Security Issues in OpenStack


Presentation of a Master's thesis project that analyzed security issues in OpenStack Object Storage, open source cloud storage software.

Published in: Technology

  1. Security Issues in OpenStack
     Master's thesis
     Rostyslav Slipetskyy
     Supervisors: Prof. Danilo Gligoroski (NTNU, Norway), Associate Prof. Christian W. Probst (DTU, Denmark)
  2. What is OpenStack?
     Open source software to build private and public clouds. The mission of OpenStack is "to produce the ubiquitous open source cloud computing platform that will meet the needs of public and private clouds regardless of size, by being simple to implement and massively scalable"
  3. What is OpenStack? (2)
     Nova : Cloud Controller + Swift : Cloud Storage =
  4. What is OpenStack? (3)
  5. Why Do We Concentrate on Security?
     - The most important concern of the cloud model according to the survey of IT executives and their line-of-business colleagues conducted by International Data Corporation.
     - From a NIST report on cloud computing prepared for use by U.S. Government, “security challenges [that] cloud computing presents are formidable”
     - Researchers from Massachusetts Institute of Technology (MIT), “securing cloud computing is the information technology’s next grand challenge”
  6. Main Objective
     - Analyze how various security issues are handled in OpenStack.
  7. Methodology
     1. Examine evolving standards and recommendations to identify a set of problems pertinent to cloud computing security
     2. Install OpenStack in a virtualized environment that emulates a cloud datacenter
     3. Evaluate whether identified issues are taken care of in OpenStack
     4. If a given area of security concern was handled in OpenStack:
        - Analyze implementation for weaknesses using black-box and white-box testing approaches
     5. If a given area of security concern was not handled in OpenStack:
        - Raise the issue among the developers using mailing list, IRC channel, etc.
        - Suggest possible implementation to handle the identified security issue in OpenStack
  8. Identifying Security Issues Relevant to Cloud Computing
     1. Cloud Security Alliance (international organization consisting of industry representatives)
        - “Security Guidance for Critical Areas of Focus in Cloud Computing”
     2. European Network and Information Security Agency (government-funded institution from EU)
        - “Cloud Computing Security Risk Assessment”
     3. National Institute of Standards and Technology (government-funded institution from the USA)
        - “Guidelines on Security and Privacy in Public Cloud Computing”
  9. Tackling Project Size and Requirements
     1. We selected one project from OpenStack family:
        - OpenStack Object Storage, Bexar release (February 2011)
          - Open source software for creating redundant, scalable object storage using clusters of standardized servers to store petabytes of accessible data
     2. We concentrated on the following groups of security issues:
        - Identity and Access Management
        - Data Management
  10. OpenStack Installation
  11. Identity and Access Management Security Issues
      1. Identity Provisioning/Deprovisioning
      2. Identity Federation
      3. Authentication
      4. Authorization and Access Control
  12. Authentication: Workflow
  13. Authentication Systems: Devauth
      - User data (passwords, groups) are stored in SQLite database
  14. Authentication Systems: SWAuth
      - User data (passwords, groups) are stored as files in Object Storage
  15. Authentication: Security Token Generation
      1. Security tokens in OpenStack play the same role as session identifiers for web applications
      2. OWASP WebScarab tool was modified to support analyzing OpenStack tokens in the same way as session identifiers
      3. UUID version 4 was found to be used to generate tokens, which used /dev/urandom on Ubuntu as a source of randomness
  16. Authentication: Portability of stored data
      - Administrators have the possibility to retrieve authentication data of users belonging to the accounts that they manage
      - Step 1. Enumerate all registered users.
  17. Authentication: Portability of stored data (2)
      - Administrators have the possibility to retrieve authentication data of users belonging to the accounts that they manage
      - Step 2. Query authentication data for each of the users
  18. Authentication: Portability of stored data (3)
      - Reseller Admin: special type of administrators with permission to create new accounts (register new customers in the system)
      - While studying portability of authentication data in swauth, we found a security vulnerability that allowed a malicious Admin to obtain credentials of Reseller Admin. OpenStack Object Storage allowed Admin to retrieve user data for all the users that belonged to the owned account. If it happens that Reseller Admin is registered in the given account, a malicious Admin can issue an HTTP GET call and obtain his password.
  19. Authentication: Portability of stored data (4)
  20. Authentication: Portability of stored data (5)
  21. Authorization: Inadequate Permissions of Reseller Admins
      1. Different types of administrators exist in OpenStack:
         - Super Admin
         - Reseller Admin
         - Admin
      2. Documentation did not clearly state permissions of Reseller Admins
      3. Experiment was conducted to authenticate Reseller Admin and use obtained authentication token to access accounts to which the given Reseller Admin did not belong
      4. We show that, knowing a URL to a storage account, a Reseller Admin can download or even delete files belonging to any user on any of the accounts
      5. We also show how Reseller Admins can obtain URLs to existing storage accounts
  22. Authorization: Inadequate Permissions of Reseller Admins (2)
      1. Developers were notified about the issue found
      2. Developer response can be summarized as follows:
         - It is not a bug, but a feature (e.g. Reseller Admin might need to perform data migration on behalf of a user)
         - Other authorization systems can be used with OpenStack (however, they are not provided out-of-the-box)
      3. We suggest that users encrypt sensitive information before uploading to OpenStack Object Storage
  23. Authorization: Inadequate Permissions of Reseller Admins (3)
      - Richard Stallman:
        - “Let any Tom, Dick and Harry hold your data, let any Tom, Dick and Harry do your computing for you (and control it). Perhaps the term 'careless computing' would suit [cloud computing] better.”
  24. Data Management Security Issues
      1. Data Location
      2. Isolation
      3. Backup and Recovery
      4. Deletion
      5. Encryption and Key Management
      6. Integrity Verification
  25. Isolation of files in OpenStack
      - Account + container + object + salt -> MD5 hash function -> Path to the file on the storage node
  26. Isolation of files in OpenStack (2)
      1. Experiment was conducted to verify whether isolation depends only on the output of MD5 hash function:
         - Created a dummy implementation of hash function that returned the same hash value whenever called
         - Changed OpenStack code to use dummy implementation of hash function when calculating path for files
         - Uploaded fileA to containerA on accountA using credentials of userA
         - Uploaded fileB to containerB on accountB using credentials of userB
         - The file uploaded by userB overwrites the file uploaded by userA
  27. Isolation of files in OpenStack (3)
      1. MD5 seems to be resistant to pre-image attacks according to the current level of knowledge in the public domain
      2. MD5 is not resistant to collision attacks
      3. How can we abuse OpenStack isolation by using collision attack:
         - Negotiate contractual agreement with the Provider according to which the latter is responsible to prevent loss of data belonging to the former
         - Generate two file names that will hash to the same value (insider knowledge of the used hash is required)
         - Upload two files to OpenStack (second file will overwrite first one)
         - Sue Provider for data loss
  28. Summary
      - Main outcomes of the Master's project:
        - A list of security issues to be used when evaluating security of cloud solutions was compiled
        - A security vulnerability that allowed administrators with lower permissions to obtain credentials of administrators with higher permissions was reported
        - Inadequately high permissions of one type of administrator, which allowed reading/deleting all the files of all the users, were reported
        - Poor password management procedures in the provided authentication systems were shown
        - A possibility to compromise isolation of files with subsequent overwrite of one file by another was found
  29. Questions?
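
The isolation experiment from slides 25 and 26, replayed as an added example that is not part of the original presentation or of OpenStack's code: a toy storage node whose file path depends only on the hash of account + container + object + salt. The `StorageNode` class, the path layout, the way the name is joined and the salt value are assumptions made for illustration.

```python
import hashlib

SALT = "constructed-cluster-salt"  # constructed value; a real cluster keeps its own secret


def md5_name_hash(account, container, obj, salt=SALT):
    """Hash account + container + object + salt with MD5, as on slide 25."""
    name = "/" + "/".join((account, container, obj)) + salt
    return hashlib.md5(name.encode("utf-8")).hexdigest()


def dummy_name_hash(account, container, obj, salt=SALT):
    """Stand-in for the experiment's dummy hash: same value on every call."""
    return "0" * 32


class StorageNode:
    """Toy storage node: one dict entry per on-disk path (assumed layout)."""

    def __init__(self, name_hash):
        self.name_hash = name_hash
        self.disk = {}

    def path_for(self, account, container, obj):
        digest = self.name_hash(account, container, obj)
        return "objects/" + digest[-3:] + "/" + digest

    def put(self, account, container, obj, data):
        # No tenant check here: the path alone decides which file is written.
        self.disk[self.path_for(account, container, obj)] = data

    def get(self, account, container, obj):
        return self.disk.get(self.path_for(account, container, obj))


def run_experiment(name_hash):
    """Replay the slide 26 uploads; return what userA reads back and the file count."""
    node = StorageNode(name_hash)
    node.put("accountA", "containerA", "fileA", b"data of userA")
    node.put("accountB", "containerB", "fileB", b"data of userB")
    return node.get("accountA", "containerA", "fileA"), len(node.disk)


if __name__ == "__main__":
    print("md5  :", run_experiment(md5_name_hash))
    print("dummy:", run_experiment(dummy_name_hash))
```

With MD5 the two uploads land on separate paths; with the constant hash only one file exists and userA reads back userB's data, which is the overwrite reported on slide 26.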