Monday, April 20, 2020

Trusted CI Releases Assessment Report for Singularity


In the first half of 2019, Trusted CI collaborated with the Sylabs team and the Open Science Grid (OSG) to assess the security of Singularity (https://sylabs.io/singularity/), an open source container platform optimized for high-performance computing (HPC) and scientific environments. This software assurance engagement is one of the most recent performed by Trusted CI; previous ones have included Open OnDemand and HTCondor-CE.

The goal of Singularity is to provide an easy-to-use, secure, and reproducible environment in which scientists can move their work between computational resources. As more communities use Singularity and collaborate with Sylabs, an in-depth security assessment becomes an important part of the software development process.

In the Trusted CI engagement, we conducted a thorough architectural and code review, performing an in-depth vulnerability assessment of Singularity by applying the First Principles Vulnerability Assessment (FPVA) methodology [1]. The FPVA analysis started by mapping out the architecture and resources of the system (see Figure 1 below), paying attention to the trust and privilege used across the system, and identifying the high-value assets in the system. From there we performed a detailed code inspection of the parts of the code that have access to those high-value assets.

Overall, Singularity is well-engineered with careful attention to detail. In our engagement final report we discuss the parts of Singularity that were inspected and in which no issues were found. These parts included the majority of the functionality involved in executing a Singularity container. Though it is impossible to certify that code is free of vulnerabilities, we have substantially increased our confidence in the security of those parts of the code. We also commented on design complexities where we see no current problems in the code, but which need special care to prevent future vulnerabilities from being introduced when the software is updated. We made a couple of suggestions to enhance the security of Singularity, and we worked with the Singularity team to help improve their documentation related to security features.

Trusted CI, in agreement with Sylabs, published the engagement final report at the following URL: http://hdl.handle.net/2142/104612.

Figure 1. Architectural diagram for Singularity run/exec/shell.

[1] James A. Kupsch, Barton P. Miller, Eduardo César, and Elisa Heymann, "First Principles Vulnerability Assessment", 2010 ACM Cloud Computing Security Workshop (CCSW), Chicago, IL, October 2010.