ViSaG

ViSaG : Virtual Safe GRID

ViSaG is a research project funded by HES-SO (RCSO-TIC, http://tic.rcso.ch/), and realized between September 2010 and January 2012. It focuses on improving the security of a grid computing middleware with the help of virtualization. With the conviction that a decentralized approach brings decisive advantages in grid computing, we investigated how the use of virtual machines can act as the necessary "security isolation" mechanism between the grid activities and the normal use of the computer: the idea is to dynamically wrap the computations in fresh virtual machines, created on the fly when needed. The project includes a demonstration application in the field of video analysis for person detection. We consider a security audit a good way to validate the realization.

Main Results

  • POP-C++ has been extended to (a) systematically use SSH for every communication, and (b) wrap POP-C++ computations in virtual machines. Although our realization uses ESXi virtual machines, we rely on libvirt for most of the virtualization operations. Encrypted communications and VM management are now available in the official release POP-C++ v2.0.
  • Our work gave us the opportunity to study virtualization technologies, and VMware ESXi in particular, in more depth. We synthesized our observations in the form of "best practices" for situations where virtualization technologies are intended to increase the security of a system.
  • A demonstration application has been developed. It is a video analysis program that uses History of Gradients to detect persons in images. The application runs under the new POP-C++ framework. A POP-C++ network of machines located at 2 different sites (hepia - EIA-FR), with different administrative domains and firewalls in between, has been set up to demonstrate that the application can indeed take advantage of heterogeneous grids.
  • A security audit has been conducted following the OSSTMM methodology. The results essentially confirm our hypotheses about the security of our infrastructure.


Participants

  • Prof. Frédéric Bapst (EIA-FR)
  • Prof. Pierre Kuonen (EIA-FR)
  • Prof. Gérald Litzistorf (hepia)
  • Prof. François Tièche (HE-Arc)
  • Prof. Jean-Roland Schuler (EIA-FR)
  • Valentin Clément (EIA-FR)
  • Cédric Penas (hepia)
  • Samuel Nussbaum (HE-Arc)

Documentation

  • Security.pdf: study on virtualization and security in the context of the ViSaG project
  • Road_to_visag.pdf: technical discussion of how POP-C++ has been adapted to assign jobs to ESXi virtual machines, created on-the-fly when needed
  • Popc_secure1.pdf: technical discussion of how POP-C++ has been adapted to systematically use SSH encryption
  • User_manual_addon.pdf: extension of the official POP-C++ user manual, for the ViSaG release
  • VisagSecurityAudit.pdf: report for the security audit of a ViSaG installation