Protection of a Shared HPC Cluster

Abstract : The security of shared High Performance Com- puting clusters is still an open research problem. Existing solutions deal with sandboxing and Discretionary Access Con- trol for controlling remote connections. Guaranteeing security properties for a shared cluster is complex since users demand an environment at the same time efficient and preventing confidentiality and integrity violations. This paper studies two different approaches for protecting remote interactive accesses against malicious operations. Those two approaches leverage the SELinux protection. They have been successfully implemented using standard MAC from SELinux, and guar- antee supplementary security properties thanks to our PIGA HIPS. The paper compares those two different approaches. It presents a real use case for the security of a shared cluster that allows interactive connections for users while preventing confidentiality and integrity violations. We propose a new approach to extend the protection offered by SELinux. One of the two policies studied previously is used as a basis, and PIGA is used to define new security properties that cannot be guaranteed by SELinux. These new properties are defined in the article, in a language specific to PIGA. Their objective is to prevent complex or indirect malicious activities that use combinations of processes and covert channels. Then PIGA analyses the SELinux policy and finds the remaining allowed illegal activities, either direct or indirect. Finally the article shows how PIGA can be used as an HIPS to enforce these new security properties that cannot be enforced by SELinux alone.
Document type :
Conference papers
Liste complète des métadonnées
Contributor : Jérémy Briffaut <>
Submitted on : Monday, April 19, 2010 - 2:59:28 PM
Last modification on : Thursday, January 17, 2019 - 3:06:04 PM


  • HAL Id : hal-00474285, version 1



Jérémy Briffaut, Mathieu Blanc, Thibault Coullet, Maxime Fonda, Christian Toinard. Protection of a Shared HPC Cluster. The Fourth International Conference on Emerging Security Information, Systems and Technologies, Jul 2010, Venice, Italy. pp.273-279, 2010. 〈hal-00474285〉



Record views