Reliable Accounting in Grid Economic Transactions
Luigi Catuogno¹, Pompeo Faruolo¹, Umberto Ferraro Petrillo¹, and Ivan Visconti²
¹ Dipartimento di Informatica e Applicazioni, Università degli Studi di Salerno
Via S. Allende - 84081 Baronissi (SA), Italy
{luicat,pomfar,umbfer}@dia.unisa.it
² Département d’Informatique, École Normale Supérieure
45, rue d’Ulm, 75230 Paris Cedex 05
[email protected]
Abstract. In the Grid computing model a remote service is provided
by a resource owner to a client. The resource owner executes a client job
and charges the client a corresponding fee. In this paper we discuss
the main weakness of many existing models for performing this kind
of transaction, i.e., the strong assumption that both the resource owner
and the clients are honest. Then, we propose a new security model in
which either the resource owners or the clients (or both) may not be
honest. Our model introduces a trusted third party, referred to as “Grid
Manager”. We describe in detail the role of the Grid Manager and argue
the advantages of our proposal with respect to the current state of the
art.
1 Introduction
Recently, a new model of distributed computing referred to as “Grid computing”
has been emerging. In this model several users share their computational, storage and
communication resources to build a global Grid environment [1]. Client users
are interested in accessing these resources; therefore they locate the resource
providers that best match their requirements and assign them the jobs to be
executed, all with the help of the Grid infrastructure. Grid computing was
initially conceived as a way for the scientific community to execute computationally intensive jobs. Nowadays, Grid computing is rapidly evolving into
a business opportunity in which the actors share their resources in order
to make a profit. This trend has motivated the development of economic models
aiming at defining rules for pricing, trading and charging for services provided
by a Grid. A simple approach that is commonly used to this end is to charge
for the jobs executed on a Grid according to the amount of resources that they
consume. This approach requires the installation of an accounting system in order to measure the resources consumed by a job during its life span,
and to translate this measurement into a chargeable price.
H. Jin, Y. Pan, N. Xiao, and J. Sun (Eds.): GCC 2004 Workshops, LNCS 3252, pp. 514–521, 2004.
© Springer-Verlag Berlin Heidelberg 2004
The existing accounting systems rely on the assumption that all parties of
a Grid economic transaction are honest. We observe that this assumption is
unrealistic. Indeed, both parties of a transaction may cheat in order to increase
their profit. On the one hand, the resource owner could demand payment for an
amount of resources greater than the one that he has actually used for the
fulfillment of a job. On the other hand, a client could refuse to pay for a service
by claiming that he has been cheated.
In this paper, we propose a new model for building a reliable accounting
system. Our model requires the existence of a trusted party in the Grid that
guarantees the execution of reliable Grid economic transactions, even when
clients and resource owners are corrupted. This authority has a trusted
and private computing infrastructure that can be used to verify the amount of
resources needed to execute a job and to compare this information with the one
claimed by a resource owner upon the execution of the same job. The private
infrastructure is also used for performing a periodic verification of the behavior
of the resource owners in order to discover potential frauds.
This paper is organized as follows. In Section 2 we introduce Grid economic
transactions and we briefly review the existing Grid accounting systems. In Section 3 we discuss some of the security issues that arise when implementing Grid
economic transactions. In particular, we discuss some possible tasks that a corrupted resource owner can perform in order to defraud a user by cheating on
the cost of a job. Finally, in Section 4 we present and analyze our model for
performing reliable accounting on the Grid.
2 Grid Economic Transactions
In a typical Grid economic transaction we distinguish two parties: a resource
owner R, that joins a Grid with his hardware and software infrastructure, and
a client C, that asks the Grid for the execution of a job J. The aim of R is to
make a profit by providing his infrastructure for the execution of client jobs. The
aim of C is to execute the job J without having the corresponding hardware
and software infrastructure; thus she pays a fee for obtaining such a service
from the Grid. The interaction between these two parties is mediated by the
Grid infrastructure. This party is a broker that offers to the users the services
needed for discovering, choosing and accessing the resources that best match
their requirements. The execution cost of J is determined according to some
quantitative (e.g., the total amount of resources required for the execution of J)
or qualitative (e.g., the computational power of the server) metrics.
The implementation of Grid transactions where clients are charged according to the resource consumption of their jobs requires the introduction of an
accounting system for measuring and collecting the resource usage data of the
jobs executed on the Grid.
The Open Grid Service Architecture (OGSA) [1], currently the de facto standard for the implementation of Grids, includes an accounting subsystem composed of several services to be used as building blocks for developing a “Grid
economy”. The metering service is used to measure the resource usage of a job.
The rating service concerns the translation of data about consumed resources
into chargeable prices. The accounting service charges a specific user for the cost
computed by the rating service. The billing service interacts with some external
financial services in order to manage users' payments.
The current state of the art includes several accounting systems, such as the Grid
Service Accounting Extensions [2], the Grid Economic Services Architecture [3],
SNUPI [4] and GridBank [5]. In such systems, each grid node runs a “monitor
agent”, a process that measures the resource usage of every job executed by
the node. Measurements are accomplished by means of the operating system
accounting facilities or through the profiling features of the employed real-time
environment (e.g., the Java virtual machine). The agents send the collected
information to a trusted third-party that manages the accounting process.
3 Security Issues in Grid Economic Transactions
The use of any of the existing accounting systems in the fulfillment of a Grid
economic transaction brings up several security issues. Consider the following
metaphor. When a person buys some fruit she can verify its weight by herself
and, thus, she is able to trivially evaluate the corresponding total cost. Such a
verification cannot be performed in Grid transactions when the cost of a job
depends on the resources it requires. Indeed, a user will likely not know in advance the exact amount of resources needed for accomplishing her job. Moreover,
in many cases, she is not able to verify this by herself since she does not have
the corresponding hardware and software infrastructure. Thus, the price that a
user has to pay is determined entirely by the amount of resources that the monitor
agent, running on the resource owner machine, reports.
The strong assumption that all parties are honest does not correspond to the
real context of Grids. Indeed, since the resource owners join a Grid to make
a profit, they are strongly motivated to deviate from the specification of the
standard protocol in order to increase their profit. For instance, a resource owner
can easily cheat by specifying an amount of resources used to execute a job that
is different from (actually greater than) the real one. In a similar way, a
client could refuse to pay for a service by claiming that he has been cheated.
A consequence of such a weakness is that a user pays too much or does not pay
at all and thus the quality of the service offered by the Grid decreases.
Cheating an Accounting System. We now discuss some malicious activities of a
corrupted resource owner that tries to defraud a user by cheating on the amount
of resources consumed for the execution of a job. We observed in Section 2 that
the existing accounting systems meter the resource usage of a job by running a
monitoring software agent on the machine hosting the job itself. This approach
relies on a strong assumption: the monitor agent trusts the hardware and the
operating system it is running on. Indeed, a malicious resource owner could cheat
a monitoring agent that is running on his infrastructure without even modifying
the agent code. This can be done by leveraging the underlying operating system
in order to provide incorrect information to the monitoring software, since this
information is obtained by querying the hosting operating system.
Another possible strategy for cheating is to corrupt the monitoring agent at run time by means of intrusion techniques, such as [6], in order to alter
its execution. In such a case, the other modules of the accounting system that
interact with the monitoring agent do not realize that it has been tampered with.
Finally, a malicious resource owner can also cheat by running a corrupted
monitoring agent instead of the one distributed by the accounting system.
Clearly, in these cases, neither the accounting service nor
the user that issued the job would be able to detect such a fraud.
4 Secure Grid Transactions
In this section we present our architecture for the execution of secure Grid transactions. We first introduce the model on which we base our architecture, then we
describe and analyze the execution of Grid transactions in the proposed model.
4.1 The Model
The accounting and monitoring systems proposed in the past require the existence of a trusted third party (see Section 2). In our model, we follow the same
lead as the previous proposals, assuming the existence of a trusted third party;
in particular, we try to exploit the reliability of such a party in order to design
secure transactions on the Grid. We refer to this party as the Grid Manager (GM), the interface between clients and resource owners (in Section 2 we referred to such a
party as the Grid infrastructure). GM decides which resource of the Grid has to
be used in order to satisfy a client request.
Note that the aim of GM is to have as many resource owners as possible in order
to execute the jobs of many clients. Therefore GM is interested in protecting
both users from corrupted resource owners and resource owners from corrupted
users. To achieve this, GM has a private computing infrastructure
to verify the real amount of resources needed to execute a job. Since GM has an
“institutional” role, we assume that it is the only trusted party of our model.
Monitoring. The execution of a transaction in a Grid is a remote service between
a client that needs the execution of a job and a resource owner that has the
hardware and software resources to execute the job. In the last stage of such a
remote service the resource owner charges the client for the amount of resources
that he has used for executing the job. Since an honest client simply pays the
charged amount, a malicious resource owner could try to cheat by charging the
client for resources that he has not spent during the execution of the job.
GM performs the following monitoring activity in order to detect the existence
of malicious resource owners in the Grid.
– GM maintains a set S of “testing” jobs such that the distribution of the
resources needed for their execution is statistically close to the distribution
of the resources needed by the jobs submitted by the users.
– GM randomly chooses a resource owner and assigns him a job randomly chosen
from S. Note that since the resources needed by the jobs chosen from S
have the same statistical distribution as the resources needed by the jobs
submitted by real clients, the resource owner cannot distinguish a testing
job from a real client job. Consequently, in case a malicious resource owner
tries to cheat, the monitoring of GM detects such a malicious activity.
Note that the trade-off between testing jobs and real client jobs defines a quality
metric of the Grid.
Fraud Verification. The monitoring of GM is not a catch-all solution with respect
to malicious resource owners. In particular, in order to preserve the performance
of the Grid, the workload of the monitoring must be bounded by a percentage
of the overall workload.
The aim of the fraud verification procedure is to detect malicious resource owners that are not
discovered by the monitoring. Fraud verification is a procedure invoked by a
client that feels cheated. In this case GM executes the job on his private infrastructure in order to verify whether the client has been defrauded by the resource
owner.
4.2 The Architecture
In this section we describe our proposal for the execution of reliable transactions
in the Grid computing model introduced above.
Set-Up of the System. GM generates a pair $(pk_{GM}, sk_{GM})$ of public and private keys, respectively, for a secure digital signature scheme. We suggest using
the RSA encryption scheme implemented with the optimal asymmetric encryption padding. This scheme has been proved to be secure (in the adaptive chosen
ciphertext attack sense [7]) in [8] considering the random oracle model [9]. Moreover, GM chooses a function $h$ from a family of collision-resistant hash functions.
We assume that GM possesses a heterogeneous hardware and software infrastructure. Such an infrastructure is composed of a minimal set of heterogeneous
workstations that can be used to measure the amount of resources needed by any
job executed in the Grid. Moreover, we assume that GM possesses a database in
which he can log the transcripts of the transactions performed in the Grid. After
the set-up of the system, GM will also play the role of certification authority.
User Enrollment. The enrollment is a procedure performed by GM along with a
client or a resource owner.
– Client enrollment: The client performs this procedure in order to obtain
the privileges for accessing the Grid. The client generates a key pair $(pk_c, sk_c)$
(with the same requirements described in the set-up) and asks for a digital
certificate. GM verifies the identity of the client and uses his secret key $sk_{GM}$
to compute a standard digital certificate (X509v.3 [10]) corresponding to the
identity of the client and to his public key $pk_c$.
– Resource owner enrollment: The resource owner performs this procedure in order to make his hardware and software infrastructure available to
clients. The resource owner generates a key pair $(pk_r, sk_r)$ (with the same
requirements described in the set-up) and asks for a digital certificate. GM
verifies the identity of the resource owner (optionally, GM could also verify
the hardware and software resources). Finally, as in the previous case, GM
computes a corresponding digital certificate, but in this case the public key
encoded is $pk_r$.
Execution of a Transaction. The execution of a transaction, depicted in Fig. 1,
is a procedure in which all three possible parties are involved: the client C,
the Grid manager GM and the resource owner R. We distinguish the following
steps during the execution of this procedure.
– C submits a job J. He generates a random serial number $s_c$ and uses his
secret key $sk_c$ to compute a digital signature $\hat{J}_c$ of the pair $(J, s_c)$. C sends
the triplet $(J, s_c, \hat{J}_c)$ to GM.
– GM verifies that $\hat{J}_c$ is a valid signature of $(J, s_c)$ with respect to the public
key $pk_c$ and that $s_c$ has never been received in the past from C. Then GM
computes $H_J = h(J)$ and stores the triplet $(H_J, s_c, \hat{J}_c)$ in his database.
Note that the size of the triplet is constant and independent of the size of
the job J. Then GM generates a random serial number $s_{GM}$ and uses $sk_{GM}$
to compute a signature $\hat{H}_J$ of $(H_J, s_{GM})$, chooses a resource owner R among
the available resource owners and sends him $(J, s_{GM}, \hat{H}_J)$.
– R verifies that $\hat{H}_J$ is a valid signature of $(H_J, s_{GM})$ with respect to the public
key of GM and that he has not received in the past the same serial $s_{GM}$ from
GM. Then R executes the job J and measures the resources needed during the
execution. R generates a random serial number $s_r$ and uses his secret key $sk_R$
to compute a signature $\hat{I}_R$ of a digital invoice $I_R$ that includes $(H_J, s_r, s_{GM})$
and a description of the used resources along with their corresponding fee.
The digital invoice $I_R$ and the signature $\hat{I}_R$ are sent to GM.
– GM verifies that $\hat{I}_R$ is a valid signature of $I_R$ with respect to the public key
of R, that the invoice refers to a job previously sent by GM to R and that
no other invoice has been sent by R to GM with respect to the same job.
GM adds his fee and uses his secret key $sk_{GM}$ to compute and sign a new
digital invoice $I_{GM}$ that includes $I_R$. GM sends this payment request to C
and updates the database by adding $I_{GM}$ to the previously stored triplet
corresponding to J.
– C verifies that the digital invoice is correctly signed by GM and that it refers to
the same job J whose execution he asked for. If C has not received
such an invoice in the past, and if the charged amount falls within a given expected
range, then he pays GM the charged amount.
– GM receives the payment of C and pays R his corresponding amount.
If the amount specified in the invoice does not belong to the range expected by
C, he rejects the invoice and asks for a fraud verification procedure, by sending to
GM the job J and the serial number $s_c$ previously submitted. GM computes again
the hash $H_J$ of J and verifies that the same job is referred to in the invoice
received from the resource owner. Then GM executes J in his private trusted
infrastructure in order to measure the resources needed by its execution. If the
invoice was correctly computed, GM again charges a fee to the user since he has
to pay for the use of the private infrastructure. If, instead, the amount specified
in the invoice is greater than the measured one, the user is not charged for
the execution of J. In both cases, a ranking process, such as the one presented
in [11], is run to log these behaviors. The resulting ranks would then be used
to penalize malicious users during the trading phase for the bargaining of new
jobs.
1. A user submits a job.
2. GM chooses a resource owner.
3. GM receives resource usage data.
4. GM sends an invoice to the user.
5. The user submits the same job to GM.
6. GM executes again the job using his PTI.
7. GM receives trusted usage data.
8. GM compares the two outputs.
Fig. 1. A sketch of the fraud verification procedure.
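The checks GM and R perform in the transaction steps and in the fraud verification procedure above, written out as an added Python example (not code from the paper). Assumptions: textbook RSA over SHA-256 with fixed Mersenne primes stands in for the signature scheme and is not secure; SHA-256 stands in for h; the names GridManager, owner_invoice, the invoice field "units", the status strings and the sample job are hypothetical or constructed; GM's trusted measurement is passed in as a number.

```python
import hashlib, json, secrets

E = 65537  # public exponent shared by every toy key

def keygen(a, b):  # toy RSA from Mersenne primes 2^a-1, 2^b-1: NOT secure, demo only
    p, q = 2**a - 1, 2**b - 1
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def _digest(obj, n):
    data = json.dumps(obj, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, obj):
    return pow(_digest(obj, key["n"]), key["d"], key["n"])
def verify(n, obj, sig):
    return pow(sig, E, n) == _digest(obj, n)

def h(job):  # stands for the collision-resistant hash h (SHA-256 assumed)
    return hashlib.sha256(job.encode()).hexdigest()

class GridManager:  # hypothetical name; models only GM's checks
    def __init__(self, key, client_pks, owner_pks):
        self.key, self.client_pks, self.owner_pks = key, client_pks, owner_pks
        self.by_client = {}  # (client, s_c) -> s_GM; doubles as replay cache
        self.db = {}         # s_GM -> record holding H_J, never J itself

    def submit(self, cid, job, s_c, sig, rid):  # C's signature on (J, s_c), fresh s_c
        if not verify(self.client_pks[cid], [job, s_c], sig):
            return "bad-signature", None
        if (cid, s_c) in self.by_client:
            return "replayed-serial", None
        hj, s_gm = h(job), secrets.token_hex(8)
        self.by_client[(cid, s_c)] = s_gm
        self.db[s_gm] = {"hj": hj, "s_c": s_c, "sig": sig, "owner": rid, "invoice": None}
        return "dispatched", (job, s_gm, sign(self.key, [hj, s_gm]))

    def receive_invoice(self, rid, invoice, sig):  # signature, job binding, no duplicate
        if not verify(self.owner_pks[rid], invoice, sig):
            return "bad-signature"
        rec = self.db.get(invoice["s_gm"])
        if rec is None or rec["owner"] != rid or rec["hj"] != invoice["hj"]:
            return "unknown-job"
        if rec["invoice"] is not None:
            return "duplicate-invoice"
        rec["invoice"] = invoice
        return "accepted"

    def fraud_check(self, cid, job, s_c, measured_units):  # re-hash J, compare amounts
        rec = self.db.get(self.by_client.get((cid, s_c)))
        if rec is None or rec["invoice"] is None or rec["hj"] != h(job):
            return "no-matching-invoice"
        return "overcharged" if rec["invoice"]["units"] > measured_units else "invoice-correct"

def owner_invoice(key, gm_pk, dispatch, units, seen_serials):  # R's side of the exchange
    job, s_gm, sig = dispatch
    if not verify(gm_pk, [h(job), s_gm], sig) or s_gm in seen_serials:
        return None  # bad GM signature on (H_J, s_GM) or reused serial
    seen_serials.add(s_gm)
    invoice = {"hj": h(job), "s_r": secrets.token_hex(8), "s_gm": s_gm, "units": units}
    return invoice, sign(key, invoice)

def demo():  # constructed run: submit, replay, inflated invoice sent twice, dispute
    gm_k, c_k, r_k = keygen(607, 521), keygen(127, 107), keygen(89, 61)
    gm = GridManager(gm_k, {"C": c_k["n"]}, {"R": r_k["n"]})
    job, s_c = "render scene-42", secrets.token_hex(8)
    sub = ("C", job, s_c, sign(c_k, [job, s_c]), "R")
    status, dispatch = gm.submit(*sub)
    inv, inv_sig = owner_invoice(r_k, gm_k["n"], dispatch, 900, set())  # R bills 900
    return [status, gm.submit(*sub)[0], gm.receive_invoice("R", inv, inv_sig),
            gm.receive_invoice("R", inv, inv_sig), gm.fraud_check("C", job, s_c, 600)]
```

Calling demo() returns the outcome of each step in order; the last entry is the dispute in which GM's own measurement (600 units) is lower than the 900 units R invoiced.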
Verification Issues. As already discussed, during the fraud verification procedure, GM verifies the invoice generated by a resource owner after the execution
of a job by running the same job in his private trusted infrastructure.
A first consequence is that GM is able to verify only the jobs that can be
executed in its private infrastructure. This is not generally a hard problem
since the number of operating systems and hardware architectures spanning
most of the existing computing infrastructures is small (e.g., Linux/x86, MacOS/PowerPc, Java). By using these architectures in its private infrastructure,
GM would be able to support the verification procedure for a large number of
cases.
A second consequence is that the infrastructure used by GM for verifying a
job could have a different performance (e.g., because of a different clock speed or
a larger amount of physical memory) with respect to the infrastructure used by
the resource owner. More precisely, the resource usage reported by different
machines running the same job with the same data files may not be comparable. Indeed, there are some resources, such as the maximum amount of memory to be
allocated for the execution of a job, that can be measured independently of the
overall performance of the system. On the contrary, there are some resources
whose measurement strongly depends on the overall performance of the system
(e.g., the CPU time assigned to the execution of a job). In this last case we
consider two alternatives. The first alternative is to use some a priori knowledge about the performance of a machine in order to normalize the reported
resource usage. The second alternative is to combine these measurements with
some quantitative information able to describe the total amount of work done by
a system while processing a job (e.g., considering the total number of assembler
instructions issued for the execution of a job).
References
1. Foster, I., Kesselman, C., Nick, J., Tuecke, S.: The Physiology of the Grid: An
Open Grid Services Architecture for Distributed Systems Integration. In: Open
Grid Service Infrastructure WG, Global Grid Forum (2002)
2. Beardsmore, A.: Grid Service Accounting Extensions (GSAX).
http://www.doc.ic.ac.uk/ sjn5/GGF/ggf-rus-gsax-01.pdf
3. Grid Economic Services Architecture (GESA).
http://www.doc.ic.ac.uk/ sjn5/GGF/draft-ggf-gesa-services-1.pdf (2003)
4. Hazlewood, V., Bean, R., Yoshimoto, K.: SNUPI: A grid accounting and performance system employing portal services and RDBMS back-end. In: The 5th LCI
International Conference on Linux Clusters: The HPC Revolution. (2004) 18–20
5. Barmouta, A., Buyya, R.: GridBank: A Grid Accounting Service Architecture
(GASA) for Distributed System Sharing and Integration. In: The 17th International Parallel and Distributed Processing Symposium (IPDPS 2003). (2003) 22–26
6. Cowan, C., Wagle, P., Pu, C., Beattie, S., Walpole, J.: Overflows: Attacks and
Defenses for the Vulnerability of the Decade. In: DARPA Information Survivability
Conference and Expo (DISCEX). Volume 2., IEEE Computer Society Press (2000)
119–129
7. Bellare, M., Desai, A., Pointcheval, D., Rogaway, P.: Relations Among Notions
of Security for Public-Key Encryption Schemes. In: Advances in Cryptology - CRYPTO. (1998) 26–45
8. Fujisaki, E., Okamoto, T., Pointcheval, D., Stern, J.: RSA-OAEP is Secure under the
RSA Assumption. In: Advances in Cryptology - CRYPTO. (2001) 260–274
9. Bellare, M., Rogaway, P.: Random Oracles are Practical: A Paradigm for Designing Efficient Protocols. In: ACM Conference on Computer and Communications
Security. (1993) 62–73
10. Housley, R., Ford, W., Polk, W., Solo, D.: Internet X509 Public Key Infrastructure:
Certificate and CRL Profile. Network Working Group. (2002) RFC 3280
11. W. Chen, W.Z., Yang, G.: On the Malicious Participants Problem in Computational Grid. In: Grid and Cooperative Computing: Second International Workshop (GCC 2003). Volume 3032 of Lecture Notes in Computer Science., Springer-Verlag (2004) 839–848