Cloudy with a chance of 0-day

Transcript

1. The OWASP Foundation OWASP http://www.owasp.org Cloudy with a chance of

   0-day Jon Rose Tom Leavey Trustwave [email protected] [email protected] November XX 2009

2. OWASP $ whoami - Jon  Trustwave’s SpiderLabs  Net & App

   Pentesting  Arch & Code Review  Training & Security R&D  Started OWASP Phoenix Chapter  Previously worked as Security Architect  Implemented Secure SDLC at few major companies  Deblaze-tool.appspot.com  Codesearch0day.appspot.com

3. OWASP $ whoami - Tom  Trustwave’s SpiderLabs  Net & App

   Pentesting  Arch & Code Review  Training & Security R&D

4. OWASP Jon Rose Trustwave SpiderLabs Phoenix OWASP DC AppSec 09!

   4

5. OWASP Tom Leavey Trustwave SpiderLabs NYC 5

6. OWASP Agenda  Cloud Fluff  Google App Engine  Security risks of

   moving into the clouds..  Architecture  Runtime Environment  Cloud application Code Risks

7. OWASP “… dynamically scalable and often virtualized resources are provided

   as a service over the internet. Users need not have knowledge of, expertise in, or control over the technology infrastructure” 7 Source: Wikipedia

8. OWASP The Road Ahead 8

9. OWASP Cloud Computing  Marketing Hype  #1 Buzzword ‘09  Definition Debate

10. OWASP Marketing Hype #1 Buzzword ‘09 10

11. OWASP 11 Software

12. OWASP 12 Platform

13. OWASP 13 Infrastructure

14. OWASP 14 Infrastructure

15. OWASP Cloud Computing Types  Software as a Service (SaaS)  Platform

    as a Service (PaaS)  Infrastructure as a Service (IaaS) 15

16. OWASP Cloud Architecture 16

17. OWASP Why move to the Clouds?  No infrastructure investment  Expand

    or shrink based on demand  Pay as you go  Automatic scaling and load balancing

18. OWASP 18 Why the Cloud?

19. OWASP No infrastructure investment 19

20. OWASP Expand or shrink based on demand 20

21. OWASP Pay as you go 21

22. OWASP Scaling and load balancing 22

23. OWASP Next Big Thing 23

24. OWASP New Opportunities  Nasdaq “Market Replay”  Amazon S3 & AIR

    frontend  New York Times: 1851 – 1989  TIFF uploaded and PDF’d on Amazon S3  Too expensive for traditional app development process

25. OWASP Cloud Testing Services 25

26. OWASP Potential Problems

27. OWASP Vendor Lock-In 27

28. OWASP Multitenant Infrastructures 28

29. OWASP 29 Evolving IT experiment vs. Enterprise-ready environments

30. OWASP Forensics 30

31. OWASP Compliance 31

32. OWASP IT Flexibility & Control 32

33. OWASP Third Party Data Processing 33

34. OWASP Potential Problems  Data processed by third parties  Regulatory compliance

    complications  Shared environment  Forensics  Vendor lock-in  Loss of IT flexibility & control  Evolving IT experiment vs. enterprise- ready environments

35. OWASP Laws & Taxes  Migrate to find the best location

     MS Azure moved Data Centers prior to launch for more favorable tax locations  Where is the your app running in the “Cloud”?

36. OWASP Compliance  How do you demonstrate compliance?  Most Clouds do

    not allow onsite auditing  Do not take liability for security or compliance

37. OWASP Amazon PCI Status  Can achieve PCI level 2 compliance

    including scanning by third party  Cannot achieve level 1 compliance due to onsite audit requirements  % level 1, level 2, compromised changes you to level 1 http://developer.amazonwebservices.com/connect/message.jspa? messageID=139547#139662

38. OWASP Cloud Providers

39. OWASP 39

40. OWASP Cloud (Mis)use  Sensepost  Sifto  Malicious Amazon vms  BruteForcing Forgot

    Password links  Amazon PGP Zip password cracking 40

41. OWASP Google App Engine (GAE) 41

42. OWASP Google App Engine (GAE)  Released April 2008  Full application

    stack for developers  Python/Java API into Google's infrastructure  Currently free – Preview Release  500MB/storage & 5M views/month  SDK provides local development environment

43. OWASP GAE Overview  Java or Python runtime  Sandbox  Persistent storage

     Automatic scaling and load balancing  Google provided APIs  Local development environment  Task queues & Scheduled tasks  Quotas

44. OWASP Runtimes  Java  Java Servlets or JSP’s  Java 6  Python

     Simple framework “webapp” or Django  Python version 2.5.2  C Extensions are not allowed

45. OWASP 45

46. OWASP Sandbox  Limited access to OS  No write access  Only

    read files uploaded  Only access Internet through API’s  Response to request, queued task, or a scheduled task  Must response within 30 seconds

47. OWASP Datastore  Google DB: Bigtable  Single, large table  Not a

    relational database  Data objects AKA ”Entities”  Kind and properties  Schemaless  Query with entity-based SQL-like (GQL)  Java JDO/JPA or Python interface  1000 entity limit per query  Concurrency control with optimistic locking  Supports Transactions

48. OWASP Datastore Transactions  transactions work across its distributed network using

    "entity groups.”  A transaction manipulates entities within a single group.  Entities of the same group are stored together for efficient execution of transactions.  Your application can assign entities to groups when the entities are created.

49. OWASP API’s  Users API  Email  URL Fetch  Memcache  Image Manipulation

50. OWASP URLFetch  useragent:  "AppEngine-Google; (+http://code.google.com/ appengine)" 50

51. OWASP Dev Environment  Runs apps locally  Quick development cycle  One

    click deployment

52. OWASP Cron and Queues  Schedule Tasks  Handled by the Cron

    service  Invoke a URL at a given time  Task Queues  Background task created while handling a request  Experimental Feature  “Web Hook”  Only for Python  Same Limits/Quotas as HTTP request

53. OWASP Quotas

54. OWASP Billing Quotas

55. OWASP GAE Account Signup  Google insists on linking your App

    Engine account to both your cell phone and your Gmail account  Receive an SMS message to activate account

56. OWASP Terms of Service  Only access Admin interface through API

     Cannot link multiple Apps into single App  Pre-screen, review, flag, filter, modify, refuse or remove any or all Content from the Service  Google has no responsibility or liability for the deletion or failure to store any Content and other communications maintained or transmitted

57. OWASP Porting and New Dev  Porting  Move DB to bigtable

     Hopefully just DAL changes  Authentication/Authorization !  Move to Google?  Legacy Apps  Soon to be retired… soon….  New Dev  30 second limits  Dev environment doesn’t match prod  Major shift in dev processes !  Debugging and Logging !  Deployment 57

58. OWASP Security Through Obscurity 58

59. OWASP 59 App Engine Security Details

60. OWASP “The team identified and fixed the underlying problem and

    service has now been restored.” 60

61. OWASP Beta?  Gmail just left Beta after 5+ years

62. OWASP 62

63. OWASP 63

64. OWASP Why attack clouds? 64

65. OWASP 65 Cloud Risks

66. OWASP Cloud Risks

67. OWASP

68. OWASP 68

69. OWASP Architecture Security Controls  Fault tolerance  database  Responsiveness  Each request

    handled uniquely

70. OWASP Authentication  Acegi plugin I've read that it doesn't work

    with Google App Engine  Google Accounts Java API  app can access the user's email address, administrator status  Allthough you can build your own, how many of the standard auth libraries are available 70

71. OWASP 71

72. OWASP NSW Response Time Study  7 month study of Amazon

    EC2, Google AppEngine and Microsoft Azure  Scaled well to meet demand  Inconsistent performance results !  Response times varied by a factor of 20 !  Effected by time of day  No hard data  Emailed Anna Liu…

73. OWASP Architecture Risks  30 second response time pushes dev’s to

    richer client-side apps  Business Logic  Data Validation

74. OWASP Architecture Risks  Lack of enterprise level logging/monitoring tools 74

75. OWASP Architecture Risks  Backup/Restore requires special software/ processes, prob cant

    leverage existing tech 75

76. OWASP Architecture Risks  Most licenses are still tied to one

    physical box  Difficult for legacy apps that require commercial licenses to move into cloud architecture 76

77. OWASP Availability & Crashes 77

78. OWASP Cloud Status 78

79. OWASP GAE System Status 79

80. OWASP Unexpected Downtime 80

81. OWASP JRE Class WhiteList 81 The JRE Class White ListA

    Java App Engine application's access to the classes in the Java standard library (the Java Runtime Environment, or JRE) is limited to the following classes:

82. OWASP Cloud Security Testing Service 82

83. OWASP Fingerprinting GAE sites 83

84. OWASP Encrypted Channels  SSL only on appspot.com subdomains  Cannot use

    on your own domain

85. OWASP Infrastructure URL Mapping  Dist:  /base/python_dist/  Files are mapped to:

     /base/data/home/apps/[APPNAME]/[VERSION]/ [FILENAME]  Libs  /base/python_lib 85

86. OWASP Control Issues  You don’t manage it  Updates  Bug fixes

     Forensics  Backups  Legal issues  Compliance

87. OWASP URLFetch Abuse  Proxy attacks through Google Servers  Slow down

    investigation by requiring logs  Urlfetch timeout 10 seconds 87

88. OWASP App Denial of Service  The cloud expands based on

    demand  Pricing is based on utilization  Is this malicious? How can you tell? GET http://myapp.appspot.com X 10 GET http://myapp.appspot.com X 1000000000000

89. OWASP App Denial of Service == $$$  Leverage application functionality

    to exceed quotas  Repeated URL fetch for large data  Forcing application to make multiple URL fetch requests  Invoking process intensive functions repeatedly  DOS is way cooler when it costs people money

90. OWASP Breaking Quotas

91. OWASP Java App - GaeFlood

92. OWASP JS Malware - GaeDOS.js

93. OWASP Quota Denial of Service

94. OWASP Quota Denial of Service

95. OWASP Task Queues DOS  App is still up, Queue functionality

    can no longer be used

96. OWASP Runtime Environment 96

97. OWASP Insecure defaults/libs  Remote_API  ConfigureRemoteDatastore – secure parameter 97

98. OWASP Sandbox Restrictions  Network comms restricted to:  Outgoing !  URL

    fetch !  Email services and APIs  Incoming !  HTTP(S)  Filesystem  Cannot write to the file system  Can only read files uploaded with the app code  Must use datastore for all persistent data

99. OWASP Todo  Seems like each request is handled by a

    thread running a custom version of python  Can we invoke multiple threads within this one thread to max out CPU?  Need to figure out how to access filesystem, check out how dev environment uploads it, can we hijack/csrf that process?  We cant use python c libs, but the thread handling our req is prob using C somewhere – cloud fuzzer? 99

100. OWASP  What about crazy HTTP requests  Hundreds of HTTP headers

      Extra long  SPIKE closedsource web browser 10 0

101. OWASP App Versions  Apps with outdated versions exposed  1.latest.app-id.appspot.com  2.latest.app-id.appspot.com

102. OWASP One Vuln to Own the All  A single vulnerability

     in the Runtime would affect all apps  HyperVM exploit (LXLabs)  100,000 websites destroyed  Cheaper, non-backed up sites completely gone..  HyperVM boss commits suicide

103. OWASP Development Environment

104. OWASP  --no cookie – admin pass

105. OWASP Debug Info – Dev Environment  You can also view

     a debug log by attaching a ? debug to the end of a URL path.  http://localhost:8083/?debug

106. OWASP

107. OWASP

108. OWASP Code Security

109. OWASP It’s just a web app…  XSS  Access Controls  Response

     Splitting  GQL injection  Information Leakage  Input validation  Error handling

110. OWASP XSS is still XSS  cgi.escape() required 110

111. OWASP XSS impact on the cloud  Code running in appspot.com

     domain  Standard XSS exploits  Steal cookies  Deface pages  Serve exploits to vuln browsers  Portscan internal network  No GoogValidateRequest?!?

112. OWASP XSS Filters  IE 8 XSS Filter  Detects JavaScript in

     URL and HTTP POST requests.  Sanitizes the original request 11 2

113. OWASP Access Controls - Forceful Browsing 11 3 Mapped Not

     Mapped Handler Misses

114. OWASP Access Controls - Internal URL’s  Task Queues & Scheduled

     Tasks  Use app URL’s to invoke action  Opens the door for abuse by an attacker 11 4

115. OWASP Access Controls - Datastore  Data access controls still need

     to be enforced  Id=2  Id=4  Id=283  Query Datastore through remote API (REST)  Potential access to privileged info  CSRF

116. OWASP Access Controls - Flex RPC 11 6

117. OWASP Login Decorators 11 7

118. OWASP HTTP Response Splitting 118

119. OWASP HTTP Response Splitting 119

120. OWASP GQL Injection  Google Example:  Greeting.gql("WHERE author = :author ORDER

     BY date DESC”, author=users.get_current_user())  greetings = db.GqlQuery("SELECT * FROM Greeting WHERE content = '" + self.request.get('searchstr') + "'")

121. OWASP GQL Injection  Does not appear to be possible  Further

     research required

122. OWASP Attack Demos

123. OWASP Recap  Cloud Technologies  Business’s starting to experiment  Varied definition,

     services, and providers  Hottest buzzword of ’09  Legal and compliance issues  GAE  Provides infrastructure & platform  Currently Preview release  30 second response limit  Doesn’t seem ready for Enterprise usage

124. OWASP GAE Conclusions  Its still a web app  Same old

     vulns  Slightly different paradigm  You now have less control  Less to worry about or get wrong  Limited by google

125. OWASP  Its still a web app  Same old vulns  Slightly

     different paradigm 12 5

126. OWASP Research projects: TODO  Runtime Environment  Memory Segregation  CPU Calls

      Disk Segregation  GQL Injection  Dev Environment  Admin Components  And many more…

127. OWASP Questions

128. OWASP Questions  In case you need some sample questions:  Where

     is the so-called “Cloud Drinking Contest”  Google’s “the network is the computer” reality?  What about the secure data connector?  Where should we drink beers after your talk?  How can I secure my Google App Engine Code?

129. OWASP [email protected] [email protected] [email protected]