Quoting from http://www.phreedom.org/research/rogue-ca/
“As a proof of concept we executed a practical attack scenario and successfully created a rogue Certification Authority (CA) certificate trusted by all common web browsers. This certificate allows us to impersonate any website on the Internet, including banking and e-commerce sites secured using the HTTPS protocol.”
I wrote a program to look through the trusted certs that came with Firefox 3.0.4 for any CAs with MD5 signature algorithms.
[snip]
UPDATE: the list was not relevant because of a feature of the attack (thanks Thomas). Apparently “only RapidSSL and FreeSSL are practically vulnerable”
UPDATE 2: VeriSign responds, no longer possible with RapidSSL. And they’ve been phasing MD5 out across the board.
Besides the good stuff added to Nimbus, this release also introduces something called the AutoContainer which allows you to set up a Globus Java web services environment, from scratch and with security working, within about a minute (requires Linux/OSX and Java 1.5+).
The main new features provided in this release are tools facilitating the deployment, configuration and management of clouds. We also updated our implementation to match the current Amazon EC2 deployment. In addition, the release contains new documentation and bug fixes.
You can download the new release from:
http://workspace.globus.org/downloads/index.html
The full changelog can be found here:
http://workspace.globus.org/vm/changelog.html#TP2.1
Tom Scavo writes on gridshib-user:
We are pleased to announce GridShib for Globus Toolkit v0.6.1:
http://gridshib.globus.org/downloads/gridshib-gt-0_6_1-src.tar.gz
http://gridshib.globus.org/downloads/gridshib-gt-0_6_1-src.zip
Please visit the GridShib for GT home page for an introduction and links to software and documentation:
http://gridshib.globus.org/docs/gridshib-gt-0.6.1/
This version of GridShib for GT is primarily a bug fix release. There is one new feature, and that is, a refactoring of the blacklisting framework that now permits the blacklisting of identity attributes (such as e-mail addresses) in addition to IP addresses and SAML name identifiers. See the CHANGES file for a complete list of changes in this version:
http://gridshib.globus.org/docs/gridshib-gt-0.6.1/CHANGES.txt
Along with GridShib SAML Tools v0.5.0, version 0.6.1 of GridShib for GT will be included in a Capability Kit to supplement the Coordinated TeraGrid Software and Services (CTSS) stack. This is the next step in a focused effort to deploy GridShib software at both the science gateways and resource providers throughout the TeraGrid. This work is funded by the NSF TeraGrid Grid Integration Group through a sub-award to NCSA.
Thank you for your continued support of GridShib!
For those who haven’t heard about the Xen 0wning Trilogy, make sure to check that out here and here.
In a followup post to some apparent misinformation being spread (Microsoft executive “rebuts” our research!), I was surprised by this comment:
Interestingly, if Mr. Riley only attended our Xen 0wning Trilogy at Black Hat, then he would notice that we were actually very positive about Hyper-V. Of course, I pointed out that Xen 3.3 certainly has a more secure architecture right now, but I also said that I knew (from talking to some MS engineers from the virtualization group) that Hyper-V is going to implement similar features in the next version(s) and that this is very good. I also prized the fact it has only about 100k LOC (vs. about 300k LOC in Xen 3.3).
Xen 3.3 has grown to 300k lines of code for the hypervisor?
At what point does the “tight security auditability” argument start to exponentially diminish for hypervisors in ring 0?
Tom Scavo announces some great news:
Today, it is with great pleasure that the GridShib Project announces the immediate release of GridShib for Globus Toolkit v0.6.0. This release culminates a 20-month effort to bring SAML-based attribute push to X.509-based Grids.
GridShib for Globus Toolkit (GT) is an implementation of a Grid Service Provider, an entity much like a SAML Service Provider but for Grids. A Grid Service Provider consumes X.509-bound SAML tokens, a new type of security token that enables attributed-based authorization in X.509-based Grids.
Most everything you need to know about GridShib for GT is on this web page:
http://gridshib.globus.org/docs/gridshib-gt-0.6.0/readme.html
On this readme page, you will find more detailed information about the GridShib for GT software as well as links to downloads and documentation.
A major advance in this version of GridShib for GT is support for the TeraGrid Science Gateway use case where an intermediary makes a grid request on behalf of a browser user. The Gateway binds a SAML token to an X.509 proxy certificate and makes a request to a gridshib-enabled web service. On the service side, GridShib for GT consumes the SAML token and makes an access control decision based on the security information in the token.
As a SAML-consuming software component, GridShib for GT complements the previously released GridShib SAML Tools and GridShib Certification Authority (CA), which are SAML-producing software components. These three components together enable attribute-based authorization in X.509-based Grids. See the Quick Start for step-by-step instructions that show how to use GridShib for GT v0.6, GridShib SAML Tools v0.3, and GridShib CA v0.5.1 together on Windows and UNIX systems:
http://gridshib.globus.org/docs/gridshib/quick-start.html
For links to all GridShib software downloads and additional documentation, visit the GridShib Downloads page:
http://gridshib.globus.org/download.html
Funding for GridShib software has been provided by the NSF NMI program and the NSF TeraGrid program.
Tom Scavo
For the entire GridShib Team
Very interesting.
Overshadow: A Virtualization-Based Approach to Retrofitting Protection in Commodity Operating Systems
Part of the abstract:
we introduce a virtual-machine-based system called Overshadow that protects the privacy and integrity of application data, even in the event of a total OS compromise. Overshadow presents an application with a normal view of its resources, but the OS with an encrypted view. This allows the operating system to carry out the complex task of managing an application’s resources, without allowing it to read or modify them
We are pleased to announce GridShib SAML Tools v0.3.0, the final release in the v0.3.0 development cycle:
http://gridshib.globus.org/docs/gridshib-saml-tools-0.3.0/readme.html
http://gridshib.globus.org/download.html#saml-tools
The GridShib SAML Tools are a suite of standalone client tools that issue SAML assertions and optionally bind these assertions to X.509 proxy certificates. To try out the software before downloading, visit our online demo:
https://computer.ncsa.uiuc.edu/gst-demo/
The GridShib SAML Tools require only Java 1.4 (or later) and Ant 1.6 (or later). Proxy certificates issued by the SAML Tools are compatible with GridShib for Globus Toolkit v0.6.0 Alpha (or later).
There have been significant changes in this version of the GridShib SAML Tools since the previous release:
http://gridshib.globus.org/docs/gridshib-saml-tools-0.3.0/CHANGES.txt
Important new features of GridShib SAML Tools v0.3.0 include:
- enhanced command-line interface
- new command-line options for the SAML Assertion Issuer Tool, including the option to output a DER-encoded ASN.1 structure
- new X.509 Binding Tool, to bind arbitrary content to a non-critical extension of an X.509 proxy certificate
- new SAML Security Info Tool, for examining the contents of X.509-bound SAML tokens
- expanded Java API, for producing and consuming SAML assertions and X.509 proxy certificates
- support for the TeraGrid Science Gateway Use Case
This development cycle was largely driven by the TeraGrid Science Gateway Use Case:
http://gridshib.globus.org/docs/gridshib-saml-tools-0.3.0/teragrid/readme.html
Science Gateways use the SAML Tools to enable auditing, incident response, and access control in Globus-based grids.
To learn more about this and other use cases, visit the “About GridShib” page:
http://gridshib.globus.org/about.html
While the GridShib SAML Tools produce X.509-bound SAML tokens, the complementary software component GridShib for Globus Toolkit consumes them. The latter is scheduled for release later this month or early next. See the roadmap on the GridShib home page for the latest updates.
Tom Scavo
For the GridShib Team
This Better Know a VM entry, Virtual Cluster Appliances, gives an overview of VM contextualization technology which is scheduled to be part of the next workspace service release. This is not just relevant to classic grid computing, but any situation where you’d like to automatically launch many virtual machines that work together and want them to securely organize themselves and adapt to the deployment environment. It can even be used for one VM, we’ll look at such cases later.
See http://gridshib.globus.org/ for news updates, several new items were just added.
Announce [2007-11-11]
Tom Scavo gives a presentation of a paper entitled A Grid Authorization Model for Science Gateways at the GCE07 Workshop at SC07.
Announce [2007-11-01]
The OASIS membership approves the Metadata Profile for the OASIS Security Assertion Markup Language (SAML) V1.x and the Metadata Extension for SAML V2.0 and V1.x Query Requesters as OASIS Standards. (GridShib implements both of these Standards.)
Announce [2007-10-31]
The OGSA Attribute Exchange Profile Version 1.0 is submitted to the OGF Authz-WG.
Announce [2007-10-12]
A paper by Tom Scavo and Von Welch entitled A Grid Authorization Model for Science Gateways has been accepted by the Grid Computing Environments (GCE) Workshop at SC07.
Announce [2007-10-01]
The GridShib SAML Tools have been integrated into the MAEViz portal.
Announce [2007-09-14]
The GridShib SAML Tools have been integrated into SimpleCred, a component of the SimpleGrid portal framework.
The GridShib Project is pleased to announce the release of GridShib SAML Tools v0.2.0, which is available now from the GridShib Downloads page:
http://gridshib.globus.org/download.html#saml-tools
The GridShib SAML Tools, an easy-to-install, standalone software package requiring only java and ant, let you issue or request SAML assertions and optionally bind these assertions to X.509 proxy certificates. You can try an online demo of the GridShib SAML Tools before downloading:
https://computer.ncsa.uiuc.edu/gst-demo/
Version 0.2.0 of the GridShib SAML Tools includes the following new features:
- New command-line options and configuration parameters (IdP.entityID, authnInstant, dateTime.pattern)
- Support for multi-valued attributes
- Introducing the GridShib Security Framework
- Support for RFC3820-compliant proxy certificates
- Updated Globus SAML Library (source code included)
- Java API (gridshib-common-0_2_0.jar) for developers
See the CHANGES file for a complete list of enhancements and bug fixes:
http://viewcvs.globus.org/viewcvs.cgi/gridshib/saml/tool/java/doc/CHANGES.txt?revision=1.5&view=markup
For developers, there is a Java API (with javadoc documentation) and sample code illustrating the use of the Security Framework. GridShib SAML Tools supports both the production and the consumption of X.509-bound SAML assertions.
GridShib SAML Tools v0.2.0 is compatible with the forthcoming GridShib for GT v0.6.0.
Tom Scavo
for the GridShib Team
Tom Scavo writes:
The GridShib Project is pleased to announce the immediate release of GridShib SAML Tools v0.2.0 Technology Preview 2, the first release of the GridShib SAML Tools specifically for developers.
http://gridshib.globus.org/downloads/gridshib-saml-tools-0_2_0-tp2-src.tar.gz
http://gridshib.globus.org/downloads/gridshib-saml-tools-0_2_0-tp2-src.zip
http://gridshib.globus.org/docs/gridshib-saml-tools-0.2.0-tp2/readme.html
http://gridshib.globus.org/docs/gridshib-saml-tools-0.2.0-tp2/install.html
http://viewcvs.globus.org/viewcvs.cgi/gridshib/saml/tool/java/doc/CHANGES.txt?revision=1.4&view=markup
Technology Preview 2 includes the following new features:
- Support for multi-valued attributes
- Complete source code distribution, including the Globus SAML Library
- New GridShib Common Java API (gridshib-common-0_2_0.jar) includes:
- the GridShib Security Framework, a standalone implementation of the X.509 Binding for SAML Assertions
- the Loadable interface and its implementations
- the EntityMap interface and its implementations
- the GridShib Entity Mapper, a container for EntityMap implementations
- Extensive javadoc documentation
- New top-level build file for developers (available from CVS only)
This is the last TP-level release of v0.2.0. We anticipate the final version of GridShib SAML Tools v0.2.0 will be released Aug 24, 2007.
