Cloud Computing

This term means absolutely nothing. $variable + vague generic term

"We used to leak kilobytes, then megs, then even gigs. Now, we leak EC2 instances. Someday, we'll leak entire datacenters." - @Dymaxion

OpenStackSecurity Brief

ShmooCon 2013http://www.secstack.org/shmoocon2013.ppt

Yes, this is me.

This is also me.

Part I – OpenStack Structure

Cloud Computing is a terrible term.Investopedia defines it as...

... this is why it was referred to as 'Clown Computing' for a very long time.

A Better Term :Elastic Design

Scale horizontally rather than vertically

Distributed services Standard Orchestration APIs All States are Ephemeral

So.. it's an Open Stack?

Elastic Cloud Open Source ( Apache License ) Open Standards ( Foundation ) Written in Python REST APIs Shared Nothing, Message Oriented

Gaming the FoundationA fun tangent

Gaming the Foundation

https://www.music-piracy.com/?p=750

OpenStack Membership 2011

Top Companies by Commits

Votes by Source

Components of OpenStack( Folsom – 2012.2 )

Nova

Swift

Keystone

Glance

Quantum

Cinder

Horizon

python-novaclient

python-swiftclient

python-keystoneclient

python-glanceclient

python-quantumclient

python-cinderclient

Oslo

Ceilometer

python-ceilometerclient

HEAT API

python-heatclient

python-openstackclient

Core Clients Incubated

Good Reading

Ken Pepple's Folsom Architecture Post http://ken.pepple.info/openstack/2012/09/25/openstack-folsom-architecture/

http://ken.pepple.info/openstack/2012/09/25/openstack-folsom-architecture/

Not getting into hypervisor security.OpenStack supports many hypervisors.

KVM Xen / XCP HyperV VMWare Physical Provisioning ( in Grizzly ) etc, etc, etc. sky's the limit, bob's your uncle.

Some supported hypervisors:

Keystone – Identity Manager

REST API, Admin API Service Catalog Backend to sqlite by default Supports MySQL, LDAP, Active Directory

( with patches ). Token generation and shared

authentication endpoint in OpenStack software.

Nova – Elastic Compute ( EC2 ) REST API, Metadata API, EC2 API Integrates with many hypervisors Defaults to libvirt Integrated volume and network

orchestration in Folsom ( deprecated ) Security Groups, Quotas, Zones, Flavors.. Config Drive Ugliest, oldest, most complex code in

project.

Glance – Image Store

REST API Backed my MySQL Stores to local volumes Optionally stores to object storage

Quantum – SDN

Replaces nova-network REST API Can interact directly with hardware Pluggable networking extensions MySQL backend

Cinder – Volumes

Replaces nova-volume REST API MySQL backend LVM management on nova-volume nodes Direct hardware interaction with NAS Direct interaction with soft block stores

Swift – Object Storage ( S3 )

REST API HA-Proxy Load balancer Block Manipulation on Nodes Soft Replication between Nodes

Horizon – Web GUI ( Django )

Integrates with REST APIs Integrates with Client APIs Uses standard Keystone token

authentication Django based Does not use EC2 APIs, solely OpenStack

Message Buses

RabbitMQ ZeroMQ

Development Workflows

Continuous Integration Gerrit Jenkins Launchpad GitHub Packaging

Packaging

Core packages are built from release tarballs

Client packages are built from pypi tarballs Git releases are PGP signed Efforts are being made to ensure all

dependencies are PGP signed properly Ubuntu / RedHat / SuSE among many

vendors with signed releases

Good Reading

China GitHub and Man in the Middlehttps://en.greatfire.org/blog/2013/jan/china-github-and-man-middle

Part II – Targetting OpenStack

Layer 3 Model

Layer 2 Model

Nested Model

The ZeroMQ Message Bus

Fuzzing attacks in 2.1 “ØMQ does not deal with security by

design but concentrates on getting your bytes over the network as fast as possible.”

The question of encrypting 0mq communications is difficult in cloud environments.

Message Signing

Good Reading

Status of Secure Messaginghttp://lists.openstack.org/pipermail/openstack-dev/2013-February/

005614.html

The RabbitMQ Message Bus

Supports SSL Supports Authentication ( SASL ) Public / Private Queues No encryption at rest ( who cares? )

Not as horizontally scalable

The REST APIs and other HTTP Targets

Backend ( wsgi ) Admin ( wsgi ) Client ( requests ) SDKs ( there are many ) Horizon ( django )

Config Drive CVE-2012-3447

https://blueprints.launchpad.net/nova/+spec/config-drive-v2

Compromise of Compute Hosts WITHOUT hypervisor escape possible

Volumes, Block Storage, and Memory

Volume zeroing is a recurring vulnerability Volume encryption coming Shared Memory space presents the

possibility for attackers to sniff memory allocated to other virtual hosts

DMA access is a continual source of hypervisor escape attacks

Authentication

Auth Tokens – UUID v4 / dev urandom PKI Certs – Grizzly* Multifactor Auth – Grizzly* Token Sizes... Enormous 40bytes to 3k.

Potential for DDOS and Failure in Horizon Authn/z – Grizzly*

Analysis of Past Vulnerabilities

Lines of Code per Project

Vulnerability Reports by Company

Part III – Defense against the Dark Arts

Intrusion Detection

Intrusion Detection

Security APIs ( ceilometer, marconi? ) - event logging

Precursor Indicators – Homogeneity makes anomalies easy to spot. Standard methods as well.

External Reporting Security Services ( SaaS ) Infrastructure Knowledge ( This Preso )

Intrusion Response

You guys know this better than I Have a plan. Consumers must have a workflow that is

known and supported for response. Disclosure of breach and other issues

should be planned for ahead of time. Don't Panic.

Forensics ( Chain of Custody )

Ephemeral Design means interruption is usually expected as part of SLA

OpenStack has no mechanism for migrating instances between tenants.

You may want to provide SOC teams tenant access to monitor compromised instances.

Instances can be snapshotted and exported for controlled testing in sandbox.

Logs should be isolated in one way DMZ

Reporting to OpenStack

Open a bug in Launchpad and mark it as a 'security bug'. This will make the bug Private and only accessible to the Vulnerability Management Team.

If the issue is extremely sensitive, please send an encrypted email to one of the Team’s members. Their GPG keys can be found below, and are also available from popular public GPG key servers.

http://www.openstack.org/projects/openstack-security/

Good Reads on Inc Response

Handling Compromised Components in an IaaS Cloud Installation

Aryan TaheriMonfared (aryan@uninett.no)

Martin G Jaatun (Martin.G.Jaatun@sintef.no)

http://www.journalofcloudcomputing.com/content/1/1/16/abstract

Object Storage Pain Points

Overwriting Data is Difficult, no stock methods.

In event of aggressive evidence collection, difficulty in identifying physical resources.

Potential loss of data in evidence collection.

TPM + OpenStack = Trusted Pools

Zoned by Exposed Surface Area

SaaS is most secure PaaS less so IaaS least secure

Duh

Good Reading

Trusted Computing Poolshttp://wiki.openstack.org/TrustedComputingPools

Putting Trust in OpenStackhttp://www.openstack.org/summit/san-diego-2012/openstack-summit-

sessions/presentation/putting-trust-in-openstack

Parting thought

Consider public cloud vendors as you would a Chinese fabrication supply chain.

They are cheap. They are untrusted. They are probably going to be around for

the foreseeable future.

Good Reading

A multi-level security model for partitioning workflows over federated clouds

http://www.journalofcloudcomputing.com/content/1/1/15