3,999 research outputs found
Managing Dynamic User Communities in a Grid of Autonomous Resources
One of the fundamental concepts in Grid computing is the creation of Virtual
Organizations (VO's): a set of resource consumers and providers that join
forces to solve a common problem. Typical examples of Virtual Organizations
include collaborations formed around the Large Hadron Collider (LHC)
experiments. To date, Grid computing has been applied on a relatively small
scale, linking dozens of users to a dozen resources, and management of these
VO's was a largely manual operation. With the advance of large collaboration,
linking more than 10000 users with a 1000 sites in 150 counties, a
comprehensive, automated management system is required. It should be simple
enough not to deter users, while at the same time ensuring local site autonomy.
The VO Management Service (VOMS), developed by the EU DataGrid and DataTAG
projects[1, 2], is a secured system for managing authorization for users and
resources in virtual organizations. It extends the existing Grid Security
Infrastructure[3] architecture with embedded VO affiliation assertions that can
be independently verified by all VO members and resource providers. Within the
EU DataGrid project, Grid services for job submission, file- and database
access are being equipped with fine- grained authorization systems that take VO
membership into account. These also give resource owners the ability to ensure
site security and enforce local access policies. This paper will describe the
EU DataGrid security architecture, the VO membership service and the local site
enforcement mechanisms Local Centre Authorization Service (LCAS), Local
Credential Mapping Service(LCMAPS) and the Java Trust and Authorization
Manager.Comment: Talk from the 2003 Computing in High Energy and Nuclear Physics
(CHEP03), La Jolla, Ca, USA, March 2003, 7 pages, LaTeX, 5 eps figures. PSN
TUBT00
Distributed Key Management for Secure Role Based Messaging
Secure Role Based Messaging (SRBM) augments messaging systems with role oriented communication in a secure manner. Role occupants can sign and decrypt messages on behalf of roles. This paper identifies the requirements of SRBM and recognises the need for: distributed key shares, fast membership revocation, mandatory security controls and detection of identity spoofing. A shared RSA scheme is constructed. RSA keys are shared and distributed to role occupants and role gate keepers. Role occupants and role gate keepers must cooperate together to use the key shares to sign and decrypt the messages. Role occupant signatures can be verified by an audit service. A SRBM system architecture is developed to show the security related performance of the proposed scheme, which also demonstrates the implementation of fast membership revocation, mandatory security control and prevention of spoofing. It is shown that the proposed scheme has successfully coupled distributed security with mandatory security controls to realize secure role based messaging
Credibility of Health Information and Digital Media: New Perspectives and Implications for Youth
Part of the Volume on Digital Media, Youth, and Credibility. This chapter considers the role of Web technologies on the availability and consumption of health information. It argues that young people are largely unfamiliar with trusted health sources online, making credibility particularly germane when considering this type of information. The author suggests that networked digital media allow for humans and technologies act as "apomediaries" that can be used to steer consumers to high quality health information, thereby empowering health information seekers of all ages
ReZone: disarming TrustZone with TEE privilege reduction
In TrustZone-assisted TEEs, the trusted OS has unrestricted
access to both secure and normal world memory. Unfortunately, this architectural limitation has opened an aisle of
exploration for attackers, which have demonstrated how to
leverage a chain of exploits to hijack the trusted OS and gain
full control of the system, targeting (i) the rich execution
environment (REE), (ii) all trusted applications (TAs), and
(iii) the secure monitor. In this paper, we propose REZONE.
The main novelty behind REZONE design relies on leveraging
TrustZone-agnostic hardware primitives available on commercially off-the-shelf (COTS) platforms to restrict the privileges
of the trusted OS. With REZONE, a monolithic TEE is restructured and partitioned into multiple sandboxed domains named
zones, which have only access to private resources. We have
fully implemented REZONE for the i.MX 8MQuad EVK and
integrated it with Android OS and OP-TEE. We extensively
evaluated REZONE using microbenchmarks and real-world
applications. REZONE can sustain popular applications like
DRM-protected video encoding with acceptable performance
overheads. We have surveyed 80 CVE vulnerability reports
and estimate that REZONE could mitigate 86.84% of them.We thank our shepherd Aastha Mehta and the anonymous reviewers for their comments and suggestions. This work was supported by national funds through Centro ALGORITMI / Universidade do Minho, Instituto Superior Técnico / Universidade de Lisboa, and FCT under project UIDB/50021/2020 and UIDB/00319/2020. David Cerdeira was supported by FCT grant SFRH/BD/146231/2019
- …