Security for Grid Services

Grid computing is concerned with the sharing and coordinated use of diverse resources in distributed "virtual organizations." The dynamic and multi-institutional nature of these environments introduces challenging security issues that demand new technical approaches. In particular, one must deal with diverse local mechanisms, support dynamic creation of services, and enable dynamic creation of trust domains. We describe how these issues are addressed in two generations of the Globus Toolkit. First, we review the Globus Toolkit version 2 (GT2) approach; then, we describe new approaches developed to support the Globus Toolkit version 3 (GT3) implementation of the Open Grid Services Architecture, an initiative that is recasting Grid concepts within a service oriented framework based on Web services. GT3's security implementation uses Web services security mechanisms for credential exchange and other purposes, and introduces a tight least-privilege model that avoids the need for any privileged network service.Comment: 10 pages; 4 figure

Clinical outcome of hypofractionated breath-hold image-guided SABR of primary lung tumors and lung metastases

Background: Stereotactic Ablative RadioTherapy (SABR) of lung tumors/metastases has been shown to be an effective treatment modality with low toxicity. Outcome and toxicity were retrospectively evaluated in a unique single-institution cohort treated with intensity-modulated image-guided breath-hold SABR (igSABR) without external immobilization. The dose–response relationship is analyzed based on Biologically Equivalent Dose (BED). Patients and methods: 50 lesions in 43 patients with primary NSCLC (n = 27) or lung-metastases of various primaries (n = 16) were consecutively treated with igSABR with Active-Breathing-Coordinator (ABC®) and repeat-breath-hold cone-beam-CT. After an initial dose-finding/-escalation period, 5x12 Gy for peripheral lesions and single doses of 5 Gy to varying dose levels for central lesions were applied. Overall-survival (OS), progression-free-survival (PFS), progression pattern, local control (LC) and toxicity were analyzed. Results: The median BED2 was 83 Gy. 12 lesions were treated with a BED2 of &lt;80 Gy, and 38 lesions with a BED2 of <80 Gy. Median follow-up was 15 months. Actuarial 1- and 2-year OS were 67% and 43%; respectively. Cause of death was non-disease-related in 27%. Actuarial 1- and 2-year PFS was 42% and 28%. Progression site was predominantly distant. Actuarial 1- and 2 year LC was 90% and 85%. LC showed a trend for a correlation to BED2 (p = 0.1167). Pneumonitis requiring conservative treatment occurred in 23%. Conclusion: Intensity-modulated breath-hold igSABR results in high LC-rates and low toxicity in this unfavorable patient cohort with inoperable lung tumors or metastases. A BED2 of <80 Gy was associated with reduced local control

PPARγ Loss Leads to Reduced Fertility

The peroxisome proliferation-activated receptor gamma (PPARγ) is expressed in many cell types including mammary epithelium, ovary, macrophages, and B- and T-cells. PPARγ has an anti-proliferative effect in pre-adipocytes and mammary epithelial cells, and treatment with its ligands reduced the progression of carcinogen-induced mammary tumors in mice. Because PPARγ-null mice die in utero it has not been possible to study its role in development and tumorigenesis in vivo. To investigate whether PPARγ is required for the establishment and physiology of different cell types, a cell-specific deletion of the gene was carried out in mice using the Cre-loxP recombination system. We deleted the PPARγ gene in mammary epithelium using WAP-Cre transgenic mice and in epithelial cells, B- and T-cells, and ovary cells using MMTV-Cre mice. The presence of PPARγ was not required for functional development of the mammary gland during pregnancy and for the establishment of B- and T-cells. In addition, no increase in mammary tumors was observed. However, loss of the PPARγ gene in oocytes and granulosa cells resulted in impaired fertility. These mice have normal populations of follicles, they ovulate and develop corpora lutea. Although progesterone levels are decreased and implantation rates are reduced, the exact cause of the impaired fertility remains to be determined

3,4-Methylenedioxymethamphetamine Alters Left Ventricular Function and Activates Nuclear Factor-Kappa B (NF-κB) in a Time and Dose Dependent Manner

3,4-Methylenedioxymethamphetamine (MDMA) is an illicit psychoactive drug with cardiovascular effects that have not been fully described. In the current study, we observed the effects of acute MDMA on rabbit left ventricular function. We also observed the effects of MDMA on nuclear factor-kappa B (NF-κB) activity in cultured rat ventricular myocytes (H9c2). In the rabbit, MDMA (2 mg/kg) alone caused a significant increase in heart rate and a significant decrease in the duration of the cardiac cycle. Inhibition of nitric oxide synthase (NOS) by pretreatment with L-NAME (10 mg/kg) alone caused significant dysfunction in heart rate, systolic pressure, diastolic pressure, duration of relaxation, duration of cardiac cycle, and mean left ventricular pressure. Pretreatment with L-NAME followed by treatment with MDMA caused significant dysfunction in additional parameters that were not abnormal upon exposure to either compound in isolation: duration of contraction, inotropy, and pulse pressure. Exposure to 1.0 mM MDMA for 6 h or 2.0 μM MDMA for 12 h caused increased nuclear localization of NF-κB in cultured H9c2 cells. The current results suggest that MDMA is acutely detrimental to heart function and that an intact cardiovascular NOS system is important to help mitigate early sequelae in some functional parameters. The delayed timing of NF-κB activation suggests that this factor may be relevant to MDMA induced cardiomyopathy of later onset

Secure Password-Based Authenticated Key Exchange For Web Services

This paper discusses an implementation of an authenticated key-exchange method (AuthA) rendered on message primitives defined in the WS-Trust and WS-SecureConversation specifications. This IEEE-specified cryptographic method is proven-secure for password-based authentication and key exchange, while the WS-Trust and WS-SecureConversation are emerging Web Services Security specifications that extend the standardized WS-Security specification. A prototype of the presented protocol is integrated in the WS-ResourceFramework-compliant Globus Toolkit V4. Further hardening of the implementation is expected to result in a version that will be shipped with future Globus Toolkit releases. This could help address the current unavailability of decent shared-secret-based authentication options in the Web Services and Grid world. Future work will also be dedicated to integrate One-Time-Password (OTP) features in the authentication protocol

Policy-driven Negotiation for Authorization in the Grid

Abstract — In many Grid services deployments, the clients and servers reside in different administrative domains. Hence, there is a requirement both to discover each other’s authorization policy, in order to be able to present the right assertions that allow access, and to reveal as little as possible of the access policy details to unauthorized parties. This paper describes a mechanism where the client and servers are semantically annotated with policies that protect their resources. These annotations specify both constraints and capabilities that are used during a negotiation to reason about and communicate the need to see certain credentials from the other party and to determine whether requested credentials can be obtained and revealed. The result of the negotiation is a state where both parties have satisfied their policy constraints for a subsequent interaction or where such interaction is disallowed by either or both. Furthermore, we present an implementation of a prototype, based on the PEERTRUST policy language and its reasoning engine, that is integrated in the Web services runtime component of the Globus Toolkit. The negotiation process is facilitated through the implementation of WSRF-compliant service interfaces for protocol message exchanges. I

Policydriven negotiation for authorization in the semantic grid

As in many Grid Services deployments the clients and servers reside in different administrative domains, there is both a requirement to discover each other’s authorization policy in order to be able to present the right assertions that allow access, as well as to reveal as little as possible of the access policy details to unauthorized parties. This paper describes a mechanism where the client and servers are semantically annotated with policies that protect their resources. These annotations specify both constraints and capabilities, which are used during a negotiation to reason about and to communicate the need to see certain credentials from the other party, and to determine whether requested credentials can be obtained and revealed. The end result of the negotiation is a state where either both parties have satisfied their policy constraints for a subsequent interaction, or where such interaction is disallowed by either or both. Furthermore, the implementation of a prototype is discussed that is based on the PEERTRUST policy language and a reasoning engine, which are integrated in the webservices runtime of the Globus Toolkit. The negotiation process is facilitated through the implementation of WSRF-compliant service interfaces for the protocol message exchanges