Details
Original language | English |
---|---|
Title of host publication | Proceedings - 2010 IEEE International Conference on Wireless Communications, Networking and Information Security, WCNIS 2010 |
Pages | 635-639 |
Number of pages | 5 |
Publication status | Published - 1 Jun 2010 |
Event | 2010 IEEE International Conference on Wireless Communications, Networking and Information Security, WCNIS 2010 - Beijing, China. Duration: 25 Jun 2010 → 27 Jun 2010 |
Publication series
Name | Proceedings - 2010 IEEE International Conference on Wireless Communications, Networking and Information Security, WCNIS 2010 |
---|
Abstract
As recent experiments have shown, current Grid infrastructures are highly vulnerable to root exploits. In these attacks, legitimate Grid user credentials were used to compromise vulnerable Grid head and worker nodes. Any such attack against a distributed working environment is critical. However, in the Grid it is particularly devastating: attacks against the head node affect unencrypted Grid proxy certificates. Using these, an attacker can act with the permissions of the original owner, undermining the Grid security concept. Even after the original attack has been detected and the affected systems have been sanitized, the attacker is still in possession of the stolen proxy. In previous work we introduced an auditing infrastructure that gives Grid users a way to reconstruct usage of their delegated credentials and detect their possible abuse. We achieve this by including an X.509 certificate extension in a proxy credential signed by the Grid user - making the user's request to track credential usage tamper-proof. In this paper, we extend the auditing infrastructure by a novel encryption-aware watchdog, which can detect proxy certificate misuse even in the face of complete root compromise of all accessible Grid resources. It correlates network communication in the Grid with the auditing infrastructure and can thus detect proxy certificate misuse and tampering with the auditing framework.
Keywords
- Abuse detection, Auditing, Certificate, Network security, Network sniffing, OCSP, PKI, Proxy certificate, Revocation, Security, SSL, TLS, X.509
ASJC Scopus subject areas
- Computer Science(all)
- Computer Networks and Communications
- Information Systems
Cite this
Proceedings - 2010 IEEE International Conference on Wireless Communications, Networking and Information Security, WCNIS 2010. 2010. p. 635-639 5541857 (Proceedings - 2010 IEEE International Conference on Wireless Communications, Networking and Information Security, WCNIS 2010).
Research output: Chapter in book/report/conference proceeding › Conference contribution › Research › peer review
TY - GEN
T1 - An attack-resilient grid auditing infrastructure
AU - Kunz, Christopher
AU - Wiebelitz, Jan
AU - Smith, Matthew
PY - 2010/6/1
Y1 - 2010/6/1
KW - Abuse detection
KW - Auditing
KW - Certificate
KW - Network security
KW - Network sniffing
KW - OCSP
KW - PKI
KW - Proxy certificate
KW - Revocation
KW - Security
KW - SSL
KW - TLS
KW - X.509
UR - http://www.scopus.com/inward/record.url?scp=77957658761&partnerID=8YFLogxK
U2 - 10.1109/WCINS.2010.5541857
DO - 10.1109/WCINS.2010.5541857
M3 - Conference contribution
AN - SCOPUS:77957658761
SN - 9781424458516
T3 - Proceedings - 2010 IEEE International Conference on Wireless Communications, Networking and Information Security, WCNIS 2010
SP - 635
EP - 639
BT - Proceedings - 2010 IEEE International Conference on Wireless Communications, Networking and Information Security, WCNIS 2010
T2 - 2010 IEEE International Conference on Wireless Communications, Networking and Information Security, WCNIS 2010
Y2 - 25 June 2010 through 27 June 2010
ER -