
Cloudy with a chance of 0-day

Jon Rose
November 30, 2009


This talk provides a brief overview of cloud computing and reveals the security risks of moving into the clouds. The concept behind cloud computing is simple: use a hosting provider's IT resources to expand or shrink to meet your needs, and pay only for what you need when you need it. This architecture appeals to many IT managers because it reduces the initial startup costs, maintenance costs, and overhead required to run systems. Got slashdotted? Not a problem. Your cloud presence will seamlessly expand to push your business to the next level. However, as with all new technology, there are inherent risks. This talk will discuss the security risks related to cloud application code, architecture, runtime environment, and development environment, and will include demo applications to illustrate those risks.


Transcript

  1. OWASP $ whoami - Jon
     - Trustwave's SpiderLabs
     - Net & App Pentesting
     - Arch & Code Review
     - Training & Security R&D
     - Started OWASP Phoenix Chapter
     - Previously worked as Security Architect
     - Implemented Secure SDLC at a few major companies
     - Deblaze-tool.appspot.com
     - Codesearch0day.appspot.com
  2. $ whoami - Tom
     - Trustwave's SpiderLabs
     - Net & App Pentesting
     - Arch & Code Review
     - Training & Security R&D
  3. Agenda
     - Cloud Fluff
     - Google App Engine
     - Security risks of moving into the clouds..
     - Architecture
     - Runtime Environment
     - Cloud application Code Risks
  4. "… dynamically scalable and often virtualized resources are provided as a service over the internet. Users need not have knowledge of, expertise in, or control over the technology infrastructure"
     Source: Wikipedia
  5. Cloud Computing Types
     - Software as a Service (SaaS)
     - Platform as a Service (PaaS)
     - Infrastructure as a Service (IaaS)
  6. Why move to the Clouds?
     - No infrastructure investment
     - Expand or shrink based on demand
     - Pay as you go
     - Automatic scaling and load balancing
  7. New Opportunities
     - Nasdaq "Market Replay"
     - Amazon S3 & AIR frontend
     - New York Times: 1851 – 1989
     - TIFF uploaded and PDF'd on Amazon S3
     - Too expensive for traditional app development process
  8. Potential Problems
     - Data processed by third parties
     - Regulatory compliance complications
     - Shared environment
     - Forensics
     - Vendor lock-in
     - Loss of IT flexibility & control
     - Evolving IT experiment vs. enterprise-ready environments
  9. Laws & Taxes
     - Migrate to find the best location
     - MS Azure moved Data Centers prior to launch for more favorable tax locations
     - Where is your app running in the "Cloud"?
  10. Compliance
     - How do you demonstrate compliance?
     - Most Clouds do not allow onsite auditing
     - Do not take liability for security or compliance
  11. Amazon PCI Status
     - Can achieve PCI level 2 compliance including scanning by third party
     - Cannot achieve level 1 compliance due to onsite audit requirements
     - % level 1, level 2 – being compromised changes you to level 1
     - http://developer.amazonwebservices.com/connect/message.jspa?messageID=139547#139662
  12. Google App Engine (GAE)
     - Released April 2008
     - Full application stack for developers
     - Python/Java API into Google's infrastructure
     - Currently free – Preview Release
     - 500MB storage & 5M views/month
     - SDK provides local development environment
  13. GAE Overview
     - Java or Python runtime
     - Sandbox
     - Persistent storage
     - Automatic scaling and load balancing
     - Google provided APIs
     - Local development environment
     - Task queues & Scheduled tasks
     - Quotas
  14. Runtimes
     - Java
       - Java Servlets or JSPs
       - Java 6
     - Python
       - Simple framework "webapp" or Django
       - Python version 2.5.2
       - C Extensions are not allowed
  15. Sandbox
     - Limited access to OS
     - No write access
     - Only read files uploaded
     - Only access Internet through APIs
     - Response to request, queued task, or a scheduled task
     - Must respond within 30 seconds
  16. Datastore
     - Google DB: Bigtable
     - Single, large table
     - Not a relational database
     - Data objects AKA "Entities"
     - Kind and properties
     - Schemaless
     - Query with entity-based SQL-like language (GQL)
     - Java JDO/JPA or Python interface
     - 1000 entity limit per query
     - Concurrency control with optimistic locking
     - Supports Transactions
  17. Datastore Transactions
     - Transactions work across its distributed network using "entity groups."
     - A transaction manipulates entities within a single group.
     - Entities of the same group are stored together for efficient execution of transactions.
     - Your application can assign entities to groups when the entities are created.
  18. Cron and Queues
     - Scheduled Tasks
       - Handled by the Cron service
       - Invoke a URL at a given time
     - Task Queues
       - Background task created while handling a request
       - Experimental Feature
       - "Web Hook"
       - Only for Python
       - Same Limits/Quotas as HTTP request
  19. GAE Account Signup
     - Google insists on linking your App Engine account to both your cell phone and your Gmail account
     - Receive an SMS message to activate account
  20. Terms of Service
     - Only access Admin interface through API
     - Cannot link multiple Apps into single App
     - Pre-screen, review, flag, filter, modify, refuse or remove any or all Content from the Service
     - Google has no responsibility or liability for the deletion or failure to store any Content and other communications maintained or transmitted
  21. Porting and New Dev
     - Porting
       - Move DB to Bigtable
       - Hopefully just DAL changes
       - Authentication/Authorization
         - Move to Google?
       - Legacy Apps
         - Soon to be retired… soon….
     - New Dev
       - 30 second limits
       - Dev environment doesn't match prod
       - Major shift in dev processes
         - Debugging and Logging
         - Deployment
  22. Authentication
     - Acegi plugin: I've read that it doesn't work with Google App Engine
     - Google Accounts Java API: app can access the user's email address, administrator status
     - Although you can build your own, how many of the standard auth libraries are available?
  23. NSW Response Time Study
     - 7 month study of Amazon EC2, Google AppEngine and Microsoft Azure
     - Scaled well to meet demand
     - Inconsistent performance results
       - Response times varied by a factor of 20
       - Affected by time of day
     - No hard data
     - Emailed Anna Liu…
  24. Architecture Risks
     - 30 second response time pushes devs to richer client-side apps
     - Business Logic
     - Data Validation
  25. Architecture Risks
     - Most licenses are still tied to one physical box
     - Difficult for legacy apps that require commercial licenses to move into cloud architecture
  26. JRE Class WhiteList
     - The JRE Class White List: A Java App Engine application's access to the classes in the Java standard library (the Java Runtime Environment, or JRE) is limited to the following classes:
  27. Infrastructure URL Mapping
     - Dist: /base/python_dist/
     - Files are mapped to: /base/data/home/apps/[APPNAME]/[VERSION]/[FILENAME]
     - Libs: /base/python_lib
  28. Control Issues
     - You don't manage it
     - Updates
     - Bug fixes
     - Forensics
     - Backups
     - Legal issues
     - Compliance
  29. URLFetch Abuse
     - Proxy attacks through Google Servers
     - Slow down investigation by requiring logs
     - Urlfetch timeout 10 seconds
  30. App Denial of Service
     - The cloud expands based on demand
     - Pricing is based on utilization
     - Is this malicious? How can you tell?
       GET http://myapp.appspot.com x 10
       GET http://myapp.appspot.com x 1000000000000
  31. App Denial of Service == $$$
     - Leverage application functionality to exceed quotas
     - Repeated URL fetch for large data
     - Forcing application to make multiple URL fetch requests
     - Invoking process intensive functions repeatedly
     - DOS is way cooler when it costs people money
  32. Sandbox Restrictions
     - Network comms restricted to:
       - Outgoing
         - URL fetch
         - Email services and APIs
       - Incoming
         - HTTP(S)
     - Filesystem
       - Cannot write to the file system
       - Can only read files uploaded with the app code
       - Must use datastore for all persistent data
  33. Todo
     - Seems like each request is handled by a thread running a custom version of python
     - Can we invoke multiple threads within this one thread to max out CPU?
     - Need to figure out how to access filesystem, check out how dev environment uploads it, can we hijack/csrf that process?
     - We can't use python c libs, but the thread handling our req is prob using C somewhere – cloud fuzzer?
  34. What about crazy HTTP requests
     - Hundreds of HTTP headers
     - Extra long
     - SPIKE closedsource web browser
  35. One Vuln to Own Them All
     - A single vulnerability in the Runtime would affect all apps
     - HyperVM exploit (LXLabs)
       - 100,000 websites destroyed
       - Cheaper, non-backed up sites completely gone..
       - HyperVM boss commits suicide
  36. Debug Info – Dev Environment
     - You can also view a debug log by attaching ?debug to the end of a URL path.
     - http://localhost:8083/?debug
  37. It's just a web app…
     - XSS
     - Access Controls
     - Response Splitting
     - GQL injection
     - Information Leakage
     - Input validation
     - Error handling
  38. XSS impact on the cloud
     - Code running in appspot.com domain
     - Standard XSS exploits
       - Steal cookies
       - Deface pages
       - Serve exploits to vuln browsers
       - Portscan internal network
     - No GoogValidateRequest?!?
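Slides 37 and 38 list the "same old" web vulnerabilities that follow an app into the cloud, and note that on App Engine there is no framework-level request validation, so output encoding, header hygiene and cookie flags are the app's job. The following is an added example, not code from the talk or from the App Engine SDK: a vulnerable webapp-style output next to its hardened form, a redirect helper that refuses the CR/LF values behind response splitting and off-site targets, and a cookie builder that omits the `Domain` attribute so the cookie stays host-only instead of being shared with every other app on the parent domain. The function names, the handler output and the sample inputs are constructed for the example.

```python
"""Output encoding, header hygiene and cookie scoping for a webapp-style handler.

Added example for the 'It's just a web app' and 'XSS impact on the cloud'
slides; function names and inputs are constructed, not from the talk.
"""
import html
from urllib.parse import urlsplit


def render_greeting_unsafe(name):
    # The pattern the slides warn about: untrusted input written straight into HTML.
    return "<p>Hello, %s</p>" % name


def render_greeting_safe(name):
    # HTML-escape at the output boundary; quote=True also covers attribute contexts.
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


def safe_redirect_location(target):
    """Validate a Location header value: no header-injection characters and
    only same-site, absolute-path targets (no scheme, no host, no '//' prefix)."""
    if any(ch in target for ch in "\r\n\x00"):
        raise ValueError("control character in redirect target")
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        raise ValueError("off-site redirect refused")
    if not target.startswith("/") or target.startswith("//"):
        raise ValueError("redirect must be an absolute path on this host")
    return target


def session_cookie_header(session_id):
    """Build a Set-Cookie value for a session token. No Domain attribute, so the
    browser scopes it to this host only (not to every app under appspot.com);
    Secure keeps it off plain HTTP and HttpOnly keeps it away from script."""
    if not session_id.isalnum():
        raise ValueError("session id must be alphanumeric")
    return "session=%s; Path=/; Secure; HttpOnly" % session_id


def respond(name, next_url, session_id):
    """Assemble a minimal (status, headers, body) tuple the way a handler would."""
    headers = [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Set-Cookie", session_cookie_header(session_id)),
        ("Location", safe_redirect_location(next_url)),
    ]
    return 302, headers, render_greeting_safe(name)


if __name__ == "__main__":
    # Constructed sample input containing markup, a CRLF sequence and an off-site URL.
    print(render_greeting_unsafe("<b>Jon</b>"))
    print(render_greeting_safe("<b>Jon</b>"))
    for candidate in ("/home", "/home\r\nSet-Cookie: x=1", "http://evil.example/"):
        try:
            print("accepted:", safe_redirect_location(candidate))
        except ValueError as exc:
            print("rejected %r: %s" % (candidate, exc))
    print(respond("Tom", "/home", "abc123"))
```

The escaping helper is the fix for reflected XSS in the body; the redirect check closes the response-splitting and open-redirect cases in the `Location` header; the cookie helper addresses the "steal cookies" item by limiting where the session token travels. Each check is deliberately a separate function so it can be unit-tested in the local SDK environment, which the talk notes does not otherwise match production.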
  39. XSS Filters
     - IE 8 XSS Filter
     - Detects JavaScript in URL and HTTP POST requests.
     - Sanitizes the original request
  40. Access Controls - Internal URLs
     - Task Queues & Scheduled Tasks
     - Use app URLs to invoke action
     - Opens the door for abuse by an attacker
  41. Access Controls - Datastore
     - Data access controls still need to be enforced
       - Id=2
       - Id=4
       - Id=283
     - Query Datastore through remote API (REST)
     - Potential access to privileged info
     - CSRF
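Slides 40 and 41 describe two access-control gaps: task-queue and cron handlers are ordinary URLs that anyone can request, and datastore entities fetched by a guessable id (`Id=2`, `Id=4`, `Id=283`) need an ownership check on every read. The following is an added example, not code from the talk or the App Engine SDK, showing both checks with a dictionary standing in for the datastore. It relies on one documented App Engine behaviour, that requests from the Cron service and Task Queue carry the `X-AppEngine-Cron` or `X-AppEngine-QueueName` header and that the platform strips those headers from external requests; the handler names, the user records and the entity data are constructed for the example.

```python
"""Guarding internal task URLs and enforcing per-entity ownership.

Added example for the 'Access Controls' slides. The header names are the
ones App Engine documents for cron and task-queue requests; handler names,
users and entities are constructed.
"""

# Headers set by the platform on cron / task-queue requests and stripped from
# requests that arrive from the outside (per the App Engine documentation).
INTERNAL_HEADERS = ("x-appengine-cron", "x-appengine-queuename")

# Constructed stand-in for the datastore: greeting id -> entity.
DATASTORE = {
    2:   {"owner": "alice@example.com", "content": "alice's first note"},
    4:   {"owner": "bob@example.com",   "content": "bob's private note"},
    283: {"owner": "alice@example.com", "content": "alice's later note"},
}


def is_internal_request(headers):
    """True when the request carries a platform-set cron/task-queue header.
    Header names are compared case-insensitively, as frameworks normalise them."""
    present = {name.lower() for name in headers}
    return any(h in present for h in INTERNAL_HEADERS)


def handle_cleanup_task(headers, user):
    """Hypothetical /tasks/cleanup handler: only the platform or an admin may run it."""
    is_admin = bool(user and user.get("is_admin"))
    if not (is_internal_request(headers) or is_admin):
        return 403, "forbidden"
    return 200, "cleanup started"


def get_greeting(greeting_id, user):
    """Hypothetical /greeting?id=N handler: the caller must be the entity's owner.
    Missing and foreign entities get the same 404 so ids cannot be enumerated."""
    entity = DATASTORE.get(greeting_id)
    if entity is None or user is None or entity["owner"] != user["email"]:
        return 404, None
    return 200, entity


if __name__ == "__main__":
    alice = {"email": "alice@example.com", "is_admin": False}
    print(handle_cleanup_task({}, None))                              # (403, 'forbidden')
    print(handle_cleanup_task({"X-AppEngine-Cron": "true"}, None))     # (200, 'cleanup started')
    print(get_greeting(2, alice))                                      # alice's own entity
    print(get_greeting(4, alice))                                      # bob's entity: (404, None)
```

The same checks apply to the remote-API / REST path the slide mentions: the ownership predicate belongs next to the datastore read, not in the page that happens to link to it, so every route that can reach an entity enforces it.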
  42. GQL Injection
     - Google example (parameter binding):
       Greeting.gql("WHERE author = :author ORDER BY date DESC", author=users.get_current_user())
     - String concatenation (injectable):
       greetings = db.GqlQuery("SELECT * FROM Greeting WHERE content = '" + self.request.get('searchstr') + "'")
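The contrast on the slide is between a query whose shape is fixed and whose value arrives through a named parameter, and one whose shape is whatever the concatenated `searchstr` makes it. The following is an added example, not code from the talk or the App Engine SDK, that makes the difference measurable without a datastore: it builds the query both ways, applies GQL's own literal quoting (single quotes, embedded quote doubled) as a stand-in for what parameter binding does, and counts the conditions in the resulting WHERE clause. The helper names and the sample search strings are constructed for the example.

```python
"""Why parameter binding beats concatenation for GQL.

Added example for the GQL Injection slide. `bind` imitates the effect of
datastore parameter binding using GQL's literal syntax; it is not the SDK's code.
"""
import re

# A GQL string literal: single-quoted, with an embedded quote written as ''.
STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")


def build_query_unsafe(searchstr):
    # The concatenation pattern shown on the slide: the value becomes part of the query text.
    return "SELECT * FROM Greeting WHERE content = '" + searchstr + "'"


def build_query_safe(searchstr):
    # The Google pattern: fixed template, value passed separately under a name.
    return "SELECT * FROM Greeting WHERE content = :content", {"content": searchstr}


def gql_literal(value):
    """Render a Python string as one GQL string literal."""
    return "'" + str(value).replace("'", "''") + "'"


def bind(template, params):
    """Stand-in for parameter binding: each :name becomes exactly one literal,
    whatever characters the value contains."""
    return re.sub(r":(\w+)", lambda m: gql_literal(params[m.group(1)]), template)


def count_conditions(query):
    """Number of comparisons in the WHERE clause, ignoring the contents of string literals."""
    parts = re.split(r"\bWHERE\b", query, maxsplit=1, flags=re.IGNORECASE)
    if len(parts) < 2:
        return 0
    clause = re.split(r"\bORDER BY\b", parts[1], flags=re.IGNORECASE)[0]
    clause = STRING_LITERAL.sub("?", clause)          # literals cannot contribute operators
    return len(re.findall(r"\bAND\b", clause, flags=re.IGNORECASE)) + 1


if __name__ == "__main__":
    # Constructed inputs: a plain search term and one that carries a quote and a second condition.
    for searchstr in ("hello", "hello' AND author = 'someone"):
        unsafe = build_query_unsafe(searchstr)
        safe = bind(*build_query_safe(searchstr))
        print("concatenated : %d condition(s)  %s" % (count_conditions(unsafe), unsafe))
        print("bound        : %d condition(s)  %s" % (count_conditions(safe), safe))
```

For the plain term both forms yield one condition. For the term containing a quote, the concatenated query now has two conditions, one of which the developer never wrote, while the bound query still has one, with the whole string (quote included) inside a single literal. That structural invariance, not escaping applied by hand at each call site, is what the `:author` form on the slide buys.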
  43. Recap
     - Cloud Technologies
       - Businesses starting to experiment
       - Varied definition, services, and providers
       - Hottest buzzword of '09
       - Legal and compliance issues
     - GAE
       - Provides infrastructure & platform
       - Currently Preview release
       - 30 second response limit
       - Doesn't seem ready for Enterprise usage
  44. GAE Conclusions
     - It's still a web app
     - Same old vulns
     - Slightly different paradigm
     - You now have less control
     - Less to worry about or get wrong
     - Limited by Google
  45. Research projects: TODO
     - Runtime Environment
       - Memory Segregation
       - CPU Calls
       - Disk Segregation
     - GQL Injection
     - Dev Environment
     - Admin Components
     - And many more…
  46. Questions
     - In case you need some sample questions:
       - Where is the so-called "Cloud Drinking Contest"?
       - Google's "the network is the computer" reality?
       - What about the secure data connector?
       - Where should we drink beers after your talk?
       - How can I secure my Google App Engine Code?