
    SciTokens: Capability-Based Secure Access to Remote Scientific Data

    The management of security credentials (e.g., passwords, secret keys) for computational science workflows is a burden for scientists and information security officers. Problems with credentials (e.g., expiration, privilege mismatch) cause workflows to fail to fetch needed input data or store valuable scientific results, distracting scientists from their research by requiring them to diagnose the problems, re-run their computations, and wait longer for their results. In this paper, we introduce SciTokens, open source software to help scientists manage their security credentials more reliably and securely. We describe the SciTokens system architecture, design, and implementation addressing use cases from the Laser Interferometer Gravitational-Wave Observatory (LIGO) Scientific Collaboration and the Large Synoptic Survey Telescope (LSST) projects. We also present our integration with widely-used software that supports distributed scientific computing, including HTCondor, CVMFS, and XrootD. SciTokens uses IETF-standard OAuth tokens for capability-based secure access to remote scientific data. The access tokens convey the specific authorizations needed by the workflows, rather than general-purpose authentication impersonation credentials, to address the risks of scientific workflows running on distributed infrastructure including NSF resources (e.g., LIGO Data Grid, Open Science Grid, XSEDE) and public clouds (e.g., Amazon Web Services, Google Cloud, Microsoft Azure). By improving the interoperability and security of scientific workflows, SciTokens 1) enables use of distributed computing for scientific domains that require greater data protection and 2) enables use of more widely distributed computing resources by reducing the risk of credential abuse on remote systems.
    Comment: 8 pages, 6 figures, PEARC '18: Practice and Experience in Advanced Research Computing, July 22--26, 2018, Pittsburgh, PA, US
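    The abstract's central security point is that a capability token names the specific operations and data a workflow may touch, so a stolen or over-long-lived token cannot be used as a general impersonation credential. The following is an added example, not code from the SciTokens project or the paper: it mints and verifies a minimal HS256-signed JWT and then applies a resource-side capability check against the token's `scope` claim. The scope layout (`read:/path` and `write:/path` entries), the issuer URL, the audience values and the shared HMAC key are assumptions made for this illustration; a real deployment would verify tokens against the issuer's published asymmetric key rather than a shared secret.

```python
"""Capability-style access tokens: mint, verify, and authorize by scope.

Added illustration (not the SciTokens project's own code).  Assumptions:
HS256 with a shared key, a ``scope`` claim holding entries such as
``read:/ligo/frames``, and made-up issuer/audience URLs.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET_KEY = b"example-shared-hmac-key"  # assumption: symmetric key for a self-contained demo
ISSUER = "https://issuer.example"         # assumption: hypothetical token issuer


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(scope: str, audience: str, lifetime_s: int,
               key: bytes = SECRET_KEY, now: Optional[int] = None) -> str:
    """Issue a compact JWS whose claims name only the capabilities granted."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": audience, "iat": now,
              "exp": now + lifetime_s, "scope": scope}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, expected_aud: str,
                 key: bytes = SECRET_KEY, now: Optional[int] = None) -> dict:
    """Check algorithm, signature, audience and expiry; return claims or raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, c64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":  # refuse "none" and algorithm-confusion headers
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h64}.{c64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c64))
    if claims.get("iss") != ISSUER:
        raise ValueError("unknown issuer")
    if claims.get("aud") != expected_aud:  # a token for XrootD must not work at HTCondor
        raise ValueError("wrong audience")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    return claims


def authorize(claims: dict, operation: str, path: str) -> bool:
    """Capability check: permit only if a scope entry covers (operation, path).

    An entry is ``op:prefix``.  The request is allowed when the operation
    matches and the requested path equals the prefix or lies beneath it as a
    whole path component, so ``read:/ligo`` covers ``/ligo/frames`` but not
    ``/ligo-private``.  Anything not named in the scope is denied.
    """
    norm = "/" + path.strip("/")
    for entry in claims.get("scope", "").split():
        op, _, prefix = entry.partition(":")
        if op != operation or not prefix:
            continue
        prefix = "/" + prefix.strip("/")
        if norm == prefix or norm.startswith(prefix.rstrip("/") + "/"):
            return True
    return False
```

    In use, the workflow submitter requests a token scoped to exactly the input and output locations a job needs; the storage service verifies the token, then answers each read or write with `authorize`, so a token leaked from a worker node grants nothing beyond those paths and expires on its own.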

    Nice to know

    The byproduct of today's massive interconnectivity is that basically nothing and no-one is immune to cyber attacks any longer. Sadly, this can be demonstrated rather trivially. It is therefore not surprising that there is no other research area in computer science with as much social and political impact as computer security. We all know that 'perfect security' does not exist. However, when it comes to our IT security research agenda we forget this and dedicate our energies to delivering 'provably secure' technology. This is a limiting factor: including insecurity in our security research is a great challenge which will open new application areas. Taking advantage of this multidisciplinary terrain, 'Nice to Know' talks about old lessons we have not learned in the past and a few crucial challenges we have to tackle in the future, both in research and in education.

    Game Theory Meets Network Security: A Tutorial at ACM CCS

    The increasingly pervasive connectivity of today's information systems brings up new challenges to security. Traditional security has come a long way toward protecting well-defined goals such as confidentiality, integrity, availability, and authenticity. However, with the growing sophistication of the attacks and the complexity of the system, the protection using traditional methods could be cost-prohibitive. A new perspective and a new theoretical foundation are needed to understand security from a strategic and decision-making perspective. Game theory provides a natural framework to capture the adversarial and defensive interactions between an attacker and a defender. It provides a quantitative assessment of security, prediction of security outcomes, and a mechanism design tool that can enable security-by-design and reverse the attacker's advantage. This tutorial provides an overview of diverse methodologies from game theory, including games of incomplete information, dynamic games, and mechanism design theory, to offer a modern theoretic underpinning of a science of cybersecurity. The tutorial will also discuss open problems and research challenges that the CCS community can address and contribute to, with the objective of building a multidisciplinary bridge between cybersecurity, economics, game and decision theory.

    Open Access, Data Management and Emerging Challenges to International Research

    This talk covers the University of Edinburgh's current position regarding Open Access and Data Management, including the introduction of our new policies, as well as the University's general approach to supporting Open Research and Open Science. The speaker then gives his view on the emerging challenges regarding international research, especially the increased administrative research burden and the restrictions on the free use of international research data caused by recent and pending legislation (such as the National Security and Investment Act), as well as the continued effects of Brexit. Finally, he covers his recent discussions and work with the new UK Information Commissioner and with the Scottish Government on these subjects.

    HIL: designing an exokernel for the data center

    We propose a new Exokernel-like layer to allow mutually untrusting physically deployed services to efficiently share the resources of a data center. We believe that such a layer offers not only efficiency gains, but may also enable new economic models, new applications, and new security-sensitive uses. A prototype (currently in active use) demonstrates that the proposed layer is viable, and can support a variety of existing provisioning tools and use cases.
    Partial support for this work was provided by the MassTech Collaborative Research Matching Grant Program, National Science Foundation awards 1347525 and 1149232 as well as the several commercial partners of the Massachusetts Open Cloud who may be found at http://www.massopencloud.or

    Reducing Attack Surface of a Web Application by Open Web Application Security Project Compliance

    The attack surface of a system is the amount of application area that is exposed to adversaries. The overall vulnerability can be reduced by reducing the attack surface of a web application. In this paper, we have considered the web components of two versions of an in-house developed project management web application, and the attack surface has been calculated before and after Open Web Application Security Project (OWASP) compliance, based on a security audit, to determine and then compare the security of this project management application. OWASP is an open community that provides free tools and guidelines for application security. It was observed that the attack surface of the software was reduced by 45 per cent once it was made OWASP compliant. The vulnerable surface exposed by the code even after OWASP compliance was due to the mandatory access points left in the software to ensure accessibility over a network.
    Defence Science Journal, 2012, 62(5), pp. 324-330, DOI: http://dx.doi.org/10.14429/dsj.62.129

    Plant health emergencies demand open science: Tackling a cereal killer on the run

    Outbreaks of emerging plant diseases and insect pests are increasing at an alarming rate, threatening the food security needs of a booming world population. The role of plant pathologists in addressing these threats to plant health is critical. Here, we share our personal experience with the appearance in Bangladesh of a destructive new fungal disease called wheat blast and stress the importance of open-science platforms and crowdsourced community responses in tackling emerging plant diseases. Benefits of the open-science approach include recruitment of multidisciplinary experts, application of cutting-edge methods, and timely replication of data analyses to increase the robustness of the findings. Based on our experiences, we provide some general recommendations and practical guidance for responding to emerging plant diseases.