A security framework for distributed batch computing.

摘要

There is an assumption in the design and implementation of many distributed batch computing systems that once a task enters the system, the system can be fully trusted by all participants, even when the system spans administrative boundaries. As a result, execution hosts and other intermediaries have no way of independently confirming the origin of tasks, attackers have an incentive to attack the intermediaries who handle the tasks, and when results are returned to users, they have no way of determining where and how those results were computed. Users need to be able to specify policies that limit the actions their tasks can perform and the uses to which their delegated credentials can be put, and ways to link these policies to their jobs and credentials.;In this thesis, I address these shortcomings by introducing and analyzing a framework of mechanisms that can be used to reduce the trustworthiness requirements of components in the system. The framework protects execution hosts by making the association between a particular task and a particular user explicit rather than implicit. It protects end users by permitting them to specify a policy regarding task confidentiality and integrity to accompany their tasks. Finally, it protects intermediaries by making them less attractive to attackers. With relaxed trustworthiness requirements on intermediaries, the benefits of sharing tasks and resources between different administrative domains may be realized without relaxing security policies.