OSG AC Report: Security

14 February 2018

Short List:

  • Vulnerabilities since last AC report
  • Next security exercise
  • Security Effort
  • Followup/Questions

Vulns Handled Since 14 Dec:

Linux kernel vulnerability (Dec 19th, 2017)

  • A 'use-after-free' flaw was reported in the Linux kernel, within the XFRM framework; it may lead to privilege escalation when user namespaces are enabled. This vulnerability is exploitable only on systems that have enabled a non-default EL7 kernel boot option allowing the use of unprivileged user namespaces, i.e. the configuration required by the non-setuid version of Singularity.

  • https://ticket.opensciencegrid.org/35687/
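A check a site administrator could run for the condition above, as an added example that is not part of this report or of any OSG tooling: it inspects the kernel command line and the user-namespace sysctl to decide whether a host is in the non-default, exposed configuration. The option names user_namespace.enable=1 and namespace.unpriv_enable=1, and the user.max_user_namespaces sysctl, are assumptions taken from EL7 kernels of that era and are not named in the report.

```shell
#!/bin/sh
# Added example, not from the OSG report: does this EL7 host allow unprivileged
# user namespaces (the non-default configuration the XFRM advisory applies to)?
# Assumption: EL7 kernels of this era enable them via the boot option
# user_namespace.enable=1 or namespace.unpriv_enable=1, and additionally require
# the sysctl user.max_user_namespaces to be non-zero.

# userns_boot_option CMDLINE
# Returns 0 (and prints the option) if CMDLINE contains an enabling option.
userns_boot_option() {
    cmdline="$1"
    for opt in user_namespace.enable=1 namespace.unpriv_enable=1; do
        case " $cmdline " in
            *" $opt "*) echo "$opt"; return 0 ;;
        esac
    done
    return 1
}

# userns_limit_nonzero VALUE
# Returns 0 if the user.max_user_namespaces value is greater than zero.
userns_limit_nonzero() {
    [ "${1:-0}" -gt 0 ] 2>/dev/null
}

# userns_exposure CMDLINE LIMIT
# Prints "exposed" and returns 0 only when both conditions hold; the advisory
# does not apply when either the boot option or the sysctl is left at default.
userns_exposure() {
    if userns_boot_option "$1" >/dev/null && userns_limit_nonzero "$2"; then
        echo "exposed"
        return 0
    fi
    echo "not exposed"
    return 1
}

# Live check on the current host (read-only; the files may be absent on
# non-EL7 kernels, in which case the result is "not exposed").
if [ -r /proc/cmdline ]; then
    limit=0
    [ -r /proc/sys/user/max_user_namespaces ] && limit=$(cat /proc/sys/user/max_user_namespaces)
    printf 'unprivileged user namespaces: %s\n' "$(userns_exposure "$(cat /proc/cmdline)" "$limit")"
fi
```

The exit status of userns_exposure makes the script usable from a fleet-wide inventory job: hosts that return 0 are the ones on which the Singularity-style configuration, and therefore this advisory, actually applies.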

Spectre and Meltdown attacks (Jan 4th, 2018)

  • Two attacks, Meltdown and Spectre, were widely circulated.

  • These exploit design flaws in the way affected processors implement speculative execution of instructions. Exploitation could enable a process to read sensitive data from the memory of any affected computing device.

  • Relevant software patches incur a high performance penalty.

  • https://ticket.grid.iu.edu/35754

  • Two follow-up messages were sent, on Jan 10th and Jan 22nd.
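Once the patches mentioned above are deployed, a site still needs to confirm on each host which of the issues the running kernel considers mitigated. The following script is an added example, not part of this report or of OSG's tooling; it assumes (from patched kernels of that period, not from the report) that the kernel exposes one file per issue under /sys/devices/system/cpu/vulnerabilities/ containing a line such as "Not affected", "Vulnerable" or "Mitigation: PTI". The sample directory it builds when that path is absent is constructed.

```shell
#!/bin/sh
# Added example, not from the OSG report: summarise the kernel's own reporting
# of Meltdown/Spectre mitigation status. Assumption: patched kernels expose
# one file per issue under /sys/devices/system/cpu/vulnerabilities/, each
# containing a line such as "Not affected", "Vulnerable" or "Mitigation: PTI".

# classify_status LINE
# Maps one status line to "ok" (not affected or mitigated), "vulnerable",
# or "unknown" for a format this script does not recognise.
classify_status() {
    case "$1" in
        "Not affected"*|Mitigation:*) echo "ok" ;;
        Vulnerable*)                 echo "vulnerable" ;;
        *)                           echo "unknown" ;;
    esac
}

# vuln_report DIR
# Prints "<issue> <class> (<raw line>)" per file in DIR; returns 1 if any
# issue is reported as vulnerable, so the exit code can drive a fleet check.
vuln_report() {
    dir="$1"
    rc=0
    for f in "$dir"/*; do
        [ -r "$f" ] || continue
        raw=$(cat "$f")
        class=$(classify_status "$raw")
        printf '%s %s (%s)\n' "$(basename "$f")" "$class" "$raw"
        [ "$class" = "vulnerable" ] && rc=1
    done
    return $rc
}

# Constructed sample directory mimicking a partially patched host, for
# offline use; the contents are made up for this example.
make_sample_vulndir() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Not affected\n'    > "$d/spectre_v1"
    printf 'Vulnerable\n'      > "$d/spectre_v2"
    echo "$d"
}

if [ -d /sys/devices/system/cpu/vulnerabilities ]; then
    vuln_report /sys/devices/system/cpu/vulnerabilities || echo "at least one issue unmitigated"
else
    sample=$(make_sample_vulndir)
    vuln_report "$sample" || echo "at least one issue unmitigated"
    rm -rf "$sample"
fi
```

Because the performance penalty of the patches is high, some sites choose to defer or partially apply them; the per-issue classification above is what lets a security team see exactly which hosts are carrying which residual exposure rather than treating "patched" as a single yes/no.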


Future Security Exercises:

  • Our next security exercise will be sometime in March, with a warning email going out a week before.

  • Non-security-team members who would enjoy a turn at playing on the red team (the "attacker" during an exercise) may email Zalak Shah (zsshah@iu.edu) and he'll add you to the list that we pull from for each exercise.

  • We do a postmortem of each exercise on the Monday following the exercise during our regular Security Team call (4:30pm Eastern) if anyone would like to join us (we're on Zoom; email Zalak for connection details).

Security Effort:

  • Over the course of this year, Security Team effort has gone from 1.35 FTE to 0.65 FTE.

  • The security team has cut all of its outside-OSG meetings, and is beginning to cut some internal ones, in order to focus more working time on providing security services to OSG.

  • If you feel something is being overlooked, please drop me an email directly and I'll address it if I can, or at least let you know what effort we do/don't have to put toward a particular issue.

Q & A

(or just throw snowballs at me)