SC22 Proceedings

The International Conference for High Performance Computing, Networking, Storage, and Analysis

Workshops Archive

SpackNVD: A Vulnerability Audit Tool for Spack Packages

Workshop: First International Workshop on Cyber Security in High Performance Computing (S-HPC 2022)

Authors: Tre' Jeter (Lawrence Livermore National Laboratory, University of Florida); Matthew Bobbitt (Lawrence Livermore National Laboratory, Champlain College); and Barry Rountree (Lawrence Livermore National Laboratory)

Abstract: Security models for Linux distro package security and interoperability have traditionally emphasized the use of more recent (more secure) versions at the occasional expense of execution reproducibility. A complementary approach (e.g., Lmod) allows access to multiple sysadmin-approved package versions. Another approach (e.g., Spack) enables a pure user space approach for package selection without system administrator oversight. While maximizing reproducibility, there is no user feedback regarding potential security vulnerabilities. We introduce a general security model for package management and our implementation of SpackNVD, a security auditing tool for Spack. Users may query reported vulnerabilities for specific package versions and can prevent installation where the severity score exceeds a threshold. We emphasize this is a tool, not a solution: Spack users are not expected to be security professionals. However, this information may influence Spack concretizer decisions, and enable users to ask support staff about whether specific package versions are appropriate for use.

Back to First International Workshop on Cyber Security in High Performance Computing (S-HPC 2022) Archive Listing

Back to Full Workshop Archive Listing