NCSA CyberSecurity Research and Development

NCSA CyberSecurityResearch and Development

NCSA CyberSecurityResearch and Development

http://security.ncsa.uiuc.edu/research/

National Center for Supercomputing Applications

NCSA Security Research and Development

• Part of National Center for Supercomputing Applications at the University of Illinois

• Ten person team of researchers and developers

• Funding from NSF and ONR

• Lead for the National Center for Advanced Secure Systems Research– www.ncassr.org

• Part of University of Illinois Information Trust Institute– www.iti.uiuc.edu


NCSA Security R&D Projects Overview

Technology R&D

• SELS - Secure Email Lists

• Mithril - Adaptive Security for Collaborative Computing

• FLAIM - Log Anonymization

• MyProxy - Credential Management

• SSH Key Management

• GridShib - Identity Federtation for Grids

• TCIP - Trusted CyberInfrastructure for the Power Grid

Applied Security

• ITTF - Illinois Terrorism Task Force Credentialing Project

• Security for CyberEnvironments– MAEVis, Astronomy


SELS: A Secure Email List Service

• Provides message-level security for emails exchanged on mailing lists– Confidentiality, Integrity, and Authentication

• Minimally trusted List Server– Novel feature: List Server does not get access to email plaintext

– Proxy encryption techniques enable transformation of ciphertext

• Development with COTS and open-source components– Integrated with GnuPG on subscriber side; no need for software installation

– Integrated with Mailman on server side with easy installation and setup

• Use Case Scenarios: Lists of– System administrators exchanging emails for infrastructure protection and incident

response

– Healthcare researchers exchanging emails on sensitive data

• URL: http://sels.ncsa.uiuc.edu; contact: [email protected]


IB-MKD: Identity Based Message Key Distribution for Secure Email• Provides encryption for emails

– Novel feature: No long term public keys for end users

– Knowledge of email address sufficient for encryption

• Domain Based Administration– Trusted Key Distribution Center (KDC) distributes message keys to

domain users

• Leverages DNS for key distribution– KDC public keys distributed via DNS using Yahoo’s domainkey

technology

• S/MIME based implementation– Minor modifications to S/MIME using Java/Bouncycastle library

• URL: http://www.ncsa.uiuc.edu/People/hkhurana/IWAP06.pdf

• Contact: {hkhurana, jbasney}@ncsa.uiuc.edu


MITHRIL

• Collaboration between NCSA, PNNL, NRL CCS

• Development of mechanisms for adaptable security for open, collaborative computing systems

• Maximize usability while allowing rapid, automated response to security incidents

• Four sub-components:– Credentials Management, SELS

• See slides elsewhere

– Continuous Mouse Biometrics

– Intrusion Detection and Response system

• Contact: Von Welch [email protected]• http://www.ncsa.uiuc.edu/People/hkhurana/WENS06.pdf

mailto:[email protected]


Mithril: Computer Mouse Biometrics

• Project lead by PNNL

•Detects unauthorized users at console by building profile of authorized user’s biometric mouse movement patterns

•Can analyze and detect changes in pattern in near-real time

•Contact: Doug Schultz [email protected]


Mithril: Intrusion Detection and Response System

•Detect, correlate and respond to incidents

•Differentiate between isolated incidents and sustained attacks

• Built from open-source components:– Prelude, SEC, cfEngine

• TattleTale: NCSA-developed process monitoring system to detect illicit privileged access


Network/System/Audit Log Anonymization

•NCSA produces ~5 GBytes of logs per day.

•Real-world logs are useful for investigations, education, testing of tools, and network/security research.

•However, real-world logs often contain sensitive information.– Privacy issues exist for both the individual users and

the organization.

– Network topology could be useful to attackers.

– Services running on machines and trust relationships between systems could be useful to attackers.


FLAIM – Framework for Log Anonymization and Information Management

Solution – Anonymization to meet the needs of both parties – Data owner is concerned with privacy/security– Analyst is concerned with information loss– FLAIM has a rich policy language expressive enough to

often define policies that meet needs of both•E.g., one can obscure IP addresses, but preserve the subnet structure

for networking researchers

• FLAIM is very flexible– Modular, allowing I/O modules for multiple logs to be built– Plethora of anonymization primitives to apply to many fields

• http://flaim.ncsa.uiuc.edu/flaim.html


FLAIM – Into the future

•Analyze trade-offs between information loss and privacy– Create a metric of log utility and analyze effect of

anonymization on metric.

– Create a metric of the strength of an anonymization scheme.

•We can move beyond computer/network logs– Reuse the anonymization engine and policy engine,

a.ka. FLAIM-Core.

– Module API is flexible enough to support any data in a record/field format.


Credential Management

•Users are poor at managing electronic credentials such as digital keys

•Hardware tokens are one solution– But not always available– E.g. different system platforms in science communities

•Credential Management allows for these credentials to be managed for the user– By profession IT staff in secure machine rooms– Provide control and monitoring over credential use


• Open Source software for managing PKI credentials– Online CA issues short-lived certificates– Online credential repository securely stores PKI credentials– Supports many authentication methods:

passphrase, certificate, PAM, SASL, Kerberos, OTP– Integrates with job managers for automated credential renewal– Distributed in Globus Toolkit, VDT, NMI, CoG Kits, TG CTSS, and

Univa Globus Enterprise

• MyProxy on TeraGrid– MyProxy CA provides certificates to users via User Portal Login– User Portal and Ticket System use MyProxy authentication– MyProxy integrates with Science Gateway web portals

• For more information– http://myproxy.ncsa.uiuc.edu/– Contact: [email protected]

MyProxy

Used byTeraGrid

LCGFusionGridPRAGMAEGEEESGLNCCCCGOSG

and others…


Secure Shell Key Management

• Secure Shell (SSH) is common way to access high-end resources at NCSA

•User managed RSA keys a common, easy authentication mechanism

• But these keys get easily stolen, shared

• Solution: Manage RSA keys centrally, allow user access through standard SSH Remote Agent protocol and tools

• Contact: [email protected]


SSH Key Management

SSH Key Server•Maintains private RSA keys

Client Authenticatesvia site mechanismse.g. Kerberos, OTP

Client accessesprivate RSA keyvia ssh-agent

Public KeyDistribution

RSA-authenticatedaccess

ComputeResource


GSI-OpenSSH

•Modified version of OpenSSH supporting X.509 authentication and proxy delegation– Provides a single sign-on remote login and file

transfer service

– Included in Globus Toolkit, VDT, NMI, TG CTSS

• Standards-based– RFC 3820: X.509 Proxy Certificates

– RFC 4462: GSSAPI for SSH

• For more information:– http://grid.ncsa.uiuc.edu/ssh/

– Contact: [email protected]

Used byTeraGridUK NGS

NRC CanadaLSC DataGrid

INRIANMI B&TTIGRE

and others…


NCASSR PKI Testbed

• Equipment:– Servers, laptops, workstations, and PDAs

– Contact and contactless smartcards and readers

– Secure co-processors for credential servers

– Fingerprint readers

• Supporting:– ITTF smartcard credentialing project

– Hardware-secured credential repositories

– Smartcard authentication for grids and HPC

• For more information:– http://pkilab.ncsa.uiuc.edu/

– Contact: [email protected]


Trusted CyberInfrastructurefor Power Grids (TCIP)• NSF CyberTrust center

at Illinois Trust Institute– Additional funding from

DOE, DHS

– Partners: Dartmouth, Washington State, Cornell

• Addressing security challenges motivated by our national power grid

• http://tcip.iti.uiuc.edu


TCIP: Emergency Credentialing and Authorization (NCSA Focus)• Real-time power grid operations requires real-time

data access to understand and prevent system faults• But, day-to-day data access regulated by policy and

competition• Solution is to allow for short-term credentialing of

operators to allow for emergency authorization for data access– Combine with strong auditing for post-emergency validation

• Investigate methods for determining when emergency occurs and proper changes to authorization policy to allow for prevention of system failure

• Contact: {vwelch,hkhurana}@ncsa.uiuc.edu


GridShib: Grid-Shibboleth Integration

• Integration of Internet2’s Shibboleth with Computational Grids via the Globus Toolkit

• Allow for use of Campus Identity Management for Grid Authentication and Authorization– Allow leveraging of Shibboleth software and deployments to

support Grids– Utilizing Web Services security standards (SAML)

•Contact: Von Welch

[email protected]•http://gridshib.globus.org


NCASSR CyberCrime Investigation Environment

• CyberCrime incidents typically span multiple systems, domains and even continents

• Investigative teams comprise multiple individuals from multiple sites and have complex data management and analysis requirements


NCASSR CyberCrime Investigation Environment

• We are developing a environment to facilitate this distributed investigations

• Includes facilities for data management, anonymization, sharing and analysis

• Plus components for collaboration

• All contained in a secured collaboration environment

• Contact: {rbutler,vwelch}@ncsa.uiuc.edu


American Red CrossAssociated Fire Fighters of IllinoisFBI

Illinois Governor’s OfficeIllinois State PoliceU.S. Attorney’s OfficeFEMA (Region V)

Illinois Terrorism Task Force

http://www.illinois.gov/security/ittf/

•Mission– Created May 2000 to implement a comprehensive

coordinated strategy for domestic preparedness in the state of Illinois, bringing together agencies, organizations, and associations representing all disciplines in the war against terrorism.

•Members include:


ITTF Credentialing Project

•Goal: Pre-issue credentials to incident responders for identification and tracking at the incident perimeter– Smartcards printed with photo ID

– Electronic authentication includes:•Fingerprint biometric

• Identity certificate issued by State of Illinois PKI– Cross-certified with Federal Bridge CA

•Signed certifications (team, weapons, hazmat)+


UIC

ITTF Credentialing Project

• 5,000 initial credentials for pilot project

• Plan to grow to 100,000 credentials– Every Illinois firefighter, police officer, EMT

– Pre-certified volunteers (Red Cross, etc.)

•Designed for general-purpose use state-wide– Secure building and computer system access

– Interoperability with Federal standards

• Partners:

Contact: [email protected]


Astronomy (LSST / NVO / DES)

• Communities: LSST, NVO, DES, IVOA, NOAO, NRAO, STSCI

• Need: Grid Security Solution for a Portal Environment

• Distinguishing Features/Requirements– Inter-DNS-Domain Single Sign-On (SSO) Across Portals

– Interoperability Across Multiple Grid Security Domains

– Limit Trust of Portal Servers

– Preserve Options/Flexibility for Power Users

• Our Work– Security Architecture for Astronomy Community

– Implementation of Working Prototype

• Key Software Components Used– MyProxy, Pubcookie, PURSe

• Contact: [email protected]


MAEViz Portal Single Sign-on

• Complex environment with web portal (Sakai), java web start applications and back-end services

• Provided Grid-enabled single sign-on based on MyProxy across all components

http://grid.ncsa.uiuc.edu/papers/sws-myproxy-jws.pdf


Security for Large Collaborative Compute Infrastructures (LCCIs)• Provides a set of requirements for securing LCCIs

– Example LCCIs: TeraGrid, LHC Grid, GENI

• Risk and threat analysis– Identification of unique and magnified threats to LCCIs

• Exploration of security policies and procedures– Prevention, detection, and response

– Collaboration among sites crucial for security

• Identification of requirements– Security architecture, agreements, implementation plan, management

authority• URL: http://www.ncsa.uiuc.edu/People/hkhurana/TrustColFinal.pdf; contact:

{hkhurana, jbasney, vwelch}@ncsa.uiuc.edu


Software Protection Adoptability Study

• ITI and SAIC are working with the Software Protection Center (SPC) at Wright-Patterson Air Force Base to study how use of software protection technology may affect work-flow, and impact adoptability of that technology by its targeted customers.

• This project is funded through the Software Protection Initiative, whose mission is to prevent the unauthorized distribution and exploitation of application software critical to national security.

•Contact: [email protected]

NCSA CyberSecurity Research and Development

Documents

Transcript of NCSA CyberSecurity Research and Development