1 / 29

NCSA CyberSecurity Research and Development

NCSA CyberSecurity Research and Development. http://security.ncsa.uiuc.edu/research/. NCSA Security Research and Development. Part of National Center for Supercomputing Applications at the University of Illinois Ten person team of researchers and developers Funding from NSF and ONR

Download Presentation

NCSA CyberSecurity Research and Development

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. NCSA CyberSecurityResearch and Development http://security.ncsa.uiuc.edu/research/

  2. NCSA Security Research and Development • Part of National Center for Supercomputing Applications at the University of Illinois • Ten person team of researchers and developers • Funding from NSF and ONR • Lead for the National Center for Advanced Secure Systems Research • www.ncassr.org • Part of University of Illinois Information Trust Institute • www.iti.uiuc.edu National Center for Supercomputing Applications

  3. Technology R&D SELS - Secure Email Lists Mithril - Adaptive Security for Collaborative Computing FLAIM - Log Anonymization MyProxy - Credential Management SSH Key Management GridShib - Identity Federtation for Grids TCIP - Trusted CyberInfrastructure for the Power Grid Applied Security ITTF - Illinois Terrorism Task Force Credentialing Project Security for CyberEnvironments MAEVis, Astronomy NCSA Security R&D Projects Overview National Center for Supercomputing Applications

  4. SELS: A Secure Email List Service • Provides message-level security for emails exchanged on mailing lists • Confidentiality, Integrity, and Authentication • Minimally trusted List Server • Novel feature: List Server does not get access to email plaintext • Proxy encryption techniques enable transformation of ciphertext • Development with COTS and open-source components • Integrated with GnuPG on subscriber side; no need for software installation • Integrated with Mailman on server side with easy installation and setup • Use Case Scenarios: Lists of • System administrators exchanging emails for infrastructure protection and incident response • Healthcare researchers exchanging emails on sensitive data • URL: http://sels.ncsa.uiuc.edu; contact: hkhurana@ncsa.uiuc.edu National Center for Supercomputing Applications

  5. IB-MKD: Identity Based Message Key Distribution for Secure Email • Provides encryption for emails • Novel feature: No long term public keys for end users • Knowledge of email address sufficient for encryption • Domain Based Administration • Trusted Key Distribution Center (KDC) distributes message keys to domain users • Leverages DNS for key distribution • KDC public keys distributed via DNS using Yahoo’s domainkey technology • S/MIME based implementation • Minor modifications to S/MIME using Java/Bouncycastle library • URL: http://www.ncsa.uiuc.edu/People/hkhurana/IWAP06.pdf • Contact: {hkhurana, jbasney}@ncsa.uiuc.edu National Center for Supercomputing Applications

  6. MITHRIL • Collaboration between NCSA, PNNL, NRL CCS • Development of mechanisms for adaptable security for open, collaborative computing systems • Maximize usability while allowing rapid, automated response to security incidents • Four sub-components: • Credentials Management, SELS • See slides elsewhere • Continuous Mouse Biometrics • Intrusion Detection and Response system • Contact: Von Welch vwelch@ncsa.uiuc.edu • http://www.ncsa.uiuc.edu/People/hkhurana/WENS06.pdf National Center for Supercomputing Applications

  7. Mithril: Computer Mouse Biometrics • Project lead by PNNL • Detects unauthorized users at console by building profile of authorized user’s biometric mouse movement patterns • Can analyze and detect changes in pattern in near-real time • Contact: Doug Schultz douglas.schulz@pnl.gov National Center for Supercomputing Applications

  8. Mithril: Intrusion Detection and Response System • Detect, correlate and respond to incidents • Differentiate between isolated incidents and sustained attacks • Built from open-source components: • Prelude, SEC, cfEngine • TattleTale: NCSA-developed process monitoring system to detect illicit privileged access National Center for Supercomputing Applications

  9. Network/System/Audit Log Anonymization • NCSA produces ~5 GBytes of logs per day. • Real-world logs are useful for investigations, education, testing of tools, and network/security research. • However, real-world logs often contain sensitive information. • Privacy issues exist for both the individual users and the organization. • Network topology could be useful to attackers. • Services running on machines and trust relationships between systems could be useful to attackers. National Center for Supercomputing Applications

  10. FLAIM – Framework for Log Anonymization and Information Management Solution – Anonymization to meet the needs of both parties • Data owner is concerned with privacy/security • Analyst is concerned with information loss • FLAIM has a rich policy language expressive enough to often define policies that meet needs of both • E.g., one can obscure IP addresses, but preserve the subnet structure for networking researchers • FLAIM is very flexible • Modular, allowing I/O modules for multiple logs to be built • Plethora of anonymization primitives to apply to many fields • http://flaim.ncsa.uiuc.edu/flaim.html National Center for Supercomputing Applications

  11. FLAIM – Into the future • Analyze trade-offs between information loss and privacy • Create a metric of log utility and analyze effect of anonymization on metric. • Create a metric of the strength of an anonymization scheme. • We can move beyond computer/network logs • Reuse the anonymization engine and policy engine, a.ka. FLAIM-Core. • Module API is flexible enough to support any data in a record/field format. National Center for Supercomputing Applications

  12. Credential Management • Users are poor at managing electronic credentials such as digital keys • Hardware tokens are one solution • But not always available • E.g. different system platforms in science communities • Credential Management allows for these credentials to be managed for the user • By profession IT staff in secure machine rooms • Provide control and monitoring over credential use National Center for Supercomputing Applications

  13. MyProxy • Open Source software for managing PKI credentials • Online CA issues short-lived certificates • Online credential repository securely stores PKI credentials • Supports many authentication methods:passphrase, certificate, PAM, SASL, Kerberos, OTP • Integrates with job managers for automated credential renewal • Distributed in Globus Toolkit, VDT, NMI, CoG Kits, TG CTSS, and Univa Globus Enterprise • MyProxy on TeraGrid • MyProxy CA provides certificates to users via User Portal Login • User Portal and Ticket System use MyProxy authentication • MyProxy integrates with Science Gateway web portals • For more information • http://myproxy.ncsa.uiuc.edu/ • Contact: jbasney@ncsa.uiuc.edu Used by TeraGrid LCG FusionGridPRAGMAEGEE ESG LNCC CCG OSG and others… National Center for Supercomputing Applications

  14. Secure Shell Key Management • Secure Shell (SSH) is common way to access high-end resources at NCSA • User managed RSA keys a common, easy authentication mechanism • But these keys get easily stolen, shared • Solution: Manage RSA keys centrally, allow user access through standard SSH Remote Agent protocol and tools • Contact: jbasney@ncsa.uiuc.edu National Center for Supercomputing Applications

  15. SSH Key Management • SSH Key Server • Maintains private RSA keys Client Authenticates via site mechanisms e.g. Kerberos, OTP Public Key Distribution Client accesses private RSA key via ssh-agent Compute Resource RSA-authenticated access National Center for Supercomputing Applications

  16. GSI-OpenSSH • Modified version of OpenSSH supporting X.509 authentication and proxy delegation • Provides a single sign-on remote login and file transfer service • Included in Globus Toolkit, VDT, NMI, TG CTSS • Standards-based • RFC 3820: X.509 Proxy Certificates • RFC 4462: GSSAPI for SSH • For more information: • http://grid.ncsa.uiuc.edu/ssh/ • Contact: jbasney@ncsa.uiuc.edu Used by TeraGrid UK NGS NRC Canada LSC DataGrid INRIA NMI B&T TIGRE and others… National Center for Supercomputing Applications

  17. NCASSR PKI Testbed • Equipment: • Servers, laptops, workstations, and PDAs • Contact and contactless smartcards and readers • Secure co-processors for credential servers • Fingerprint readers • Supporting: • ITTF smartcard credentialing project • Hardware-secured credential repositories • Smartcard authentication for grids and HPC • For more information: • http://pkilab.ncsa.uiuc.edu/ • Contact: jmuggli@ncsa.uiuc.edu National Center for Supercomputing Applications

  18. Trusted CyberInfrastructurefor Power Grids (TCIP) • NSF CyberTrust center at Illinois Trust Institute • Additional funding from DOE, DHS • Partners: Dartmouth, Washington State, Cornell • Addressing security challenges motivated by our national power grid • http://tcip.iti.uiuc.edu National Center for Supercomputing Applications

  19. TCIP: Emergency Credentialing and Authorization (NCSA Focus) • Real-time power grid operations requires real-time data access to understand and prevent system faults • But, day-to-day data access regulated by policy and competition • Solution is to allow for short-term credentialing of operators to allow for emergency authorization for data access • Combine with strong auditing for post-emergency validation • Investigate methods for determining when emergency occurs and proper changes to authorization policy to allow for prevention of system failure • Contact: {vwelch,hkhurana}@ncsa.uiuc.edu National Center for Supercomputing Applications

  20. GridShib: Grid-Shibboleth Integration • Integration of Internet2’s Shibboleth with Computational Grids via the Globus Toolkit • Allow for use of Campus Identity Management for Grid Authentication and Authorization • Allow leveraging of Shibboleth software and deployments to support Grids • Utilizing Web Services security standards (SAML) • Contact: Von Welch • vwelch@ncsa.uiuc.edu • http://gridshib.globus.org National Center for Supercomputing Applications

  21. NCASSR CyberCrime Investigation Environment • CyberCrime incidents typically span multiple systems, domains and even continents • Investigative teams comprise multiple individuals from multiple sites and have complex data management and analysis requirements National Center for Supercomputing Applications

  22. NCASSR CyberCrime Investigation Environment • We are developing a environment to facilitate this distributed investigations • Includes facilities for data management, anonymization, sharing and analysis • Plus components for collaboration • All contained in a secured collaboration environment • Contact: {rbutler,vwelch}@ncsa.uiuc.edu National Center for Supercomputing Applications

  23. Illinois Terrorism Task Force http://www.illinois.gov/security/ittf/ • Mission • Created May 2000 to implement a comprehensive coordinated strategy for domestic preparedness in the state of Illinois, bringing together agencies, organizations, and associations representing all disciplines in the war against terrorism. • Members include: • American Red Cross • Associated Fire Fighters of Illinois • FBI • Illinois Governor’s Office • Illinois State Police • U.S. Attorney’s Office • FEMA (Region V) National Center for Supercomputing Applications

  24. + ITTF Credentialing Project • Goal: Pre-issue credentials to incident responders for identification and tracking at the incident perimeter • Smartcards printed with photo ID • Electronic authentication includes: • Fingerprint biometric • Identity certificate issued by State of Illinois PKI • Cross-certified with Federal Bridge CA • Signed certifications (team, weapons, hazmat) National Center for Supercomputing Applications

  25. ITTF Credentialing Project • 5,000 initial credentials for pilot project • Plan to grow to 100,000 credentials • Every Illinois firefighter, police officer, EMT • Pre-certified volunteers (Red Cross, etc.) • Designed for general-purpose use state-wide • Secure building and computer system access • Interoperability with Federal standards • Partners: UIC Contact: jbasney@ncsa.uiuc.edu National Center for Supercomputing Applications

  26. Astronomy (LSST / NVO / DES) • Communities: LSST, NVO, DES, IVOA, NOAO, NRAO, STSCI • Need: Grid Security Solution for a Portal Environment • Distinguishing Features/Requirements • Inter-DNS-Domain Single Sign-On (SSO) Across Portals • Interoperability Across Multiple Grid Security Domains • Limit Trust of Portal Servers • Preserve Options/Flexibility for Power Users • Our Work • Security Architecture for Astronomy Community • Implementation of Working Prototype • Key Software Components Used • MyProxy, Pubcookie, PURSe • Contact: mfreemon@ncsa.uiuc.edu National Center for Supercomputing Applications

  27. MAEViz Portal Single Sign-on • Complex environment with web portal (Sakai), java web start applications and back-end services • Provided Grid-enabled single sign-on based on MyProxy across all components http://grid.ncsa.uiuc.edu/papers/sws-myproxy-jws.pdf National Center for Supercomputing Applications

  28. Security for Large Collaborative Compute Infrastructures (LCCIs) • Provides a set of requirements for securing LCCIs • Example LCCIs: TeraGrid, LHC Grid, GENI • Risk and threat analysis • Identification of unique and magnified threats to LCCIs • Exploration of security policies and procedures • Prevention, detection, and response • Collaboration among sites crucial for security • Identification of requirements • Security architecture, agreements, implementation plan, management authority • URL: http://www.ncsa.uiuc.edu/People/hkhurana/TrustColFinal.pdf; contact: {hkhurana, jbasney, vwelch}@ncsa.uiuc.edu National Center for Supercomputing Applications

  29. Software Protection Adoptability Study • ITI and SAIC are working with the Software Protection Center (SPC) at Wright-Patterson Air Force Base to study how use of software protection technology may affect work-flow, and impact adoptability of that technology by its targeted customers. • This project is funded through the Software Protection Initiative, whose mission is to prevent the unauthorized distribution and exploitation of application software critical to national security. • Contact: vwelch@ncsa.uiuc.edu National Center for Supercomputing Applications

More Related