Shmoocon 2013 - OpenStack Security Brief
Transcript of Shmoocon 2013 - OpenStack Security Brief
Cloud Computing
This term means absolutely nothing. $variable + vague generic term
"We used to leak kilobytes, then megs, then even gigs. Now, we leak EC2 instances. Someday, we'll leak entire datacenters." - @Dymaxion
OpenStack Security Brief
ShmooCon 2013
http://www.secstack.org/shmoocon2013.ppt
Yes, this is me.
This is also me.
Part I – OpenStack Structure
Cloud Computing is a terrible term. Investopedia defines it as...
... this is why it was referred to as 'Clown Computing' for a very long time.
A Better Term: Elastic Design
Scale horizontally rather than vertically
Distributed services
Standard Orchestration APIs
All States are Ephemeral
So.. it's an Open Stack?
Elastic Cloud
Open Source ( Apache License )
Open Standards ( Foundation )
Written in Python
REST APIs
Shared Nothing, Message Oriented
Gaming the Foundation
A fun tangent
Gaming the Foundation
https://www.music-piracy.com/?p=750
OpenStack Membership 2011
Top Companies by Commits
Votes by Source
Components of OpenStack ( Folsom – 2012.2 )
Core: Nova, Swift, Keystone, Glance, Quantum, Cinder, Horizon
Clients: python-novaclient, python-swiftclient, python-keystoneclient, python-glanceclient, python-quantumclient, python-cinderclient
Incubated: Oslo, Ceilometer, python-ceilometerclient, HEAT API, python-heatclient, python-openstackclient
Good Reading
Ken Pepple's Folsom Architecture Post
http://ken.pepple.info/openstack/2012/09/25/openstack-folsom-architecture/
Not getting into hypervisor security. OpenStack supports many hypervisors.
Some supported hypervisors:
KVM
Xen / XCP
HyperV
VMWare
Physical Provisioning ( in Grizzly )
etc, etc, etc. sky's the limit, bob's your uncle.
Keystone – Identity Manager
REST API, Admin API
Service Catalog
Backend to sqlite by default
Supports MySQL, LDAP, Active Directory ( with patches ).
Token generation and shared authentication endpoint in OpenStack software.
Nova – Elastic Compute ( EC2 )
REST API, Metadata API, EC2 API
Integrates with many hypervisors
Defaults to libvirt
Integrated volume and network orchestration in Folsom ( deprecated )
Security Groups, Quotas, Zones, Flavors..
Config Drive
Ugliest, oldest, most complex code in project.
Glance – Image Store
REST API
Backed by MySQL
Stores to local volumes
Optionally stores to object storage
Quantum – SDN
Replaces nova-network
REST API
Can interact directly with hardware
Pluggable networking extensions
MySQL backend
Cinder – Volumes
Replaces nova-volume
REST API
MySQL backend
LVM management on nova-volume nodes
Direct hardware interaction with NAS
Direct interaction with soft block stores
Swift – Object Storage ( S3 )
REST API
HA-Proxy Load balancer
Block Manipulation on Nodes
Soft Replication between Nodes
Horizon – Web GUI ( Django )
Integrates with REST APIs
Integrates with Client APIs
Uses standard Keystone token authentication
Django based
Does not use EC2 APIs, solely OpenStack
Message Buses
RabbitMQ
ZeroMQ
Development Workflows
Continuous Integration
Gerrit
Jenkins
Launchpad
GitHub
Packaging
Packaging
Core packages are built from release tarballs
Client packages are built from pypi tarballs
Git releases are PGP signed
Efforts are being made to ensure all dependencies are PGP signed properly
Ubuntu / RedHat / SuSE among many vendors with signed releases
Good Reading
China GitHub and Man in the Middle
https://en.greatfire.org/blog/2013/jan/china-github-and-man-middle
Part II – Targeting OpenStack
Layer 3 Model
Layer 2 Model
Nested Model
The ZeroMQ Message Bus
Fuzzing attacks in 2.1
“ØMQ does not deal with security by design but concentrates on getting your bytes over the network as fast as possible.”
The question of encrypting 0mq communications is difficult in cloud environments.
Message Signing
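An added example of the message-signing mitigation the slide names, not code from the talk, from ØMQ or from OpenStack: an HMAC envelope around an RPC call so a receiver on an unauthenticated bus can reject forged, tampered, stale or replayed messages. The envelope layout, field names and shared key are assumptions made for this example.

```python
"""HMAC-signed envelope for RPC messages on an unauthenticated bus.

Added example; the envelope layout, field names and key are constructed for
illustration and are not oslo's or the format proposed on openstack-dev.
Assumes a per-deployment shared key distributed out of band."""
import hashlib
import hmac
import json
import os
import time

SHARED_KEY = b"constructed-demo-key-replace-me"  # constructed sample key
MAX_SKEW = 30  # seconds a captured envelope stays replayable at most


def _canonical(body):
    # Deterministic serialisation so sender and receiver MAC identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_message(method, args, key=SHARED_KEY, now=None):
    """Wrap an RPC call so method, args, timestamp and nonce are all under the MAC."""
    body = {
        "method": method,
        "args": args,
        "ts": int(time.time() if now is None else now),
        "nonce": os.urandom(8).hex(),
    }
    return {"body": body, "mac": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}


def verify_message(envelope, seen_nonces, key=SHARED_KEY, now=None):
    """Return (True, body) for a valid, fresh, unseen envelope, else (False, reason).

    seen_nonces is the receiver's replay cache; it only needs to hold nonces
    younger than MAX_SKEW, since older envelopes are rejected as stale anyway."""
    body, mac = envelope.get("body", {}), envelope.get("mac", "")
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):  # constant-time compare
        return False, "bad MAC"
    now = time.time() if now is None else now
    if abs(now - body["ts"]) > MAX_SKEW:
        return False, "stale envelope"
    if body["nonce"] in seen_nonces:
        return False, "replayed envelope"
    seen_nonces.add(body["nonce"])
    return True, body


if __name__ == "__main__":
    env = sign_message("run_instance", {"instance_id": "i-0001"}, now=1000)
    print(verify_message(env, set(), now=1005))
```

Signing gives integrity and authenticity only; anyone on the bus can still read the payload, which is the separate encryption question the slide raises.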
Good Reading
Status of Secure Messaging
http://lists.openstack.org/pipermail/openstack-dev/2013-February/005614.html
The RabbitMQ Message Bus
Supports SSL
Supports Authentication ( SASL )
Public / Private Queues
No encryption at rest ( who cares? )
Not as horizontally scalable
The REST APIs and other HTTP Targets
Backend ( wsgi )
Admin ( wsgi )
Client ( requests )
SDKs ( there are many )
Horizon ( django )
Config Drive CVE-2012-3447
https://blueprints.launchpad.net/nova/+spec/config-drive-v2
Compromise of Compute Hosts WITHOUT hypervisor escape possible
Volumes, Block Storage, and Memory
Volume zeroing is a recurring vulnerability
Volume encryption coming
Shared Memory space presents the possibility for attackers to sniff memory allocated to other virtual hosts
DMA access is a continual source of hypervisor escape attacks
Authentication
Auth Tokens – UUID v4 / dev urandom
PKI Certs – Grizzly*
Multifactor Auth – Grizzly*
Token Sizes... Enormous 40 bytes to 3k. Potential for DDOS and Failure in Horizon
Authn/z – Grizzly*
Analysis of Past Vulnerabilities
Lines of Code per Project
Vulnerability Reports by Company
Part III – Defense against the Dark Arts
Intrusion Detection
Security APIs ( ceilometer, marconi? ) - event logging
Precursor Indicators – Homogeneity makes anomalies easy to spot. Standard methods as well.
External Reporting
Security Services ( SaaS )
Infrastructure Knowledge ( This Preso )
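An added example of the "homogeneity makes anomalies easy to spot" point, not code from the talk or from OpenStack: compute hosts built from one image should report the same facts, so the majority defines the baseline and any host-only difference is a precursor indicator. The inventory, fact names and quorum threshold are constructed assumptions.

```python
"""Fleet homogeneity check for compute hosts (added example, not from the talk).

Inventory is a constructed dict host -> set of facts (package@version, listening
port, kernel). On a fleet built from one image, anything present on a minority of
hosts deserves triage; the quorum threshold is an assumption, not an OpenStack value."""
from collections import Counter

BASE = {"nova-compute@2012.2", "libvirt-bin@0.9.13", "kernel:3.2.0-36",
        "port:22", "port:5900"}  # constructed image contents

FLEET = {  # constructed sample inventory
    "compute01": set(BASE),
    "compute02": set(BASE),
    # extra listener and tool not in the image: classic precursor indicator
    "compute03": BASE | {"port:4444", "ncat@6.01"},
    # older kernel: host has drifted from the fleet's patch level
    "compute04": (BASE - {"kernel:3.2.0-36"}) | {"kernel:3.2.0-35"},
}


def fleet_baseline(fleet, quorum=0.5):
    """Facts present on more than `quorum` of hosts form the expected image."""
    counts = Counter(fact for facts in fleet.values() for fact in facts)
    n = len(fleet)
    return {fact for fact, c in counts.items() if c / n > quorum}


def host_anomalies(fleet, quorum=0.5):
    """Map each drifting host to what it has that the fleet lacks, and vice versa."""
    baseline = fleet_baseline(fleet, quorum)
    report = {}
    for host, facts in sorted(fleet.items()):
        extra, missing = facts - baseline, baseline - facts
        if extra or missing:
            report[host] = {"extra": sorted(extra), "missing": sorted(missing)}
    return report


if __name__ == "__main__":
    for host, diff in host_anomalies(FLEET).items():
        print(host, diff)
```

The same comparison works on any fact source the fleet already exposes (package lists, open sockets, ceilometer metrics), which is what makes a homogeneous fleet cheap to watch.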
Intrusion Response
You guys know this better than I
Have a plan.
Consumers must have a workflow that is known and supported for response.
Disclosure of breach and other issues should be planned for ahead of time.
Don't Panic.
Forensics ( Chain of Custody )
Ephemeral Design means interruption is usually expected as part of SLA
OpenStack has no mechanism for migrating instances between tenants.
You may want to provide SOC teams tenant access to monitor compromised instances.
Instances can be snapshotted and exported for controlled testing in sandbox.
Logs should be isolated in a one-way DMZ
Reporting to OpenStack
Open a bug in Launchpad and mark it as a 'security bug'. This will make the bug Private and only accessible to the Vulnerability Management Team.
If the issue is extremely sensitive, please send an encrypted email to one of the Team’s members. Their GPG keys can be found below, and are also available from popular public GPG key servers.
http://www.openstack.org/projects/openstack-security/
Good Reads on Incident Response
Handling Compromised Components in an IaaS Cloud Installation
Aryan TaheriMonfared
Martin G Jaatun
http://www.journalofcloudcomputing.com/content/1/1/16/abstract
Object Storage Pain Points
Overwriting Data is Difficult, no stock methods.
In event of aggressive evidence collection, difficulty in identifying physical resources.
Potential loss of data in evidence collection.
TPM + OpenStack = Trusted Pools
Zoned by Exposed Surface Area
SaaS is most secure
PaaS less so
IaaS least secure
Duh
Good Reading
Trusted Computing Pools
http://wiki.openstack.org/TrustedComputingPools
Putting Trust in OpenStack
http://www.openstack.org/summit/san-diego-2012/openstack-summit-sessions/presentation/putting-trust-in-openstack
Parting thought
Consider public cloud vendors as you would a Chinese fabrication supply chain.
They are cheap. They are untrusted. They are probably going to be around for the foreseeable future.
Good Reading
A multi-level security model for partitioning workflows over federated clouds
http://www.journalofcloudcomputing.com/content/1/1/15