Cloud Computing This term means absolutely nothing. $variable + ...

scacchicgardenSoftware and s/w Development

Dec 13, 2013 (3 years and 5 months ago)

54 views

Cloud Computing


This term means absolutely nothing.


$variable + vague generic term


"We used to leak kilobytes,

then megs, then even gigs.

Now, we leak EC2 instances.

Someday, we'll leak

entire datacenters."


-

@Dymaxion

OpenStack

Security Brief

ShmooCon 2013

http://www.secstack.org/shmoocon2013.ppt

Yes, this is me.

This is also me.

Part I


OpenStack Structure

Cloud Computing is a terrible term.

Investopedia defines it as...

... this is why it was referred to as

'Clown Computing' for a very long time.

A Better Term :

Elastic Design

Scale horizontally rather than vertically



Distributed services


Standard Orchestration APIs


All States are Ephemeral

So.. it's an Open Stack?


Elastic Cloud


Open Source ( Apache License )


Open Standards ( Foundation )


Written in Python


REST APIs


Shared Nothing, Message Oriented

Gaming the Foundation

A fun tangent

Gaming the Foundation

https://www.music
-
piracy.com/?p=750

OpenStack Membership 2011

Top Companies by Commits

Votes by Source

Components of OpenStack

( Folsom


2012.2 )


Nova


Swift


Keystone


Glance


Quantum


Cinder


Horizon


python
-
novaclient


python
-
swiftclient


python
-
keystoneclient


python
-
glanceclient


python
-
quantumclient


python
-
cinderclient


Oslo


Ceilometer


python
-
ceilometerclient


HEAT API


python
-
heatclient


python
-
openstackclient

Core

Clients

Incubated

Good Reading



Ken Pepple's Folsom Architecture Post

http://ken.pepple.info/openstack/2012/09/25/openstack
-
folsom
-
architecture/

http://ken.pepple.info/openstack/2012/09/25/openstack
-
folsom
-
architecture/

Not getting into hypervisor security.

OpenStack supports many hypervisors.


KVM


Xen / XCP


HyperV


VMWare


Physical Provisioning ( in Grizzly )


etc, etc, etc. sky's the limit, bob's your uncle.

Some supported hypervisors:

Keystone


Identity Manager


REST API, Admin API


Service Catalog


Backend to sqlite by default


Supports MySQL, LDAP, Active Directory (
with patches ).


Token generation and shared
authentication endpoint in OpenStack
software.

Nova


Elastic Compute ( EC2 )


REST API, Metadata API, EC2 API


Integrates with many hypervisors


Defaults to libvirt


Integrated volume and network
orchestration in Folsom ( deprecated )


Security Groups, Quotas, Zones, Flavors..


Config Drive


Ugliest, oldest, most complex code in
project.

Glance


Image Store


REST API


Backed my MySQL


Stores to local volumes


Optionally stores to object storage

Quantum


SDN


Replaces nova
-
network


REST API


Can interact directly with hardware


Pluggable networking extensions


MySQL backend

Cinder


Volumes


Replaces nova
-
volume


REST API


MySQL backend


LVM management on nova
-
volume nodes


Direct hardware interaction with NAS


Direct interaction with soft block stores

Swift


Object Storage ( S3 )


REST API


HA
-
Proxy Load balancer


Block Manipulation on Nodes


Soft Replication between Nodes

Horizon


Web GUI ( Django )


Integrates with REST APIs


Integrates with Client APIs


Uses standard Keystone token
authentication


Django based


Does not use EC2 APIs, solely OpenStack

Message Buses


RabbitMQ


ZeroMQ

Development Workflows


Continuous Integration


Gerrit


Jenkins


Launchpad


GitHub


Packaging

Packaging


Core packages are built from release
tarballs


Client packages are built from pypi tarballs


Git releases are PGP signed


Efforts are being made to ensure all
dependencies are PGP signed properly


Ubuntu / RedHat / SuSE among many
vendors with signed releases

Good Reading

China GitHub and Man in the Middle

https://en.greatfire.org/blog/2013/jan/china
-
github
-
and
-
man
-
middle

Part II


Targetting OpenStack

Layer 3 Model

Layer 2 Model

Nested Model

The ZeroMQ Message Bus


Fuzzing attacks in 2.1


“ØMQ does not deal with security by
design but concentrates on getting your
bytes over the network as fast as possible.”


The question of encrypting 0mq
communications is difficult in cloud
environments.


Message Signing

Good Reading



Status of Secure Messaging

http://lists.openstack.org/pipermail/openstack
-
dev/2013
-
February/005614.html

The RabbitMQ Message Bus


Supports SSL


Supports Authentication ( SASL )


Public / Private Queues


No encryption at rest ( who cares? )



Not as horizontally scalable


The REST APIs and other HTTP Targets


Backend ( wsgi )


Admin ( wsgi )


Client ( requests )


SDKs ( there are many )


Horizon ( django )

Config Drive


CVE
-
2012
-
3447


https://blueprints.launchpad.net/nova/+spec/config
-
drive
-
v2


Compromise of Compute Hosts WITHOUT hypervisor escape
possible


Volumes, Block Storage, and Memory


Volume zeroing is a recurring vulnerability


Volume encryption coming


Shared Memory space presents the
possibility for attackers to sniff memory
allocated to other virtual hosts


DMA access is a continual source of
hypervisor escape attacks

Authentication


Auth Tokens


UUID v4 / dev urandom


PKI Certs


Grizzly*


Multifactor Auth


Grizzly*


Token Sizes... Enormous 40bytes to 3k.
Potential for DDOS and Failure in Horizon


Authn/z


Grizzly*

Analysis of Past Vulnerabilities

Lines of Code per Project

Vulnerability Reports by
Company

Part III


Defense against the
Dark Arts

Intrusion Detection

Intrusion Detection


Security APIs ( ceilometer, marconi? )
-

event logging


Precursor Indicators


Homogeneity makes
anomalies easy to spot. Standard methods
as well.


External Reporting


Security Services ( SaaS )


Infrastructure Knowledge ( This Preso )

Intrusion Response

You guys know this better than I


Have a plan.


Consumers must have a workflow that is
known and supported for response.


Disclosure of breach and other issues
should be planned for ahead of time.


Don't Panic.

Forensics ( Chain of Custody )


Ephemeral Design means interruption is
usually expected as part of SLA


OpenStack has no mechanism for
migrating instances between tenants.


You may want to provide SOC teams
tenant access to monitor compromised
instances.


Instances can be snapshotted and
exported for controlled testing in sandbox.


Logs should be isolated in one way DMZ

Reporting to OpenStack


Open a bug in Launchpad and mark it as a
'security bug'. This will make the bug
Private and only accessible to the
Vulnerability Management Team.


If the issue is extremely sensitive, please
send an encrypted email to one of the
Team’s members. Their GPG keys can be
found below, and are also available from
popular public GPG key servers.

http://www.openstack.org/projects/openstack
-
security/

Good Reads on Inc Response

Handling Compromised Components in an IaaS Cloud Installation

Aryan TaheriMonfared (aryan@uninett.no)

Martin G Jaatun (Martin.G.Jaatun@sintef.no)


http://www.journalofcloudcomputing.com/content/1/1/16/abstract

Object Storage Pain Points


Overwriting Data is Difficult, no stock
methods.


In event of aggressive evidence collection,
difficulty in identifying physical resources.


Potential loss of data in evidence
collection.

TPM + OpenStack = Trusted Pools

Zoned by Exposed Surface Area


SaaS is most secure


PaaS less so


IaaS least secure


Duh

Good Reading

Trusted Computing Pools

http://wiki.openstack.org/TrustedComputingPools


Putting Trust in OpenStack

http://www.openstack.org/summit/san
-
diego
-
2012/openstack
-
summit
-
sessions/presentation/putting
-
trust
-
in
-
openstack

Parting thought

Consider public cloud vendors as you would
a Chinese fabrication supply chain.



They are cheap.


They are untrusted.


They are probably going to be around for
the foreseeable future.

Good Reading



A multi
-
level security model for partitioning
workflows over federated clouds

http://www.journalofcloudcomputing.com/content/1/1/15