Improving Mandatory Access Control for HPC clusters

HPC clusters are costly resources, hence nowadays these structures tend to be co-financed by several partners. A cluster administrator has to be designated, whose duties include, amongst others, the prevention of accidental data leakage or theft. Linux has been chosen as an operating system for the...

Bibliographic details
Published in: Future generation computer systems 2013-03, Vol.29 (3), p.876-885
Main authors: Blanc, M., Lalande, J.-F.
Format: Article
Language: eng
Subjects:
Online access: Full text
container_end_page 885
container_issue 3
container_start_page 876
container_title Future generation computer systems
container_volume 29
creator Blanc, M.
Lalande, J.-F.
description HPC clusters are costly resources, hence nowadays these structures tend to be co-financed by several partners. A cluster administrator has to be designated, whose duties include, amongst others, the prevention of accidental data leakage or theft. Linux has been chosen as an operating system for the CEA’s computing platforms. However, strong system security solutions such as SELinux are usually difficult to set up in large environments. This article presents how we have adapted a MAC mechanism in order to enforce confidentiality and integrity between a large number of users. First, we define our security objectives, and show how they direct our technical choices. Then we present how confinement was achieved using the SELinux security mechanism, and how various attack scenarios were addressed. We then focus on the use of Mandatory Categories, access control on high bandwidth network filesystems and the integration of new users and applications. We discuss some residual technical challenges. Finally, we present benchmark results and validate the acceptable performance impact of our deployment on a modern cluster. ► Deployment of Mandatory Access Control in an open HPC cluster. ► Guarantee security properties even in case of vulnerability. ► Integrate constraints of a production environment. ► Ensure a low performance impact. ► Propose solutions regarding network file systems.
doi_str_mv 10.1016/j.future.2012.03.020
format Article
fulltext fulltext
identifier ISSN: 0167-739X
ispartof Future generation computer systems, 2013-03, Vol.29 (3), p.876-885
issn 0167-739X
1872-7115
language eng
recordid cdi_hal_primary_oai_HAL_hal_00691844v1
source Access via ScienceDirect (Elsevier)
subjects Access control
Benchmarking
Computer Science
Cryptography and Security
hpc clusters
title Improving Mandatory Access Control for HPC clusters
url https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2024-12-29T19%3A32%3A37IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-elsevier_hal_p&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=Improving%20Mandatory%20Access%20Control%20for%20HPC%20clusters&rft.jtitle=Future%20generation%20computer%20systems&rft.au=Blanc,%20M.&rft.date=2013-03&rft.volume=29&rft.issue=3&rft.spage=876&rft.epage=885&rft.pages=876-885&rft.issn=0167-739X&rft.eissn=1872-7115&rft_id=info:doi/10.1016/j.future.2012.03.020&rft_dat=%3Celsevier_hal_p%3ES0167739X12000854%3C/elsevier_hal_p%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_id=info:pmid/&rft_els_id=S0167739X12000854&rfr_iscdi=true