SpackNVD: A Vulnerability Audit Tool for Spack Packages
Description
Security models for Linux distro package security and interoperability have traditionally emphasized the use of more recent (more secure) versions at the occasional expense of execution reproducibility. A complementary approach (e.g., Lmod) allows access to multiple sysadmin-approved package versions. Another approach (e.g., Spack) enables a pure user space approach for package selection without system administrator oversight. While maximizing reproducibility, there is no user feedback regarding potential security vulnerabilities. We introduce a general security model for package management and our implementation of SpackNVD, a security auditing tool for Spack. Users may query reported vulnerabilities for specific package versions and can prevent installation where the severity score exceeds a threshold. We emphasize this is a tool, not a solution: Spack users are not expected to be security professionals. However, this information may influence Spack concretizer decisions, and enable users to ask support staff about whether specific package versions are appropriate for use.
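To illustrate the version-specific lookup and severity gate the abstract describes, here is an added example (not SpackNVD's own code). It assumes a Spack-style "name@version" spec with purely numeric dotted versions, and uses constructed NVD-shaped records with placeholder CVE identifiers rather than a live NVD query.

```python
# Constructed, NVD-shaped vulnerability records (placeholder ids, not real CVEs).
# Field names mirror NVD CPE match ranges and the CVSS v3 base score.
SAMPLE_NVD_RECORDS = [
    {"id": "CVE-0000-0001", "product": "zlib", "baseScore": 9.8,
     "versionStartIncluding": "1.2.0", "versionEndExcluding": "1.2.12"},
    {"id": "CVE-0000-0002", "product": "zlib", "baseScore": 5.3,
     "versionStartIncluding": "1.0.0", "versionEndIncluding": "1.2.11"},
]


def parse_version(v: str) -> tuple:
    """Turn a dotted numeric version into a tuple so it compares correctly."""
    return tuple(int(p) for p in v.split("."))


def parse_spec(spec: str) -> tuple:
    """Split a Spack-style 'name@version' spec; an explicit version is required."""
    name, _, version = spec.partition("@")
    if not version:
        raise ValueError(f"spec must carry an explicit version: {spec!r}")
    return name, version


def version_in_range(version: str, rec: dict) -> bool:
    """Apply whichever NVD start/end (Including/Excluding) bounds the record has."""
    v = parse_version(version)
    bounds = [("versionStartIncluding", lambda b: v >= b),
              ("versionStartExcluding", lambda b: v > b),
              ("versionEndIncluding", lambda b: v <= b),
              ("versionEndExcluding", lambda b: v < b)]
    return all(ok(parse_version(rec[k])) for k, ok in bounds if k in rec)


def matching_cves(spec: str, records=SAMPLE_NVD_RECORDS) -> list:
    """Return (id, baseScore) for each record whose product and range cover the spec."""
    name, version = parse_spec(spec)
    return [(r["id"], r["baseScore"]) for r in records
            if r["product"] == name and version_in_range(version, r)]


def install_allowed(spec: str, threshold: float, records=SAMPLE_NVD_RECORDS) -> bool:
    """Gate the install: refuse when any matching CVE's score reaches the threshold."""
    return all(score < threshold for _, score in matching_cves(spec, records))


if __name__ == "__main__":
    for spec in ("zlib@1.2.11", "zlib@1.2.12"):
        print(spec, matching_cves(spec), "allowed:", install_allowed(spec, 7.0))
```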
Event Type
Workshop
Time
Friday, 18 November 2022, 10:39am - 11:09am CST
Location
C141-143-149
Registration Categories
W
Tags
Security
Session Formats
Recorded