The ubiquitous SSH package has demonstrated the importance of secure remote login and execution. As remote execution tools grow in popularity, users require new features and extensions, which are difficult to add to existing systems. REX is a remote execution utility with a novel architecture designed for extensibility as well as for security and transparent connection persistence in the face of network complexities such as NAT and dynamic IP addresses. To achieve extensibility, REX bases much of its functionality on a single new abstraction: emulated file descriptor passing across machines. This abstraction is powerful enough for users to extend REX's functionality in many ways without changing the core software or protocol. REX addresses security in two ways. First, the implementation internally leverages file descriptor passing to split the server into several smaller programs, reducing both the amount of privileged code and the amount of code reachable by a remote attacker. Second, REX selectively delegates authority to processes running on remote machines that need to access other resources; this delegation mechanism lets users incrementally construct trust policies for remote machines. Finally, REX provides mechanisms for accessing servers without globally routable IP addresses, and for resuming sessions when a TCP connection aborts or an endpoint's IP address changes. Measurements of the system demonstrate that REX's architecture does not come at the cost of performance.
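The abstract's two uses of file descriptor passing (emulating it across machines, and using it inside the server so that a small privileged component opens resources and hands open descriptors to unprivileged components) both build on one kernel primitive: passing an open descriptor over a Unix-domain socket with SCM_RIGHTS. The block below is an added illustration of that local primitive, not code from REX or the SFS toolkit. A "broker" process opens a file, forks an unprivileged worker, and sends it the descriptor with Python's socket.send_fds; the worker receives it with socket.recv_fds and reads from it without ever learning the path or holding the privilege to open it. The "FD" marker, the temporary file and its contents are constructed for the example.

```python
"""Local file-descriptor passing over a Unix-domain socket (SCM_RIGHTS).

Added example, not REX's code. A privileged "broker" opens a resource and
hands the open descriptor to an unprivileged worker process. The worker gets
capability-style access: exactly the descriptor it was given, nothing else.
Requires Python 3.9+ (socket.send_fds / socket.recv_fds) on a Unix system.
"""
import os
import socket
import tempfile


def open_as_broker(path: str) -> int:
    """Broker side: open the resource read-only and return the descriptor."""
    return os.open(path, os.O_RDONLY)


def run_worker(conn: socket.socket) -> bytes:
    """Worker side: receive exactly one descriptor and read it to EOF.

    The worker never sees a path; it can only use what the broker handed over.
    """
    msg, fds, _flags, _addr = socket.recv_fds(conn, 64, 1)
    if msg != b"FD" or len(fds) != 1:          # "FD" marker is an example convention
        raise RuntimeError("protocol violation: expected one descriptor")
    fd = fds[0]
    try:
        chunks = []
        while True:
            chunk = os.read(fd, 4096)
            if not chunk:
                break
            chunks.append(chunk)
        return b"".join(chunks)
    finally:
        os.close(fd)


def broker_and_worker(path: str) -> bytes:
    """Fork a worker, pass it the descriptor, return what the worker read."""
    broker_end, worker_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    result_r, result_w = os.pipe()            # plain pipe for the worker's report
    pid = os.fork()
    if pid == 0:                               # worker process
        try:
            broker_end.close()
            os.close(result_r)
            data = memoryview(run_worker(worker_end))
            while data:
                data = data[os.write(result_w, data):]
            os._exit(0)
        except BaseException:
            os._exit(1)
    # broker process
    worker_end.close()
    os.close(result_w)
    fd = open_as_broker(path)
    try:
        socket.send_fds(broker_end, [b"FD"], [fd])
    finally:
        os.close(fd)          # the kernel duplicated it in flight; worker holds its own copy
        broker_end.close()
    chunks = []
    while True:
        chunk = os.read(result_r, 4096)
        if not chunk:
            break
        chunks.append(chunk)
    os.close(result_r)
    _, status = os.waitpid(pid, 0)
    if os.waitstatus_to_exitcode(status) != 0:
        raise RuntimeError("worker failed")
    return b"".join(chunks)


def demo() -> bytes:
    """Constructed sample: a temp file stands in for a privileged resource."""
    with tempfile.NamedTemporaryFile("wb", delete=False) as f:
        f.write(b"secret-config: allow user=alice\n")
        path = f.name
    try:
        return broker_and_worker(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

The broker closes its own copy of the descriptor immediately after sending it; the worker still reads the file because SCM_RIGHTS duplicates the descriptor into the receiving process, so the two programs hold independent references. That is the property REX's server split relies on: the component that parses remote input can be given open descriptors instead of the privilege to create them.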
References:

Globus: A Metacomputing Infrastructure Toolkit. Foster, Kesselman, 1997.
Security Architecture for the Internet Protocol. Kent, Atkinson, 1998.
Scale and Performance in a Distributed File System. Howard, Kazar, et al., 1988.
Kerberos: An Authentication Service for Open Network Systems. Steiner, Neuman, et al., 1988.
Authentication in Distributed Systems: Theory and Practice. Lampson, Abadi, et al., 1991.
A Security Architecture for Computational Grids. Foster, Kesselman, et al., 1998.
A Resource Management Architecture for Metacomputing Systems. Czajkowski, Foster, et al., 1998.
Separating Key Management from File System Security. Mazières, Kaminsky, et al., 1999.
Authentication in the Taos Operating System. Wobber, Abadi, et al., 1993.
The Secure Remote Password Protocol. Wu.
GASS: A Data Movement and Access Service for Wide Area Computing Systems. Foster, Kesselman, et al., 1999.
SSH: Secure Login Connections over the Internet. Ylonen, 1996.
A Toolkit for User-Level File Systems. Mazières, 2001.
The Echo Distributed File System. Birrell, Hisgen, et al., 1993.
XDR: External Data Representation Standard. Srinivasan, 1995.
A DNS RR for Specifying the Location of Services. Gulbrandsen, Vixie, 2000.
A Modification of the RSA Public-Key Encryption Procedure. Williams, 1980.
A National-Scale Authentication Infrastructure. Butler, Engert, et al., 2000.
HMAC: Keyed-Hashing for Message Authentication (RFC 2104). Krawczyk, Bellare, et al., 1997.
Preventing Privilege Escalation. Provos, Friedl, et al., 2003.
Reliable Network Connections. Zandy, Miller.
NetPIPE: A Network Protocol Independent Performance Evaluator. Snell, Mikler, et al., 1996.
X.509 Proxy Certificates for Dynamic Delegation. Welch, Foster, et al., 2004.
The Use of Name Spaces in Plan 9. Pike, Presotto, et al., 1993.
A Session-Based Architecture for Internet Mobility. Snoeren, 2002.
Address Allocation for Private Internets (RFC 1918). Rekhter, Moskowitz, et al., 1996.
Security in Plan 9. Cox, Grosse, et al., 2002.
Protection and Control of Information in Multics. Saltzer, 1974.
Stel: Secure Telnet. Vincenzetti, Taino, et al., 1995.
Interprocess Communication in the Eighth Edition UNIX System. Presotto, Ritchie, 1985.
A Stream Cipher Encryption Algorithm "ARCFOUR" (Internet-Draft draft-kaukonen-cipher-arcfour-03.txt). Kaukonen, Thayer, 1999.
Recommendation X.509: The Directory Authentication Framework. CCITT, 1988.
Implementing a Secure rlogin Environment: A Case Study of Using a Secure Network Layer Protocol. Kim, Orman, et al., 1995.