National Science Foundation (NSF) recently awarded a 3-year grant in the amount of $590,317 to Prof. Zhi Wang, Prof. Xin Yuan, Prof. Viet Tung Hoang, and Dr. Paul van der Mark from FSU Research Computing Center (RCC) for their research in securing high-performance computing. This project, titled “CICI: RSARC: DICE – Data Insurance in the Cluster Environment”, was awarded by the NSF directorate CISE:OACI.
The abstract of the project is as follows: high-performance, distributed computing has become indispensable in solving complex scientific, engineering, and business problems. The integrity of the data generated and stored on computer clusters is of undisputed importance to scientific research and business intelligence, as compromised data can lead to incorrect conclusions and decisions. Unfortunately, existing security mechanisms for high-performance and distributed computing systems are complex, inconsistent, insecure, and difficult to deploy. Many systems utilizing the current security mechanisms simply do not provide sufficient protection and remain vulnerable to even trivial attacks. For example, recent studies have found that thousands of unprotected database installations and computer clusters have been hacked. As such, there is a pressing need to improve the security of high-performance and distributed computing systems.
This project develops a security framework for high-performance and distributed computing systems that employs strong modern cryptographic algorithms, and is easy to reason, deploy, and use without lengthy and error-prone configurations. The project consists of three major components: a container-based virtual cluster, a component to defend against side-channel attacks, and a secure execution ledger for auditing. The first component is the key to enabling authentication, authorization, and data protection for clusters without sacrificing usability or performance. The project team will build the virtual cluster based on the popular Docker container but enhance it with flexible key management, attack surface reduction, and security hardening, including defenses against side-channel attacks. Communications among nodes of a virtual cluster and I/O operations are transparently encrypted to protect the data in transition and at rest. The secure execution ledger provides a global holistic view of program execution in the whole system, allowing auditing the behavior of individual users as well as user groups. By tightly integrating these three components, the project seeks to achieve strong support for the four pillars of the cluster data security: authentication, authorization, auditing, and data protection.