Cloudifornication
::Agenda
Cloud Defined :: Talking Heads & Shark Jumping
Heart Of Darkness :: Corrosive (t)Rust
Cloudifornication :: Stacked Turtles & Pwnage
:: Context
The Internet assumes a fictional trusted core but is in fact an untrusted, unreliable & hostile platform. So then, is Cloud.
What are we going to do differently about who we trust, how and why?
Providers/Technicians View
Visual Model Of NIST Working Definition Of Cloud Computing
http://www.csrc.nist.gov/groups/SNS/cloud-computing/index.html
Essential Characteristics: Broad Network Access, Rapid Elasticity, Measured Service, On-Demand Self-Service, Resource Pooling
Delivery Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)
Deployment Models: Public, Private, Hybrid, Community
Everything Is Cloud...
CloudWoW!
Public Cloud
Intercloud
Hybrid Clouds
[Figure: cloud reference model. Stack layers, bottom up: Facilities (Power, HVAC, Space), Hardware, Abstraction (VMM), Core Connectivity & Delivery (IPAM/DNS, LB & Transport, Security, IAM/Auth.), APIs, middleware services (Database, Messaging, Queuing, IAM/Auth.), Applications (Native, Web, Emulated), Data / Metadata / Content (Structured / Unstructured), Presentation Platform & Presentation Modality. IaaS, PaaS and SaaS each expose a different slice of the stack; Extensibility and Security cut across the layers; Consumer vs Provider, with End Users, Developers and SysAdmins. Example providers: Salesforce.com, Google Apps, Oracle OnDemand (SaaS); Google AppEngine, Force.com, Coghead (PaaS).]
Infrastructure as a Service (IaaS)
Provider secures their infrastructure to maximize availability & multi-tenancy
Remainder of the stack (and confidentiality, integrity) is your problem
General focus is on VMs & Guest-Based
Oh, Passwords?
2.1. You must provide accurate and complete registration information any time you register to use the Service. You are responsible for the security of your passwords and for any use of your account. If you become aware of any unauthorized use of your password or of your account, you agree to notify Google immediately.
Software as a Service (SaaS)
The provider owns the entire stack
Security (C, I and A) becomes a contract negotiation
Traditional security and compliance functions are more administrative & policy-focused
[Figure: Provider vs Consumer responsibility across the IaaS, PaaS and SaaS stacks (Facilities, Hardware, Abstraction, Core Connectivity & Delivery, APIs, Applications, Data / Metadata / Content, Presentation Platform / Modality); labels: Consumer, Provider, RFP/Contract It In]
Cloud Computing
What Have Cloud & Virtualization Providers Done To Earn Our Trust?
Hypervisor vulnerabilities
Lack of TCB implementations
Lack of Standards
Introduction of monocultures
Information Leakage
Substantial Downtime
Security By Obscurity
[Figure: timeline from Mainframes through Client/Server, Web 1.0 and Web 2.0 to "Das Cloud"; eras labelled Centralized / Mostly Distributed / Distributed / Mostly Centralized and Reliable/Fast / Mostly Reliable/Fast / Unreliable/Slow / More Reliable/Faster; vertical axis Host Centricity, Application Centricity, Information Centricity, User Centricity against Time; marker "Deployment Is Here"]
Cloud
As we converge compute, network and storage, our speeds-and-feeds issues don't subside, they intensify
Integrating virtualized security capabilities at network scale becomes even more challenging: 10GbE/40GbE/100GbE... virtualized DCs are pushing to terabit fabrics
As we'll see, this is a "squeezing the balloon" problem
What's true with VirtSec is true with Cloud, only more so. Viva Le 4 Horsemen!
Depending upon the type of Cloud, you may not get feature parity for security.
Your visibility and ability to deploy, or to have a compensating control deployed, may not be possible or reasonable.
As it stands now, the abstraction of Infrastructure is really driving the cyclic shift from physical network controls to logical/virtual & back into the host/guest
::Cloudanatomy
Infostructure: Content & Context (Apps, Data, Metadata, Services)
Metastructure: Glue & Guts (IPAM, IAM, BGP, DNS, SSL, PKI)
Infrastructure: Sprockets & Moving Parts (Compute, Network, Storage)
::Information Intercourse?
Clouds on Clouds on Clouds...
Amorphous perimeters and the migration to multi-tenancy
Socialist security & co-mingled data in multi-tenant elastic environments
Really crusty protocols and even more stale approaches to integration
Security becomes a question of SCALE...
Unstacking Turtles...
::Caveats
The following is constructed to make you think
We're going to discuss a lot of interesting things
Some are academic, some are practical
Some things are specific to cloud, others not
The names have not been changed to protect anyone, nor do they seek to impugn anyone
Think about the big picture, not the little illustrations
An Example Is In Order...
Imagine a fictional Public IaaS Cloud Provider... Let's call them Da Nile Web Services*
Virtualization, multi-tenancy & isolation based on a VMM: Elastic Compute, Network & Storage Services...
Let's take a journey & imagine how what we're going to discuss might affect this fictional provider of service
*It ain't just a river in Egypt (or South America...)
Infrastructure
Physical FAIL
365 Main - Cascading Power Distribution/Generation Failures
Rackspace - Truck drives into transformer. Things go boom.
CI Hosts - Robbery. Four Times
Core IP Networks - FBI Seizure
Infrastructure
Doh!
As large Cloud providers consolidate to mega datacenters, bandwidth, peering & transit traffic patterns will shift based on the physical location
Mobility of NextGen Infrastructure & virtualization/Cloud tech. will exacerbate this
Shared infrastructure increases the failure impact radius
Infrastructure
:: Shared Wavelengths
The beauty of Cloud is that with infinite scale comes infinite FAIL!
Infrastructure
:: VMM Monoculture
Infrastructure
:: Shared VM/VA/AMIs
Do you have ANY idea where these images came from, who built them, and what is contained within them?
Cloud Cartography* :: Mapping Cloud Infrastructure & Brute Forcing Co-Residence; Cross-VM Side-Channel Attacks (EC2 AMIs)
* Ristenpart, Tromer, Shacham, Savage
[Figure: plots of internal IP addresses (10.249.0.0 to 10.255.0.0) assigned to EC2 instances]
(Top) A plot of the internal IP addresses assigned to instances launched during the initial mapping experiment using Account A. (Bottom) A plot of the internal IP addresses of instances launched in Zone 3 by Account A and, 39 hours later, by Account B. Fifty-five of the Account B IPs were repeats of those assigned to instances fo
Infrastructure
*http://www.jackofallclouds.com/2009/09/anatomy-of-an-amazon-ec2-resource-id/
Infrastructure
John Oberheide's* vMotion subversion (with extensions re: long-distance VMotion over said Carrier Ethernet/MPLS)
[Figure: a VM instance on Host A migrates to Host B over an unencrypted network; a man-in-the-middle (Mallory) can modify arbitrary OS/application VM state in transit]
Infrastructure
:: Cloudburst VM Escapes
Cloudburst VM Escapes* - Abusing emulated device drivers to provide host to guest escape in virtualized environments
*Kostya Kortchinsky, Immunity, Inc.
Metastructure
Kaminsky's DNS attacks
ERNW's | Kapela & Pilosov's BGP attacks, YouTube (Prefix Hijacking, MITM)
Moxie Marlinspike's SSL/TLS - Chained Certs, Null Certificate Prefix Bug, MITM, General Browser sux0r
Sotirov et al. Rogue CA & MD5
(...and so on, and so on...)
Metastructure
Each cloud is a system unto itself. There is no way to express the idea of exchanging information between distinct computing clouds because there is no way to express the idea of another cloud. ...there is no way to express how that protection is provided and how information about it should be propagated to another cloud when the data is transferred.
http://blogoscoped.com/archive/2008-01-22-n10.html
Metastructure
Developers want to point-click-deploy to Cloud from an IDE
To them, Cloud is a platform with APIs & Interfaces, not infrastructure
Metastructure *should* be transparent, but isn't
Infrastructure breaks infostructure, metastructure breaks infrastructure
Rock, paper, scissors
Infostructure
Bitbucket runs on Amazon's AWS (EC2/EBS). Their site was down for almost 20 hours.
Infostructure
[Quoted Bitbucket outage post-mortem; recoverable fragments only: a massive UDP flood DDoS against the network of their EBS-backed box was eating all available bandwidth; it took 16-17 hours to discover and disable, which the post acknowledges was not acceptable]
Infostructure
"If you single-source your infrastructure provider, one day you're going to get your butt handed to you on a platter. Marketing is not a root cause" - Benjamin Black
"The appearance of infinite scale does not mean you'll automagically realize infinite resilience or availability" - Me
Infostructure
:: Misunderestimation
Cloud: WebAppSec v AppSec?
Information Exfiltration
CloudFlux & FastFlux
CloudBots
DDoS & EDoS - Economic Denial of Sustainability
Infostructure
This Sting(k)s...
OWASP Top 10
Injection Flaws
Cross Site Scripting
Malicious File Execution
Insecure Direct Object Reference
Cross Site Request Forgery (CSRF)
Information Leakage & Error Handling
Broken Authentication & Session Management
Insecure Cryptographic Storage
Insecure Communications
Failure to restrict URL access
Infostructure
::Layer 8
Systemic process changes that affect how users interact with services, and that can change at a moment's notice
The "Oops" factor (esp. in SaaS) is going to be an issue...
MisInfostructure
:: Infocalypse*
*Barrett Lyon
*Web2.x application architecture, disguised/confused as Cloud but running on traditional non-elastic infrastructure that is poorly configured
All this abstraction... Sits atop more abstraction... In the form of AWS...
[Figure: stack of PostgreSQL, Erlang, Debian, Memcached and Heroku... atop AWS]
Perception IS Reality
:: Cloudifornication Redux
Infostructure: Application/WebApp Insecurity, SQL Injection, Information Exfiltration
Metastructure: BGP, SSL & DNS Hijacking
Infrastructure: MPLS, Routing & Switching, Chipset & Virtualization Compromise
Wrapping Up...
Attacks on and using large-scale Public Cloud providers are coming & Cloud services are already being used for $evil
Hybrid security solutions (and more of them) are needed
Service Transparency, Assurance & Auditability is key (A6 API)
Providers have the chance to make security better. Be transparent.
Whatever the provider exposes in the SaaS/PaaS/IaaS Stack
Virtualization-Assist APIs (If Virtualized)
Virtual Security Appliances (VM-based)
Software in the Guest (If Virtualized)
Integrating Appliances & Unified Computing Platforms (Network-based solutions)
Leveraging Trusted Computing Elements
::Cloud...
We made the mess, now it's time we started thinking about how to clean it up...
More Resources...
Cloud Computing http://groups.google.com/group/cloud-computing
Cloud Computing Interoperability Forum http://groups.google.com/group/cloudforum
Cloud Storage http://groups.google.com/group/cloudstorage
Attend a local
Read Craig Balding's Blog http://www.cloudsecurity.org
Read My Blog: http://www.rationalsurvivability.com
What are we going to do differently about who we trust, how and why?
Thanks
Name: Christofer HOFF
Twitter: @Beaker
Email: [email protected] [email protected] [work]
Blog: www.rationalsurvivability.com
Phone: +1.978.631.0302