
    Authentication and Authorization Considerations for a Multi-tenant Service

    Distributed cyberinfrastructure requires users (and machines) to perform some sort of authentication and authorization (together simply known as "auth"). In the early days of computing, authentication was performed with just a username and password combination, and this is still prevalent today. But during the past several years, we have seen an evolution of approaches and protocols for auth: Kerberos, SSH keys, X.509, OpenID, API keys, OAuth, and more. Not surprisingly, there are trade-offs, both technical and social, for each approach. The NSF Science Gateway communities have had to deal with a variety of auth issues. However, most of the early gateways were rather restrictive in their model of access and development. The practice of using community credentials (certificates), a well-intentioned idea to alleviate restrictive access, still posed a barrier to researchers and challenges for security and auditing. And while the web portal-based gateway clients offered users easy access from a browser, both the interface and the back-end functionality were constrained in the flexibility and extensibility they could provide. Designing a well-defined application programming interface (API) to fine-grained, generic gateway services (on secure, hosted cyberinfrastructure), together with an auth approach that has a lower barrier to entry, will hopefully present a more welcoming environment for both users and developers. This paper provides a review and some thoughts on these topics, with a focus on the role of auth between a Science Gateway and a service provider. National Science Foundation, Grant Numbers 1339774 and 1234408.

    A Credential Store for Multi-tenant Science Gateways

    Science Gateways bridge multiple computational grids and clouds, acting as overlay cyberinfrastructure. Gateways have three logical tiers: a user-interfacing tier, a resource tier and a bridging middleware tier. Different groups may operate these tiers. This introduces three security challenges. First, the gateway middleware must manage multiple types of credentials associated with different resource providers. Second, the separation of the user interface and middleware layers means that security credentials must be securely delegated from the user interface to the middleware. Third, the same middleware may serve multiple gateways, so the middleware must correctly isolate user credentials associated with different gateways. We examine each of these three scenarios, concentrating on the requirements and implementation of the middleware layer. We propose and investigate the use of a Credential Store to solve the three security challenges.

    A Brave New World: Studies on the Deployment and Security of the Emerging IPv6 Internet.

    Recent IPv4 address exhaustion events are ushering in a new era of rapid transition to the next generation Internet protocol---IPv6. Via Internet-scale experiments and data analysis, this dissertation characterizes the adoption and security of the emerging IPv6 network. The work includes three studies, each the largest of its kind, examining various facets of the new network protocol's deployment, routing maturity, and security. The first study provides an analysis of ten years of IPv6 deployment data, including quantifying twelve metrics across ten global-scale datasets, and affording a holistic understanding of the state and recent progress of the IPv6 transition. Based on cross-dataset analysis of relative global adoption rates and across features of the protocol, we find evidence of a marked shift in the pace and nature of adoption in recent years and observe that higher-level metrics of adoption lag lower-level metrics. Next, a network telescope study covering the IPv6 address space of the majority of allocated networks provides insight into the early state of IPv6 routing. Our analyses suggest that routing of average IPv6 prefixes is less stable than that of IPv4. This instability is responsible for the majority of the captured misdirected IPv6 traffic. Observed dark (unallocated destination) IPv6 traffic shows substantial differences from the unwanted traffic seen in IPv4---in both character and scale. Finally, a third study examines the state of IPv6 network security policy. We tested a sample of 25 thousand routers and 520 thousand servers against sets of TCP and UDP ports commonly targeted by attackers. We found systemic discrepancies between intended security policy---as codified in IPv4---and deployed IPv6 policy. Such lapses in ensuring that the IPv6 network is properly managed and secured are leaving thousands of important devices more vulnerable to attack than before IPv6 was enabled. 
    Taken together, findings from our three studies suggest that IPv6 has reached a level and pace of adoption, and shows patterns of use, that indicate serious production employment of the protocol on a broad scale. However, weaker IPv6 routing and security are evident, and these are leaving early dual-stack networks less robust than the IPv4 networks they augment. PhD, Computer Science and Engineering, University of Michigan, Horace H. Rackham School of Graduate Studies. http://deepblue.lib.umich.edu/bitstream/2027.42/120689/1/jczyz_1.pd

    Internet of Things From Hype to Reality

    The Internet of Things (IoT) has gained significant mindshare, let alone attention, in academia and the industry especially over the past few years. The reasons behind this interest are the potential capabilities that IoT promises to offer. On the personal level, it paints a picture of a future world where all the things in our ambient environment are connected to the Internet and seamlessly communicate with each other to operate intelligently. The ultimate goal is to enable objects around us to efficiently sense our surroundings, inexpensively communicate, and ultimately create a better environment for us: one where everyday objects act based on what we need and like without explicit instructions.

    Assessing the technical, economic and policy-centered feasibility of a proposed satellite communication system for the developing world

    Thesis (S.M.)--Massachusetts Institute of Technology, Dept. of Aeronautics and Astronautics; and (S.M.)--Massachusetts Institute of Technology, Sloan School of Management, Technology and Policy Program, 2005. Includes bibliographical references (p. 213-217). Satellite communication systems remain one of the most underutilized development mediums in less industrialized countries. This research proposes to establish a low-cost satellite communications system tailored specifically for the developing world (±30° latitude). The technical, economic and policy-related frontiers of the problem are integrated within a MATLAB-based satellite communication constellation simulation, which is used to assess the feasibility of the proposed satellite system. The analysis demonstrates that, with technical advances that would allow higher-capacity systems at lower costs and a renewed policy framework in line with the present state of the satellite system industry, it could be feasible to establish a low earth orbit satellite communications system for the developing world. The inputs to the satellite simulation are the proposed system's desired design variables and other relevant parameters. The outputs are system performance, capacity and cost. The Pareto optimal solution trade space is generated by the simulation model using a full-factorial run that probes the entire design space. The application of choice is short messaging services (SMS), chosen for its ability to provide proven connectivity at moderate costs. The capacity and cost of the most ideal Pareto architecture is contrasted against demand in the defined developing world region. The simulation also accounts for the necessary policy considerations and assesses the feasibility of the proposed system amidst the existing industry policy and regulatory framework. Additionally, data regarding the current economic standing of the region and how this forms an underlying basis for the digital divide is presented and assessed. The policy and regulatory constraints on the acceleration of telecommunications development throughout the developing world are discussed. This thesis elaborates upon the need for a focus on design for affordability if satellite communication systems are to realize their immense potential for the delivery of needed social services to the world's marginalized. By Ayanna Terehas Samuels. S.M.

    Town of Fort Fairfield Maine Comprehensive Plan


    Spectrum Allocation Algorithms for Cognitive Radio Mesh Networks

    Empowered by cognitive radio technology, and motivated by the sporadic channel utilization, both spatially and temporally, dynamic spectrum access networks (also referred to as cognitive radio networks and next generation wireless networks) have emerged as a solution to improve spectrum utilization and provide more flexibility to wireless communication. A cognitive radio network is composed of wireless users, referred to as secondary users, which are allowed to use licensed spectrum bands as long as there are no primary (licensed) users occupying the channel in their vicinity. This restricted spectrum access strategy leads to heterogeneity in channel availability among secondary users. This heterogeneity forms a significant source of performance degradation for cognitive radio networks, and poses a great challenge to protocol design. In this dissertation, we propose spectrum allocation algorithms that take into consideration the heterogeneity property and its effect on the network performance. The spectrum allocation solutions proposed in this dissertation address three major objectives in cognitive radio mesh networks. The first objective is maximizing the network coverage, in terms of the total number of served clients, and at the same time simplifying the communication coordination function. To address this objective, we proposed a receiver-based channel allocation strategy that alleviates the need for a common control channel, thus simplifying the coordination function, and at the same time maximizes the number of clients served with link reliability guarantees. We show the superiority of the proposed allocation strategy over other existing strategies. The second objective is improving the multicast throughput to compensate for the performance degradation caused by channel heterogeneity. We proposed a scheduling algorithm that schedules multicast transmissions over both time and frequency and integrates that with the use of network coding. This algorithm achieves a significant gain, measured as the reduction in the total multicast time, as the simulation results show. We also proposed a failure recovery algorithm that can adaptively adjust the schedule in response to temporary changes in channel availability. The last objective is minimizing the effect of channel switching on the end-to-end delay and network throughput. Channel switching can be a significant source of delay and bandwidth wastage, especially if the secondary users are utilizing a wide spectrum band. To address this issue, we proposed an on-demand multicast routing algorithm for cognitive radio mesh networks based on dynamic programming. The algorithm finds the best available route in terms of end-to-end delay, taking into consideration the switching latency at individual nodes and the transmission time on different channels. We also presented the extensibility of the proposed algorithm to different routing metrics. Furthermore, a route recovery algorithm that takes into consideration the overhead of rerouting and the route cost was also proposed. The gain of these algorithms was demonstrated by simulation.