ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
Identity Boxing: A New Technique for Consistent Global Identity
Full text PdfPdf (393 KB)
Source Conference on High Performance Networking and Computing archive
Proceedings of the 2005 ACM/IEEE conference on Supercomputing table of contents
Page: 51  
Year of Publication: 2005
ISBN:1-59593-061-2
Author
Douglas Thain  University of Notre Dame
Publisher
IEEE Computer Society  Washington, DC, USA
Bibliometrics
Downloads (6 Weeks): 1,   Downloads (12 Months): 30,   Citation Count: 1
Additional Information:

abstract   references   cited by   index terms   collaborative colleagues  

Tools and Actions: Review this Article  
DOI Bookmark: 10.1109/SC.2005.34

ABSTRACT

Today, users of the grid may easily authenticate themselves to computing resources around the world using a public key security infrastructure. However, users are forced to employ a patchwork of local identities, each assigned by a different local authority. This forces each grid system to provide a mapping from global to local identities, creating a significant administrative burden and inhibiting many possibilities of data sharing. To remedy this, we introduce the technique of identity boxing. This technique allows a high-level identity to be attached directly to each process and resource that a user employs, rendering the local account name irrelevant. This allows a grid user to be known by the same name consistently at all sites, thus reducing administrative burdens and enabling new forms of sharing. We have implemented identity boxing at the user level within a secure system-call interposition agent and applied it to a distributed storage and execution system. The performance overhead of this implementation is only 0.7 to 6.5 percent for a selection of scientific applications, but as high as 35 percent for a metadata-intensive software build. We conclude with some reflections on how the operating system might be modified to better support grid computing.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
1
A. Acharya , M. Raje, MAPbox: Using Parameterized Behavior Classes to Confine Applications, University of California at Santa Barbara, Santa Barbara, CA, 1999
 
2
[2] W. Allcock, A. Chervenak, I. Foster, C. Kesselman, and S. Tuecke. Protocols and services for distributed data-intensive science. In Proceedings of Advanced Computing and Analysis Techniques in Physics Research, pages 161-163, 2000.
 
3
[3] S. Altschul, W. Gish, W. Miller, E. Myers, and D. Lipman. Basic local alignment search tool. Journal of Molecular Biology, 3(215):403-410, Oct 1990.
 
4
Chaitanya Baru , Reagan Moore , Arcot Rajasekar , Michael Wan, The SDSC storage resource broker, Proceedings of the 1998 conference of the Centre for Advanced Studies on Collaborative research, p.5, November 30-December 03, 1998, Toronto, Ontario, Canada
 
5
John Bent , Douglas Thain , Andrea C. Arpaci-Dusseau , Remzi H. Arpaci-Dusseau , Miron Livny, Explicit control a batch-aware distributed file system, Proceedings of the 1st conference on Symposium on Networked Systems Design and Implementation, p.27-27, March 29-31, 2004, San Francisco, California
 
6
John Bent , Venkateshwaran Venkataramani , Nick LeRoy , Alain Roy , Joseph Stanley , Andrea C. Arpaci-Dusseau , Remzi H. Arpaci-Dusseau , Miron Livny, Flexibility, Manageability, and Performance in a Grid Storage Appliance, Proceedings of the 11th IEEE International Symposium on High Performance Distributed Computing, p.3, July 24-26, 2002
7
Joseph Bester , Ian Foster , Carl Kesselman , Jean Tedesco , Steven Tuecke, GASS: a data movement and access service for wide area computing systems, Proceedings of the sixth workshop on I/O in parallel and distributed systems, p.78-88, May 05-05, 1999, Atlanta, Georgia, United States  [doi>10.1145/301816.301839]
 
8
David Brumley , Dawn Song, Privtrans: automatically partitioning programs for privilege separation, Proceedings of the 13th conference on USENIX Security Symposium, p.5-5, August 09-13, 2004, San Diego, CA
 
9
Jeffrey S. Chase , David E. Irwin , Laura E. Grit , Justin D. Moore , Sara E. Sprenkle, Dynamic Virtual Clusters in a Grid Site Manager, Proceedings of the 12th IEEE International Symposium on High Performance Distributed Computing, p.90, June 22-24, 2003
 
10
Crispin Cowan , Steve Beattie , Greg Kroah-Hartman , Calton Pu , Perry Wagle , Virgil Gligor, SubDomain: Parsimonious Server Security, Proceedings of the 14th USENIX conference on System administration, December 03-08, 2000, New Orleans, Louisiana
11
Phyllis E. Crandall , Ruth A. Aydt , Andrew A. Chien , Daniel A. Reed, Input/output characteristics of scalable parallel applications, Proceedings of the 1995 ACM/IEEE conference on Supercomputing (CDROM), p.59-es, December 04-08, 1995, San Diego, California, United States  [doi>10.1145/224170.224396]
 
12
[12] T. A. DeFanti, I. Foster, M. E. Papka, and R. Stevens. Overview of the I-WAY: Wide area visual supercomputing. International Journal of Supercomputer Applications, 10(2/3):121-131, 1996.
 
13
Renato J. Figueiredo , Peter A. Dinda , José A. B. Fortes, A Case For Grid Computing On Virtual Machines, Proceedings of the 23rd International Conference on Distributed Computing Systems, p.550, May 19-22, 2003
 
14
[14] J. Foley. An integrated biosphere model of land surface processes, terrestrial carbon balance, and vegetation dynamics. Global Biogeochemical Cycles, 10(4):603-628, 1996.
15
Bryan Ford , Mike Hibler , Jay Lepreau , Patrick Tullmann , Godmar Back , Stephen Clawson, Microkernels meet recursive virtual machines, Proceedings of the second USENIX symposium on Operating systems design and implementation, p.137-151, October 29-November 01, 1996, Seattle, Washington, United States
 
16
[16] I. Foster and C. Kesselman. Globus: A metacomputing intrastructure toolkit. International Journal of Supercomputer Applications, 11(2):115-128, 1997.
17
Ian Foster , Carl Kesselman , Gene Tsudik , Steven Tuecke, A security architecture for computational grids, Proceedings of the 5th ACM conference on Computer and communications security, p.83-92, November 02-05, 1998, San Francisco, California, United States  [doi>10.1145/288090.288111]
 
18
I. Foster , J. Gieraltowski , S. Gose , N. Maltsev , E. May , A. Rodriguez , D. Sulakhe , A. Vaniachine , J. Shank , S. Youssef , D. Adams , R. Baker , W. Deng , J. Smith , D. Yu , I. Legrand , S. Singh , C. Steenberg , Y. Xia , A. Afaq , E. Berman , J. Annis , L. A. T. Bauerdick , M. Ernst , I. Fisk , L. Giacchetti , G. Graham , A. Heavey , J. Kaiser , N. Kuropatkin , R. Pordes , V. Sekhri , J. Weigand , Y. Wu , K. Baker , L. Sorrillo , J. Huth , M. Allen , L. Grundhoefer , J. Hicks , F. Luehring , S. Peck , R. Quick , S. Simms , G. Fekete , J. vandenBerg , K. Cho , K. Kwon , D. Son , H. Park , S. Canon , K. Jackson , D. E. Konerding , J. Lee , D. Olson , I. Sakrejda , B. Tierney , M. Green , R. Miller , J. Letts , T. Martin , D. Bury , C. Dumitrescu , D. Engh , R. Gardner , M. Mambelli , Y. Smirnov , J. Voeckler , M. Wilde , Y. Zhao , X. Zhao , P. Avery , R. Cavanaugh , B. Kim , C. Prescott , J. Rodriguez , A. Zahn , S. McKee , C. Jordan , J. Prewett , T. Thomas , H. Severini , B. Clifford , E. Deelman , L. Flon , C. Kesselman , G. Mehta , N. Olomu , K. Vahi , K. De , P. McGuigan , M. Sosebee , D. Bradley , P. Couvares , A. De Smet , C. Kireyev , E. Paulson , A. Roy , S. Koranda , B. Moe , B. Brown , P. Sheldon, The Grid2003 Production Grid: Principles and Practice, Proceedings of the 13th IEEE International Symposium on High Performance Distributed Computing, p.236-245, June 04-06, 2004  [doi>10.1109/HPDC.2004.36]
 
19
[19] T. Garfinkel. Traps and pitfalls: Practical problems in in system call interposition based security tools. In Network and Distributed Systems Security Symposium, February 2003.
20
Tal Garfinkel , Ben Pfaff , Jim Chow , Mendel Rosenblum , Dan Boneh, Terra: a virtual machine-based platform for trusted computing, Proceedings of the nineteenth ACM symposium on Operating systems principles, October 19-22, 2003, Bolton Landing, NY, USA
 
21
[21] T. Garfinkel, B. Pfaff, and M. Rosenblum. Ostia: A delegating architecture for secure system call interposition. In Symposium on Network and Distributed System Security, 2004.
 
22
Ian Goldberg , David Wagner , Randi Thomas , Eric A. Brewer, A secure environment for untrusted helper applications confining the Wily Hacker, Proceedings of the 6th conference on USENIX Security Symposium, Focusing on Applications of Cryptography, p.1-1, July 22-25, 1996, San Jose, California
 
23
[23] K. Holtman. CMS data grid system overview and requirements. CMS Note 2001/037, CERN, July 2001.
24
John H. Howard , Michael L. Kazar , Sherri G. Menees , David A. Nichols , M. Satyanarayanan , Robert N. Sidebotham , Michael J. West, Scale and performance in a distributed file system, ACM Transactions on Computer Systems (TOCS), v.6 n.1, p.51-81, Feb. 1988  [doi>10.1145/35037.35059]
 
25
[25] P. Hulith. The AMANDA experiment. In Proceedings of the XVII International Conference on Neutrino Physics and Astrophysics, Helsinki, Finland, June 1996.
 
26
[26] M. Humphrey, F. Knabe, A. Ferrari, and A. Grimshaw. Accountability and control of process creation in metasystems. In Network and Distributed System Security Symposium, February 2000.
27
Sotiris Ioannidis , Steven M. Bellovin , Jonathan M. Smith, Sub-operating systems: a new approach to application security, Proceedings of the 10th workshop on ACM SIGOPS European workshop, July 01-01, 2002, Saint-Emilion, France  [doi>10.1145/1133373.1133394]
 
28
[28] A. K. Jones and W. A. Wulf. Towards the design of secure systems. Software - Practice and Experience, 5(4):321-336, 1975.
29
Michael B. Jones, Interposition agents: transparently interposing user code at the system interface, Proceedings of the fourteenth ACM symposium on Operating systems principles, p.80-93, December 05-08, 1993, Asheville, North Carolina, United States
 
30
Vladimir Kiriansky , Derek Bruening , Saman P. Amarasinghe, Secure Execution via Program Shepherding, Proceedings of the 11th USENIX Security Symposium, p.191-206, August 05-09, 2002
 
31
Marcos Laureano , Carlos Maziero , Edgard Jamhour, Intrusion Detection in Virtual Machine Environments, Proceedings of the 30th EUROMICRO Conference (EUROMICRO'04), p.520-525, August 31-September 03, 2004  [doi>10.1109/EUROMICRO.2004.48]
 
32
L. Pearlman , V. Welch , I. Foster , C. Kesselman , S. Tuecke, A Community Authorization Service for Group Collaboration, Proceedings of the 3rd International Workshop on Policies for Distributed Systems and Networks (POLICY'02), p.50, June 05-07, 2002
 
33
[33] J. Plank, M. Beck, W. Elwasif, T. Moore, M. Swany, and R. Wolski. The Internet Backplane Protocol: Storage in the network. In Proceedings of the Network Storage Symposium, 1999.
 
34
Niels Provos, Improving host security with system call policies, Proceedings of the 12th conference on USENIX Security Symposium, p.18-18, August 04-08, 2003, Washington, DC
 
35
Niels Provos , Markus Friedl , Peter Honeyman, Preventing privilege escalation, Proceedings of the 12th conference on USENIX Security Symposium, p.16-16, August 04-08, 2003, Washington, DC
36
Constantine P. Sapuntzakis , Ramesh Chandra , Ben Pfaff , Jim Chow , Monica S. Lam , Mendel Rosenblum, Optimizing the migration of virtual computers, Proceedings of the 5th symposium on Operating systems design and implementation

Due to copyright restrictions we are not able to make the PDFs for this conference available for downloading

, December 09-11, 2002, Boston, Massachusetts  [doi>10.1145/1060289.1060324]
 
37
[37] A. Shoshani, A. Sim, and J. Gu. Storage resource managers: Middleware components for grid storage. In Proceedings of the Nineteenth IEEE Symposium on Mass Storage Systems, 2002.
 
38
[38] J. Steiner, C. Neuman, and J. I. Schiller. Kerberos: An authentication service for open network systems. In Proceedings of the USENIX Winter Technical Conference, pages 191-200, 1988.
 
39
Douglas Thain , John Bent , Andrea C. Arpaci-Dusseau , Remzi H. Arpaci-Dusseau , Miron Livny, Pipeline and Batch Sharing in Grid Workloads, Proceedings of the 12th IEEE International Symposium on High Performance Distributed Computing, p.152, June 22-24, 2003
 
40
Douglas Thain , Sander Klous , Justin Wozniak , Paul Brenner , Aaron Striegel , Jesus Izaguirre, Separating Abstractions from Resources in a Tactical Storage System, Proceedings of the 2005 ACM/IEEE conference on Supercomputing, p.55, November 12-18, 2005  [doi>10.1109/SC.2005.64]
 
41
[41] D. Thain and M. Livny. Parrot: Transparent user-level middleware for data-intensive computing. In Proceedings of the Workshop on Adaptive Grid Middleware, New Orleans, September 2003.
 
42
[42] D. Thain, T. Tannenbaum, and M. Livny. Condor and the grid. In F. Berman, G. Fox, and T. Hey, editors, Grid Computing: Making the Global Infrastructure a Reality. John Wiley, 2003.
 
43
[43] A. Whitaker, M. Shaw, and S. D. Gribble. Denali: Lightweight virtual machines for distributed and networked applications. In USENIX Annual Technical Conference, June 2002.
 
44
Victor C. Zandy , Barton P. Miller , Miron Livny, Process Hijacking, Proceedings of the 8th IEEE International Symposium on High Performance Distributed Computing, p.32, August 03-06, 1999

CITED BY
Paul Z. Kolano, Mesh: secure, lightweight grid middleware using existing SSH infrastructure, Proceedings of the 12th ACM symposium on Access control models and technologies, June 20-22, 2007, Sophia Antipolis, France

INDEX TERMS

Primary Classification:
  K. Computing Milieux
  K.6 MANAGEMENT OF COMPUTING AND INFORMATION SYSTEMS
      K.6.5 Security and Protection (D.4.6, K.4.2)
          Subjects: Authentication

Additional Classification:
  C. Computer Systems Organization
  C.2 COMPUTER-COMMUNICATION NETWORKS
      C.2.4 Distributed Systems

  D. Software
  D.4 OPERATING SYSTEMS
      D.4.6 Security and Protection
          Subjects: Authentication


General Terms:
Design, Experimentation, Management, Measurement, Performance, Security

Collaborative Colleagues:
Douglas Thain: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player