Incubator/Proxy-Audit

Proxy-Audit is an Incubator project that provides an auditing infrastructure for proxy certificates in Globus.

This GlobDev project webpage contains information for project committers and contributors.

Project Overview

Proxy-Audit introduces modifications to the Grid Security Infrastructure (GSI) that allow reporting of proxy usage information to a database, giving the end user an opportunity to review by whom and why his credentials were used.

Furthermore, we plan to implement a heuristic method of automated abuse detection for proxy credentials which will give the user a way to easily detect unauthorized usage of their credentials. This method will employ belief networks to model the Grid infrastructures involved. Our approach will help build end user trust in Grid infrastructures and thus help to promote more widespread Grid usage.

From our point of view, Grid infrastructures in general suffer from a lack of trust in the underlying AuthN and AuthZ mechanisms, making adaptation difficult. In our work in the German national Grid (D-Grid), we have heard concerns about delegation via proxy credentials, especially from an industrial point of view. These issues can partially be addressed on a policy level (both technical and political), but lack of transparency on proxy usage can and should be fixed in the toolkit that most modern Grid infrastructures are at least partially based on – Globus.

Implementing a reliable way of tracking all usage of a proxy credential for (further) delegation and authentication would give users valuable additional information. An abuse detection algorithm would help quell credential abuse and aid users and administrators alike. And finally, proxy credential revocation via a standardized protocol would give control over delegations back to the end user who is ultimately responsible for the credential.

Extending RFC3820 proxy certificates

Grid components need to know how to reach the auditing service. We are using an X.509 certificate extension to convey the URL to an auditing web service and – at the same time – act as an indicator that the end user wished to enable auditing of the credential at hand. Inclusion of such information as an X.509 extension has a number of advantages, with the most important being non-repudiation and accessibility – since the proxy credential is available at any Grid resource, no further in-band or out-of-band communication is necessary.

To make sure that only the EEC owner can enable credential auditing, we have only allow the extension to be present in the first proxy certificate; the one that is derived off the EEC and must be delegated using the EEC’s private key.

The ASN.1 representation of the ProxyAudit extension currently looks like this:

id-ProxyAudit OBJECT IDENTIFIER ::= { 1.3.6.1.4.1.18141.3.100.5.1 }
ProxyAudit ::= SEQUENCE SIZE (1..MAX) OF IA5String

Modifications to the GSI

We have modified the globus_l_gsi_proxy_sign_key() function in the libglobus gsi proxy core library supplied with the Globus Toolkit to include the aforementioned extension in a proxy.

Java WS-Core

C libraries

Auditing Web Service

We implemented a WSRF web service that can easily be deployed into an existing Globus Container out of the box – this ensures portability and facilitates adaptation by Grid infrastructure administrators. The service provides the basic functionality of receiving and storing audit trails which are passed as strings via the web service interface. It does so by instantiating an AuditRecord object for each audit record received via the web service interface and storing the received information in that object. The AuditRecord instance is then stored in the back-end database by way of a Data Access Object (DAO).

Abuse detection mechanism

This is not even in the concept status yet - we are evaluating ways to detect possible abuse, including but not limited to Bayesian networks or Petri nets, but maybe even a traditional rule-based approach might be feasible.

Visualization and user front-end

Proof-of-concept front-end

We currently have a very preliminary frontend that is only used to verifiy if auditing hooks and callouts work. The frontend displays basic information as source and target DN, action, timestamp and proxy serial.

Publications

• Kunz, C.; Wiebelitz, J.; Piger, S.; Grimm, C., "A Concept for Grid Credential Lifecycle Management and Heuristic Credential Abuse Detection", Networking and Services, 2009. ICNS '09. Fifth International Conference on, pp.505-510, 20-25 April 2009, Online@IEEExplore
• Kunz, C., Wiebelitz, J., Piger, S., Grimm, C., "A Concept for Grid Credential Lifecycle Management and heuristic Credential Abuse Detection", Parallel and Distributed Computing, 2009, 8th International Symposium on, pp. 245 - 248 (short paper, to be published), DOI: 10.1109/ISPDC.2009.28
• Kunz, C.; Szongott, C.; Wiebelitz, J.; Grimm, C., "Design and Implementation of a Grid Proxy Auditing Infrastructure", 5th IEEE International Conference on eScience (accepted paper)

Project Metadata

Committers

If you would like to become a committer, guidelines are here.

• Christopher Kunz
• Jim Basney
• Tom Scavo
• Von Welch
• Christian Szongott

Mailing Lists

Mailing lists are available, but not yet in use - they are all very low traffic for now.

How to subscribe
How to unsubscribe
Search the email archives

CVS Repository

CVS repository will be available soon.

Bugzilla

Bugzilla project will be available soon.

Policies

In addition to the Globus Alliance Project Guidelines, Proxy-Audit adheres to the following policies:

(none at this time)