Resource Body Guard - protecting resource from locally executed software

Overview

Condor is capable of executing any program submitted to it. When running on remote resource, a program can perform various activities, such as reading and writing files, opening network connections and communicating with other remote entities, e.g. database, or hierarchical storage. But what if an executable submitted to Condor is a malicious software, e.g. virus, performing these actions to steal confidential information from the execution machines, to distribute spam, initiate distributed coordinated attack on some server, or trying to "just" cause local resource malfunction by filling up /tmp. Condor does not have mechanisms to prevent such attacks, i.e. restrict an access to specific system resources, such as local file system or network. This problem is particularly critical for the pools with resources running MS Windows, mainly due to the fact that it comes with fairly relaxed default security policy.

This current project aims to provide a solution to the problem of resource protection, by allowing to explicitly control Condor-invoked program access to local system resources. We call our solution a Resource Body Guard (RBG). The vision is to be able to specify Access Control Lists for file system and network, together with restricting the intensity of their usage. For instance, we want to allow a Condor program to write to c:\temp directory, but we disallow it to write more than 500 Kbytes per second and not more than 500MB in total.

There are several technical and algorithmic challenges. First, it is vital for RBG to have minimal impact on the locally invoked programs, and on the non-malicious programs invoked by Condor. Second, a running program should not be able to escape from RBG. And finally, RBG is required to interact with Condor resource allocation process in order to minimize the amount of programs which can be known in advance to not be allowed to run on a resource.

We are currently working only on the aspects of the RBG for file system.

Solution design

FS RBG prototype is implemented as a Windows FS filter driver, with the capabilities to monitor activities of particular process or group of processes, and performing efficient ACL table lookup each time the monitored process attempts to access some file. The detailed Requirements document, describing our approach to building the first prototype can be found here . The detailed High Level Design document for our prototype can be found here .