"We used to leak kilobytes,then megs, then even gigs.                        Cloud ComputingNow, we leak EC2 instances.Som...
OpenStack                   Security BriefShmooCon 2013http://www.secstack.org/shmoocon2013.ppt
Yes, this is me.
This is also me.
Part I – OpenStack Structure
Cloud Computing is a terrible term.Investopedia defines it as...     ... this is why it was referred to as  Clown Computin...
A Better Term :              Elastic DesignScale horizontally rather than vertically    Distributed services    Standard...
So.. its an Open Stack?    Elastic Cloud    Open Source ( Apache License )    Open Standards ( Foundation )    Written...
Gaming the Foundation   A fun tangenthttps://www.music-piracy.com/?p=750
OpenStack Membership 2011
Top Companies by Commits
Votes by Source
Components of OpenStack                      ( Folsom – 2012.2 )Core                 Clients                     Incubated...
Good ReadingKen Pepples Folsom Architecture Posthttp://ken.pepple.info/openstack/2012/09/25/openstack-folsom-architecture/
http://ken.pepple.info/openstack/2012/09/25/openstack-folsom-architecture/
Not getting into hypervisor security.OpenStack supports many hypervisors.Some supported hypervisors:      KVM      Xen /...
Keystone – Identity Manager    REST API, Admin API    Service Catalog    Backend to sqlite by default    Supports MySQ...
Nova – Elastic Compute ( EC2 )    REST API, Metadata API, EC2 API    Integrates with many hypervisors    Defaults to li...
Glance – Image Store    REST API    Backed my MySQL    Stores to local volumes    Optionally stores to object storage
Quantum – SDN    Replaces nova-network    REST API    Can interact directly with hardware    Pluggable networking exte...
Cinder – Volumes    Replaces nova-volume    REST API    MySQL backend    LVM management on nova-volume nodes    Direc...
Swift – Object Storage ( S3 )    REST API    HA-Proxy Load balancer    Block Manipulation on Nodes    Soft Replication...
Horizon – Web GUI ( Django )    Integrates with REST APIs    Integrates with Client APIs    Uses standard Keystone toke...
Message Buses    RabbitMQ    ZeroMQ
Development Workflows    Continuous Integration    Gerrit    Jenkins    Launchpad    GitHub    Packaging
Packaging    Core packages are built from release    tarballs    Client packages are built from pypi tarballs    Git re...
Good ReadingChina GitHub and Man in the Middlehttps://en.greatfire.org/blog/2013/jan/china-github-and-man-middle
Part II – Targetting OpenStack
Layer 3 Model
Layer 2 Model
Nested Model
The ZeroMQ Message Bus    Fuzzing attacks in 2.1    “ØMQ does not deal with security by    design but concentrates on ge...
Good ReadingStatus of Secure Messaginghttp://lists.openstack.org/pipermail/openstack-dev/2013-   February/005614.html
The RabbitMQ Message Bus    Supports SSL    Supports Authentication ( SASL )    Public / Private Queues    No encrypti...
The REST APIs and other HTTP Targets    Backend ( wsgi )    Admin ( wsgi )    Client ( requests )    SDKs ( there are ...
Config Drive    CVE-2012-3447    https://blueprints.launchpad.net/nova/+spec/config-drive-v2    Compromise of Compute H...
Volumes, Block Storage, and Memory    Volume zeroing is a recurring vulnerability    Volume encryption coming    Shared...
Authentication    Auth Tokens – UUID v4 / dev urandom    PKI Certs – Grizzly*    Multifactor Auth – Grizzly*    Token ...
Analysis of Past Vulnerabilities
Lines of Code per Project
Vulnerability Reports by      Company
Part III – Defense against the            Dark Arts
Intrusion Detection
Intrusion Detection    Security APIs ( ceilometer, marconi? ) -    event logging    Precursor Indicators – Homogeneity m...
Intrusion ResponseYou guys know this better than I    Have a plan.    Consumers must have a workflow that is    known an...
Forensics ( Chain of Custody )      Ephemeral Design means interruption is     usually expected as part of SLA      Open...
Reporting to OpenStack            Open a bug in Launchpad and mark it as a        security bug. This will make the bug   ...
Good Reads on Inc ResponseHandling Compromised Components in an IaaS Cloud InstallationAryan TaheriMonfared (aryan@uninett...
Object Storage Pain Points    Overwriting Data is Difficult, no stock    methods.    In event of aggressive evidence col...
TPM + OpenStack = Trusted Pools
Zoned by Exposed Surface Area    SaaS is most secure    PaaS less so    IaaS least secureDuh
Good ReadingTrusted Computing Poolshttp://wiki.openstack.org/TrustedComputingPoolsPutting Trust in OpenStackhttp://www.ope...
Parting thoughtConsider public cloud vendors as you would a Chinese fabrication supply chain.    They are cheap.    They...
Good ReadingA multi-level security model for partitioning  workflows over federated cloudshttp://www.journalofcloudcomputi...
Shmoocon 2013 - OpenStack Security Brief
Slides from talk at Shmoocon 2013 given by Matt Joyce titled "OpenStack Security Brief".

Published in: Technology
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
2,486
On SlideShare
0
From Embeds
0
Number of Embeds
626
Actions
Shares
0
Downloads
105
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

Shmoocon 2013 - OpenStack Security Brief

  1. 1. "We used to leak kilobytes,then megs, then even gigs. Cloud ComputingNow, we leak EC2 instances.Someday, well leakentire datacenters." - @Dymaxion  This term means absolutely nothing.  $variable + vague generic term
  2. 2. OpenStack Security BriefShmooCon 2013http://www.secstack.org/shmoocon2013.ppt
  3. 3. Yes, this is me.
  4. 4. This is also me.
  5. 5. Part I – OpenStack Structure
  6. 6. Cloud Computing is a terrible term.Investopedia defines it as... ... this is why it was referred to as Clown Computing for a very long time.
  7. 7. A Better Term : Elastic DesignScale horizontally rather than vertically Distributed services Standard Orchestration APIs All States are Ephemeral
  8. 8. So.. its an Open Stack? Elastic Cloud Open Source ( Apache License ) Open Standards ( Foundation ) Written in Python REST APIs Shared Nothing, Message Oriented
  9. 9. Gaming the Foundation A fun tangenthttps://www.music-piracy.com/?p=750
  10. 10. OpenStack Membership 2011
  11. 11. Top Companies by Commits
  12. 12. Votes by Source
13. Components of OpenStack (Folsom – 2012.2)
    Core: Nova, Swift, Keystone, Glance, Quantum, Cinder, Horizon
    Clients: python-novaclient, python-swiftclient, python-keystoneclient, python-glanceclient, python-quantumclient, python-cinderclient, python-openstackclient
    Incubated: Oslo, Ceilometer, python-ceilometerclient, Heat API, python-heatclient
14. Good Reading: Ken Pepple's Folsom Architecture Post http://ken.pepple.info/openstack/2012/09/25/openstack-folsom-architecture/
15. (Figure: architecture diagram from http://ken.pepple.info/openstack/2012/09/25/openstack-folsom-architecture/)
16. Not getting into hypervisor security. OpenStack supports many hypervisors. Some supported hypervisors: KVM, Xen / XCP, Hyper-V, VMware, physical provisioning (in Grizzly), etc, etc, etc. Sky's the limit, Bob's your uncle.
17. Keystone – Identity Manager. REST API, Admin API. Service Catalog. Backend is SQLite by default; supports MySQL, LDAP, Active Directory (with patches). Token generation and the shared authentication endpoint for OpenStack software.
18. Nova – Elastic Compute (EC2). REST API, Metadata API, EC2 API. Integrates with many hypervisors; defaults to libvirt. Integrated volume and network orchestration in Folsom (deprecated). Security Groups, Quotas, Zones, Flavors... Config Drive. Ugliest, oldest, most complex code in the project.
19. Glance – Image Store. REST API. Backed by MySQL. Stores to local volumes. Optionally stores to object storage.
20. Quantum – SDN. Replaces nova-network. REST API. Can interact directly with hardware. Pluggable networking extensions. MySQL backend.
21. Cinder – Volumes. Replaces nova-volume. REST API. MySQL backend. LVM management on nova-volume nodes. Direct hardware interaction with NAS. Direct interaction with soft block stores.
22. Swift – Object Storage (S3). REST API. HAProxy load balancer. Block manipulation on nodes. Soft replication between nodes.
23. Horizon – Web GUI (Django). Integrates with REST APIs. Integrates with client APIs. Uses standard Keystone token authentication. Django based. Does not use EC2 APIs, solely OpenStack.
24. Message Buses: RabbitMQ, ZeroMQ
25. Development Workflows: Continuous Integration, Gerrit, Jenkins, Launchpad, GitHub, Packaging
26. Packaging. Core packages are built from release tarballs; client packages are built from PyPI tarballs. Git releases are PGP signed. Efforts are being made to ensure all dependencies are PGP signed properly. Ubuntu / Red Hat / SuSE are among many vendors with signed releases.
27. Good Reading: China, GitHub and Man in the Middle https://en.greatfire.org/blog/2013/jan/china-github-and-man-middle
28. Part II – Targeting OpenStack
29. Layer 3 Model
30. Layer 2 Model
31. Nested Model
32. The ZeroMQ Message Bus. Fuzzing attacks in 2.1. "ØMQ does not deal with security by design but concentrates on getting your bytes over the network as fast as possible." The question of encrypting 0mq communications is difficult in cloud environments. Message signing.
33. Good Reading: Status of Secure Messaging http://lists.openstack.org/pipermail/openstack-dev/2013-February/005614.html
34. The RabbitMQ Message Bus. Supports SSL. Supports authentication (SASL). Public / private queues. No encryption at rest (who cares?). Not as horizontally scalable.
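Slides 32 and 34 make the point that ØMQ has no security layer at all and that RabbitMQ's SSL and SASL protect only the hop to the broker, not the authenticity of an individual RPC message once it is on the bus; slide 32 floats message signing as the answer. The following is an added example, not code from the talk or from OpenStack's rpc layer: each RPC message is signed with HMAC-SHA256 over a canonical JSON encoding of a body carrying a nonce and a timestamp, and the receiver rejects tampered, replayed and stale messages. The envelope layout, the shared key and the 60-second replay window are assumptions of this example; OpenStack's own signed-messaging design was still under discussion on the list thread linked at slide 33.

```python
"""Signed RPC envelopes for an OpenStack-style message bus (added example).

ØMQ has no security layer and RabbitMQ's SSL/SASL protect only the hop to the
broker, so any host that can publish to a queue can impersonate a service.
This example signs each RPC message with HMAC-SHA256 over a canonical JSON
encoding of the body, which carries a nonce and a timestamp, and the receiver
rejects tampered, replayed and stale messages.  The envelope layout, the
shared key and the replay window are assumptions of this example, not
OpenStack's wire format.
"""
import hashlib
import hmac
import json
import os
import time

REPLAY_WINDOW_SECONDS = 60  # assumed tolerance for clock skew and queueing delay


def canonical(obj):
    """Deterministic bytes for hashing: sorted keys, no whitespace."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_message(key, method, args, now=None):
    """Wrap an RPC call (method name plus argument dict) in a signed envelope."""
    body = {
        "method": method,
        "args": args,
        "nonce": os.urandom(16).hex(),
        "ts": int(time.time() if now is None else now),
    }
    mac = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


class Verifier:
    """Receiver-side checks: signature first, then freshness, then nonce reuse."""

    def __init__(self, key):
        self.key = key
        self.seen_nonces = {}  # nonce -> ts; pruned as entries leave the window

    def verify(self, envelope, now=None):
        now = int(time.time() if now is None else now)
        body = envelope.get("body", {})
        expected = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        # Constant-time compare; '==' on the hex digest would leak timing.
        if not hmac.compare_digest(expected, str(envelope.get("mac", ""))):
            return False, "bad signature"
        ts = body.get("ts")
        if not isinstance(ts, int) or abs(now - ts) > REPLAY_WINDOW_SECONDS:
            return False, "stale or missing timestamp"
        # Drop nonces that have aged out so the set stays bounded.
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items()
                            if now - t <= REPLAY_WINDOW_SECONDS}
        nonce = body.get("nonce")
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        self.seen_nonces[nonce] = ts
        return True, "ok"


def demo():
    """Fixed clock so the outcome is deterministic: accept, replay, forgery, stale."""
    key = b"shared-secret-from-config"  # assumed; distribute out of band, never in the message
    v = Verifier(key)
    env = sign_message(key, "run_instance", {"instance_id": "i-0001"}, now=1000)
    outcomes = [v.verify(env, now=1001)[1]]                       # ok
    outcomes.append(v.verify(env, now=1002)[1])                   # replayed nonce
    forged = json.loads(json.dumps(env))                          # attacker edits args
    forged["body"]["args"]["instance_id"] = "i-0002"
    outcomes.append(v.verify(forged, now=1001)[1])                # bad signature
    old = sign_message(key, "terminate_instance", {"instance_id": "i-0001"}, now=500)
    outcomes.append(v.verify(old, now=1001)[1])                   # stale or missing timestamp
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Signing gives integrity and origin authentication but not confidentiality; a passive listener on an unencrypted ØMQ socket still reads every message, so this is a complement to transport encryption, not a substitute for it.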
35. The REST APIs and other HTTP Targets. Backend (wsgi). Admin (wsgi). Client (requests). SDKs (there are many). Horizon (django).
36. Config Drive. CVE-2012-3447. https://blueprints.launchpad.net/nova/+spec/config-drive-v2 Compromise of compute hosts WITHOUT hypervisor escape possible.
37. Volumes, Block Storage, and Memory. Volume zeroing is a recurring vulnerability. Volume encryption coming. Shared memory space presents the possibility for attackers to sniff memory allocated to other virtual hosts. DMA access is a continual source of hypervisor escape attacks.
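Slide 37 calls volume zeroing a recurring vulnerability: when a deleted volume's extents are handed to a new tenant without being overwritten, the previous owner's data is readable from the fresh volume. As an added example, not Cinder's or nova-volume's code, the helper below scans a volume for residual non-zero data and overwrites it in place. The 1 MiB sample volume it builds is a constructed temporary file and the 4 MiB chunk size is an assumption; pointed at `/dev/<vg>/<lv>` with sufficient privilege, `first_nonzero_offset` checks a real logical volume before it is attached.

```python
"""Residual-data check and zeroing for a block volume (added example).

When a deleted volume's extents are reallocated without being overwritten, the
next tenant can read the previous owner's data.  first_nonzero_offset() scans a
volume in chunks and reports where residual data begins; zero_volume()
overwrites the volume in place.  Both take any readable/writable path, so
they work on a file or on /dev/<vg>/<lv> given sufficient privilege.  The
sample volume in demo() is a constructed temporary file and the 4 MiB chunk
size is an assumption of this example.
"""
import os
import tempfile

CHUNK = 4 * 1024 * 1024  # assumed read/write granularity


def first_nonzero_offset(path, chunk=CHUNK):
    """Byte offset of the first non-zero byte, or -1 if the volume is all zeros."""
    zero_chunk = bytes(chunk)
    offset = 0
    with open(path, "rb") as fh:
        while True:
            data = fh.read(chunk)
            if not data:
                return -1
            # Compare against a zero buffer of the same length first; only
            # scan byte-by-byte when the chunk is known to hold residue.
            if data != zero_chunk[:len(data)]:
                for i, b in enumerate(data):
                    if b:
                        return offset + i
            offset += len(data)


def is_zeroed(path, chunk=CHUNK):
    return first_nonzero_offset(path, chunk) == -1


def zero_volume(path, chunk=CHUNK):
    """Overwrite a volume with zeros in place (the dd if=/dev/zero step)."""
    with open(path, "r+b") as fh:
        fh.seek(0, os.SEEK_END)       # works for block devices, unlike os.path.getsize()
        size = fh.tell()
        fh.seek(0)
        remaining = size
        while remaining > 0:
            n = min(chunk, remaining)
            fh.write(bytes(n))
            remaining -= n
        fh.flush()
        os.fsync(fh.fileno())         # make sure it reaches the media, not just the page cache
    return size


def demo(size=1 << 20, chunk=64 * 1024):
    """Constructed 1 MiB volume with 29 bytes of a previous tenant's data at offset 512000."""
    residue = b"tenant-a-private-key-material"
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "volume.img")
        with open(path, "wb") as fh:
            fh.write(bytes(512000))
            fh.write(residue)
            fh.write(bytes(size - 512000 - len(residue)))
        results["before"] = first_nonzero_offset(path, chunk)   # 512000
        results["bytes_zeroed"] = zero_volume(path, chunk)      # 1048576
        results["after"] = first_nonzero_offset(path, chunk)    # -1
        results["is_zeroed"] = is_zeroed(path, chunk)           # True
    return results


if __name__ == "__main__":
    print(demo())
```

On thin-provisioned or copy-on-write backends a zero write may be deduplicated rather than stored, so the read-back check is the part that actually proves the old data is gone; the encryption slide 37 mentions as "coming" sidesteps the problem entirely, since reallocated ciphertext is useless without the departed tenant's key.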
38. Authentication. Auth tokens – UUID v4 / /dev/urandom. PKI certs – Grizzly*. Multifactor auth – Grizzly*. Token sizes... enormous: 40 bytes to 3k. Potential for DDoS and failure in Horizon. Authn/z – Grizzly*.
39. Analysis of Past Vulnerabilities
40. Lines of Code per Project
41. Vulnerability Reports by Company
42. Part III – Defense against the Dark Arts
43. Intrusion Detection
44. Intrusion Detection. Security APIs (ceilometer, marconi?) - event logging. Precursor indicators – homogeneity makes anomalies easy to spot. Standard methods as well. External reporting. Security services (SaaS). Infrastructure knowledge (this preso).
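Slide 44's point that homogeneity makes anomalies easy to spot can be turned into a concrete check: compute nodes built from the same image should expose the same services, so a host whose listener set deviates from the fleet majority is a precursor indicator that needs no attack signature. The following added example (not part of the talk or of any OpenStack component) derives a baseline from constructed per-host inventories and reports deviations; the host names, service names, the `nc:4444` listener and the two-thirds quorum are all made up for illustration.

```python
"""Homogeneity-based precursor indicator for a compute fleet (added example).

Compute nodes in an OpenStack deployment are built from the same image and
run the same service set, so a host whose listening services differ from the
fleet majority stands out without any signature knowledge.  The inventories
below are constructed sample data (host -> set of "service:port" listeners),
not the output of an OpenStack tool; a real collector would feed in `ss -lntp`
or `ps` output, or a configuration-management fact cache.
"""
from collections import Counter

BASE_SERVICES = {"nova-compute:-", "libvirtd:16509", "sshd:22", "quantum-openvswitch-agent:-"}

# Constructed inventories: compute-03 has an unexpected listener on 4444,
# compute-04 is missing its Quantum agent (drift, or a killed service).
FLEET = {
    "compute-01": set(BASE_SERVICES),
    "compute-02": set(BASE_SERVICES),
    "compute-03": set(BASE_SERVICES) | {"nc:4444"},
    "compute-04": set(BASE_SERVICES) - {"quantum-openvswitch-agent:-"},
    "compute-05": set(BASE_SERVICES),
}


def fleet_baseline(inventories, quorum=0.66):
    """Services present on at least `quorum` of the hosts form the expected set."""
    counts = Counter()
    for listeners in inventories.values():
        counts.update(listeners)
    needed = quorum * len(inventories)
    return frozenset(item for item, n in counts.items() if n >= needed)


def find_outliers(inventories, baseline):
    """Per-host deviations from the baseline.

    'extra' listeners (something nobody else runs) are the higher-signal
    indicator; 'missing' ones are usually drift but still worth a ticket.
    """
    report = {}
    for host, listeners in sorted(inventories.items()):
        extra = sorted(listeners - baseline)
        missing = sorted(baseline - listeners)
        if extra or missing:
            report[host] = {"extra": extra, "missing": missing}
    return report


if __name__ == "__main__":
    baseline = fleet_baseline(FLEET)
    for host, diff in find_outliers(FLEET, baseline).items():
        print(host, diff)
```

The quorum matters: deriving the baseline from the fleet itself means a change rolled out to most hosts becomes the new normal automatically, while a change on one or two hosts is flagged; pinning the baseline to the golden image instead trades that convenience for catching a fleet-wide compromise.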
45. Intrusion Response. You guys know this better than I. Have a plan. Consumers must have a workflow that is known and supported for response. Disclosure of breach and other issues should be planned for ahead of time. Don't panic.
46. Forensics (Chain of Custody). Ephemeral design means interruption is usually expected as part of the SLA. OpenStack has no mechanism for migrating instances between tenants. You may want to provide SOC teams tenant access to monitor compromised instances. Instances can be snapshotted and exported for controlled testing in a sandbox. Logs should be isolated in a one-way DMZ.
47. Reporting to OpenStack. Open a bug in Launchpad and mark it as a security bug. This will make the bug private and only accessible to the Vulnerability Management Team. If the issue is extremely sensitive, please send an encrypted email to one of the Team's members. Their GPG keys can be found at the page linked below, and are also available from popular public GPG key servers. http://www.openstack.org/projects/openstack-security/
48. Good Reads on Incident Response: Handling Compromised Components in an IaaS Cloud Installation. Aryan TaheriMonfared (aryan@uninett.no), Martin G. Jaatun (Martin.G.Jaatun@sintef.no). http://www.journalofcloudcomputing.com/content/1/1/16/abstract
49. Object Storage Pain Points. Overwriting data is difficult, no stock methods. In the event of aggressive evidence collection, difficulty in identifying physical resources. Potential loss of data in evidence collection.
50. TPM + OpenStack = Trusted Pools
51. Zoned by Exposed Surface Area. SaaS is most secure, PaaS less so, IaaS least secure. Duh.
52. Good Reading: Trusted Computing Pools http://wiki.openstack.org/TrustedComputingPools ; Putting Trust in OpenStack http://www.openstack.org/summit/san-diego-2012/openstack-summit-sessions/presentation/putting-trust-in-openstack
53. Parting thought: Consider public cloud vendors as you would a Chinese fabrication supply chain. They are cheap. They are untrusted. They are probably going to be around for the foreseeable future.
54. Good Reading: A multi-level security model for partitioning workflows over federated clouds http://www.journalofcloudcomputing.com/content/1/1/15
