4,909 research outputs found
AliEnFS - a Linux File System for the AliEn Grid Services
Among the services offered by the AliEn (ALICE Environment
http://alien.cern.ch) Grid framework there is a virtual file catalogue to allow
transparent access to distributed data-sets using various file transfer
protocols. (AliEn File System) integrates the AliEn file catalogue as
a new file system type into the Linux kernel using LUFS, a hybrid user space
file system framework (Open Source http://lufs.sourceforge.net). LUFS uses a
special kernel interface level called VFS (Virtual File System Switch) to
communicate via a generalised file system interface to the AliEn file system
daemon. The AliEn framework is used for authentication, catalogue browsing,
file registration and read/write transfer operations. A C++ API implements the
generic file system operations. The goal of AliEnFS is to allow users easy
interactive access to a worldwide distributed virtual file system using
familiar shell commands (f.e. cp,ls,rm ...) The paper discusses general aspects
of Grid File Systems, the AliEn implementation and present and future
developments for the AliEn Grid File System.Comment: 9 pages, 12 figure
The Clarens Web Service Framework for Distributed Scientific Analysis in Grid Projects
Large scientific collaborations are moving towards service oriented architecutres for implementation and deployment of globally distributed systems. Clarens is a high performance, easy to deploy Web Service framework that supports the construction of such globally distributed systems. This paper discusses some of the core functionality of Clarens that the authors believe is important for building distributed systems based on Web Services that support scientific analysis
Analyzing the BrowserID SSO System with Primary Identity Providers Using an Expressive Model of the Web
BrowserID is a complex, real-world Single Sign-On (SSO) System for web
applications recently developed by Mozilla. It employs new HTML5 features (such
as web messaging and web storage) and cryptographic assertions to provide
decentralized login, with the intent to respect users' privacy. It can operate
in a primary and a secondary identity provider mode. While in the primary mode
BrowserID runs with arbitrary identity providers (IdPs), in the secondary mode
there is one IdP only, namely Mozilla's default IdP.
We recently proposed an expressive general model for the web infrastructure
and, based on this web model, analyzed the security of the secondary IdP mode
of BrowserID. The analysis revealed several severe vulnerabilities.
In this paper, we complement our prior work by analyzing the even more
complex primary IdP mode of BrowserID. We do not only study authentication
properties as before, but also privacy properties. During our analysis we
discovered new and practical attacks that do not apply to the secondary mode:
an identity injection attack, which violates a central authentication property
of SSO systems, and attacks that break an important privacy promise of
BrowserID and which do not seem to be fixable without a major redesign of the
system. Some of our attacks on privacy make use of a browser side channel that
has not gained a lot of attention so far.
For the authentication bug, we propose a fix and formally prove in a slight
extension of our general web model that the fixed system satisfies all the
requirements we consider. This constitutes the most complex formal analysis of
a web application based on an expressive model of the web infrastructure so
far.
As another contribution, we identify and prove important security properties
of generic web features in the extended web model to facilitate future analysis
efforts of web standards and web applications.Comment: arXiv admin note: substantial text overlap with arXiv:1403.186
PIM-Enclave: Bringing Confidential Computation Inside Memory
Demand for data-intensive workloads and confidential computing are the
prominent research directions shaping the future of cloud computing. Computer
architectures are evolving to accommodate the computing of large data better.
Protecting the computation of sensitive data is also an imperative yet
challenging objective; processor-supported secure enclaves serve as the key
element in confidential computing in the cloud. However, side-channel attacks
are threatening their security boundaries. The current processor architectures
consume a considerable portion of its cycles in moving data. Near data
computation is a promising approach that minimizes redundant data movement by
placing computation inside storage. In this paper, we present a novel design
for Processing-In-Memory (PIM) as a data-intensive workload accelerator for
confidential computing. Based on our observation that moving computation closer
to memory can achieve efficiency of computation and confidentiality of the
processed information simultaneously, we study the advantages of confidential
computing \emph{inside} memory. We then explain our security model and
programming model developed for PIM-based computation offloading. We construct
our findings into a software-hardware co-design, which we call PIM-Enclave. Our
design illustrates the advantages of PIM-based confidential computing
acceleration. Our evaluation shows PIM-Enclave can provide a side-channel
resistant secure computation offloading and run data-intensive applications
with negligible performance overhead compared to baseline PIM model
BEHAVIORAL CHARACTERIZATION OF ATTACKS ON THE REMOTE DESKTOP PROTOCOL
The Remote Desktop Protocol (RDP) is popular for enabling remote access and administration of Windows systems; however, attackers can take advantage of RDP to cause harm to critical systems using it. Detection and classification of RDP attacks is a challenge because most RDP traffic is encrypted, and it is not always clear which connections to a system are malicious after manual decryption of RDP traffic. In this research, we used open-source tools to generate and analyze RDP attack data using a power-grid honeypot under our control. We developed methods for detecting and characterizing RDP attacks through malicious signatures, Windows event log entries, and network traffic metadata. Testing and evaluation of our characterization methods on actual attack data collected by four instances of our honeypot showed that we could effectively delineate benign and malicious RDP traffic and classify the severity of RDP attacks on unprotected or misconfigured Windows systems. The classification of attack patterns and severity levels can inform defenders of adversarial behavior in RDP attacks. Our results can also help protect national critical infrastructure, including Department of Defense systems.DOE, Washington DC 20805Civilian, SFSApproved for public release. Distribution is unlimited
- …