Security Issues in Open Stack
Transcript of Security Issues in Open Stack
Security Issues in OpenStack
Rostyslav Slipetskyy's Master's thesis
Submission date: June 2011
Presenter: 陳傑威
Agenda
陳傑威 2
Introduction to OpenStack
• Definition
• History
• Projects
Security Issues in OpenStack (thesis)
• Objective
• Contribution
• Conclusion
OpenStack is an open source cloud operating system.
NIST (National Institute of Standards and Technology):
Cloud Computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
Definition (layer diagram, top to bottom):
• User
• SaaS (e.g. Salesforce)
• PaaS (e.g. Hadoop)
• IaaS (e.g. OpenStack)
• Physical layer
What is OpenStack
(figure: (Eucalyptus) EC2, S3, +)
Projects:
What is OpenStack(2)
Research institutes, government agencies, financial institutions, pharmaceutical companies, e-commerce companies, media, ...
Security Issues in OpenStack (thesis)
• Main Objective: Analyze how various security issues are handled in OpenStack
Security Issues Identified
• CSA (Cloud Security Alliance)
• ENISA (European Network and Information Security Agency)
• NIST (National Institute of Standards and Technology)
Security Issues Identified (2)
• 1. OpenStack Object Storage
• 2. Security issues:
– Identity and Access Management
– Data Management
OpenStack Installation
OpenStack Object Storage installed in a virtual environment
Security Issues:
• Identity and Access Management Security Issues
– Identity Provisioning/Deprovisioning
– Identity Federation
– Authentication
– Authorization and Access Control
• Data Management Security Issues
– Data Location
– Isolation
– Backup and Recovery
– Deletion
– Encryption and Key Management
– Integrity Verification
Identity Provision/Deprovisioning
• Overview
– 2 back-end systems:
• Devauth: user data are stored in an SQLite database.
• Swauth: user data are stored as files in Object Storage.
– 4 roles:
• User: has no permissions relative to user management.
• Admin: can add users to an account where he is an administrator. In swauth, can delete users from administered accounts.
• Reseller Admin: has Admin permissions on all the accounts. Cannot add other Reseller Admins.
• Super Admin: the most powerful user, who can perform all user management procedures, including adding Reseller Admins.
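The four-role boundary above, encoded as a policy check so it can be unit-tested. This is an added example, not code from the thesis or from OpenStack Object Storage; role labels, account names and the `backend` switch are our own constructions, and treating "users" an Admin may add as covering both regular users and account admins is an assumption.

```python
from dataclasses import dataclass, field

# Role labels as described on the slide (Swift itself uses group strings; these are ours)
USER, ADMIN, RESELLER_ADMIN, SUPER_ADMIN = "user", "admin", "reseller_admin", "super_admin"


@dataclass(frozen=True)
class Principal:
    name: str
    role: str
    # Accounts this principal administers; only meaningful for ADMIN.
    administered: frozenset = field(default_factory=frozenset)


def can_manage(actor: Principal, action: str, account: str, target_role: str,
               backend: str = "swauth") -> bool:
    """Return True if `actor` may perform `action` ('add' or 'delete') on a user
    holding `target_role` in `account`, following the four role descriptions.
    `backend` is 'devauth' or 'swauth'; Admin deletion is granted only on swauth."""
    if action not in ("add", "delete"):
        raise ValueError(f"unknown action: {action}")
    if actor.role == SUPER_ADMIN:
        # Can perform all user management procedures, including adding Reseller Admins.
        return True
    if actor.role == RESELLER_ADMIN:
        # Admin permissions on every account, but cannot add other Reseller Admins
        # (assumption: the same boundary keeps Super Admins out of reach too).
        return target_role in (USER, ADMIN)
    if actor.role == ADMIN:
        if account not in actor.administered:
            return False          # only accounts where the actor is an administrator
        if target_role not in (USER, ADMIN):
            return False          # assumption: "users" = regular users and account admins
        if action == "delete" and backend != "swauth":
            return False          # the slide grants Admin deletion only in swauth
        return True
    return False                  # plain User: no user-management permissions at all
```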
Authentication
Authentication methods of OpenStack Object Storage
Authentication Systems: Devauth
• User data (passwords, groups) are stored in an SQLite database
Authentication Systems: Swauth
• User data (passwords, groups) are stored as JSON-encoded data in text files in Object Storage
Authentication: Security Token Generation
• Session ID Analysis:
1. Set token expiration time to 0 seconds.
2. Obtain 10000 tokens generated for the same user.
3. Analyze tokens with WebScarab to check patterns.
4. Analyze generated tokens with Burp Sequencer tool.
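A minimal version of the per-position randomness check that WebScarab and Burp Sequencer automate in the procedure above, added here as an example; it is not from the thesis or OpenStack, and the two token batches are constructed with a seeded PRNG and a counter, not tokens captured from Swift. It assumes hex tokens (4 bits per character at most).

```python
import math
import random
from collections import Counter


def shannon_entropy(symbols):
    """Shannon entropy (bits) of the empirical distribution of `symbols`."""
    counts = Counter(symbols)
    n = len(symbols)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def position_entropy(tokens):
    """Entropy of each character position across a batch of equal-length tokens."""
    lengths = {len(t) for t in tokens}
    if len(lengths) != 1:
        raise ValueError("tokens must share one length")
    return [shannon_entropy([t[i] for t in tokens]) for i in range(lengths.pop())]


def analyze_tokens(tokens, alphabet_bits=4.0, min_fraction=0.9):
    """Return (total_bits_estimate, weak_positions).

    A position is flagged weak when its entropy is below `min_fraction` of the
    alphabet maximum (4 bits for hex). Caveat: this only measures the marginal
    distribution per position; it does not detect correlation between positions
    (e.g. a counter), so a clean result is necessary, not sufficient, evidence."""
    ent = position_entropy(tokens)
    weak = [i for i, e in enumerate(ent) if e < min_fraction * alphabet_bits]
    return sum(ent), weak


# Constructed samples, not real Swift tokens:
_rng = random.Random(2011)
# 4000 tokens of 128 seeded-PRNG bits each, rendered as 32 hex characters.
STRONG_TOKENS = ["%032x" % _rng.getrandbits(128) for _ in range(4000)]
# A counter-style token: 24 fixed hex characters followed by a zero-padded counter.
WEAK_TOKENS = ["cafe" * 6 + "%08x" % i for i in range(4000)]
```

Run `analyze_tokens(WEAK_TOKENS)` and every fixed or zero-padded position is flagged, while only the lowest counter digits score as random; a batch drawn from a real token endpoint is analyzed the same way.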
Authentication: Security Token Generation(2)
Authentication: Portability of stored data
• Devauth: not applicable
• Swauth
Data Management
Data retrieval in OpenStack Object Storage
Data Management (2)
• END!