Wednesday, December 9. 2009
I’m currently at eScience 2009 in Oxford. I’ll present my paper on Friday and try to keep loose track of things via my twitter timeline. Follow me if you want, my paper’s abstract is below.
Design and Implementation of a Grid Proxy Auditing Infrastructure
Christopher Kunz, Christian Szongott, Jan Wiebelitz, Christian Grimm
Regional Computing Center for Lower Saxony, Gottfried Wilhelm Leibniz Universitaet Hannover, Germany
{kunz,szongott,wiebelitz,grimm}@rvs.uni-hannover.de
Abstract
Single sign-on and delegation of rights are key requirements for modern Grid infrastructures. These requirements are usually facilitated by X.509 and Private-Key Infrastructures (PKI) and proxy certificates. Proxy certificates, however, can be obtained and abused by a malicious third party. There is currently no method for end users to detect such abuse. We have designed a solution that enables a thorough auditing of Grid proxy usage in Globus-based Grids and implemented a service that accepts auditing information via a web service interface and saves them to a back-end database. We introduce modifications to the Grid Security Infrastructure that allow sending audit trails from within Globus components if the user desires to track credential usage. A web-based front-end shows all logged information. With our approach, expert users can now closely monitor how their credentials are used after job submission. This will help build trust in Grid infrastructures and delegated authentication and authorization.
Tuesday, August 18. 2009
I have recently installed SilverStripe to test if it fits into our shared hosting concept. Read after the break about my impressions.
Continue reading "First impressions of SilverStripe CMS"
Saturday, May 16. 2009
Over the last months, a drought has started in this blog and the two or three readers that might still be left deserve a status update. In fact, I would like to recap the last couple of months to get my head clear and tell all of you what’s been going on.
If you’re interested in what I’ve been doing these past weeks, just click on the extended entry and you shall be enlightened.
Continue reading "Proof of Life"
Monday, March 2. 2009
As usual, the first day of OGF25 was filled with political and administrative talks. The “Transition to EGI” talk gave an overview about what will happen when the EGEE project transitions into EGI, about what the national Grid initiatives have to do and when to do it. For my taste, the “why” was a bit undercovered, though.
Now, the opening plenary is still underway, with a vivid presentation by a SalesForce representative about all things Cloud. I think he’s getting carried away a bit, but there’s wifi so I don’t mind too much.
For all those who want to read more about different aspects of the conference, you can follow me, EGEE and GridTalk on Twitter, for example. Blog coverage is copious too, with the OGSA-DAI blog and GridTalk to only name a few.
After this talk, I’ll have to decide between data management and workflow management. Both very interesting topics for our GDI-Grid project... Hm.
Thursday, December 11. 2008
Finally, my dissertation project is taking off... my concept paper regarding my thesis idea was accepted to ICNS 2009, the Fifth International Conference on Networking and Services. The paper is titled A Concept for Grid Credential Lifecycle Management and Heuristic Credential Abuse Detection, I’ll upload an abstract here as soon as it’s somehow published.
The conference will take place in Valencia, April 2009, and you can find more details on the ICNS web site.
Thursday, September 11. 2008
It is not usually my custom to comment negatively or nitpick on other people's articles in magazines, especially not in magazines I have written for. This time however, I really must raise my voice to point out a couple of (well, actually a lot of) issues in an article about SQL injection in the current (October/November) issue of the German "PHP Magazin". I stumbled upon this when Pelle Boese of Mobile SEO fame told me about it.
As a couple of you should still remember, I wrote for that magazine until about one and a half years ago. I stopped writing for a couple of reasons. First and foremost, my shift towards Grid computing, my master's thesis and work took too much time. However, the, let's say, lean editorial process always kinda weirded me out. Mostly, manuscripts were printed as written, with no editorial changes at all. This is very trusting, but sometimes leads to fuck-ups like the one below.
Continue reading "Warning about the article "SQL Injection" in current "PHP Magazin""
Wednesday, February 13. 2008
 As a project employee for GDI-Grid (spatial data infrastructure grid), I’ll go to OGF22, the Open Grid Forum later this month. We have organized a session slot of 90 minutes (thanks to Christian Kiehle for that) which is being filled with 3 sessions; one is held by yours truly while the other two are delivered by Christian Kiehle of lat//lon and Andreas Krüger of Technical University Berlin. The nice thing about this is that I finally get to visit the states, although only for a couple days (I’ll be in Boston from 22nd till 26th, return flight’s midday on the 27th). So if anybody is in the vicinity of Boston/Cambridge, MA and cares to have a beer with me, just drop me a line.
Tuesday, June 5. 2007
By now, my master’s thesis should have been submitted for 4 days already... well, it isn’t. On Saturday the 26th of May, I started feeling sick and by Sunday it was evident that I had a tonsillitis (which is not all too unusual since I have that about twice per year). Usually, antibiotics and some pain killers against the sore throat help and the whole thing is done within 2-3 days. This time, however, it wasn’t. After seeing a doctor on Monday (everything was closed since it’s some Christian holiday here, so I had to visit the emergency services), I started taking the antibiotics and quickly went through all the painkillers I still had. Story continues....
Continue reading "A fun way to spend a week"
Thursday, December 8. 2005
In Grid systems, it must be ensured that a user can be uniquely identified at every point and by every component. This is necessary, on the one hand, so that Grid jobs are not submitted in the name (and at the expense) of uninvolved users, and on the other hand, to protect the users' sensitive data and jobs from unauthorized access.
To achieve the goal of unambiguous authentication and gapless identification, today's Grid projects (Globus/gLite) rely on a Public Key Infrastructure (PKI). This establishes a chain of trust based on globally trusted CAs (Certificate Authorities) and uses certificates to authenticate a Grid job.
The MyProxy Credential Repository is based on the idea of using short-lived proxy certificates for the actual jobs, which, if compromised, do not cause problems as severe as a compromised long-lived certificate together with its private key.
The presentation was given together with Ralf Gröper as part of the seminar “Grid-Computing” at the Fachbereich Rechnernetze und Distributed Virtual Reality of the University of Hannover. More info is available here