June 22–26, 2014
Leipzig, Germany

Session Details

Name: BoF 20: Hacking & Securing Supercomputers
Time: Wednesday, June 25, 2014
03:15 pm - 04:15 pm
Room: Hall 4
CCL - Congress Center Leipzig
Breaks: 04:15 pm - 05:15 pm Coffee Break
Presenter: John Fitzpatrick, MWR InfoSecurity
Abstract: In the relatively short time we have been working with supercomputers, we have been able to uncover a number of significant, high-impact vulnerabilities. These vulnerabilities affect supercomputers manufactured by every major vendor whose systems we have had an opportunity to look at, as well as almost all of the core HPC software and technologies we have targeted. It is probable that every supercomputer in the top 500 is affected by at least some of the vulnerabilities we have uncovered, and if not, affected by something we have not yet found.
In short, the supercomputer industry is trailing behind other industries when it comes to security, and it could take a while to catch up. The intention of this talk is to act as a catalyst in supporting this process. However, for this to be effective, it will require collaboration from several parties including supercomputer vendors, developers, and the end customer.
This talk details the types of vulnerabilities we have identified, and the approach we took in order to discover them. Using real-life examples, this talk will describe how architectural oversights have introduced weaknesses, as well as situations where technologies, used without their threat model being fully considered, have introduced vulnerabilities. The intention is to raise awareness of how security issues can manifest themselves, and allow the audience members to translate this directly onto their own environments, or to the systems or software they produce.
However, understanding these issues is only the first step. Addressing the root cause of security issues is a different matter. A lot of lessons have been learned in the security world, and the intention is to pass on some of these lessons to allow the audience to make better informed decisions when it comes to security. We can't look at every supercomputer, but what we can do is share our experience and security knowledge in order to help everyone involved.