    Fine Grained Access Control for Computational Services

    A Grid environment concerns the sharing of a large set of resources among entities that belong to Virtual Organizations. To this aim, the environment instantiates interactions among entities that belong to distinct administrative domains, that are potentially unknown to each other, and among which no trust relationship exists a priori. For instance, a grid user that provides a computational service executes unknown applications on its local computational resources on behalf of unknown grid users. In this context, the environment must provide adequate support to guarantee security in these interactions. To improve the security of the grid environment, this paper proposes to adopt a continuous usage control model to monitor accesses to grid computational services, i.e. to monitor the behaviour of the applications executed on these services on behalf of grid users. This approach requires the definition of a security policy that describes the admitted application behaviour, and the integration into the grid security infrastructure of a component that monitors the application behaviour and enforces this security policy. This paper also presents the architecture of the prototype computational service monitor we have developed, along with some performance figures and its integration into the Globus framework.

    On Usage Control for GRID Systems

    This paper introduces a formal model, an architecture and a prototype implementation for usage control on GRID systems. The usage control model (UCON) is a new access control paradigm proposed by Park and Sandhu that encompasses and extends several existing models (e.g. MAC, DAC, Bell-LaPadula, RBAC, etc.). Its main novelty lies in the continuity of access monitoring and the mutability of the attributes of subjects and objects. We identified this model as a perfect candidate for managing access/usage control in GRID systems due to their peculiarities, where continuity of control is a central issue. Here we adapt the original UCON model to develop a full model for usage control in GRID systems. We use a process description language as policy specification language and show that it is suitable to express the usage policy models of the original UCON model. We also describe a possible architecture to implement the usage control model. Moreover, we describe a prototype implementation for usage control of GRID computational services, and we show how our language can be used to define a security policy that regulates the usage of network communications to protect the local computational service from the applications that are executed on behalf of remote GRID users.

    Access and Usage Control in Grid

    Grid is a computational environment where heterogeneous resources are virtualized and outsourced to multiple users across the Internet. The increasing popularity of resource virtualization is explained by the emerging suitability of such technology for the automated execution of heavy parts of business and research processes. An efficient and flexible framework for access and usage control over Grid resources is a prominent challenge. The primary objective of this thesis is to design a novel access and usage control model providing fine-grained and continuous control over computational Grid resources. The approach takes into account the peculiarities of Grid: service-oriented architecture, long-lived interactions, heterogeneity and distribution of resources, openness and high dynamics. We tackle the access and usage control problem in Grid with the Usage CONtrol (UCON) model, which provides continuity of control and mutability of the authorization information used to make access decisions. Authorization information is formed by attributes of the resource requestor, the resource provider and the environment in which the system operates. Our access and usage control model is considered on three levels of abstraction: policy, enforcement and implementation. The policy level introduces security policies designed to specify the desired granularity of control: coarse-grained policies that manage access to and usage of Grid services, and fine-grained policies that monitor the usage of the underlying resources allocated to a particular Grid service instance. We introduce U-XACML and exploit the POLPA policy language to specify and formalize security policies. Next, the policy level presents attribute management models. Trust negotiations are applied to collect the set of attributes needed to produce access decisions. In the case of mutable attributes, a risk-aware access and usage control model is given to approximate continuous control and the timely acquisition of fresh attribute values. The enforcement level presents the architecture of the stateful reference monitor designed to enforce security policies at the coarse- and fine-grained levels of control. The implementation level presents a proof-of-concept realization of our access and usage control model in Globus Toolkit, the most widely used middleware to set up computational Grids.
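    The three abstracts above describe the same building block: a stateful reference monitor that takes a pre-decision when a grid user starts a computation, keeps re-evaluating the policy while the application runs because subject and object attributes are mutable, and checks the application's individual actions (here, outgoing network connections) against a fine-grained policy. The Python sketch below is an added illustration of that control loop, not code from any of these papers or from Globus; the attribute names, the policy fields, the event format and the choice to terminate the usage on any violation are assumptions made for the example, and no POLPA or U-XACML syntax is modelled.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    PERMIT = "permit"
    DENY = "deny"      # request refused before (or outside) a usage
    REVOKE = "revoke"  # ongoing usage terminated by the monitor


@dataclass(frozen=True)
class Policy:
    """Hypothetical policy shape (assumption): a coarse-grained part deciding who
    may start a computation, and a fine-grained part bounding what it may do."""
    allowed_roles: frozenset    # pre-authorization on a subject attribute
    max_running_jobs: int       # quota on an attribute mutated by the usage itself
    max_cpu_seconds: int        # ongoing condition on a mutable object attribute
    allowed_hosts: frozenset    # network destinations the application may open


@dataclass
class Session:
    subject: dict               # mutable subject attributes, shared with the VO view
    cpu_seconds: int = 0        # mutable attribute of the running computation
    active: bool = True
    trace: list = field(default_factory=list)


class ReferenceMonitor:
    """Stateful monitor: pre-decision at start, re-evaluation on every attribute
    change (continuity of control), and a check of every application event."""

    def __init__(self, policy: Policy):
        self.policy = policy

    def start(self, subject: dict) -> tuple[Decision, Session | None]:
        p = self.policy
        if subject.get("role") not in p.allowed_roles:
            return Decision.DENY, None
        if subject.get("running_jobs", 0) >= p.max_running_jobs:
            return Decision.DENY, None
        subject["running_jobs"] = subject.get("running_jobs", 0) + 1   # pre-update
        return Decision.PERMIT, Session(subject=subject)

    def _ongoing_ok(self, s: Session) -> bool:
        return (s.subject.get("role") in self.policy.allowed_roles
                and s.cpu_seconds <= self.policy.max_cpu_seconds)

    def _revoke(self, s: Session, reason: str) -> Decision:
        s.active = False
        s.subject["running_jobs"] -= 1                                   # post-update
        s.trace.append(("revoke", reason))
        return Decision.REVOKE

    def update_attribute(self, s: Session, name: str, value) -> Decision:
        """Called when a fresh attribute value arrives (VO membership change,
        accounting tick, ...); the ongoing conditions are re-evaluated at once."""
        if not s.active:
            return Decision.DENY
        if name == "cpu_seconds":
            s.cpu_seconds = value
        else:
            s.subject[name] = value
        if not self._ongoing_ok(s):
            return self._revoke(s, f"ongoing condition violated after {name}={value!r}")
        return Decision.PERMIT

    def on_event(self, s: Session, event: tuple) -> Decision:
        """Fine-grained check of one application action, e.g. ("connect", host)."""
        if not s.active:
            return Decision.DENY
        kind, arg = event
        if kind == "connect" and arg not in self.policy.allowed_hosts:
            return self._revoke(s, f"connect to {arg} not admitted by policy")
        s.trace.append(("permit", event))
        return Decision.PERMIT

    def end(self, s: Session) -> None:
        if s.active:
            s.active = False
            s.subject["running_jobs"] -= 1


# Constructed policy for the example (values are assumptions).
POLICY = Policy(allowed_roles=frozenset({"vo-member"}), max_running_jobs=1,
                max_cpu_seconds=100, allowed_hosts=frozenset({"storage.vo.example"}))

if __name__ == "__main__":
    rm = ReferenceMonitor(POLICY)
    alice = {"role": "vo-member"}
    d, s = rm.start(alice)
    print("start:", d.value, "| second start:", rm.start(alice)[0].value)
    print("connect ok:", rm.on_event(s, ("connect", "storage.vo.example")).value)
    print("cpu=40:", rm.update_attribute(s, "cpu_seconds", 40).value)
    print("cpu=140:", rm.update_attribute(s, "cpu_seconds", 140).value, "| trace:", s.trace)
```

    The point the example makes is that the decision is not taken once: the same session is first permitted, then revoked when a mutable attribute (CPU time, or the subject's role) crosses the policy's bound, and the quota attribute is updated by the usage itself so that a second concurrent job is refused while the first runs and admitted again after it ends.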

    A synergistic reputation-policy based trust model for Grid resource selection

    In the context of Grid computing, reputation-based trust management systems are playing an increasingly important role in supporting coordinated resource sharing and ensuring the provision of quality of service. However, the existing Grid reputation-based trust management systems are limited in that they are bound to esoteric reputation-based trust models with predefined metrics for calculating and selecting trusted computing resources, and as a result they prevent external involvement in the trust and reputation evaluation processes. This thesis suggests an alternative approach to reputation modelling founded on its core argument that reputation is a subjective as well as a context-dependent matter. Consequently, it offers a synergistic reputation-policy based trust model for Grid resource selection. This exoteric trust model introduces a novel paradigm for evaluating Grid resources, in which Grid client applications (e.g. monitoring toolkits and resource brokers) take an active part in the trust and reputation evaluation processes. This is achieved by augmenting the standard reputation queries with a set of reputation-policy assertions, which constitute complete trust metrics supplied to the reputation algorithm. Subsequently, the Grid Reputation-Policy Trust management system (GREPTrust) provides a concrete implementation of the trust model and its underlying artifacts, whilst the GREPTrust testbed provides an adequate infrastructure for comparing the reputation-policy trust model with a production-available esoteric model (GridPP). Based on a computational finance case study, an internal workflow simulation utilises the GREPTrust testbed in order to empirically assess the criteria by which the synergistic reputation-policy based trust model outperforms esoteric trust models in resource selection, and consequently provides substantive evidence that the reputation-policy paradigm is a welcome addition to the Grid computing community.

    Supporting SLA Provisioning in Grids by Risk Management Processes

    Grid technologies have reached a high level of development; however, core shortcomings have been identified relating to security, trust and dependability of the Grid which reduce its appeal to potential commercial adopters. Users require job execution with a desired priority and quality. In order to stipulate such requirements, Service Level Agreements (SLAs) can be negotiated. These are a powerful instrument enabling the business relationships between service providers and service users to be specified in detail. However, providers are aware of various threats of SLA violations and are reluctant to adopt a mechanism which requires them to meet strict requirements and to guarantee the associated quality constraints. If strict guarantees cannot be agreed by contract, many users prefer to operate their own resources instead of using the Grid. This is more expensive, but they control their applications, which removes the issues of trust and ensures dependability concerning their successful completion. To establish a commercial Grid environment, it is essential that Grid providers are prepared to accept an approach involving SLAs with associated guarantees. In order to enable providers to accept such SLAs, they need estimates of the likelihood that they are unable to fulfil an SLA, i.e. Risk Assessment. Furthermore, the resource management should take such estimates into account when allocating resources or initiating fault-tolerance mechanisms, i.e. Risk Management. This work integrates risk awareness into the provider's processes involved in SLA provisioning. During SLA negotiation the provider evaluates which resources can be used for service provisioning and estimates the Probability of Failure (PoF) of the resources and of fulfilling the SLA. If the estimated PoF is too high, then, by applying risk reduction mechanisms, the provider may be able to reduce it sufficiently to accept the SLA. The estimated PoF is also considered by the service provider and the service consumer when determining the revenue and the contractual penalty. Compared to a service request requiring a relatively low quality of service, providing a more reliable service requires a higher price, since more guarantees have to be ensured. If a more reliable service is provided, the consumer might also define a higher contractual penalty. Thus, the PoF is an additional decision-making element in the SLA negotiation, since it enables end-users to compare different SLA offers by an objective measurement. Once providers have accepted an SLA, they have to be able to compensate for resource failures in order to prevent SLA violations. The usage of fault-tolerance mechanisms combined with risk awareness supports Grid providers in this task. The Risk Management processes are interlaced with the resource management and thereby transparent to Grid service consumers. An important aspect of the Risk Management developed for the Grid are self-organising mechanisms, which initiate a fault-tolerance action or a chain of such actions in order to manage resource instabilities or resource outages. Decisions are made on the basis of financial considerations, such as the profit margin, the cost of performing fault-tolerance, and the expected profit from executing a job. Taking such financial factors into account is of high importance for commercial Grid providers. In conclusion, the integration of Risk Management into the processes of Grid providers is the initial step towards a risk-aware Grid. It will increase transparency, reliability and trust, and provides an objective basis for decision processes in the resource management. Risk Management is integrated to address the SLA negotiation as well as the post-negotiation phase, and thereby improves the SLA provisioning process in general.
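    The negotiation step in the abstract above can be made concrete with a small calculation. The Python below is an added example, not the thesis's model or code; it assumes independent resource failures, treats replicating the job on disjoint resource sets as the risk-reduction mechanism, and uses constructed PoF, cost, price and penalty figures. It derives the job's PoF from the resources it would run on, adds replicas until the consumer's PoF bound is met, prices the offer from the PoF-weighted penalty, and accepts the SLA only when the expected profit (price minus cost minus PoF times penalty) stays positive.

```python
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Resource:
    name: str
    pof: float    # estimated probability that the resource fails during the job
    cost: float   # provider's cost of using it for this job


@dataclass(frozen=True)
class SlaOffer:
    price: float    # what the consumer pays on successful completion
    penalty: float  # what the provider pays back on an SLA violation
    max_pof: float  # the highest failure probability the consumer will accept


def job_pof(resources):
    """A job that needs all of its resources fails if any of them fails
    (independence of failures is an assumption of this example)."""
    return 1.0 - prod(1.0 - r.pof for r in resources)


def replicated_pof(replica_sets):
    """Replication as risk reduction: the SLA is violated only if every replica fails."""
    return prod(job_pof(rs) for rs in replica_sets)


def expected_profit(offer, pof, cost):
    return offer.price - cost - pof * offer.penalty


def min_price(pof, cost, penalty, margin):
    """Lowest price at which the provider still expects the given margin,
    i.e. the price a more reliable (lower PoF, higher cost) service must fetch."""
    return cost + pof * penalty + margin


def plan(offer, pool, nodes_needed, max_replicas=3):
    """Allocate the cheapest resources, add disjoint replica sets while the PoF bound
    is not met, and return the most profitable feasible plan, or None to reject."""
    ranked = sorted(pool, key=lambda r: r.cost)
    best = None
    for k in range(1, max_replicas + 1):
        if k * nodes_needed > len(ranked):
            break
        chosen = ranked[: k * nodes_needed]
        sets = [tuple(chosen[i * nodes_needed:(i + 1) * nodes_needed]) for i in range(k)]
        pof = replicated_pof(sets)
        if pof > offer.max_pof:
            continue                      # risk reduction not sufficient yet
        cost = sum(r.cost for r in chosen)
        ep = expected_profit(offer, pof, cost)
        if best is None or ep > best["expected_profit"]:
            best = {"replicas": k, "pof": pof, "cost": cost,
                    "expected_profit": ep, "sets": sets}
    if best is None or best["expected_profit"] < 0:
        return None                       # PoF unreachable, or the penalty eats the margin
    return best


# Constructed resource pool and offers (illustrative figures, not measured data).
POOL = [Resource("n1", 0.05, 10), Resource("n2", 0.05, 10),
        Resource("n3", 0.02, 12), Resource("n4", 0.02, 12),
        Resource("n5", 0.10, 8),  Resource("n6", 0.10, 8)]
STRICT = SlaOffer(price=60, penalty=100, max_pof=0.05)
LAX = SlaOffer(price=40, penalty=20, max_pof=0.20)

if __name__ == "__main__":
    for label, offer in (("strict", STRICT), ("lax", LAX)):
        p = plan(offer, POOL, nodes_needed=2)
        print(label, "reject" if p is None else
              f"accept with {p['replicas']} replica(s): PoF={p['pof']:.4f}, "
              f"cost={p['cost']}, expected profit={p['expected_profit']:.2f}")
```

    With these figures the lax offer is served by the two cheapest nodes alone (PoF about 0.19), while the strict offer needs a second replica set to get under the 0.05 bound; a third set would meet the bound with far more margin but turns the expected profit negative, which is the trade-off between fault-tolerance cost and penalty exposure the abstract describes.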

    Conceptual Models for Assessment & Assurance of Dependability, Security and Privacy in the Eternal CONNECTed World

    This is the first deliverable of WP5, which covers Conceptual Models for Assessment & Assurance of Dependability, Security and Privacy in the Eternal CONNECTed World. As described in the project DOW, this document covers the following topics: metrics definition; identification of limitations of current V&V approaches and exploration of extensions, refinements and new developments; and identification of security, privacy and trust models. WP5 focuses on dependability with respect to the peculiar aspects of the project, i.e., the threats deriving from on-the-fly synthesis of CONNECTors. We explore appropriate means for assessing or guaranteeing that the CONNECTed System yields acceptable levels of non-functional properties, such as reliability (e.g., the CONNECTor will ensure continued communication without interruption), security and privacy (e.g., the transactions do not disclose confidential data), and trust (e.g., Networked Systems are put in communication only with parties they trust). After defining a conceptual framework for metrics definition, we present the approaches to dependability in CONNECT, which cover: i) model-based V&V, ii) security enforcement and iii) trust management. The approaches are centred around monitoring, to allow for on-line analysis. Monitoring is performed alongside the functionalities of the CONNECTed System and is used to detect conditions that are deemed relevant by its clients (i.e., the other CONNECT Enablers). A unified lifecycle encompassing dependability analysis, security enforcement and trust management is outlined, spanning discovery time, synthesis time and execution time.

    Proceedings of the First NASA Formal Methods Symposium

    Topics covered include: Model Checking - My 27-Year Quest to Overcome the State Explosion Problem; Applying Formal Methods to NASA Projects: Transition from Research to Practice; TLA+: Whence, Wherefore, and Whither; Formal Methods Applications in Air Transportation; Theorem Proving in Intel Hardware Design; Building a Formal Model of a Human-Interactive System: Insights into the Integration of Formal Methods and Human Factors Engineering; Model Checking for Autonomic Systems Specified with ASSL; A Game-Theoretic Approach to Branching Time Abstract-Check-Refine Process; Software Model Checking Without Source Code; Generalized Abstract Symbolic Summaries; A Comparative Study of Randomized Constraint Solvers for Random-Symbolic Testing; Component-Oriented Behavior Extraction for Autonomic System Design; Automated Verification of Design Patterns with LePUS3; A Module Language for Typing by Contracts; From Goal-Oriented Requirements to Event-B Specifications; Introduction of Virtualization Technology to Multi-Process Model Checking; Comparing Techniques for Certified Static Analysis; Towards a Framework for Generating Tests to Satisfy Complex Code Coverage in Java Pathfinder; jFuzz: A Concolic Whitebox Fuzzer for Java; Machine-Checkable Timed CSP; Stochastic Formal Correctness of Numerical Algorithms; Deductive Verification of Cryptographic Software; Coloured Petri Net Refinement Specification and Correctness Proof with Coq; Modeling Guidelines for Code Generation in the Railway Signaling Context; Tactical Synthesis of Efficient Global Search Algorithms; Towards Co-Engineering Communicating Autonomous Cyber-Physical Systems; and Formal Methods for Automated Diagnosis of Autosub 6000.