates and accesses controlled as per the assigned user privileges. If the SRB system indicates that data object F1 is owned by user U1 and was stored by user U1, then there is a high degree of confidence that this is so. If the data object is accessible only to users in group G1, then there is a high degree of confidence that only those users have accessed it.
Perfect computer security does not exist. Even a strong encryption system, implemented using long cryptographic keys, can be broken given enough computational power. And, usually, cryptography is a relatively strong security component and attackers bypass the encryption to attempt to exploit other, weaker, aspects of the system.
Security is only as strong as the weakest link. There are many pieces
to the security infrastructure whole, and they all must be strong if
the system is to be secure.
The above diagram illustrates the SRB environment. Like any other
grid application, security concerns include the host operating
systems, and interprocess communication and authentication, locally and
across the network.
The following discussion involves quite a few separate, largely disjoint, topics due to the nature of computer security. When considering the overall security of a computer system, one needs to evaluate attributes of various sub-components where vulnerabilities may come into play. In addition, there are some broader issues to consider, such as various social engineering attacks:
The SANS Institute (SysAdmin, Audit, Network, Security) is a cooperative research and education organization. The SANS Top 20 Internet Security Vulnerabilities (October, 2003) lists 10 top Windows threats and 10 top Unix threats, many of which involve coding errors in particular software packages, primarily buffer overflow problems. Buffer overflow errors are aspects of Windows threats 1, 2, 4, and 6 and Unix threats 1, 2, 6 and 9.
As described in the article "Buffer overflows likely to be around for another decade": "Buffer overflows in both Unix and Windows systems were common occurrences in the recently released SANS/FBI Top 20 List of Web vulnerabilities. Buffer overflows open gaping holes that attackers can exploit, as the recent Slapper worm showed. The worm took advantage of a buffer overflow in OpenSSL running on Linux Apache Web servers to set up peer-to-peer networks and to commandeer other computers for possible use in launching distributed denial-of-service attacks. Often buffer overflow vulnerabilities are hard to find in the minutiae of computer code. Additionally, the nature of the popular C programming language makes them an easy programming error to make, experts said."
Buffer overflow coding errors typically allow an attacker to execute arbitrary code on a victim machine, with the privileges of the attacked process. Although exploitations of buffer overflow errors require a moderate level of knowledge and skill to create, they are often then packaged in "cook book" packages for use by the less sophisticated.
The SRB has a very low level of risk from buffer overflow attacks for three main reasons. First, a few years ago, a major U.S. Government agency acquired the SRB source code, did a complete audit, and found and described to us a number of vulnerabilities (primarily buffer overflows), which we then repaired in our branch of the source code; since then, the developers of the core SRB system code have been consciously attempting to avoid introducing additional buffer overflow problems. Second, since the SRB source code is (currently) relatively unknown, the potential number of attackers that would attempt exploits of this form is quite small. And third, the SRB Servers are not running as root (unlike the buffer-overflow problems that are top threats), so a compromise would provide only limited access, constrained by the privileges of the SRB user account.
Still, it would be worthwhile to perform another audit to attempt to locate and repair potential buffer overflow problems. There are software tools available that can help with this. We expect to do this sometime in the next few months.
The fact that SRB servers execute as a non-privileged user (not root) is a significant advantage, preventing the SRB system from presenting a potential security hole to the operating system as a whole. If an SRB compromise of this sort did occur, the attacker would be able to execute arbitrary code, but only as the Unix SRB server login account, and so would not be able to take over the system. However, this would compromise SRB space for the local Zone, as any SRB-administration command could be executed.
The SRB client hosts should also be secure; however, since these hosts may not be under the control of the SRB administrator, they may be compromised. If they are not secure, then the user accounts that access the SRB from those hosts may be compromised. Beyond this, however, the SRB is well protected, as the compromise of one non-privileged client account does not provide the attacker with any significant information or access beyond that one account.
Of course, if the SRB Administrator account is compromised then the attacker will have full access to all SRB data for all SRB users under that administrative domain (that is, in that SRB Zone). Thus extra care is needed for the Administrator accounts.
Even GSI is vulnerable if a client host is compromised. With root access, or access as a particular user, the temporary delegation certificates that are generated via the grid-proxy-init command could be copied and used for a certain period (typically a few hours), allowing the attacker to masquerade as the user. In addition, there are attacks in which keystrokes are recorded; these could provide the certificate private key passphrase, which, combined with access to the certificate file, would give the attacker full access to the SRB account.
Other SRB authentication mechanisms would also be vulnerable on compromised client hosts. With ENCRYPT1, root or particular user access would make available the account password as stored in the .MdasAuth file. We plan to improve the security of the .MdasAuth contents in the near future, perhaps with routines to scramble the password in a manner that would make it harder to decode (via obfuscation techniques). But with SRB source code, or a keystroke record, it too could be compromised.
Basically, if root is compromised, any software may be vulnerable, as various system utilities and functions can be subverted. This means that only the more secure client hosts should be used for SRB Administrator access.
Unfortunately, most system administrators are slow to install security patches. See the paper "Security holes... Who cares?" and/or the summary Slides.
Today, network security continues to be a primary concern for wide-area, and in many cases local-area, communications. One needs to assume that network packet data is easily acquired. But encryption-based utilities and libraries, such as SSH and OpenSSL, prevent this from being a problem.
The SRB Encrypt1 and GSI authentication protocols cannot be easily broken even if every packet is observed. Encrypt1 uses a one-way hash using the password and a challenge value (sending only this hash back to the server to be verified). And GSI uses the elaborate X.509 certificate-based protocol via OpenSSL and ultimately RSA public/private keys.
If a site is using Encrypt1, though, users will be storing their SRB passwords in their ~/.srb/.MdasAuth files. If root is compromised, then their passwords are accessible. In addition, if their home directory is NFS mounted (as is commonly done), the NFS data packets sent while accessing .MdasAuth will contain the plain-text passwords, making them vulnerable. We are working on a solution to reduce this risk via SRB 'obfuscation' routines that will store these as non-plain-text, which would be difficult to convert to plain-text without SRB source.
A similar vulnerability exists when Encrypt1 users run Spasswd to change their password: the SRB client/server protocol message transfers the new password as plain-text data. Again, we are planning to improve this via some 'obfuscation' routines.
Although SRB does not currently support Kerberos or DCE user authentication, such functionality could be added if needed. Both Kerberos and DCE authentication are similar to GSI and ENCRYPT1 in that they provide network-secure authentication capabilities. The SRB GSI authentication is handled by a library, called AID, that provides a simple API to the other SRB routines and then interfaces to the GSI library. The GSI library presents a standard (and fairly complicated) API, the GSSAPI (Generic Security Services Application Programming Interface). The AID library at one time also supported Kerberos and DCE user authentication (also via GSSAPI), so it should be fairly straightforward to revive this and integrate it into SRB.
The SRB system is only as secure as the MCAT. So you need to install and operate your DBMS system in a secure manner, with only securely-authenticated access. PostgreSQL and Sybase provide challenge/response systems for secure network authentication. And Oracle provides multiple secure authentication systems including PKI, Kerberos and SSL. This SRB MCAT-enabled server to DBMS authentication will be either within the same host or across a LAN, so is less vulnerable than WAN traffic may be.
There are various software tools available to obfuscate or encrypt the database contents. These are either part of the DBMS system itself or are add-on components. The freely-available PostgreSQL has a number of encryption options available. See the PostgreSQL FAQ. Depending on your DBMS preference, you should investigate the options available for it.
The MdasConfig, within the SRB-installation/data directory, contains the information needed to access the MCAT instance, including the password for the more secure DBMS systems. This file will be installed with Unix permissions that prohibit group or other access. To be more secure, this should be stored on a local file system rather than an NFS file system so that the contents are not transmitted on the local network as part of the NFS protocol. You should make sure that the corresponding file where you built the SRB is also protected, normally at a higher-level directory.
The MCAT database should be backed up frequently (via DBMS mechanisms), primarily to recover in the event of hardware or software failures, and also to improve security. These backups provide snapshots in time of the SRB state, and comparisons of them could detect unauthorized changes. For example, if checksums are being maintained (see below), an undetected unauthorized update to a data object is only possible by both inserting changed data on the storage resource and updating the corresponding MCAT checksum. Occasional comparisons of the MCAT data object checksums would detect changed values. You may want to secure some of these backups on off-line and/or write-once media.
Generally, the commercial DBMS systems are likely to provide more security than the open source ones. Oracle would be a good choice.
But like any other piece of software, buffer-overflow problems like this can occur (more frequently than we would like). The important thing is to fix the problem soon after it is discovered and this was done for OpenSSL. Being open source is generally a security asset, although more attacks may be attempted.
Like other software components that are part of a secure system, the administrator must be aware of new problems as they are discovered and install the patched versions once they are released.
The CA Policy document describes various aspects of how the CA is run and what the certificates issued by that CA mean.
In addition to user authentication, CA digital signatures are often applied to applets so that they can operate outside of the Java virtual machine sandbox. See the SDSC Applet setup page.
UMIACS is implementing a simplified web-based CA, embedded into a larger Web application in which the creation, verification and revocation of the certificates will be largely automated and hidden under the hood. The CA part is based on the Bouncy Castle Crypto API and makes use of the standard X.509 certificate protocol (in a way, it is very similar to the related parts of the Globus Toolkit). This is a Java application and Bouncy Castle is a pure Java implementation of the SSL cryptography library.
The SDSC CA system known as 'CACL' is an on-line CA that will automatically issue certificates to users once they confirm their password on the host system. It is based on OpenSSL CA software, with client and server scripts to integrate the components. This, in various forms, has been in production at SDSC/NPACI since 2000. There is also a recently-developed installation package for CACL (including source code, configuration files, documentation, and an installation script) and a number of sites outside of SDSC have installed it, including NARA.
In general, it is better to use more mature cryptography software, since the verification of proper functioning is a much more involved process than typical software requires. Just verifying basic functionality is a good start, but it must be followed up with a careful analysis that the software actually resists various attacks. Since the OpenSSL software has been around longer and reviewed, tested and challenged by more people, it has a somewhat higher level of trustworthiness than Bouncy Castle. On the other hand, Bouncy Castle is probably quite reliable too.
The question as to which of these or other CA packages to operate depends on many factors, the most significant of which relate to the site's model of use; that is, exactly how they wish to run the CA to support the functions they need, and how the CA packages address those particular needs.
    % pwd
    /usr/local/apps/nmi-2.1/share/certificates
    % ls -lt
    total 26
    -r--r--r-- 1 globus install 244 Aug 21 2003 4a6cd8b1.signing_policy
    -r--r--r-- 1 globus install 1574 Jul 7 2003 4a6cd8b1.0
    -r--r--r-- 1 globus install 3458 Aug 19 2002 README
    -r--r--r-- 1 globus install 806 Aug 9 2002 42864e48.0
    -r--r--r-- 1 globus install 209 Aug 9 2002 42864e48.signing_policy
    -r--r--r-- 1 globus install 1298 Aug 9 2002 5aba75cb.0
    -r--r--r-- 1 globus install 224 Aug 9 2002 5aba75cb.signing_policy
    -r--r--r-- 1 globus install 952 Aug 9 2002 6349a761.0
    -r--r--r-- 1 globus install 336 Aug 9 2002 6349a761.signing_policy
    -r--r--r-- 1 globus install 1261 Aug 9 2002 a7792cdb.0
    -r--r--r-- 1 globus install 185 Aug 9 2002 a7792cdb.signing_policy
    -r--r--r-- 1 globus install 1419 Aug 9 2002 b2cb8d2c.0
    -r--r--r-- 1 globus install 266 Aug 9 2002 b2cb8d2c.signing_policy
    -r--r--r-- 1 globus install 1452 Aug 9 2002 b89793e4.0
    -r--r--r-- 1 globus install 175 Aug 9 2002 b89793e4.signing_policy
    -r--r--r-- 1 globus install 1440 Aug 9 2002 bc82f877.0
    -r--r--r-- 1 globus install 259 Aug 9 2002 bc82f877.signing_policy
    % ls -ltd
    drwxr-sr-x 2 globus install 1024 Feb 18 16:51 ./

So at SDSC, the 'globus' login account owns this directory and only it and root can update these files. It would also be worthwhile to keep a paper printout of the file names and checksums of these files, and to periodically check them.
If you wish to add another CA to your set, you need to install the CA's certificate and policy file to this directory. Once that is done, users with certificates issued by that CA will be able to authenticate. Thus you need to be sure that this CA is reliable and that the certificate does actually match the CA you wish to trust.
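The periodic check suggested above can be automated. The following is an added example, not part of the SRB or Globus distributions: it records a SHA-256 baseline of the trusted-CA directory, then reports added, removed or changed files, CA certificates without a matching policy file, and anything writable by group or other. The function names, the use of SHA-256 and the sample file contents are assumptions made for the illustration.

```python
import hashlib
import os
import stat
import tempfile


def build_manifest(cert_dir):
    """Map each regular file name in cert_dir to the SHA-256 of its contents."""
    manifest = {}
    for name in sorted(os.listdir(cert_dir)):
        path = os.path.join(cert_dir, name)
        if stat.S_ISREG(os.lstat(path).st_mode):
            with open(path, "rb") as fh:
                manifest[name] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def audit_trust_dir(cert_dir, baseline):
    """Return findings for cert_dir relative to a previously recorded baseline."""
    findings = []
    current = build_manifest(cert_dir)
    for name in sorted(set(baseline) | set(current)):
        if name not in baseline:
            findings.append("ADDED " + name)
        elif name not in current:
            findings.append("REMOVED " + name)
        elif baseline[name] != current[name]:
            findings.append("CHANGED " + name)

    # Each CA certificate (<hash>.0) should have its <hash>.signing_policy, and vice versa.
    certs = {n[:-len(".0")] for n in current if n.endswith(".0")}
    policies = {n[:-len(".signing_policy")] for n in current
                if n.endswith(".signing_policy")}
    for ca in sorted(certs ^ policies):
        findings.append("UNPAIRED " + ca)

    # Only the owning account (and root) should be able to update the directory.
    write_bits = stat.S_IWGRP | stat.S_IWOTH
    if os.stat(cert_dir).st_mode & write_bits:
        findings.append("DIR-WRITABLE " + cert_dir)
    for name in sorted(os.listdir(cert_dir)):
        mode = os.lstat(os.path.join(cert_dir, name)).st_mode
        if not stat.S_ISREG(mode):
            findings.append("NOT-REGULAR " + name)
        elif mode & write_bits:
            findings.append("FILE-WRITABLE " + name)
    return findings


def make_sample_dir():
    """Constructed sample: one CA's certificate and policy file, placeholder contents."""
    cert_dir = tempfile.mkdtemp(prefix="certificates-")
    os.chmod(cert_dir, 0o755)
    for name, body in (("4a6cd8b1.0", b"placeholder certificate\n"),
                       ("4a6cd8b1.signing_policy", b"placeholder policy\n")):
        path = os.path.join(cert_dir, name)
        with open(path, "wb") as fh:
            fh.write(body)
        os.chmod(path, 0o444)
    return cert_dir


if __name__ == "__main__":
    d = make_sample_dir()
    baseline = build_manifest(d)           # record once and keep a copy off the host
    extra = os.path.join(d, "0badc0de.0")  # constructed name: a certificate nobody approved
    with open(extra, "wb") as fh:
        fh.write(b"unexpected certificate\n")
    os.chmod(extra, 0o664)
    for finding in audit_trust_dir(d, baseline):
        print(finding)
```

The baseline is only useful if it is stored where an intruder on the host cannot rewrite it, which is the purpose of the paper printout mentioned above.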
The user certificates are verified by checking the digital signatures. These are based on RSA public/private key encryption. When a user certificate is issued, the CA signs the certificate by accessing the CA's private key to generate a value to be included in the certificate. When the user's certificate is verified, the software gets the CA's public key out of the CA's certificate (by accessing the directory on the local computer), then decrypts and confirms the value, making it highly likely that the CA's private key was accessed in creating the user's certificate.
The SRB does maintain some information that can be utilized to discover problems if a resource is compromised. In some cases, the SRB MCAT will maintain a checksum that can be compared with the checksum of the data in the resource. Also, the SRB might replicate data to other resources, and it would be possible to compare collections across resources. And if the SRB Data Encryption system is being used, changes in the data would be detected upon being read, and the resource attackers would (likely) need SRB metadata to decrypt the data. But, in general, a compromised resource would be a serious problem and could result in undetected access and modification of data.
When an SRB server authenticates to a resource system, it needs to utilize an available "credential" of some sort to securely identify the process as the user "SRB". For HPSS, for example, this may be a DCE credential that is available on the local machine. To be more secure, this should be stored on a local file system rather than an NFS file system so that the contents are not transmitted on the network. It should be kept with permissions allowing only the SRB user access. And, of course, the SRB server host OS needs to be secure to prevent others from gaining root access and therefore access to the credentials.
Of course, the SRB is dependent on the reliability of the resource as well as its security. If data objects are lost by the resource, they will be lost by the SRB, unless they are replicated to another resource.
If we are using GSI authentication between servers, then we could periodically log in and run a 'grid-proxy-init', but such a manual operation is unreliable. We could create a long-lasting proxy certificate via 'grid-proxy-init', but that is essentially the same thing as a plain-text password, as intercepting the credential would give long-term access. We could run a script to run grid-proxy-init daily, but that would require a password in a file anyway.
What we usually do is create an unencrypted private key (the one that goes with the public key in the certificate), and configure the server to access those. This is essentially a plain-text password, though, and so care must be taken to prevent the disclosure of the contents of this file.
If we are not using GSI, we normally use ENCRYPT1, with a plain-text password in the .MdasAuth file. Thus care must be taken with this file too.
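The handling rules given for the secret-bearing files discussed so far (MdasConfig, .MdasAuth, resource credentials and unencrypted private keys) come down to two checks: no group or other access, and a local rather than NFS file system. The following is an added example, not SRB code, that applies both checks; the function names, the sample mount table and the sample paths are constructed for the illustration, and the live check assumes a Linux host with /proc/mounts.

```python
import os
import stat

NETWORK_FS = {"nfs", "nfs4"}


def parse_mounts(text):
    """Parse /proc/mounts-style lines into (mount_point, fstype) pairs."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            mounts.append((fields[1], fields[2]))
    return mounts


def fstype_for(path, mounts):
    """File-system type of the longest mount point that contains path."""
    best_point, best_type = "", None
    for mount_point, fstype in mounts:
        prefix = mount_point.rstrip("/") + "/"
        inside = path == mount_point or path.startswith(prefix)
        if inside and len(mount_point) >= len(best_point):
            best_point, best_type = mount_point, fstype
    return best_type


def check_secret_file(path, mode, mounts):
    """Findings for one secret-bearing file, given its path, st_mode and the mount table."""
    findings = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("group/other access (mode %o)" % stat.S_IMODE(mode))
    fstype = fstype_for(path, mounts)
    if fstype in NETWORK_FS:
        findings.append("on %s: contents cross the network when read" % fstype)
    return findings


def audit_live(paths, mounts_file="/proc/mounts"):
    """Run the same checks against real files (Linux: reads /proc/mounts)."""
    with open(mounts_file) as fh:
        mounts = parse_mounts(fh.read())
    report = {}
    for p in paths:
        real = os.path.realpath(os.path.expanduser(p))
        report[p] = check_secret_file(real, os.stat(real).st_mode, mounts)
    return report


# Constructed sample data: a mount table with NFS home directories, and two files.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw 0 0
filer:/export/home /home nfs rw,hard,intr 0 0
/dev/sda3 /usr/local ext3 rw 0 0
"""
SAMPLE_FILES = [
    ("/home/alice/.srb/.MdasAuth", 0o100644),      # assumed user and mode
    ("/usr/local/srb/data/MdasConfig", 0o100600),  # assumed install location
]


def sample_report():
    """Apply the checks to the constructed sample above."""
    mounts = parse_mounts(SAMPLE_MOUNTS)
    return {path: check_secret_file(path, mode, mounts)
            for path, mode in SAMPLE_FILES}


if __name__ == "__main__":
    for path, findings in sample_report().items():
        print(path, "->", findings or "ok")
```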
An improved solution under development is the use of GSI delegation certificates. Instead of server-to-server authentication, a proxy certificate from the user is passed to server A and from there to server B. Server B will then authenticate the user's proxy certificate without having to verify A's identity. Such a system was developed in early 2004 by Ananta Manandhar of the CLRC e-Science Centre in the UK, in collaboration with the SRB team. But it is not currently fully integrated such that server-to-server authentication could be bypassed. GSI is somewhat slower than ENCRYPT1 authentication, particularly with delegation, but on most machines will be completed in under a second.
When using GSI, users will generate delegation certificates for the SRB server to use on their behalf. This, in effect, proves to the server in the remote zone that the user is who they say they are, instead of relying on the server's authentication entirely. Also, these delegation certificates can be passed on to other SRB servers to operate on the user's behalf (for a limited time). Some operations will continue to require remote administrator privilege, in which case the normal server-to-server authentication will be invoked too.
We are also implementing a similar mechanism for ENCRYPT1 authentication. The secondary SRB server (cross Zone) will request further authentication back to the client, providing a new challenge value for the client to respond to. In this way, the remote server is sure to be dealing with a process that has access to the user's password.
Some key features include:
This encryption system is also quite flexible and could be extended in various forms as needed.
Note that the keys are stored "plain-text" in the MCAT, so the security of the MCAT is important (of course, it always is). See the above MCAT section for more information.
The Sput command will have two options to store a file checksum:
    -k  client checksum mode. Client computes simple checksum (sum -s, --sysv) of the local file and registers with MCAT. No verification is done on the server side.
    -K  checksum verification mode. After the transfer, the server computes the checksum by reading back the file that was just stored. This value is then compared with the source checksum value provided by the client for verification. This verified checksum value is then registered with MCAT.
Sbload will also be able to generate checksums.
The Sget command has a corresponding option to verify those checksums:
    -k  checksum mode. Retrieves simple checksum (sum -s, --sysv) from the MCAT, retrieves the file, computes its checksum and compares both checksums.
And the new Schksum utility will perform server-side checksum operations on one or more existing files stored in the SRB space. If the input is a collection and the -r option is specified, a recursive checksum will be carried out for all files in the collection and subcollections. Options will be:
    -f  force mode. Forces the computation and registration of checksum.
    -c  verification mode. Computes checksum without registering. Verifies newly computed values with the MCAT values.
    -l  list mode. Lists the checksum values stored in MCAT.
    -r  recursively checksum files in the collection and subcollections.
    -n replNum  checksum only the replica with replica number replNum.
This checksum capability can be used to increase the confidence of achieving successful transfers, above and beyond the tcp/ip protocol protections.
In addition, they can be used to increase the security of the SRB system. If the physical image of a particular file has been corrupted or modified in an unauthorized manner, the Schksum and Sget commands will be able to detect it, as long as the MCAT is secure (see above).
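To make the checksum modes concrete, the following added example (not SRB code) implements the `sum -s` / `sum --sysv` algorithm named in the option descriptions, models the difference between the -k and -K modes of Sput, and then reports which kinds of change to a stored copy a later verification pass flags. SHA-256 appears only as a comparison point and is not an SRB option described here; the sample record, the faulty store and the outcome of a failed -K check (nothing registered) are assumptions of the model.

```python
import hashlib


def sysv_sum(data):
    """Checksum printed by `sum -s` / `sum --sysv`: add every byte, fold to 16 bits."""
    s = sum(data) & 0xFFFFFFFF
    r = (s & 0xFFFF) + (s >> 16)
    return (r & 0xFFFF) + (r >> 16)


def sha256_hex(data):
    """Cryptographic digest, used here only for comparison."""
    return hashlib.sha256(data).hexdigest()


def sput(data, store, mode):
    """Model of Sput -k and -K. `store` writes the bytes and returns what the
    resource holds afterwards. Returns the checksum registered in the catalog,
    or None when the -K read-back disagrees (assumed outcome of a failed check)."""
    client_sum = sysv_sum(data)
    stored = store(data)
    if mode == "K" and sysv_sum(stored) != client_sum:
        return None
    return client_sum


def verify(stored, registered, checksum=sysv_sum):
    """Model of Sget -k / Schksum -c: recompute over the stored bytes and compare."""
    return checksum(stored) == registered


# Constructed sample data object and altered copies of it.
ORIGINAL = b"record=0019 value=7200\n"
CASES = {
    "truncated": ORIGINAL[:-6],                       # transfer cut short
    "one byte changed": b"record=0019 value=7201\n",
    "bytes reordered": b"record=0091 value=7200\n",   # same bytes, different order
}


def survey():
    """For each altered copy: (flagged by sum -s, flagged by SHA-256)."""
    reg_sysv, reg_sha = sysv_sum(ORIGINAL), sha256_hex(ORIGINAL)
    return {label: (not verify(copy, reg_sysv),
                    not verify(copy, reg_sha, sha256_hex))
            for label, copy in CASES.items()}


def faulty_store(data):
    """Constructed faulty resource that drops the final byte of what it is given."""
    return data[:-1]


if __name__ == "__main__":
    print("sum -s value of b'abc\\n':", sysv_sum(b"abc\n"))
    print("-k registers:", sput(ORIGINAL, faulty_store, "k"))
    print("-K registers:", sput(ORIGINAL, faulty_store, "K"))
    for label, flags in survey().items():
        print(label, flags)
```

Because the sum is additive and 16 bits wide, it flags truncation and single-byte damage but not a rearrangement of the same bytes, so it is best treated as a transfer-integrity check; a cryptographic digest flags all three cases.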
For the SRB, in versions 1.x and 2.x, there were risks presented by the server authentication credentials. There was a single MCAT-enabled server for each SRB system, and each server in that grid would need to authenticate as the (or one of the) SRB administrators. Thus if a site were compromised, and the credentials retrieved at one site, the attacker could compromise the entire SRB space of that SRB grid.
For zoneSRB (SRB version 3.0 and beyond), the federation of multiple zones eliminates that problem. Instead of a single SRB administrator (with 'root'-like powers), there are now administrators for each Zone in a Federation, with limited capabilities in remote zones. An SRB server in a Zone that is remote to the local SRB server will authenticate as the administrator in the remote Zone and then be allowed to authenticate users within that remote zone, but little else. Thus a compromise of one Zone will put at risk the data objects owned by users of that Zone, but not the entire Federation of Zones.
Besides this administrator authentication issue, there is little to be concerned about in regards to other SRB systems. The emphasis in computer security is primarily to protect oneself from outside attack. By taking the steps outlined in this document, your local SRB system will be protected, even from remote SRB systems, for the most part.
Of course, there could be situations where a denial-of-service type of attack could be mounted from a remote SRB system. If a rogue SRB system were to generate a huge number of connections to another SRB Zone, it could prevent that SRB Zone system from responding to legitimate requests. But such an attack could be mounted from any internet host by simply running a massive number of processes connecting to the SRB host and port. And the results are 'only' to bring the system down, not to modify or intercept information.
The SRB is very safe in all aspects of these. Installing the SRB clients or servers presents essentially no risk to the hosting computer or the network on which it resides.
For any software package, one first needs to have some level of assurance that this software is actually the software you expect it to be, without any form of malicious software (malware) included (spyware, viruses, distributed denial of service (DDoS) attack software, etc). The SRB software is very safe in this regard for a number of reasons. Since it is normally distributed as source in PGP or OpenSSL-Blowfish encrypted tar files, if you received the release decryption password from us, you can be certain that the tar file is our release. Since you are building it from source, it would be difficult for malware to have been inserted within it (someone would notice).
If you download pre-built software from our web site (certain SRB clients), the main concern is that you are actually accessing SDSC's web pages. It is possible to corrupt the network host lookup system (Domain Name System (DNS)) such that the download site (under www.npaci.edu) that your browser connects to is not the real one, and the software could be malware. But the risk of this type of attack is low, with the SRB software presenting no greater risk than software from other reputable internet sites. It would be possible to digitally sign binary files should this become a problem.
A large collection of very serious security concerns are raised if a software package requires root access, but the SRB avoids these completely by running exclusively as non-root users. Since root processes have unlimited privileges, malware or a compromise could result in a cascade of security problems. A buffer-overflow exploit could insert malware into commonly used system utilities ('ls', for example) compromising every account on the system. For this reason, any root-level software needs to be very carefully analyzed, and engineers attempt to limit the code that executes at root.
Since the SRB servers run as non-root users, the possible compromise of that server (which, as explained, is itself very unlikely) would only provide access as that user. An OS is designed to protect itself from most anything non-root users can do and thus would be quite safe.
As described in Social Engineering Fundamentals, Part I: Hacker Tactics, social engineering is generally a hacker's clever manipulation of the natural human tendency to trust. Their example begins with: "One morning a few years back, a group of strangers walked into a large shipping firm and walked out with access to the firm's entire corporate network. How did they do it? By obtaining small amounts of access, bit by bit, from a number of different employees in that firm. First, they did research about the company for two days before even attempting to set foot on the premises. For example, they learned key employees' names by calling HR. Next, they pretended to lose their key to the front door, and a man let them in. Then they 'lost' their identity badges when entering the third floor secured area, smiled, and a friendly employee opened the door for them." Please see the article for more, as it is a good example of these types of attacks.
As described in Social Engineering, "A classic social engineering trick is for a hacker to send email claiming to be a system administrator. The hacker will claim to need your password for some important system administration work, and ask you to email it to him/her. As we explain later, it's possible for a hacker to forge email, making it look like it came from somebody you know to be a legitimate system administrator. Often the hacker will send this message to every user on a system, hoping that one or two users will fall for the trick."
Today, the email attack is largely ineffective, but similar types of social engineering present major vulnerabilities.
A recent San Diego ComputorEdge article, "Social Engineering: Hacking People" (see page 12 of the PDF file), describes two of the most common social-engineering attacks. The first involves convincing a user to disclose his or her user ID and password by appearing to be someone from the support team, and the other is impersonating a legitimate employee.
Also see Bruce Schneier's excellent article, "Semantic Attacks: The Third Wave of Network Attacks".
These are examples of how systems that may be strong in other respects (say, cryptographically) can be subverted via alternative means. Sometimes the weakest links can be people, via their expectations that others are trustworthy.
As described in Linux Security -- Social Engineering, there are three main rules to protect against many of these types of attacks: