Análise de vulnerabilidades e incidentes de segurança em grades de computação voluntária
Resumo
As Grades de Computação Voluntária, além de apresentar vários dos problemas tradicionais de segurança inerentes aos sistemas informação, possuem seus próprios desafios a serem enfrentados como anonimato dos voluntários, falsificação de resultados e de créditos e projetos mal-intencionados. Este artigo apresenta uma análise dos principais desafios de segurança enfrentados por estes sistemas, os ataques a que eles estão sujeitos e algumas contra-medidas para evitá-los. É apresentado também um histórico dos incidentes ocorridos e das vulnerabilidades descobertas nos principais sistemas.
Referências
Anderson, D. (2001). Wired Cheaters Bow to Peer Pressure. http://www.wired.com/science/discoveries/news/2001/02/41838.
Berkeley (2009). University of California - The Search of Extraterrestrial Intelligence Project. http://setiathome.berkeley.edu/.
BOINC (2006). Do we have a Boinc virus? http://setiathome.berkeley.edu/forum_thread.php?id=27739&nowrap=true.
BOINC (2009a). All Projects Stats.com. http://www.allprojectstats.com/.
BOINC (2009b). Open-source software for volunteer computing and grid computing. http://boinc.berkeley.edu/.
BOINC (2009c). Security issues in volunteer computing. http://boinc.berkeley.edu/trac/wiki/SecurityIssues.
Buyya, R. (2002). Grid Computing Info Centre: Frequently Asked Questions. http://www.gridcomputing.com/gridfaq.html.
CERT.br (2006). Cartilha de Segurança para Internet. Núcleo de Informação e Coordenação do Ponto BR.
Chakrabarti, A., Damodaran, A., and Sengupta, S. (2008). Grid computing security: A taxonomy. IEEE Security and Privacy, 6(1):44–51.
CVE-2001-1553 (2001). Vulnerability Summary for CVE-2001-1553. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1553.
CVE-2003-1118 (2003). Vulnerability Summary for CVE-2003-1118. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-1118.
CVE-2004-1115 (2004). Vulnerability Summary for CVE-2004-1115. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1115.
CVE-2007-4899 (2007). Vulnerability Summary for CVE-2007-4899. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-4899.
CVE-2009-0126 (2009). Vulnerability Summary for CVE-2009-0126. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0126.
Distributed.net (2009a). http://www.distributed.net.
Distributed.net (2009b). Trojans, worms and viruses. http://www.distributed.net/trojans.php.
GIMPS (2009). Great Internet Mersenne Prime Search. http://www.mersenne.org/.
Harrison, A. (2001). Is Distributed Computing A Crime? http://www.securityfocus.com/news/300.
ISC (2008). Internet Domain Survey. http://ftp.isc.org/www/survey/reports/2008/07/.
IWS (2009). Internet World Stats - Usage and Population Statistics. http://www.internetworldstats.com/stats.htm.
Martin, A. and Yau, P.-W. (2007). Grid security: Next steps. Inf. Secur. Tech. Rep., 12(3):113–122.
McAfee (2001). W32/Hadra@M. http://vil.nai.com/vil/content/v_99108.htm.
McNett, D. (1998). MacOS Meggs RC5 Security Advisory. http://lists.distributed.net/pipermail/announce/1998/000049.html.
MITRE (2009). Common Weakness Enumeration. http://cwe.mitre.org/.
Nasby, J. (1999). Spam to distributed.net team members. http://lists.distributed.net/pipermail/announce/1999/000071.html.
NIC.br (2008). TIC Domicílios e Usuários - Pesquisa sobre o Uso das Tecnologias da Informação e da Comunicação no Brasil. http://www.cetic.br/indicadores.htm.
Sarmenta, L. F. G. (2001). Volunteer Computing. PhD thesis, MIT Department of Electrical Engineering and Computer Science.
Sarmenta, L. F. G. (2002). Sabotage-tolerance mechanisms for volunteer computing systems. Future Generation Computer Systems, 18(4):561–572.
SETI@home (2001). Security Issues. http://arstechnica.com/archive/2001/0501-1.html.
Stainforth, D., Martin, A., Simpson, A., Christensen, C., Kettleborough, J., Aina, T., and Allen, M. (2004). Security principles for public-resource modeling research. In WETICE, pages 319–324.
Top500 (2008). Top 500 Supercomputer sites - TOP500 List. http://www.top500.org/list/2008/11/100.
XtremWeb (2009). The Open Source Platform for Desktop Grids. http://www.xtremweb.net/.
Yero, E. J. H., de Oliveira Lucchese, F., Sambatti, F. S., von Zuben, M., and Henriques, M. A. A. (2005). JOIN: the implementation of a Java-based massively parallel grid. Future Gener. Comput. Syst., 21(5):791–810.
Berkeley (2009). University of California - The Search of Extraterrestrial Intelligence Project. http://setiathome.berkeley.edu/.
BOINC (2006). Do we have a Boinc virus? http://setiathome.berkeley.edu/forum_thread.php?id=27739&nowrap=true.
BOINC (2009a). All Projects Stats.com. http://www.allprojectstats.com/.
BOINC (2009b). Open-source software for volunteer computing and grid computing. http://boinc.berkeley.edu/.
BOINC (2009c). Security issues in volunteer computing. http://boinc.berkeley.edu/trac/wiki/SecurityIssues.
Buyya, R. (2002). Grid Computing Info Centre: Frequently Asked Questions. http://www.gridcomputing.com/gridfaq.html.
CERT.br (2006). Cartilha de Segurança para Internet. Núcleo de Informação e Coordenação do Ponto BR.
Chakrabarti, A., Damodaran, A., and Sengupta, S. (2008). Grid computing security: A taxonomy. IEEE Security and Privacy, 6(1):44–51.
CVE-2001-1553 (2001). Vulnerability Summary for CVE-2001-1553. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1553.
CVE-2003-1118 (2003). Vulnerability Summary for CVE-2003-1118. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-1118.
CVE-2004-1115 (2004). Vulnerability Summary for CVE-2004-1115. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1115.
CVE-2007-4899 (2007). Vulnerability Summary for CVE-2007-4899. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-4899.
CVE-2009-0126 (2009). Vulnerability Summary for CVE-2009-0126. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0126.
Distributed.net (2009a). http://www.distributed.net.
Distributed.net (2009b). Trojans, worms and viruses. http://www.distributed.net/trojans.php.
GIMPS (2009). Great Internet Mersenne Prime Search. http://www.mersenne.org/.
Harrison, A. (2001). Is Distributed Computing A Crime? http://www.securityfocus.com/news/300.
ISC (2008). Internet Domain Survey. http://ftp.isc.org/www/survey/reports/2008/07/.
IWS (2009). Internet World Stats - Usage and Population Statistics. http://www.internetworldstats.com/stats.htm.
Martin, A. and Yau, P.-W. (2007). Grid security: Next steps. Inf. Secur. Tech. Rep., 12(3):113–122.
McAfee (2001). W32/Hadra@M. http://vil.nai.com/vil/content/v_99108.htm.
McNett, D. (1998). MacOS Meggs RC5 Security Advisory. http://lists.distributed.net/pipermail/announce/1998/000049.html.
MITRE (2009). Common Weakness Enumeration. http://cwe.mitre.org/.
Nasby, J. (1999). Spam to distributed.net team members. http://lists.distributed.net/pipermail/announce/1999/000071.html.
NIC.br (2008). TIC Domicílios e Usuários - Pesquisa sobre o Uso das Tecnologias da Informação e da Comunicação no Brasil. http://www.cetic.br/indicadores.htm.
Sarmenta, L. F. G. (2001). Volunteer Computing. PhD thesis, MIT Department of Electrical Engineering and Computer Science.
Sarmenta, L. F. G. (2002). Sabotage-tolerance mechanisms for volunteer computing systems. Future Generation Computer Systems, 18(4):561–572.
SETI@home (2001). Security Issues. http://arstechnica.com/archive/2001/0501-1.html.
Stainforth, D., Martin, A., Simpson, A., Christensen, C., Kettleborough, J., Aina, T., and Allen, M. (2004). Security principles for public-resource modeling research. In WETICE, pages 319–324.
Top500 (2008). Top 500 Supercomputer sites - TOP500 List. http://www.top500.org/list/2008/11/100.
XtremWeb (2009). The Open Source Platform for Desktop Grids. http://www.xtremweb.net/.
Yero, E. J. H., de Oliveira Lucchese, F., Sambatti, F. S., von Zuben, M., and Henriques, M. A. A. (2005). JOIN: the implementation of a Java-based massively parallel grid. Future Gener. Comput. Syst., 21(5):791–810.
Publicado
28/09/2009
Como Citar
VON ZUBEN, Miriam; HENRIQUES, Marco Aurélio de Amaral.
Análise de vulnerabilidades e incidentes de segurança em grades de computação voluntária. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 9. , 2009, Campinas.
Anais [...].
Porto Alegre: Sociedade Brasileira de Computação,
2009
.
p. 217-230.
DOI: https://doi.org/10.5753/sbseg.2009.20634.
