Cluster Security with NVisionCC:The Forseti Distributed File
Integrity Checker
Adam J.Lee??,Gregory A.Koenig??,and William Yurcik?
?National Center for Supercomputing Applications
?Department of Computer Science
University of Illinois at Urbana-Champaign
{adamlee,koenig,byurcik}@https://www.doczj.com/doc/e711358019.html,
Abstract
Attackers who are able to compromise a single node in a high performance computing cluster can use that node as a launch point for a number of malicious ac-tions.In many cases,the password used to log into a single node can be used to access a large number of nodes in the system,allowing the attacker to utilize the vast computing and storage capabilities of the compro-mised cluster to sni?network tra?c,carry out brute-force password cracking,launch distributed denial of service attacks,or serve illegal digital content.Often, these types of attackers modify important system?les to collect passwords to other accounts,disable certain logging facilities,or create back-doors into the system.
In this paper,we present Forseti,a distributed?le integrity checker designed speci?cally for the high per-formance computing cluster environment.Forseti was designed to address the shortcomings exhibited by ex-isting host-based intrusion detection systems when used in the cluster environment and to provide a means of detecting changes to critical system?les made by root-level adversaries.We discuss the design and implemen-tation of the Forseti system,present a security analysis of Forseti,examine the performance of the system,and explore how Forseti can be used in concert with other security monitoring techniques to enhance the security of the HPC cluster environment.
1Introduction
Over the course of the last two years,the security of large-scale commodity clusters has become a topic of increasing research and practical interest.Attack-ers who are able to compromise a single node in one of these clusters can use that node as a launch point for a number of malicious actions.In many cases,the password used to log into a single node can be used to access a large number of nodes in the system,al-lowing the attacker to utilize the vast computing and storage capabilities of the compromised cluster to carry out brute-force password cracking,launch distributed denial of service attacks,or serve illegal digital content. Additionally,an attacker can listen to network tra?c for other users to log into their compromised nodes in hopes of learning passwords for other accounts on these systems.
The recent rise in popularity of grid computing has exacerbated this problem by increasing the amount of damage that can be caused with a single compro-mised account.Often times,a password used to log into one cluster node can be used not only to log into other nodes in the same cluster,but also to log into other clusters located throughout the computational grid.This implies that the compromise of a single ac-count on a single cluster node could give an attacker the ability to access many thousands of geographically dis-tributed cluster nodes.The high utilization of clusters participating in grid computing systems allows an at-tacker sni?ng for passwords on a compromised node to gain access to an extremely high number of other user accounts.This technique is not conjecture and was, in fact,used during the TeraGrid compromises that af-fected a large number of clusters world-wide during the Spring of2004[11].During this time period,attackers installed Trojan-horse sshd processes designed to cap-ture the passwords of users logging into compromised nodes so that these passwords could then be used to compromise other nodes throughout the grid.
Host-based?le integrity checkers(e.g.,[2,4,6,10, 12,15,18,24])have been used to help detect these types of attacks on hosts in enterprise computing sys-tems for a number of years.These tools are activated
periodically(usually by means of a scheduler such as cron),to check various properties of critical system ?les,including access permissions,timestamps,and content hashes.These properties are compared to ref-erence values stored in a read-only database;?les whose values di?er from the reference cause an alert to be raised,such as an entry in the system log or an email being sent to the system administrator.Though these systems have worked well in enterprise computing,they su?er several shortcomings when used in large-scale commodity clusters.Installing and managing these tools on the hundreds or thousands of nodes in a large cluster is a time-consuming process involving changes to each node when system software is upgraded.Ad-ditionally,if the signature database is stored on each node,attackers can relatively easily change the the ref-erence copy of the?le https://www.doczj.com/doc/e711358019.html,stly,e?ectively logging the access violations can pose a problem if an attacker has gained root access to the machine,as they could disrupt the logging mechanism and easily cover their tracks.
To address the shortcomings of host-based?le in-tegrity checkers while retaining their strengths,we have designed Forseti,a distributed?le integrity checker that meets the unique needs of the HPC cluster en-vironment.In our tool,the?le integrity database is separated from the nodes to be monitored and by lever-aging the emergent properties of the HPC cluster com-puting environment[25],we can signi?cantly reduce the size of this database.Cluster nodes cannot access the database,meaning that an attacker who has com-promised some number of nodes in the system cannot alter the stored?le signatures.Our system relies on a collector node(not necessarily part of the cluster)to carry out the integrity scans by making remote connec-tions to the nodes in the system,pushing the necessary software to the system,and carrying out the scan.In this way,Forseti has no software footprint on the nodes to be monitored and adding a new node to be scanned is as simple as updating the database to inform the collector node of this change.This system is robust to individual node compromises and,though not fool-proof,is signi?cantly harder to defeat than other host-based systems performing similar function;had Forseti been deployed during the Spring of2004,the TeraGrid attacks could have been detected and stopped much earlier than they were.
The rest of this paper is organized as follows.In Section2we describe our threat model and discuss the conditions in which integrity monitoring can aid in the security monitoring of large-scale commodity clusters. Section3brie?y discusses the design of NVisionCC, the cluster monitoring tool with which Forseti inter-acts.In Section4,we discuss the implementation of our distributed integrity checker and detail its inter-actions with cluster nodes and NVisionCC.We revisit our threat model and discuss the performance of this scanner in Section5,and address related work in Sec-tion6.We then present our conclusions and directions for future work in Section7.
2Threat Model
Throughout this paper,we focus on the use of?le integrity checking as a single tool at the disposal of sys-tem administrators tasked with monitoring the security state of large-scale commodity clusters.As such,we do not advocate the use of Forseti to detect all forms of cluster intrusion,but rather to locate only a particu-lar class of attacks.Any anomalies detected through the use of?le integrity checking are meant to be cross-referenced and correlated with the?ndings of other se-curity monitoring techniques—a task which our com-prehensive cluster monitoring tool,NVisionCC,is de-signed to carry out(e.g.,by examining running system processes[13],open network ports[14],or detecting privilege escalations[20]).
File integrity checking allows system administrators to be noti?ed when the contents or permissions of key system?les is changed.Many times,attackers who compromise nodes in a cluster do so with the intent of carrying out password gathering attacks to escalate their privilege set and gain access to other nodes or clusters.These attacks are usually carried out through the use of rootkits or Trojan-horse system utilities.The tool presented in this paper focuses on attacks executed by a root-level adversary that involve the modi?cation of system?les.In particular,we assume our adversary has the ability to insert,reorder,and replay messages sent on the network,arbitrarily modify?les stored on the compromised nodes,and perform any number of administrative tasks(e.g.,starting and stopping sys-tem services)on the nodes which have been compro-mised.Throughout this paper,we assume that any individual node in the cluster can be compromised and used to carry out arbitrary tasks on behalf of an at-tacker.We relax this assumption and discuss the use of Forseti in single-image clusters(e.g.,Clustermatic systems)in Section5.4.
3Design
In this section,we comment brie?y on the emergent properties of large-scale commodity clusters and de-scribe the ways in which these properties can be used
large-scale commodity clusters,many individual nodes are collected together to form a single logical comput-ing environment.When this larger computing envi-ronment is examined as a whole,a number of useful properties can be observed;the tool presented in this paper leverages one such observation.
The predominant emergent property present in large-scale commodity clusters is the ability to parti-tion the hundreds or thousands of individual nodes into a small number of equivalence classes.Nodes within the same equivalence class are con?gured similarly and exhibit like behaviors.For instance,nodes within the same equivalence class are typically built from the same system images and will thus be con?gured to run the same sets of system services,contain the same system binaries,and exhibit similar communication patterns with other nodes in the system.A list of commonly observed equivalence classes is provided in Table1.
In a previous work[25],we showed that emergent 3.2NVisionCC
NVisionCC is an extension to the Clumon[9]cluster monitoring package which has been enhanced to moni-tor the security-state of large-scale commodity clusters by leveraging their emergent properties[26].As shown in Figure1,the NVisionCC architecture consists of four distinct parts:collection nodes,security analyz-ers,a database,and a web server.Security monitoring within the NVisionCC framework takes place in three phases:information collection,security analysis,and visualization.
During the information collection phase,the NVi-sionCC plug-ins installed on each collector node gather information from the nodes in the cluster through the use of either push or pull mechanisms.Once collected, this information is logged to the NVisionCC database where it can be accessed by other components in the
Equivalence Class Description
Head Head nodes provide an in-
terface for end users to ac-
cess the cluster
Compute Nodes in this class carry out
computations on behalf of
scheduled jobs
Storage Storage nodes provide and
interface to the cluster’s
storage subsystems Management These nodes host the cluster
management software Monitor Nodes in this class may host
cluster performance moni-
toring software
https://www.doczj.com/doc/e711358019.html,mon node equivalence classes system.In addition to containing the observations gathered during the information collection phase,the NVisionCC database is also used to store expected-value pro?les for each of the data items gathered by its plug-ins.Due to the emergent structure of the cluster environment,these pro?les can usually be stored on a per-equivalence-class basis,rather than a per-node basis,thereby greatly reducing the e?ort required to manage the cluster node pro?les.
During security analysis,one or more security ana-lyzer nodes parse the information stored in the NVi-sionCC database to search for unusual patterns.The information returned by the collector nodes is cross-referenced with the appropriate equivalence-class pro-?les stored in the database and any deviations from the expected are logged to an alerts table in the database. Though the information collection and security analy-sis phases of NVisionCC’s operation are logically two separate processes,it is sometimes the case that a par-ticular plug-in executes these two logical processes us-ing a single system process.
The alerts table in the database contains various data about the possible security violations detected by the NVisionCC plug-ins,including the time of the ob-servation,the type of discrepancy detected,and the severity of the deviation.The NVisionCC front-end is a PHP-enabled web-page that allows the current sta-tus of the cluster,including all current alerts,to be visualized on a single screen.Security administrators can access this interface from their workstations to as-sess the security-state of their cluster and take reactive measures to the security alerts that are raised by NVi-sionCC.
node-at-a-time
Figure2.Forseti architecture diagram
3.3Forseti
We now highlight how the Forseti distributed?le integrity checker?ts into the NVisionCC monitoring paradigm.Figure2shows an overview of the Forseti architecture.Essentially,the components of the system can be broken up into three groups:the monitor node (or nodes),the NVisionCC database,and the cluster itself.In addition to containing the con?guration in-formation for NVisionCC,the NVisionCC database is also augmented to contain con?guration information needed by Forseti,including node last scan times and stored signatures for the?les being monitored.
By utilizing the information stored in the NVi-sionCC database,the“monitor node”shown in Fig-ure2actually embodies the functionality of both the “collector node”and“security analyzer”shown in Fig-ure1.This node retrieves equivalence class pro?les from the database,carries out a connection-oriented scan of each node in the cluster and reports any devia-tions from the stored pro?le to the error log table in the NVisionCC database.Detailing and analyzing this scan process in depth is the focus of the remainder of this paper.
4Implementation
In this section,we discuss the design of Forseti, our distributed?le integrity checker.In particular,we overview the setup and con?guration of Forseti and discuss the monitoring process in full detail.
Field Format Description
host type char(60)The equivalence class of hosts that this row applies to.This is a foreign key
linking to the host types table in the NVisionCC database.
filename char(255)The name of a?le that should be monitored by the integrity checker.
sig1char(128)The signature of the?le filename computed using hash algorithm1.·········
sig N char(128)The signature of the?le filename computed using hash algorithm N.
Table2.The file sigs table
4.1Setup
Prior to con?guring NVisionCC to make use of Forseti,the NVisionCC database must be aug-mented to support the integrity checker.The?rst step of this process entails creating the file sigs and forseti last scan database tables required by Forseti.The file sigs table is used to hold the base-line?le signature information for nodes in the cluster. The format of the this table is described in Table2. The forseti last scan table is used by Forseti to keep track of the date and time that each node in the cluster was last successfully integrity checked.We dis-cuss the importance of this table further in Section5.2.
To facilitate the creation of the file sigs table, we have provided config.pl,a Perl script that is to be run from the collector node during the installation process.This script takes as parameters the paths to any number of programs which can be used to com-pute the hash value of the contents of a?le.These pro-grams must conform to the input argument format and digest output format of the Gnu utilities md5sum and sha1sum.Given this list of hash programs,config.pl creates an instance of the file sigs table in the NVi-sionCC database containing one sig column for each hash program(e.g.,if N hash programs are supplied as arguments to config.pl the columns sig1,...,sig N are created).This allows multiple hash values to be stored for each?le being monitored;the importance of storing multiple hash values will be discussed in detail in Section5.2.The config.pl script also generates the other scripts needed by the distributed integrity checker:update sigs.pl and forseti.pl.
After the file sigs table has been created by config.pl,it must be populated with the names of the ?les that are to be monitored and their corresponding signatures.To this end,the update sigs.pl script is to be run once for each equivalence class of nodes in the cluster.At the start of its execution,update sigs.pl is provided with the name of an equivalence class and a list of?les that should be monitored.The script then connects to a representative node of the speci?ed equiv-alence class and copies over the speci?ed hash compu-tation binaries.At this point,each of the N signatures that will be stored in the file sigs table are generated for each of the?les that are to be monitored by Forseti. The information gathered during this process is then inserted into the file sigs table and forms the basis of comparison used each time that Forseti is invoked by NVisionCC.For obvious reasons,it is imperative that the entirety of this setup phase takes place with-out interference;we fully address this requirement in Section5.1.
4.2Monitoring
After the NVisionCC database has been updated to support Forseti,the Forseti plug-in can be activated; this process occurs at an interval which can be con?g-ured from within NVisionCC.Once activated,Forseti follows a very basic algorithm to check for modi?ca-tions to the?les whose signatures were imported to the file sigs table during the previously described setup phase.This process is presented in detail in Figure3.
Forseti takes a very methodical approach to checking the integrity of?les on the nodes of the cluster.The set of nodes is?rst partitioned based on equivalence class and then scanned one partition at a time(Figure3, lines2–6).This allows us to minimize database trans-actions and prevents the integrity scanner from slowing down other NVisionCC plug-ins.Prior to scanning a node,Forseti randomly chooses a hash algorithm and copies a randomly-renamed binary implementing that algorithm over to the cluster node using SCP(Figure3, lines8–11).An SSH session is then opened to the node which is used to execute the hash program on the?les that are to be monitored for that equivalence class and gather the corresponding signatures(Figure3,lines12–13).
In addition to performing the tasks associated with the NVisionCC processing stage of data collection, the forseti.pl script also performs the data analysis stage by comparing the signatures returned during the scan to their expected values and reporting any errors to the NVisionCC database(Figure3,lines14–16).We
1:{#The forseti.pl script}
2:Let C be the set of node equivalence classes
3:for all c∈C do
4:Let N be the set of nodes of type c stored in the NVisionCC database
5:Retrieve F c,the list of?les to be integrity checked for equivalence class c,from the NVi-
sionCC database
6:Retrieve S c,the signatures of the?les in F c, from the NVisionCC database
7:for all n∈N do
8:Choose a hash algorithm,alg,at random
9:Choose a random string,str
10:Rename the binary implementing alg to str 11:SCP str to node n
12:Establish an SSH connection to n
13:Compute str(F c),the hash of each?le in
F c using str
14:if any h∈str(F c)di?ers from its corre-sponding h ∈S c then
15:Log an alert to the NVisionCC database 16:end if
17:Update last scans table for node n
18:end for
19:end for
Figure3.Pseudocode describing the integrity
checking process
have found that in this case,it is more e?cient to com-bine the information gathering and signature mapping as one step and thus take advantage of NVisionCC’s ?exibility to do so.After this process has been com-pleted,the last scan time for the current node is up-dated to re?ect the current time(Figure3,line17).
It is important to note that the account used by Forseti to log into the cluster nodes and carry out its scans should be an unprivileged(i.e.,non-root)ac-count.Forseti requires only read access to the?les that it should monitor,thus it is highly recommended that administrators create an extremely low-privilege “forseti”user with which to carry out these scans.
5Discussion
In this section,we discuss our implementation of Forseti.In particular,we draw attention to how Forseti address the threats identi?ed in our threat model,dis-cuss possible attacks against Forseti,comment its per-formance,and summarize the bene?ts of the Forseti distributed?le integrity checker.
5.1A Key Assumption
Prior to addressing the security of Forseti,we must make one key assumption regarding the state of the NVisionCC database.
Assumption.The NVisionCC database contains ac-curate information.This implies that the database was set up correctly and was not tampered with after instal-lation.
For obvious reasons,it is imperative that the en-tirety of the setup phase takes place using an un-compromised collector node which builds its signature pro?les by contacting uncompromised representative nodes.This is easily accomplished in practice.The col-lector nodes used by NVisionCC should be con?gured to refuse all incoming connections,e?ectively“hard-ening”them against attack.In addition,rather than pro?ling nodes that exist in the cluster,the image for the equivalence class being pro?led should be installed on a fresh node which is disconnected from the rest of the cluster(e.g.,it could be connected to the collector node via a separate management network).In this way, a careful administrator can ensure that the file sigs table contains correct values at the time that it is cre-ated.
To protect the integrity of the NVisionCC database after it is con?gured,it is important to ensure that nodes in the cluster have no means of accessing the NVisionCC database.This is easily accomplished by disabling all access to the database server aside from requests originating from known collector nodes and the management consoles of system administrators.As the collector nodes should be con?gured to block all incoming access requests,it is highly likely that they will remain uncompromised and will not corrupt the NVisionCC database.For these reasons,we do not feel that assuming an accurate NVisionCC database is unreasonable.
5.2Security Analysis
In the threat model presented in Section2,we in-dicated that we assume that our adversary has gained root-level access to some number of nodes in the clus-ter that Forseti is monitoring.In these types of at-tacks,important system?les are often modi?ed;Sec-tion4focused on how Forseti can be used to detect such attacks.However,we cannot consider Forseti to be a comprehensive solution until we have considered scenarios in which the root-level adversary attacks the
Forseti system directly in an e?ort to cover his or her tracks.We now address several such scenarios.
Con?guration Attacks
One common class of attacks against?le integrity mon-itors involves altering the con?guration of the integrity scanning software itself.In general,these types of con-?guration changes can take one of three forms:(1)al-tering the signature database,(2)stopping the scanner altogether so that failed integrity checks are never re-ported,or(3)altering the reporting process which logs integrity violations.We claim that Forseti is resistant to each of these classes of con?guration attack.
With respect to attack(1),we have made the as-sumption in Section5.1that the cluster monitoring network has been con?gured in such as way as to pre-vent unauthorized entities from modifying the NVi-sionCC database.Since the?le integrity signatures are stored in this database rather than on the nodes themselves,Forseti is in fact resistant to this class of attacks.
Forseti is resistant to attack classes(2)and(3)be-cause these processes are not under the control of the compromised host.The?le integrity scans are initiated by a remote collector node,not a local process such as cron.In this way,a compromised cluster node cannot alter the frequency with which integrity checks are ini-tiated.In addition,the reporting process which inserts alerts into the NVisionCC database runs on the col-lector node and thus is not subject to tampering from a compromised cluster node.As mentioned in Sec-tion5.1,the NVisionCC database should only be acces-sible to collector nodes and the management consoles of system administrators,Forseti is resistant against log tampering by a compromised node.This is in sharp contrast to other systems in which the reporting pro-cess takes place locally on the node being monitored and can thus be tampered with by the attacker. Result Spoo?ng
In result spoo?ng attacks,attackers modify the?le hash binary to return a correct hash value despite the fact that the?le being integrity checked has been al-tered.This is often accomplished by modifying the hash binary so that it hashes?les that the attacker has not modi?ed,but returns a cached result for?les that have been tampered with by the attacker.Other times, hashes are redirected to unmodi?ed“reference”copies of modi?ed?les so that a hash computation actually takes place,though an outdated?le is hashed.Forseti o?ers two lines of defense against this particular attack.
Algorithm Output length
MD5[17]128bit
SHA-1[1]160bit
SHA-256256bit
SHA-384384bit
SHA-512512bit
TIGER-192[3]192bit
RIPEMD-160[7]160bit
Table3.Possible hash algorithms for use by
Forseti
The?rst line of defense against this attack addresses the threat of a modi?ed hash binary.To mitigate this threat,Forseti generates a random?lename for the hash binary that is to be used during the integrity checking process and then copies this binary to the node being monitored at scan time.Copying a fresh binary to the node being monitored decreases the risk of the binary being modi?ed before the integrity check is run and the random?lename increases the di?culty that an attacker would have to carry out a execution-path attack,in which an old binary could be run de-spite the fact that a new binary was just copied.In short,an attacker cannot easily attack a binary that they cannot?nd.
The second defense against this attack is Forseti’s support for multiple hash algorithms.Rather than us-ing the supported hash algorithms in some preset or-der,Forseti randomly chooses the hash algorithm to be used to check the?le integrity of a particular node at runtime.This random choice implies that any at-tacker who attempts to pass old scan results to the col-lector node has a probability of success of1/N where N is the number of scan algorithms con?gured during the installation process discussed in Section4.1.Ta-ble3lists a number of candidate algorithms for use by Forseti.A secondary bene?t of Forseti being agnos-tic with respect to the hash algorithms used is that as collisions and other insecurities are discovered in some algorithms(e.g.,[22,21]),they are easily replaced. Availability Attacks
Another way in which an attacker can prevent Forseti from reporting changes to the?les that it monitors is by preventing the integrity checks initiated by the col-lector node from completing successfully.For instance, an easy way to accomplish this task is to prevent the collector node from logging into the cluster nodes to complete the requisite integrity checks.This can be accomplished by disabling the account used to log into
the cluster nodes during the integrity checking process.
Forseti takes a conservative approach to solving this problem.Recall from Figure3that Forseti keeps track of the last time that each node was successfully in-tegrity checked.It is trivial to write another NVi-sionCC plug-in that checks the forseti last scans table and raises an alert if a certain node has not been successfully integrity checked for some period of time, thereby alerting administrators to potential attacks on the Forseti system.This,however,is at the cost of in-creased attack false-positives in the event that a node is down for maintenance.However,in many cases the person monitoring the NVisionCC alert display will be aware of the maintenance operation and can thus dis-miss the alert.In the future,we plan to incorporate this check of the forseti last scans table into Forseti itself.
Intercepted System Calls
One serious attack against any?le integrity checking program can occur when the attacker has the ability to modify the system call table in the operating system kernel.If the attacker has this ability,he can inter-cept calls to the hash binary executed by the Forseti integrity checker and redirect these calls to unmodi?ed reference copies of the?les to be integrity checked1. This is very obviously a serious attack,as the user-level process running the integrity check will have no way of detecting that the results were falsi?ed.
In general,a user-level process has very little means of recourse when running on a compromised operating system,as the trusted computing base can no longer be trusted.As a result,this attack could be launched against any?le integrity checker,not just Forseti.One line of defense that Forseti has against this attack is the fact that the name of the binary that is executed to carry out the integrity checking procedure varies at each run,so the attacker must e?ectively guess which calls made by Forseti are invoking hash programs and which are executing other processes.In some cases the attacker will want Forseti to access the modi?ed copies of programs(such as a modi?ed shell),but other times access should be redirected to the older reference copies.As di?cult as this may make attacking Forseti, it does not solve the problem that an attacker who can intercept and modify system calls can wreak havoc with Forseti.
To address this problem,we propose two solutions as future work.One area of research which our group
1Note that this attack is similar to the result spoo?ng attacks previously mentioned with the exception that the compromise is happening at the kernel level,rather than the user level.is pursuing is that of node virtualization.Rather than executing code on the actual cluster nodes,users will log into virtual nodes running on the physical cluster. In this way,the virtual nodes could periodically be de-stroyed and reinstalled from read only media,thereby removing any Trojan-horse programs.As a second avenue of defense,we have considered constructing another NVisionCC plug-in that monitors results re-turned by a hardware-based kernel integrity checker (e.g.,[16])to detect compromised operating system kernels,though this solution has the downfall of in-creased hardware costs.
5.3Performance
Now that we have discussed the security properties of the Forseti scanner,we wish to discuss its perfor-mance.The timing measurements that we present were measured on a cluster with dual-processor nodes run-ning Red Hat Linux with kernel2.4.21-15.ELsmp.The collector node used to perform the scans was located on the same gigabit Ethernet as the cluster nodes as to minimize round-trip times.This con?guration seems plausible in practice,as the entity performing the secu-rity analysis of the cluster would likely have the ability to attach collector nodes to the Ethernet used by the cluster.Measurements reported are averages over10 trials.
We tested Forseti by checking the compute nodes on our cluster for changes to37?les totaling2.9megabytes in size.On average,we found that Forseti took.9397 seconds per node to carry out the entirety of the in-tegrity checking process;this includes SCPing the hash binary(sha1sum)to the node being monitored,in-tegrity checking the37?les on that node,comparing the results returned to the compute node equivalence class pro?le,and logging any errors to the NVisionCC database.Slightly more than half of this time(.4978 seconds on average)was spent copying the sha1sum bi-nary to the node being scanned.The majority of the remaining.4419seconds is overhead associated with establishing the SSH connection over which the hash computation is carried out—integrity checking the37?les took only.0845seconds on average,once the SSH connection was established.
Overall,we feel that these performance numbers are reasonable.At a scan rate of.9397seconds per node, a single collector node can integrity check a512node cluster in just over8minutes,while two collector nodes sharing this task can reduce the scan time to4minutes. In addition,watching a larger number of?les also poses little problem to Forseti.With sha1sum,we measured a throughput of approximately35.21MB/second,mean-
ing that the number of?les monitored can be increased greatly without reducing the overall performance of Forseti.At these rates,administrators should have no problems con?guring Forseti to track a large number of critical system?les at very reasonable scan intervals.
5.4Use in Single-Image Clusters
We now comment on the use of Forseti on single-image clusters,such as those built using the Cluster-matic[5]or Scyld[19]systems.In these types of clus-ters,the compute nodes tend to be lightweight rather than full system images which essentially reduces the task of integrity checking the cluster to the task of in-tegrity checking the head node.Though it seems that this is a task that could be easily carried out by a host-based?le integrity checker,we contend that the use of Forseti still has several advantages over such a solution. Forseti has the bene?t of keeping the?le signature database stored separately from the head node,which makes the task of corrupting the signature database more di?cult for malicious users or attackers.In ad-dition,if nodes other than the head node are used to store important system?les or executables,these nodes can easily be added to Forseti’s scan path with minimal con?guration changes.In short,though Forseti’s main strengths lie in scanning clusters in which each node runs a complete system image,it can still be useful in single-image clusters.
5.5Summary of Bene?ts
We now conclude our discussion of the Forseti dis-tributed?le integrity checker with a summary of its bene?ts.
Ease of con?guration Initial con?guration of the Forseti system is extremely straight-forward and almost entirely automated.By providing a few parameters to the supplied scripts,the con?gura-tion process for an entire cluster can be completed in seconds.It should also be noted that only a few nodes need to be contacted and integrity checked during this process—one node from each equiv-alence class.This is in contrast to installing a ?le integrity checker designed for the enterprise computing environment,in which each node being monitored would need to be con?gured separately. Ease of maintenance Con?guring new cluster nodes to be integrity checked by Forseti is as easy as up-dating a single table in the NVisionCC database.
Since Forseti does not require any software other
than sshd to be running on the nodes that it moni-tors,simply informing NVisionCC of the existence of the new node is the only step that needs to be taken for Forseti to integrity check the node.In addition,as software on the cluster nodes is up-graded,the update sigs.pl script needs to be run only once per modi?ed node equivalence class to ensure that Forseti functions correctly.Other?le integrity checking systems require the database to be updated for each modi?ed node. Robustness against attack As discussed in Sec-tion5.2,Forseti is robust against large classes of attacks against the system.Any number of cluster nodes can become compromised with minimal ef-fect on the accuracy of Forseti’s integrity checking process.
E?ciency The per-node costs of integrity checking cluster nodes using the Forseti system are very reasonable.In our tests,nodes could be integrity checked in under one second.In the future,we plan to examine parallel integrity checking algo-rithms that could reduce the overall execution time of a cluster-wide Forseti invocation.
In the following section,we discuss related work in the area of?le integrity checking and discuss how Forseti di?ers from existing systems.
6Related Work
File integrity checkers can serve an important role in enforcing a security policy and currently there is a wide spectrum of enterprise?le integrity checkers that have been developed,each with di?erent capabilities. To better understand where the contribution of the Forseti?le integrity checker for HPC cluster security falls within this spectrum,we brie?y survey enterprise ?le integrity checkers as summarized in Table4.Our survey intention is to highlight representative enter-prise?le integrity checkers across the spectrum,not to be exhaustive.
The goal of an enterprise?le integrity checker is to detect and report on directory and?le system changes such as existence,ownership,permissions,and last ac-cess timestamp;these changes that may either be either accidental or malicious.The technique for determin-ing?le system changes has evolved from comparing an entire?le against a saved entire version to comparing a single value calculated from the entire contents of a ?le against a saved single value.For this reason,?le in-tegrity checkers have always had some form of database integration to hold baseline data for comparison.It
Integrity Checker Unique Features Supported Operat-
ing Systems
AIDE[2]Advanced Intrusion Detection Environment.Freeware using regular expres-
sions,requires GNU utilities to compile.
Linux/Unix
chkrootkit[15]Shell script collection of utilities focusing on checking system binaries for
rootkit modi?cation.Independent application with a large number of rootkit
signatures.
Linux/Unix
BinAudit a.k.a.RIACS Auditing Package.Designed to scan many hosts serially.Can
collapse entire output into Email,con?gurable to ignore?le/directory changes
Unix
Data Sentinel[6]Commercial software.Monitors registry,two-?sh encrypted reports stored in
XML,CSV,and HTML.
Windows
Fcheck Reports deviations from system baseline snapshot.Requires Perl,dependent
on external executables.
Linux/Unix,Windows
GFI LANguard System
Integrity Monitor[10]
Freeware and commercial application.Windows,Linux
Integrit[4]Small memory footprint during runtime.Included with Debian Linux dis-
tributions.Modular for database and cryptographic algorithm support.De-
signed for multiple scans as opposed to one complex scan.
Linux/Unix
Osiris[24]Uses OpenSSL for encryption/authentication,monitors resident kernel exten-
sions and changes to local user/group databases.
Windows
Samhain[18]Daemon remembers?le changes to minimize change reports(as opposed to a
process invoked from cron).Monitors rootkits and login activities.Central-
ized administration using secure TCP and PGP-signed database support.
Linux/Unix,Mac OS X
Sentinel Secure,signed log?les with RIPEMD160bit hash.Monitors registry,options
for autoload scan,and secure shutdown and closing processes.
Windows
Tripwire[12]Commercial licensing for Linux/Unix and Windows.Can roll authorized
changes into baseline for future monitoring.
Linux/Unix,Windows Table4.Summary of enterprise?le integrity checkers
is usually the case that the?le integrity database is (1)self-contained without dependence on external pro-grams that may become compromised and(2)in ASCII format in order to provide human-readable access for reading and printing observation.
The message digest or hash value calculated from the contents of a?le for integrity comparison should be both computationally e?cient and infeasible to reverse.An example of an integrity checker which does not follow this design rule is the COPS tool[8]. COPS uses CRC signatures designed for streaming er-ror detection rather than a cryptographic hash func-tion for?le integrity checking.The CRC reversal pro-cess is widely available,meaning that?les can easily be altered in ways that COPS cannot detect.The ?rst widespread?le integrity checker based on cryp-tographic hash value comparisons was Tripwire,which was introduced in1992.While comparing entire?les with previous versions has the advantage of showing exactly what changes were made to?les,in most cases knowing only that a change has been detected is enough along with the obvious resource e?ciency gained from not having to save entire?le systems for comparison.
Scalability is another major factor in comparing?le integrity checkers,in terms of number of host?le sys-tems tested,human monitoring e?ort,and?le sizes (which is the easiest metric to quantify and compare).All enterprise?le integrity checkers exhibit non-linear speed behavior to varying degrees(slower speeds with larger?les)[23].Integrity checkers written in C tend to be the fastest(e.g.,AIDE,BinAudit,Integrit,Osiris, and Samhain)followed by those checkers written in Perl(e.g.,Fcheck)and C++(e.g.,Tripwire).Osiris and Samhain collect reports and data from clients to a centralized server where the system can be more easily administered as opposed to distributed administration across many hosts.Other specialized features that dis-tinguish enterprise?le integrity checkers include warn-ings about incorrect con?gurations,handling race con-ditions in dynamic environments,and handling corner ?le system cases(e.g.?le size equal to zero).
Since very few enterprise installations are uniform, enterprise?le integrity checkers require signi?cant con-tinuous con?guration.Also,since?le system changes on enterprise systems may occur for a multitude of reasons,regular human analysis of reports is essen-tial.There is no standard monitoring interface,syslog format,or message exchange system for enterprise?le integrity checkers.File system change alarms are not typically prioritized across enterprise systems such that alarms that may be more important(e g.on shared production servers)are often obscured by sheer vol-ume.
Monitoring for?le system changes on an enterprise
LAN containing hundreds or thousands of hosts is not the same as monitoring for?le system changes on a HPC cluster with a similar number of nodes—both the security posture and underlying detection techniques need to be signi?cantly di?erent for clusters.With this in mind,the Forseti?le integrity checker and the NVi-sionCC cluster security monitoring system have been speci?cally designed for the unique HPC cluster en-vironment.Forseti scans within HPC cluster equiv-alence classes producing uniform reports from many hosts that can be quickly evaluated against common pro?les.Automated security analysis validates?le in-tegrity and presents changes to human operators us-ing the standard Clumon visual interface(via the NVi-sionCC plug-in).Human management capability does not scale linearly as cluster size in nodes grows increas-ingly larger.For this reason the NVisionCC/Clumon visual interface is designed to be scalable in human terms to represent large HPC clusters graphically(in the thousands of nodes)while simultaneously consol-idating alarms on individual cluster nodes to prevent information overload(for instance one?le change with many corresponding directory changes is shown as a single node alert as opposed to many alerts).The Forseti/NVisionCC visual interface also presents?le integrity changes along with other security events(pro-cess monitoring,privilege escalation,port scans)so a ?le change can be correlated and prioritized with other security events in the HPC cluster https://www.doczj.com/doc/e711358019.html,stly, Forseti/NVisionCC?le integrity checking in the HPC cluster environment context is enhanced in contrast to enterprise systems since the HPC cluster environment is more constrained with generally fewer critical system ?les that change less frequently.
7Summary
In large-scale commodity clusters,it is often the case that the compromise of a single node can lead to the compromise of an entire cluster.In computational grids,a single compromised node can easily lead to the compromise of multiple clusters,as was the case with the TeraGrid break-ins that occurred during the Spring of2004.During these types of attacks,important sys-tem?les are often times modi?ed by attackers to help them gather passwords,avoid logging mechanisms,or open back-doors into the system.To detect these types of attacks,we have designed the Forseti distributed?le integrity scanner.
Unlike other?le integrity monitoring tools and host-based intrusion detection systems,Forseti was designed to meet the needs of the cluster computing environ-ment.Rather than treating a cluster as a collec-tion of hundreds or thousands of independent nodes, Forseti leverages the emergent structure of large-scale commodity clusters to simplify its con?guration and maintenance and increase the security of the system. Forseti was designed as a plug-in to the NVisionCC cluster monitoring package,which provides a conve-nient framework for scheduling the plug-in and provid-ing visual feedback to security analysts.
In this paper,we have presented the details of NVi-sionCC and the Forseti system and examined the secu-rity of Forseti.We highlighted several attacks against the system and showed that even a root-level adver-sary can do very little to falsify results or prevent the system from carrying out its integrity checks without being detected.In addition,we presented preliminary performance results which show that Forseti can mon-itor our test cluster at a rate of just under one second per node.
We currently have several directions for future work. We propose to make minor modi?cations to Forseti to make additional checks on the?les that it monitors,in-cluding modi?cation timestamps and the?le’s current permission set.We also plan to provide a mechanism through which the node scheduler can invoke Forseti on-demand prior to allocating a node to a user,thereby allowing users to have con?dence in the freshness of the integrity scan results for the nodes on which their jobs will run.Our more ambitious plans for future work in-clude further investigating defenses against an attacker who is able to intercept and modify system calls on the nodes being monitored,and investigating parallel node scanning algorithms.
Acknowledgments
The authors would like to thank Nadir Kiyanclar, Forrest Xin Meng,Dmitry Mogilevsky,and Michael Treaster for their thoughts and comments during the design and implementation of Forseti and for their as-sistance in maintaining our test cluster. References
[1]Secure hash standard.Federal Information Pro-
cessing Standards Publication180-2,Aug.2002.
https://www.doczj.com/doc/e711358019.html,/publications/fips/
fips180-2/fips180-2.pdf .
[2]AIDE—advanced intrusion detection environment.
Web Page,Jun.2005. https://www.doczj.com/doc/e711358019.html,/ projects/aide .
[3]R.Anderson and E.Biham.Tiger:A fast new hash
function.Technical report,Cambridge University, 1995.
[4] E.L.Cashin.integrit?le veri?cation system.Web
Page,Jun.2005. http://integrit.sourceforge.
net .
[5]Clustermatic:A complete cluster solution.Web Page,
Aug.2004. https://www.doczj.com/doc/e711358019.html, .
[6]Data sentinel.Web Page,Jun.2005.
https://www.doczj.com/doc/e711358019.html,/html/products/
data sentinel/index.php .
[7]H.Dobbertin, A.Bosselaers,and B.Preneel.
RIPEMD-160,a strengthened version of RIPEMD.
In Fast Software Encryption,number1039in Lecture Notes in Computer Science,pages71–82,1996.
[8] D.Farmer and E.H.Spa?ord.The COPS security
checker system.In USENIX Summer,pages165–170, 1990.
[9]J.Fullop.Clumon.Web Page,Jun.2005. http:
//https://www.doczj.com/doc/e711358019.html,/ .
[10]GFiLANguard system integrity monitor.Web Page,
Jun.2005. https://www.doczj.com/doc/e711358019.html,/lansim/index.
html .
[11]Grid attacks raise concerns among security ex-
perts.Grid Today,3(17),Apr.2004. http://www.
https://www.doczj.com/doc/e711358019.html,/04/0426/103080.html .
[12]G.H.Kim and E.H.Spa?ord.The design and
implementation of tripwire:a?le system integrity checker.In Proceedings of the2nd ACM Conference on Computer and communications security,pages18–29.
ACM Press,1994.
[13]G.A.Koenig,A.J.Lee,M.Treaster,N.Kiyanclar,
and W.Yurcik.Cluster security with NVisionCC:Pro-cess monitoring by leveraging emergent properties.In 5th IEEE International Symposium on Cluster Com-puting and the Grid(CCGrid),May2005.
[14] A.J.Lee,G.A.Koenig,X.Meng,and W.Yurcik.
Searching for open windows and unlocked doors:Port scanning in large-scale commodity clusters.In5th IEEE International Symposium on Cluster Comput-ing and the Grid(CCGrid),May2005.
[15]N.Murilo and K.Steding-Jessen.chkrootkit—locally
checks for signs of a rootkit.Web Page,Jun.2005.
https://www.doczj.com/doc/e711358019.html, .
[16]N.L.Petroni,J.Molina,T.Fraser,and W.A.Ar-
baugh.Copilot:A coprocessor based runtime integrity monitor.In13th USENIX Security Symposium,Aug.
2004.
[17]R.Rivest.The MD5message-digest algorithm.IETF
Request for Comments1321,Apr.1992.
[18]The SAMHAIN?le integrity/intrusion detection sys-
tem.Web Page,Jun.2005. http://la-samhna.de/ samhain/ .
[19]Scyld software.Web Page,Aug.2004. http://www.
https://www.doczj.com/doc/e711358019.html,/ .
[20]M.Treaster,G.A.Koenig,X.Meng,and W.Yurcik.
Detection of privilege escalation for linux cluster se-curity.In6th LCI International Conference on Linux Clusters,Apr.2005.
[21]X.Wang,Y.L.Yin,and H.Yu.Finding collisions in
the full SHA-1.In Crypto2005,Aug.2005.[22]X.Wang,H.Yu,and Y.L.Yin.E?cient collision
search attacks on SHA-0.In Crypto2005,Aug.2005.
[23]R.Wichman.A comparison of several host/?le
integrity checkers(scanners).Web Page,Oct.2004.
https://www.doczj.com/doc/e711358019.html,-samhna.de/library/scanners.
html .
[24] B.Wotring.Osiris—host integrity monitoring.Web
Page,Jun.2005. https://www.doczj.com/doc/e711358019.html,/ osiris/ .
[25]W.Yurcik,G.A.Koenig,X.Meng,and J.Greenseid.
Cluster security as a unique problem with emergent properties:Issues and techniques.In The5th LCI In-ternational Conference on Linux Clusters:The HPC Revolution2004,May2004.
[26]W.Yurcik,X.Meng,and N.Kiyanclar.NVisionCC:A
visualization framework for high performance cluster security.In CCS Workshop on Visualization and Data Mining for Computer Security(VizSEC/DMSEC), Oct.2004.
1、人称代词顺口溜:人称代词有两类,一类主格一类宾;主格代词本领大,一切动作由它发;宾格代词不动脑,介动之后跟着跑。 2、物主代词顺口溜:物主代词不示弱,带着‘白勺’来捣乱;形容词性物主代,抓住名词不放松; 1、人称代词的主格在句子中作主语或主语补语。一般在句首,动词前。 例如:John waited a while but eventually he went home. 约翰等了一会儿,最后他回家了。 John hoped the passenger would be Mary and indeed it was she. 约翰希望那位乘客是玛丽,还真是她。 说明:在复合句中,如果主句和从句主语相同,代词主语要用在从句中,名词主语用在主句中。在电话用语中常用主格。 例如:When he arrived, John went straight to the bank. 约翰一到就直接去银行了。 I wish to speak to Mary. This is she. 我想和玛丽通话,我就是玛丽。 2、人称代词的宾格在句中作宾语或表语,在动词或介词后。 例如:Do you know him?(作宾语) 你认识他吗? Who is knocking at the door?It’s me. (作表语) 是谁在敲门?是我。 说明:单独使用的人称代词通常用宾格,即使它代表主语时也是如此。 例如:I like English. Me too. 我喜欢英语。我也喜欢。 3、注意:在动词be 或to be 后的人称代词视其前面的名词或代词而定。 例如:I thought it was she.我以为是她。(主格----主格) I thought it to be her.(宾格----宾格) I was taken to be she.我被当成了她。(主格----主格) They took me to be her.他们把我当成了她。(宾格----宾格) 4、人称代词并列时的排列顺序 1)单数人称代词并列作主语时,其顺序为: 第二人称→第三人称→第一人称 即you and I he/she/it and I you, he/she/it and I 顺口溜:第一人称最谦虚,但若错误责任担,第一人称学当先。 例如:It was I and John that made her angry. 2)复数人称代词作主语时,其顺序为: 第一人称→第二人称→第三人称 即we and you you and they we, you and they
With的用法全解 with结构是许多英语复合结构中最常用的一种。学好它对学好复合宾语结构、不定式复合结构、动名词复合结构和独立主格结构均能起很重要的作用。本文就此的构成、特点及用法等作一较全面阐述,以帮助同学们掌握这一重要的语法知识。 一、 with结构的构成 它是由介词with或without+复合结构构成,复合结构作介词with或without的复合宾语,复合宾语中第一部分宾语由名词或代词充当,第二部分补足语由形容词、副词、介词短语、动词不定式或分词充当,分词可以是现在分词,也可以是过去分词。With结构构成方式如下: 1. with或without-名词/代词+形容词; 2. with或without-名词/代词+副词; 3. with或without-名词/代词+介词短语; 4. with或without-名词/代词 +动词不定式; 5. with或without-名词/代词 +分词。 下面分别举例: 1、 She came into the room,with her nose red because of cold.(with+名词+形容词,作伴随状语)
2、 With the meal over , we all went home.(with+名词+副词,作时间状语) 3、The master was walking up and down with the ruler under his arm。(with+名词+介词短语,作伴随状语。) The teacher entered the classroom with a book in his hand. 4、He lay in the dark empty house,with not a man ,woman or child to say he was kind to me.(with+名词+不定式,作伴随状语)He could not finish it without me to help him.(without+代词 +不定式,作条件状语) 5、She fell asleep with the light burning.(with+名词+现在分词,作伴随状语) Without anything left in the with结构是许多英 语复合结构中最常用的一种。学好它对学好复合宾语结构、不定式复合结构、动名词复合结构和独立主格结构均能起很重要的作用。本文就此的构成、特点及用法等作一较全面阐述,以帮助同学们掌握这一重要的语法知识。 二、with结构的用法 with是介词,其意义颇多,一时难掌握。为帮助大家理清头绪,以教材中的句子为例,进行分类,并配以简单的解释。在句子中with结构多数充当状语,表示行为方式,伴随情况、时间、原因或条件(详见上述例句)。 1.带着,牵着…… (表动作特征)。如: Run with the kite like this.
1. with+宾语+形容词。比如:. The boy wore a shirt with the neck open, showing his bare chest. 那男孩儿穿着一件衬衫,颈部敞开,露出光光的胸膛。Don’t talk with your mouth full. 嘴里有食物时不要讲话。 2. with+宾语+副词。比如:She followed the guide with her head down. 她低着头,跟在导游之后。 What a lonely world it will be with you away. 你不在,多没劲儿呀! 3. with+宾语+过去分词。比如:He was listening to the music with his eyes half closed. 他眼睛半闭着听音乐。She sat with her head bent. 她低着头坐着。 4. with+宾语+现在分词。比如:With winter coming, it’s time to buy warm clothes. 冬天到了,该买些保暖的衣服了。 He soon fell asleep with the light still burning. 他很快就睡着了,(可)灯还亮着。 5. with+宾语+介词短语。比如:He was asleep with his head on his arms. 他的头枕在臂膀上睡着了。 The young lady came in, with her two- year-old son in her arms. 那位年轻的女士进来了,怀里抱着两岁的孩子。 6. with+宾语+动词不定式。比如: With nothing to do in the afternoon, I went to see a film. 下午无事可做,我就去看了场电影。Sorry, I can’t go out with all these dishes to wash. 很抱歉,有这么多盘子要洗,我不能出去。 7. with+宾语+名词。比如: He died with his daughter yet a school-girl.他去逝时,女儿还是个小学生。 He lived a luxurious life, with his old father a beggar . 他过着奢侈的生活,而他的老父亲却沿街乞讨。(8)With so much work to do ,I can't go swimming with you. (9)She stood at the door,with her back towards us. (10)He entered the room,with his nose red with cold. with复合结构与分词做状语有啥区别 [ 标签:with, 复合结构, 分词状语] Ciro Ferrara 2009-10-18 16:17 主要是分词形式与主语的关系 满意答案好评率:100%
with的用法大全----四级专项训练with结构是许多英语复合结构中最常用的一种。学好它对学好复合宾语结构、不定式复合结构、动名词复合结构和独立主格结构均能起很重要的作用。本文就此的构成、特点及用法等作一较全面阐述,以帮助同学们掌握这一重要的语法知识。 一、 with结构的构成 它是由介词with或without+复合结构构成,复合结构作介词with或without的复合宾语,复合宾语中第一部分宾语由名词或代词充当,第二部分补足语由形容词、副词、介词短语、动词不定式或分词充当,分词可以是现在分词,也可以是过去分词。With结构构成方式如下: 1. with或without-名词/代词+形容词; 2. with或without-名词/代词+副词; 3. with或without-名词/代词+介词短语; 4. with或without-名词/代词+动词不定式; 5. with或without-名词/代词+分词。 下面分别举例:
1、 She came into the room,with her nose red because of cold.(with+名词+形容词,作伴随状语) 2、 With the meal over , we all went home.(with+名词+副词,作时间状语) 3、The master was walking up and down with the ruler under his arm。(with+名词+介词短语,作伴随状语。) The teacher entered the classroom with a book in his hand. 4、He lay in the dark empty house,with not a man ,woman or child to say he was kind to me.(with+名词+不定式,作伴随状语) He could not finish it without me to help him.(without+代词 +不定式,作条件状语) 5、She fell asleep with the light burning.(with+名词+现在分词,作伴随状语) 6、Without anything left in the cupboard, she went out to get something to eat.(without+代词+过去分词,作为原因状语) 二、with结构的用法 在句子中with结构多数充当状语,表示行为方式,伴随情况、时间、原因或条件(详见上述例句)。
一、选择题 1、With time ____ by , they got to know each other better. A. passes B. passing C. passed D. to be passed 2、 the economic crisis getting more and more serious, the government is searching for ways to improve people’s life. A. As B. With C. When D. If 3John received an invitation to dinner, and with his work ____, he gladly accepted it. A. finished B. finishing C. having finished D. was finished 4、With all flights___, they had to come by bus. A. had canceled B.canceled C.have been canceled D. having canceled 5、With a large number of people _______ camping, it has now become one of the most popular activities in the UK. A. take part in B. took part in C. taking part in D. to be taking part in 6、None of us had expected that the middle﹣aged engineer died with his design _________() A..to uncomplete B..uncompleted C.uncompleting.D..uncomplete 7、______,we managed to get out of the forest.() A.The guide led the way B.The guide leading the way C.With the guide to lead the way D.Having led the way 8、Will all his work ,he could have a good rest. A.to do B.doing C.did D.done 9、 ______, her suggestion is of greater value than yours. A. All things considering B. All things considered C. All things were considered D. With all things were considered 10、With the kind boy ________ the way, we found the park soon. A. leads B. to lead C. led D. leading 11、 She stood there, ______ from her cheeks. A. tears' rolling down B. tears rolled down C. with tears rolled down D. tears rolling down 12、 While watching television, __________. A. the doorbell rang B. the doorbell rings C. we heard the doorbell ring D. we heard the doorbell rings 13、The murderer was brought in, with his hands______ behind his back. A. be tied B. having tied C. to be tied D. tied 14、 With a lot of difficult problem _____, the newly-elected president is having a hard time.
英语中的五种基本句型结构 一、句型1:Subject (主语) +Verb (谓语) 这种句型中的动词大多是不及物动词,所谓不及物动词,就是这种动词后不可以直接接宾语。常见的动词如:work, sing, swim, fish, jump, arrive, come, die, disappear, cry, happen等。如: 1) Li Ming works very hard.李明学习很努力。 2) The accident happened yesterday afternoon.事故是昨天下午发生的。 3)Spring is coming. 4) We have lived in the city for ten years. 二、句型2:Subject (主语) +Link. V(系动词) +Predicate(表语) 这种句型主要用来表示主语的特点、身份等。其系动词一般可分为下列两类: (1)表示状态。这样的词有:be, look, seem, smell, taste, sound, keep等。如: 1) This kind of food tastes delicious.这种食物吃起来很可口。 2) He looked worried just now.刚才他看上去有些焦急。 (2)表示变化。这类系动词有:become, turn, get, grow, go等。如: 1) Spring comes. It is getting warmer and warmer.春天到了,天气变得越来越暖和。 2) The tree has grown much taller than before.这棵树比以前长得高多了。 三、句型3:Subject(主语) +V erb (谓语) +Object (宾语) 这种句型中的动词一般为及物动词, 所谓及物动词,就是这种动词后可以直接接宾语,其宾语通常由名词、代词、动词不定式、动名词或从句等来充当。例: 1) He took his bag and left.(名词)他拿着书包离开了。 2) Li Lei always helps me when I have difficulties. (代词)当我遇到困难时,李雷总能给我帮助。 3) She plans to travel in the coming May Day.(不定式)她打算在即将到来的“五一”外出旅游。 4) I don’t know what I should do next. (从句)我不知道下一步该干什么。 注意:英语中的许多动词既是及物动词,又是不及物动词。 四、句型4:Subject(主语)+Verb(谓语)+Indirect object(间接宾语)+Direct object (直接宾语) 这种句型中,直接宾语为主要宾语,表示动作是对谁做的或为谁做的,在句中不可或缺,常常由表示“物”的名词来充当;间接宾语也被称之为第二宾语,去掉之后,对整个句子的影响不大,多由指“人”的名词或代词承担。引导这类双宾语的常见动词有:buy, pass, lend, give, tell, teach, show, bring, send等。如: 1) Her father bought her a dictionary as a birthday present.她爸爸给她买了一本词典作为生日礼物。 2)The old man always tells the children stories about the heroes in the Long March. 老人经常给孩子们讲述长征途中那些英雄的故事。上述句子还可以表达为: 1)Her father bought a dictionary for her as a birthday present. 2)The old man always tells stories about the heroes to the children in the Long March. 五、句型5:Subject(主语)+Verb (动词)+Object (宾语)+Complement(补语) 这种句型中的“宾语+补语”统称为“复合宾语”。宾语补足语的主要作用或者是补充、说明宾语的特点、身份等;或者表示让宾语去完成的动作等。担任补语的常常是名词、形容词、副词、介词短语、分词、动词不定式等。如: 1)You should keep the room clean and tidy. 你应该让屋子保持干净整洁。(形容词) 2) We made him our monitor.(名词)我们选他当班长。 3) His father told him not to play in the street.(不定式)他父亲告诉他不要在街上玩。
with用法归纳 (1)“用……”表示使用工具,手段等。例如: ①We can walk with our legs and feet. 我们用腿脚行走。 ②He writes with a pencil. 他用铅笔写。 (2)“和……在一起”,表示伴随。例如: ①Can you go to a movie with me? 你能和我一起去看电影'>电影吗? ②He often goes to the library with Jenny. 他常和詹妮一起去图书馆。 (3)“与……”。例如: I’d like to have a talk with you. 我很想和你说句话。 (4)“关于,对于”,表示一种关系或适应范围。例如: What’s wrong with your watch? 你的手表怎么了? (5)“带有,具有”。例如: ①He’s a tall kid with short hair. 他是个长着一头短发的高个子小孩。 ②They have no money with them. 他们没带钱。 (6)“在……方面”。例如: Kate helps me with my English. 凯特帮我学英语。 (7)“随着,与……同时”。例如: With these words, he left the room. 说完这些话,他离开了房间。 [解题过程] with结构也称为with复合结构。是由with+复合宾语组成。常在句中做状语,表示谓语动作发生的伴随情况、时间、原因、方式等。其构成有下列几种情形: 1.with+名词(或代词)+现在分词 此时,现在分词和前面的名词或代词是逻辑上的主谓关系。 例如:1)With prices going up so fast, we can't afford luxuries. 由于物价上涨很快,我们买不起高档商品。(原因状语) 2)With the crowds cheering, they drove to the palace. 在人群的欢呼声中,他们驱车来到皇宫。(伴随情况) 2.with+名词(或代词)+过去分词 此时,过去分词和前面的名词或代词是逻辑上的动宾关系。
with独立主格结构(即with复合结构) with独立主格结构是英语中一种重要的句法现象,在句子结构方面具有相对独立的特点。多年来也一直是命题的热点、重点,因此应该引起我们的高度重视。众所周知,with引导的独立主格结构非常活跃,虽然它在句子中只作状语,但是可以表示伴随、方式、原因、结果等各种复杂的情况。 现将with引导的独立主格结构总结如下。 一、句法结构 【结构一】 with +名词(代词)+介词短语 例1 He sat there thinking, with his chin on his hand. 他手托下巴,坐在那儿沉思。 【结构二】 with +名词(代词)+形容词 例2 He stared at his friend with his mouth wide open. 他张大嘴巴凝视着他的朋友。 【结构三】with +名词(代词)+副词 例3 With production up by 60%, the company has had another excellent year. 产量上升了60%, 公司又是一个好年景。 【结构四】 with +名词(代词)+名词 例4 She used to sit reading in the evening with her pet dog her only companion. 她从前总爱在晚上坐着看书,她的宠物狗便是她唯一的伙伴。 【结构五】with +名词(代词)+现在分词 例5 She stood there chatting with her friend, with her child playing beside her. 她站在那儿跟朋友闲聊,孩子在旁边玩。 【结构六】with +名词(代词)+过去分词
独立主格结构练习题及解析 1. I have a lot of books, half of ___ novels. A. which B. that C. whom D. them 2. __ more and more forests destroyed, many animals are facing thedanger of dying out. A. because B. as C. With D. Since 3. The bus was crowded with passengers going home from market, most of __ carrying heavy bags and baskets full of fruit and vegetables they hadbought there. A. them B. who C. whom D. which 4. The largest collection ever found in England was one of about 200,000 silverpennies, all of ___ over 600 years old. A. which B. that C. them
D. it 5. The cave __ very dark, he lit some candles ___ light. A. was; given B. was; to give C. being; given D. being; to give 6. The soldier rushed into the cave, his right hand __ a gun and his face ____ with sweat.A held; covered B. holding; covering C. holding; covered D. held; covering 7. The girl in the snapshot was smiling sweetly, her long hair ___ . A. flowed in the breeze B. was flowing in the breeze C. were flowing in the breeze D. flowing in the breeze 8. The children went home from the grammar school, their lessons ____ for the day. A. finishing B. finished C. had finished D. were finished 9. On Sundays there were a lot of children playing in the park, ___ parents seated together joking.
with用法小结 一、with表拥有某物 Mary married a man with a lot of money . 马莉嫁给了一个有着很多钱的男人。 I often dream of a big house with a nice garden . 我经常梦想有一个带花园的大房子。 The old man lived with a little dog on the lonely island . 这个老人和一条小狗住在荒岛上。 二、with表用某种工具或手段 I cut the apple with a sharp knife . 我用一把锋利的刀削平果。 Tom drew the picture with a pencil . 汤母用铅笔画画。 三、with表人与人之间的协同关系 make friends with sb talk with sb quarrel with sb struggle with sb fight with sb play with sb work with sb cooperate with sb I have been friends with Tom for ten years since we worked with each other, and I have never quarreled with him . 自从我们一起工作以来,我和汤姆已经是十年的朋友了,我们从没有吵过架。 四、with 表原因或理由 John was in bed with high fever . 约翰因发烧卧床。 He jumped up with joy . 他因高兴跳起来。 Father is often excited with wine . 父亲常因白酒变的兴奋。 五、with 表“带来”,或“带有,具有”,在…身上,在…身边之意
独立主格篇 独立主格,首先它是一个“格”,而不是一个“句子”。在英语中任何一个句子都要有主谓结构,而在这个结构中,没有真正的主语和谓语动词,但又在逻辑上构成主谓或主表关系。独立主格结构主要用于描绘性文字中,其作用相当于一个状语从句,常用来表示时间、原因、条件、行为方式或伴随情况等。除名词/代词+名词、形容词、副词、非谓语动词及介词短语外,另有with或without短语可做独立主格,其中with可省略而without不可以。*注:独立主格结构一般放在句首,表示原因时还可放在句末;表伴随状况或补充说明时,相当于一个并列句,通常放于句末。 一、独立主格结构: 1. 名词/代词+形容词 He sat in the front row, his mouth half open. Close to the bank I saw deep pools, the water blue like the sky. 靠近岸时,我看见几汪深池塘,池水碧似蓝天。 2. 名词/代词+现在分词 Winter coming, it gets colder and colder. The rain having stopped, he went out for a walk.
The question having been settled, we wound up the meeting. 也可以The question settled, we wound up the meeting. 但含义稍有差异。前者强调了动作的先后。 We redoubled our efforts, each man working like two. 我们加倍努力,一个人干两个人的活。 3. 名词/代词+过去分词 The job finished, we went home. More time given, we should have done the job much better. *当表人体部位的词做逻辑主语时,不及物动词用现在分词,及物动词用过去分词。 He lay there, his teeth set, his hands clenched, his eyes looking straight up. 他躺在那儿,牙关紧闭,双拳紧握,两眼直视上方。 4. 名词/代词+不定式 We shall assemble at ten forty-five, the procession to start moving at precisely eleven. We divided the work, he to clean the windows and I to sweep the floor.
独立主格结构 一、概念 “独立主格结构”就是由一个相当于主语的名词或代词加上非谓语动词、形容词(副)词或介词短语构成的一种独立成分。该结构不是句子,也不是从句,所以它内部的动词不能考虑其时态、人称和数的变化,它与主句之间不能通过并列连词连接,也不能由从句阴道词引导,通常用逗号与主句隔开。独立主格结构在很多情况下可以转化为相应的状语从句或者其他状语形式,但很多时候不能转化为分词形式,因为它内部动词的逻辑主语与主句主语不一致。 二、独立主格的特点
1.当独立主格结构中的being done表示“正在被做时”,being不可以被省略。 2.当独立主格结构的逻辑主语是it, there时,being不可以省略。 三、独立主格结构的用法。 一般放在句首,表示原因时还可放在句末;表伴随状况或补充说明时,相当于一个并列句,通常放于句末。
四、非谓语动词独立主格结构。 “名词或代词+非谓语动词”结构构成的独立主格结构称为非谓语动词的独立主格结构。名词或代词和非谓语动词具有逻辑上的主谓关系。 1.不定式构成的独立主格结构 不定式构成的独立主格结构往往表示还未发生的行为或状态,在句中常 作原因状语,有时做条件状语。 Lots of homework to do, I have to stay home all day. 由于很多作业要做,我只好待在家里。 So many children to look after, the mother has to quit her job. 如此多的孩子要照顾,这个妈妈不得不辞掉她的工作。 2.动词+ing形式的独立主格结构 动词-ing形式的句中作状语时,其逻辑主语必须是主句的主语,否则就 是不正确的。动词-ing形式的逻辑主语与主句的主语不一致时,就应在 动词的-ing形式前加上逻辑主语,构成动词-ing 形式的独立主格结构,逻辑主语与动词间为主谓关系,是分词的动作执行者,分词表示的动作 时逻辑主语发出的动作。 We redoubled our efforts, each man working like two. 我们加倍努力,每个人就像在干两个人的活。 The governor considering the matter, more strikers gathered across his path. 总督思考这个问题时,更多的罢工工人聚集到他要通过的路上。 The guide leading the way, we had no trouble getting out of the forest. 在向导的带领下,我们轻松地走出了森林。 3.过去分词形式的独立主格 过去分词形式的独立主格结构是由“逻辑主语+过去分词”构成。逻辑主 语与动词之间为动宾关系,它是分词的动作承受者,这一结构在句中作 时间状语,原因状语、伴随状语、条件状语等。 This done, we went home.做完这个,我们就回家了。 All our savings gone, we started looking for jobs. 积蓄用完后,我们都开始找工作。 More time and money given, we can finish the work in advance. 如果给予更多的时间和金钱,我们能提前完成这个工作。 五、其他形式的独立主格结构
comparison的用法解析大全 comparison的意思是比较,比喻,下面我把它的相关知识点整理给大家,希望你们会喜欢! 释义 comparison n. 比较;对照;比喻;比较关系 [ 复数 comparisons ] 词组短语 comparison with 与…相比 in comparison adj. 相比之下;与……比较 in comparison with 与…比较,同…比较起来 by comparison 相比之下,比较起来 comparison method 比较法 make a comparison 进行比较 comparison test 比较检验 comparison theorem 比较定理 beyond comparison adv. 无以伦比 comparison table 对照表 comparison shopping 比较购物;采购条件的比较调查 paired comp arison 成对比较 同根词 词根: comparing adj. comparative 比较的;相当的 comparable 可比较的;比得上的 adv. comparatively 比较地;相当地 comparably 同等地;可比较地 n.
comparative 比较级;对手 comparing 比较 comparability 相似性;可比较性 v. comparing 比较;对照(compare的ing形式) 双语例句 He liked the comparison. 他喜欢这个比喻。 There is no comparison between the two. 二者不能相比。 Your conclusion is wrong in comparison with their conclusion. 你们的结论与他们的相比是错误的。 comparison的用法解析大全相关文章: 1.by的用法总结大全
教学参考:With引导的独立主格结构 https://www.doczj.com/doc/e711358019.html, 2005/03/14 09:41 英语辅导报 with独立主格结构是英语的一种重要的句法现象,在句子结构方面具有相对独立的特点。多年 来也一直是命题的热点、重点,因此应该引起我们的高度重视。众所周知,with引导的独立主格结 构非常活跃,虽然它在句子中只作状语,但是可以表示伴随、方式、原因、结果等各种复杂的情况。现将with引导的独立主格结构加以小结。 一、句法结构 【结构一】with+名词(代词)+介词短语 【例句】He sat there thinking, with his chin on his hand. 他手托下巴,坐在那儿沉思。 The old man stood there, with his back against the wall. 那位老人背倚着墙站在那里。 Mary was sitting near the fire, with her back towards the door. 玛丽靠近火炉坐着,背对着门。 【结构二】with+名词(代词)+形容词 【例句】He stared at his friend with his mouth wide open. 他张大嘴巴凝视着他的朋友。 The man raised his head with eyes full of wonder and mystery. 这人抬起头来,眼里充满了好奇。 He stood there trembling, with his face red with cold. 他站在那儿瑟瑟发抖,脸都冻红了。 【结构三】with+名词(代词)+副词 【例句】With production up by 60%, the company has had another excellent year. 产量上升了60%, 公司又是一个好年景。 The stupid Emperor walked in the procession with nothing on. 这位愚蠢的皇帝一丝不挂地行进在 游行队伍中。 The naughty boy stood before his teacher with his head down. 这个淘气的男孩低着头站在老师面前。 He put on his socks with the wrong side out. 他把袜子穿反了。 【结构四】with+名词(代词)+名词 【例句】She used to sit reading in the evening with her pet dog her only companion. 她从前总爱在 晚上坐着看书,她的宠物狗便是她惟一的伙伴。
介词With 复合结构讲解及练习 with复合结构的作用:with复合结构在句子中作状语,表示原因、时间、条件、伴随、方式等. 1)We sat on the dry grass with our backs to the wall.(作伴随状语) 2)She could not leave with her painful duty unfulfilled.(作原因状语) 3)He lay in bed with his head covered.(作方式状语) 4)Jack soon fell asleep with the light still burning.(作伴随状语) 5)I won't be able to go on holiday with my mother being ill.(作原因状语) 6)He sat with his arms clasped around his knees.(作方式状语) 注:with复合结构在句子中还可以作定语,阅读下面的句子。 1)There was a letter for Lanny with a Swiss stamp on it.(作定语修饰letter) 2)It was a vast stretch of country with cities in the distance.(作定语修饰a stretch of country)1) with +宾语+ 现在(短分词语) When mother went into the house, she found her baby was sleeping in bed, with his lips moving. 当妈妈走进房子的时候,她发现自己的孩子正睡在床上,嘴唇一直在动。 My aunt lives in the room with the windows facing south. 我姑妈住在那间窗户朝南开的房间。 With winter coming on,it's time to buy warm clothes 2)with +宾语+ 过去分词(短语) With more and more forests damaged ,some animals and plants are facing the danger of dying out. 由于越来越多的森林遭到破坏,一些动植物正面临着灭绝的危险。 With his legs broken, he had to lie in bed for a long time. 他双腿都断了,只得长时间躺在床上。 3) with +宾语+ 不定式(短语) * With so many children to look after, the nurse is busy all the time. 有这么多的孩子需要照顾,保育员一直都很忙。 *With a lot of papers to correct, M r. Li didn’t attend the party. 李老师有许多试卷需要批改,所以没有参加聚会。 4) with +宾语+ 副词 * You should read with the radio off. 在看书的时候应该把收音机关掉。 * With the temperature up, we had to open all the windows. 气温上升,我们不得不打开所有的窗户。 5) with +宾语+形容词 *With the window open, I felt a bit cold. 窗户开着,我感到有点冷。 * It was cold outside , the boy ran into the room with his nose red. 外面天气很冷,那个男孩跑进了屋子时,鼻子红红的。 6) with +宾语+ 介词短语 * The woman with a baby in her arms is getting on the bus. 怀里抱着婴儿的那位妇女正在上车。 * John starts to work very clearly in the morning and goes on working until late in the afternoon with a break at midday . 约翰早上开始工作,中午稍作休息后又接着工作到下午稍晚些时候。