1 / 15

Jie Xu (Project PI) A joint 3-year EPSRC/DTI-funded research project involving:

The e-Demand Project (A Demand-Led Service-Based Architecture for Dependable e-Science Applications). Jie Xu (Project PI) A joint 3-year EPSRC/DTI-funded research project involving: Universities of Durham, Leeds and Newcastle. Project Summary. Funding Sources: DTI/EPSRC (THBB/008/00112C)

melvyn
Download Presentation

Jie Xu (Project PI) A joint 3-year EPSRC/DTI-funded research project involving:

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The e-Demand Project(A Demand-Led Service-Based Architecture for Dependable e-Science Applications) Jie Xu (Project PI) A joint 3-year EPSRC/DTI-funded research project involving: Universities of Durham, Leeds and Newcastle

  2. Project Summary Funding Sources: DTI/EPSRC (THBB/008/00112C) Industrial Partners (Sun, Sharp and Sparkle Computer Technology) Total Grant - £636,900 (managed by NEReSC) Duration: April 2002 - April 2005 Investigators: Jie Xu (Distributed Systems & Dependability, Leeds) Keith Bennett (Service-Based Architecture, SoE, Durham) Malcolm Munro & Nick Holliman (Visualisation, CS, Durham) Research Staff: Paul Townend, Nik Looker, Erica Yang, and Stuart Charters Hardware Testbed: A Sun 32 CPU UltraGrid computer connected to a network of Sun servers and workstations (e-Demand Laboratory) and to the White Rose Grid

  3. e-Demand:A Software-BasedSolution The Demand-Led Service-Based Architecture - New service-based model for organising flexible Grid applications - An instance of the service-based test architecture Fault-Injection-Based Evaluation of Grid Middleware - The FITMVS tool, supported by clusters of workstations - Grid-FIT: Evaluation with respect to faults/attacks/performance (The White Rose Grid Booth, see Nik Looker, Binka Gwynne) Support for Dependable e-Science Applications - Instance-Level Authentication and Identity Management & Attack- Tolerant Information Service – ATIR (Dacheng Zhang & Dr. Erica Yang) - FT-Grid: Topologically-Aware Fault Tolerance (Paul Townend) - 3D visualisation service for e-Science Applications (Stuart Charters)

  4. Demand Finding Service consumer Contractor/assembly service provider Catalogue/ontology provider Provision Ultra-late binding Publishing e-Action service Service/solution provider Attack-tolerance service 3D visualization service … Service-based Architecture • The architecture that we started with:

  5. Web Services Architecture WS interface external WS architecture access to internal systems internal WS architecture middleware internal service internal service

  6. Service Description, Discovery and Interactions properties & semantics middleware properties QoS cost WS-transaction business protocols protocol infrastructure Directories WSCL BPEL WS-coordination basic & secure messaging interface WSDL SOAP-messaging common base language XML transport HTTP UDDI Description Discovery Interactions

  7. Execution Environment Workflow/Session Management Service Composition Information Integration System Architecture for e-Demand Service Instances Interactions Run-Time Checking & Monitoring Session Control & Management Security Enforcement • Authorisation of actions Role/Task-based Access Control Policy Management • Authentication Identity management Non-repudiation etc ATIR FT-Grid Grid-FIT Service 1 Service 2 Service 3 Message Encrypt/Decrypt Traffic Monitoring & Filtering Grid-based resources (Built on the UK NGS/ White Rose Grid)

  8. Service Testing Architecture: Grid-FIT • Our testing service currently implements network level fault injection. Middleware boundary Server Response (may contain faults) Client Request (may contain faults) Potentially altered response Potentially altered request Intercepted response Intercepted request Fault/Attack Injector (testing service)

  9. Securing Instance-Level Interactions • A complex Web service business session may span diverse security domains and organisational boundaries • Independent authentication and authorisation mechanisms are often needed to protect Web service business sessions from malicious attacks • These authentication and authorization mechanisms must work at the service instance-level • Suppose that three instances, Consumer, Producer, Shipper, compose a session • Shipper is unknown to Consumer as it is selected by Producer at run time • Based on a certificate from the business authority, Consumer then accepts that Shipper is a legal corporation/entity • Consumer also wants to be sure that Shipper is the assigned instance processing the order • Potential solutions

  10. Service Instance Identification • Two key technical issues to address: 1) The Web service instances within a session have to be identified ID-based solution • Using instance identifiers to explicitly identify Web service instances • Suitable for fine-grained management mechanisms which can exercise more precise control over a business session Token-based solution • Using correlation information to identify the conversation/interactions amongst service instances and then implicitly identify the instances involved • Suitable for coarse-grained management mechanisms with less implementation overload 2) How to generate, distribute, and manage the security keys for enforcing the security boundaries of a business session – so as to achieve effective attack/damage confinement

  11. Business Session Key Management • Various key management solutions have been considered and examined • All participating instances within a given session share a security key • Group communication-based approaches • Public key-based solutions (can be combined with ID-based schemes for instance identification) • Our Instance ID authenticator protocol • is an ID-based scheme • Using the Diffie-Hellman protocol to distribute authentication information amongst participating instances of a session • Providing authentication to Web service instances of the same session by appending the MAC code to the sending messages

  12. System Evaluation: Examples ID-based scheme Scalability Model Token-based scheme

  13. Conclusions (1) • The e-Demand project is multi-faceted – it’s looking at service-based architectures, security, testing and fault tolerance. • The main focus of my talk has been to present some results from the e-Demand project in regard to architectures and instance-level interactions. • Important information about Grid-FIT, FT-Grid and ATIR etc can be found in the conf. proceedings. • Some Grid applications have been supported by the e-Demand architecture and services. • Experience with supporting interactions across organisational boundaries

  14. Conclusions (2) • We have designed and implemented a fairly efficient system that supports dependable instance-level interactions, independent of the underlying Grid systems used • To further enhance the dependability of Grid applications, we have developed mechanisms and services for fault/attack detection and tolerance • We have focussed on assessing the dependability of Grid mechanisms and systems based on fault/attack injection techniques

  15. The Way Forward • Continuous collaboration with NEReSC, the GOLD team, and the GT4 team etc • Wider range of Grid connections for larger scale experiments and assessments – the White Rose Grid, the CoLab Gird between UK and China etc • Grid applications in e-Social science domains (the MoSeS project) • Evaluation with a focus on performance and security

More Related