Released 02.23.09
With more than 200 deployments worldwide, NCSA's MyProxy is a core security service in many of today's grid computing infrastructures, including TeraGrid, Enabling Grids for E-sciencE, Earth System Grid, Fusion Grid, and LHC Computing Grid. Today, all of those communities can sleep easier knowing that MyProxy has undergone an independent security evaluation that found no major vulnerabilities.
Jim Kupsch, a security researcher in the University of Wisconsin-Madison Computer Sciences Department, has completed an independent vulnerability assessment of MyProxy. His analysis did not uncover any major security vulnerabilities. The few issues he found were minor and "did not compromise the certificates and their passphrases managed by MyProxy." Kupsch's report credits the simplicity of the MyProxy system design and development model for the small number of issues that were found.
Kupsch's work is part of the Vulnerability Assessment project at UW-Madison led by Barton Miller and funded in part by the National Science Foundation under subcontract with the San Diego Supercomputer Center. The project has also completed vulnerability assessments of Condor and the Storage Resource Broker (SRB), with assessments of gLExec and CrossBroker in progress.
Kupsch reported his findings to Jim Basney, a senior research scientist at NCSA who leads the MyProxy project. Basney released updates to the MyProxy software to address the software bugs discovered by Kupsch's analysis, culminating in this month's release of MyProxy version 4.5. Kupsch's detailed report is now available from the Web sites of the UW-Madison Vulnerability Assessment project and the MyProxy project.
"We are very aware of the trust that people place in the MyProxy software, and we are very careful in our software development practices," Basney explained. "However, having an independent evaluation is extremely reassuring and serves to validate our practices. I am very appreciative of Jim Kupsch's thorough, independent analysis, which has helped us improve the quality and security of the MyProxy software."
MyProxy is mature open-source software that the grid community has been using since 2000. Thirteen developers, from NCSA and from around the world, have contributed to MyProxy over the past nine years. The MyProxy project has been funded primarily by the National Science Foundation through NCSA, the National Laboratory for Applied Network Research (NLANR), the NSF Middleware Initiative (NMI), and the TeraGrid.
While initially designed as a repository for grid credentials to enable secure grid portals, MyProxy has evolved into a full-featured grid authentication solution. MyProxy provides security credentials to TeraGrid users, enabling single sign-on from the TeraGrid User Portal to the 11 TeraGrid partner sites. In the Enabling Grids for E-sciencE project in Europe, MyProxy facilitates renewal of credentials for long-running computations. MyProxy is also used to bridge between grid authentication and other authentication methods such as LDAP and Kerberos.