[knem-devel] knem security

Mark Dixon m.c.dixon at leeds.ac.uk
Fri Jul 12 11:49:23 CEST 2013

Hi Brice,

Thanks very much for a very, very useful reply :)

On Fri, 12 Jul 2013, Brice Goglin wrote:
> Contrary to Limic, a malicious user cannot create "fake KNEM cookies"
> pointing to memory regions that have not been explicitly declared to
> KNEM by another process.

I find that very reassuring indeed. BTW, when you say Limic, do you 
include the latest versions of LiMIC2 there?

> There has been some talk about restricting cross-application KNEM access
> to same user only. Right now, you would have to restrict accesses to
> /dev/knem to a single user or group to do so.
> KNEM was somehow designed with the idea that it's only used in HPC
> environment, and the idea that people that care about such risks would
> not let multiple users/jobs use the same nodes simultaneously.

We operate in both shared and exclusive node access (depending on what a 
particular job asks for) - so we could enable knem and twiddle /dev/knem 
for exclusive jobs only :)

Unfortunately, users are even more impatient with queuing than with 
application performance. Even if their application is faster with 
exclusive node access, they'll submit jobs that share nodes - it'll run 
earlier because it's easier to schedule :(

So we would find per-user security *very* useful indeed - particularly as 
nodes continue to acquire cores faster than applications are rewritten to 
scale further.

> Does that help?

Greatly :)


Mark Dixon                       Email    : m.c.dixon at leeds.ac.uk
HPC/Grid Systems Support         Tel (int): 35429
Information Systems Services     Tel (ext): +44(0)113 343 5429
University of Leeds, LS2 9JT, UK

More information about the knem-devel mailing list