irods security
play

IRODS Security Wayne Schroeder Data Intensive Cyber Environments - PowerPoint PPT Presentation

Sep 17, 2022 •102 likes •210 views

IRODS Security Wayne Schroeder Data Intensive Cyber Environments Team (DICE) Institute for Neural Computation (INC), University of California San Diego irods.org, dice.unc.edu, diceresearch.org Outline General Comments What Guarding

  1. IRODS Security Wayne Schroeder Data Intensive Cyber Environments Team (DICE) Institute for Neural Computation (INC), University of California San Diego irods.org, dice.unc.edu, diceresearch.org

  2. Outline  General Comments  What Guarding Against  Authentication  Trust Model  IRODS Counter-Measures  Administrator Responsibilities  Future

  3. Overview  Computer Software Never Completely Secure • Ease-of-use vs. security • Ease-of-Implementation, cost/benefit • Encryption time • Attacks/Counter-Measures  Open Source Tends to be More Secure • Vulnerabilities must be Handled Responsibly • Needs to be Collaborative

  4. What We Are Guarding Against  IRODS Does What It Should • Users Are Who They Say • Access Controls Enforced (Read/Write) • Resist Denial-Of-Service Attacks • Resist SQL Injection Attacks  Host OS Remains Secure

  5. Protect OS  Running as non-root helps  Buffer Overflows Avoided  Rstrcpy, etc  Open Source

  6. Authentication  IRODS Password/GSI/Kerberos Network Secure  Have to be  Keys Can Be Stolen and Used  Host/NFS Needs to be Secure  GSI Credentials Time-Limited  IRODS Credentials  Not Plain-text Credential (iinit)  But Source to Unscramble Is Open  NFS May Expose on Network

  7. Trust  Client Code Not Trusted  Client Code Not Trusted  Client Code Not Trusted  Can't be (Network Often Not Secure)  Can't be (Network Often Not Secure)  Can't be (Network Often Not Secure)  Server Code Is Trusted  Server Code Is Trusted  Server Code Is Trusted  Has To Be  Has To Be  Has To Be  Micro-Service Is Server Code  Micro-Service Is Server Code  Micro-Service Is Server Code  IRODS Admins Are Trusted  IRODS Admins Are Trusted  IRODS Admins Are Trusted  ICAT DB/Admins Are Trusted  ICAT DB/Admins Are Trusted  ICAT DB/Admins Are Trusted

  8. Some iRODS Counter-Measures  Buffer Overflow Checks Throughout – OSX 10.6 Noticed Some Inconsistencies; – Fixed in 2.3  Client/Server Call (rc/rs) Privilege Levels  Some Admin-only (e.g. chlSimpleQuery)  Server/Agent Fork/Exec Mechanism  Planned Addition of Multi-Threading  Use of Bind-Variables  DB Treats as Name; avoid SQL injection

  9. IRODS Admin Responsibilities  Keep Server Access Secure – Good passwords, OS Patches, etc  Keep IRODS source code secure  Proper user-level access control  Check Added Micro-Services  Keep Passwords Secure  Optionally: – Configure remoteZoneSID (man-in-middle) – User irodsServerDN if using GSI

  10. Future Work  Ongoing Security Analysis (UNC, Simon Spero)  University Analysis U of Wisconsin (Barton Miller/ James Kupsch) – Collaborative Project as done with SRB; Highly Effective  Bug Fixes  Continue On-Going; Balanced with Other Needs/ Requirements – Enough For Most Instances – Without Placing Too Much Burden on Users/ Admins/Developers

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

iRODS Tutorial I. Getting Started iRODS Tutorial Preview I. iRODS Getting Started unix

iRODS Tutorial I. Getting Started iRODS Tutorial Preview I. iRODS Getting Started unix

iRODS Tutorial I. Getting Started iRODS Tutorial Preview I. iRODS Getting Started unix client usage II. iRODS Data (Grid) Administration installing server and iCAT setting up users adding new resources to a data grid/zone

718 views • 42 slides
iRODS Tutorial II. Data Grid Administration iRODS Tutorial Preview I. iRODS

iRODS Tutorial II. Data Grid Administration iRODS Tutorial Preview I. iRODS

iRODS Tutorial II. Data Grid Administration iRODS Tutorial Preview I. iRODS Getting Started unix client usage II. iRODS Data Grid Administration installing server and iCAT setting up users adding new resources

1.05k views • 71 slides
iRODS Client: iRODS Client: AWS Lambda Function for S3 1.0 AWS Lambda Function for S3 1.0 Terrell

iRODS Client: iRODS Client: AWS Lambda Function for S3 1.0 AWS Lambda Function for S3 1.0 Terrell

iRODS Client: iRODS Client: AWS Lambda Function for S3 1.0 AWS Lambda Function for S3 1.0 Terrell Russell, Ph.D. June 9-12, 2020 @terrellrussell iRODS User Group Meeting 2020 Chief Technologist, iRODS Consortium Virtual Event 1 iRODS

276 views • 8 slides
More than just Load Balancing iRODS Using HAProxy Tony Edgin iRODS UGM 2019 Purpose Previous

More than just Load Balancing iRODS Using HAProxy Tony Edgin iRODS UGM 2019 Purpose Previous

Transforming Science Through Data-driven Discovery More than just Load Balancing iRODS Using HAProxy Tony Edgin iRODS UGM 2019 Purpose Previous work shows how to proxy iRODS for high availability. High Availability iRODS System (HAIRS)

424 views • 19 slides
iRODS S3 Plugin iRODS S3 Plugin with Direct Streaming with Direct Streaming Justin James June

iRODS S3 Plugin iRODS S3 Plugin with Direct Streaming with Direct Streaming Justin James June

iRODS S3 Plugin iRODS S3 Plugin with Direct Streaming with Direct Streaming Justin James June 9-12, 2020 Applications Engineer iRODS User Group Meeting 2020 iRODS Consortium Virtual Event 1 Existing Cacheless Limitations While the

677 views • 18 slides
Managing Next Generation Sequence Data at Syngenta with iRODS Todd Moughamer Classification:

Managing Next Generation Sequence Data at Syngenta with iRODS Todd Moughamer Classification:

Managing Next Generation Sequence Data at Syngenta with iRODS Todd Moughamer Classification: PUBLIC iRODS UGM 2018 Durham, NC June 6 & 7, 2018 Who we are A leading agriculture company helping 90 to improve global food security by

423 views • 13 slides
iRODS at Bristol Myers Squibb Status and Prospects. Leveraging iRODS for scientific applications

iRODS at Bristol Myers Squibb Status and Prospects. Leveraging iRODS for scientific applications

iRODS at Bristol Myers Squibb Status and Prospects. Leveraging iRODS for scientific applications in Amazon AWS Cloud Mohammad Shaikh | Oleg Moiseyenko Scientific Cloud Computing iRODS UGM, Jun 9-11, 2020 R&D, Informatics & Predictive

361 views • 21 slides
iRODS UGM 2019 Michele Carpen - m.carpen@cineca.it iRODS UGM 2019 26-27 June 2019, Utrecht,

iRODS UGM 2019 Michele Carpen - m.carpen@cineca.it iRODS UGM 2019 26-27 June 2019, Utrecht,

An authentication solution for iRODS based on the OpenID Connect protocol iRODS UGM 2019 Michele Carpen - m.carpen@cineca.it iRODS UGM 2019 26-27 June 2019, Utrecht, The Netherlands Acronyms PAM Pluggable Authentication Module . Provides

486 views • 13 slides
iRODS Advanced Features Michael Wan mwan@diceresarch.org http://irods.org/ iRods advanced

iRODS Advanced Features Michael Wan mwan@diceresarch.org http://irods.org/ iRods advanced

iRODS Advanced Features Michael Wan mwan@diceresarch.org http://irods.org/ iRods advanced features Data Transfer modes Structured file implementation iRods FUSE implementation Data Transfer Three modes Sequential file

418 views • 15 slides
The SRB service at STFC and the road to iRODS(?) Roger Downing Kevin ONeill iRODS

The SRB service at STFC and the road to iRODS(?) Roger Downing Kevin ONeill iRODS

The SRB service at STFC and the road to iRODS(?) Roger Downing Kevin ONeill iRODS Workshop, Lyon 1 Feb, 2009 Science and Technology Facilities Council STFC Formed by combining CCLRC (labs) & PPARC (PP + astronomy funding)

681 views • 32 slides
iRODS Im Impact on Science and Data Management iRODS UGM 2017 Ashok Krishnamurthy ,Kira

iRODS Im Impact on Science and Data Management iRODS UGM 2017 Ashok Krishnamurthy ,Kira

iRODS Im Impact on Science and Data Management iRODS UGM 2017 Ashok Krishnamurthy ,Kira Bradford, Michael Conway, Michael Shoffner, Justin James iRODS impact on data management for Scienctific domains: 2 Use Cases BRAIN-I A unified

478 views • 23 slides
Using iRODS as an entry point to VITAM for long-term data preservation IRODS UGM 2020

Using iRODS as an entry point to VITAM for long-term data preservation IRODS UGM 2020

Using iRODS as an entry point to VITAM for long-term data preservation IRODS UGM 2020 06/11/20 - Matthieu Caux & Samuel VISCAPI Irods metadata : Archived : False Archived : True Sent : True Sent : False X-Request-Id : Null

146 views • 13 slides
Using iRODS as a presentation layer for Research Data Storage at UCL iRODS User Group meeting

Using iRODS as a presentation layer for Research Data Storage at UCL iRODS User Group meeting

Using iRODS as a presentation layer for Research Data Storage at UCL iRODS User Group meeting 2017, Utrecht. 2017-06-14 Daniel Hanlon (d.hanlon@ucl.ac.uk) - University College London Contents Research Data Services @ UCL iRODS infrastructure

135 views • 9 slides
IRODS IN CONTEXT EXPLORING INTEGRATIONS BETWEEN IRODS AND RESEARCHDRIVE / OWNCLOUD HYLKE KOERS,

IRODS IN CONTEXT EXPLORING INTEGRATIONS BETWEEN IRODS AND RESEARCHDRIVE / OWNCLOUD HYLKE KOERS,

IRODS IN CONTEXT EXPLORING INTEGRATIONS BETWEEN IRODS AND RESEARCHDRIVE / OWNCLOUD HYLKE KOERS, GROUP LEADER DATA MANAGEMENT SERVICES Introducing SURF SURF is the collaborative ICT organisation for Dutch education and research SURF offers

534 views • 35 slides
NFSRODS NFSRODS Kory Draughn June 25-28, 2019 korydraughn@renci.org iRODS User Group Meeting

NFSRODS NFSRODS Kory Draughn June 25-28, 2019 korydraughn@renci.org iRODS User Group Meeting

NFSRODS NFSRODS Kory Draughn June 25-28, 2019 korydraughn@renci.org iRODS User Group Meeting 2019 Software Developer, iRODS Consortium Utrecht, Netherlands NFSRODS - Overview What A new iRODS client Presents iRODS as NFSv4.1 Allows an

541 views • 16 slides
Converged& Fault Tolerant& Distributed& Parallel& iRODS. iRODS User Group

Converged& Fault Tolerant& Distributed& Parallel& iRODS. iRODS User Group

Converged& Fault Tolerant& Distributed& Parallel& iRODS. iRODS User Group Meeting 2017 Aaron Gardner June, 2017 Introduction BioTeam is focused on research

1.06k views • 27 slides
Differentiated access control Differentiated access control to graph data to graph data

Differentiated access control Differentiated access control to graph data to graph data

Differentiated access control Differentiated access control to graph data to graph data Application to TinkerPop-compatible Application to TinkerPop-compatible graph databases graph databases Marc de Lignie Marc de Lignie Image courtesy:

596 views • 15 slides
A UTH S COPE : Towards Automatic Discovery of Vulnerable Authorizations in Online Services

A UTH S COPE : Towards Automatic Discovery of Vulnerable Authorizations in Online Services

Introduction Overview Detailed Design Evaluation Related Work Conclusion References A UTH S COPE : Towards Automatic Discovery of Vulnerable Authorizations in Online Services Chaoshun Zuo, Qingchuan Zhao , Zhiqiang Lin University of Texas at

1.4k views • 103 slides
Pros and cons for using LDAP as backend for an RBAC system 3 rd LDAPCon, Heidelberg,

Pros and cons for using LDAP as backend for an RBAC system 3 rd LDAPCon, Heidelberg,

Pros and cons for using LDAP as backend for an RBAC system 3 rd LDAPCon, Heidelberg, 10.-11.10.2011 Peter Gietz, Markus Widmer, DAASI International GmbH Peter.gietz@daasi.de Markus.widmer@daasi.de 1 (c) October 2011 DAASI

815 views • 52 slides
Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of

Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of

Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of achieving confidentiality and integrity) Who can access What Objects : Subjects : Files/ Programs/ Sockets/ User/ process/ application

1.31k views • 50 slides
Automated Analysis of Access Control Policies Alessandro Armando joint work with Silvio Ranise

Automated Analysis of Access Control Policies Alessandro Armando joint work with Silvio Ranise

Automated Analysis of Access Control Policies Alessandro Armando joint work with Silvio Ranise Artificial Intelligence Laboratory (AI-Lab) Security & Trust Research Unit DIST, University of Genova FBK-IRST Genova Trento A. Armando (U.

879 views • 77 slides
CS 683 - Security and Privacy Fall 2019 Instructor: Karim Eldefrawy University of San Francisco

CS 683 - Security and Privacy Fall 2019 Instructor: Karim Eldefrawy University of San Francisco

CS 683 - Security and Privacy Fall 2019 Instructor: Karim Eldefrawy University of San Francisco http://www.cs.usfca.edu/~keldefrawy/teaching /fall2019/cs683/cs683_main.htm 1 Le Lecture 14 14 Access Control 2 Recall: Secu curity Service

943 views • 33 slides
Operating System Security CS 111 Operating Systems Peter Reiher Lecture 17 CS 111 Page 1

Operating System Security CS 111 Operating Systems Peter Reiher Lecture 17 CS 111 Page 1

Operating System Security CS 111 Operating Systems Peter Reiher Lecture 17 CS 111 Page 1 Fall 2015 Outline Basic concepts in computer security Design principles for security Important security tools for operating systems

1.15k views • 64 slides
Access Control Enforcement Access Control Enforcement for Conversation- -based based for

Access Control Enforcement Access Control Enforcement for Conversation- -based based for

The Cyber Center The Cyber Center Access Control Enforcement Access Control Enforcement for Conversation- -based based for Conversation Web Services Web Services Massimo Mecella * Mourad Ouzzani Univ. Roma LA SAPIENZA, Italy Purdue

375 views • 26 slides

More recommend