
Protecting the Cloud from Inside

Alexandra Shulman-Peleg, PhD, Cloud Security Researcher,

IBM Cyber Security Center of Excellence

Intra-cloud security intelligence

Protection of Linux containers

(2)

© 2015 IBM Corporation

2

Securely Moving Corporate Applications to a Cloud

Customer’s view:

My infrastructure moved to a 3rd party cloud service – Help me to protect my assets.

Detection and remediation of cloud vulnerabilities.

Public cloud

(3)

Cloud Infrastructure Layer (IaaS): Container security

Cloud Application Layer (PaaS): NoSQL security

Use cloud insights to raise the security

(4)


Cloud Trends: cloud software is more vulnerable

The cloud’s code:

• Controls distributed and complex environments

• Executes automatically with admin privileges

• Has modules in scripting languages

• Is open source with well known weaknesses

• May share the same kernel and host OS between applications of different users (e.g. Linux containers)

(5)

Cloud Trends

Automation brings order! Each module knows its role!

(6)


Automating Code Distribution and Deployment with Containers

• Container cloud (IaaS)

• Deployment packages (PaaS)

• 70% of organizations are evaluating Docker

• 49% are concerned with Docker security

Survey of Vmblog.com (745 participants)

(7)

Containers - Emerging Building Blocks of Clouds

Lightweight OS-level virtualization via grouping resources like processes, files, and devices into isolated spaces.

Benefits:

• Portability and easy deployment

• Application isolation

• Near native performance

[Figure: containers vs. VMs. Containers: Server, Host OS, per-application Bins/Libs, App A–D. VMs: Server, Hypervisor, Host OS, one Guest OS plus Bins/Libs per VM, App A–C.]

(8)

Private/Public cloud

Containers’ Threats

Threats:

• Kernel exploits

• Container Engine

• Shared resources

• Shared Bins/Libs

• Mis-configurations

Attack flow:

• “Escape to host” via kernel exploits

• Propagating to additional servers

(9)

How to make my containers secure?

“Securing the Infrastructure and the Workloads of Linux Containers”, Workshop on Security and Privacy in the Cloud, Sept. 2015.

(10)


Open Source Linux Tools to the Rescue!

Linux Security Modules (LSMs, e.g. AppArmor, SELinux) are lightweight, loadable kernel modules enforcing access control.

Advantages of LSM:

• Part of Linux distributions

• Provide mandatory access control (MAC)

Disadvantages of LSMs:

• Complicated configuration and tuning

• Profile to restrict the Docker daemon: none exists

• Profiles to restrict the containers: only the limited docker-default profile

(11)

Tracing Execution and Profile Generation

1. Invoke Docker API (build/run etc.).

2. Use SystemTap to monitor the kernel operations.

3. Generate LSM profiles splitting between the host and the containers.

https://github.com/LinuxContainerSecurity/LiCShield.git
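The three steps above describe trace-driven profile generation. The following Python script is an added example of that idea, not LiCShield's own code: it reads a constructed syscall trace (the line format, the cgroup-based host/container split and the sample paths are assumptions made here), merges the observed file accesses per path, generalizes per-build overlay directories so one profile fits every instance of the image, and renders one AppArmor profile for the host-side daemon and one for the container.

```python
"""Generate per-image AppArmor rules from a kernel trace (added example).

Assumed trace format (constructed for this example, not LiCShield's output):
    <time> pid=<n> comm=<name> cgroup=<path> op=<syscall> path=<file> mode=<r|w|x>
Events whose cgroup sits under /docker/ are attributed to the container;
everything else is attributed to the host-side Docker daemon.
"""
import re
from collections import defaultdict

TRACE_LINE = re.compile(
    r"pid=(?P<pid>\d+) comm=(?P<comm>\S+) cgroup=(?P<cgroup>\S+) "
    r"op=(?P<op>\w+) path=(?P<path>\S+) mode=(?P<mode>[rwx]+)"
)

# Constructed sample trace: a docker build step followed by a container run.
SAMPLE_TRACE = """\
1.001 pid=812 comm=dockerd cgroup=/system.slice op=open path=/var/lib/docker/overlay/abc/lower/etc/passwd mode=r
1.002 pid=812 comm=dockerd cgroup=/system.slice op=open path=/var/lib/docker/overlay/abc/upper/app.log mode=w
1.003 pid=812 comm=dockerd cgroup=/system.slice op=execve path=/usr/bin/docker-proxy mode=x
2.001 pid=930 comm=python cgroup=/docker/0123abcd op=open path=/usr/lib/python2.7/os.py mode=r
2.002 pid=930 comm=python cgroup=/docker/0123abcd op=open path=/app/data/cache.db mode=rw
2.003 pid=930 comm=python cgroup=/docker/0123abcd op=open path=/app/data/cache.db mode=w
2.004 pid=931 comm=sh cgroup=/docker/0123abcd op=execve path=/bin/sh mode=x
"""


def parse_trace(text):
    """Yield (scope, path, mode) tuples; scope is 'host' or 'container'."""
    for line in text.splitlines():
        m = TRACE_LINE.search(line)
        if not m:
            continue  # skip lines in another format instead of guessing
        scope = "container" if m.group("cgroup").startswith("/docker/") else "host"
        yield scope, m.group("path"), m.group("mode")


def collect_rules(text):
    """Merge the access modes seen per path, split by scope."""
    rules = {"host": defaultdict(set), "container": defaultdict(set)}
    for scope, path, mode in parse_trace(text):
        rules[scope][path].update(mode)
    return rules


def generalize(path):
    """Collapse per-build overlay ids so the profile applies to all instances."""
    return re.sub(r"/var/lib/docker/overlay/[^/]+/", "/var/lib/docker/overlay/*/", path)


def render_profile(name, path_modes):
    """Emit an AppArmor profile body; 'x' becomes 'ix' (execute, inherit profile)."""
    merged = defaultdict(set)
    for path, modes in path_modes.items():
        merged[generalize(path)].update(modes)
    lines = [f"profile {name} flags=(attach_disconnected) {{"]
    for path in sorted(merged):
        modes = merged[path]
        perm = "".join(c for c in "rw" if c in modes) + ("ix" if "x" in modes else "")
        lines.append(f"  {path} {perm},")
    lines.append("}")
    return "\n".join(lines)


def build_profiles(text, image="myimage"):
    """Return {'host': <daemon profile>, 'container': <per-image profile>}."""
    rules = collect_rules(text)
    return {
        "host": render_profile("docker-daemon", rules["host"]),
        "container": render_profile(f"docker-{image}", rules["container"]),
    }


if __name__ == "__main__":
    for scope, profile in build_profiles(SAMPLE_TRACE).items():
        print(f"# {scope}\n{profile}\n")
```

A real deployment would feed the generated profiles to `apparmor_parser` and run them in complain mode first; the point of the split is that the daemon's profile is trained once per host while the container profile is trained once per image and shipped with it.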

(12)


Profile Distribution and Enforcement

• Construct the security policy once for each image - apply to all the instances.

[Figure: the profile for "My image" is built once and deployed with the image to the Docker daemon on every server.]

(13)

Secure, yet, Usable – Protecting Servers and Containers

1. Linux host + container engine – high protection! Protecting the server’s runtime with HIDS.

2. Containers – “protection as a service”: per image training and creation of AppArmor, SELinux policies.

Overview of Host’s Runtime Protection

[Figure: Server, Host OS, Bins/Libs and Container Engine running App A–D; Host Based Intrusion Detection (HIDS) on the host; “as a service” workload protection for the containers using per image profiles.]

(14)


No SQL, No Injection?

Workshop on Web 2.0 Security and Privacy (W2SP) 2015. A. Ron, A. Shulman-Peleg, E. Bronshtein, A. Puzanov.

(15)

The Popularity of NoSQL Continues to Rise

(16)


NoSQL Attack Vectors

[Figure: attacker’s web browser → attacked web server → client/protocol wrapper → NoSQL data store; the injection is added to the data and then processed by the store.]

• The new data models of NoSQL make old attacks, like SQL injections, irrelevant.

• Attackers get new opportunities for injecting their

(17)

NoSQL Injection Techniques

• Tautologies - bypassing access control by injecting code in conditional statements that are always true.

• Union queries – changing the data set returned for a given query.

Example: the request parameters

    username[$ne]=1&password[$ne]=1

produce the query

    db.logins.find({ username: { $ne: 1 }, password: { $ne: 1 } })

Example: the request parameters

    username=tolkien', $or: [ {}, { 'a':'a&password=' } ], $comment:'successful MongoDB injection'

produce the query

    { username: 'tolkien', $or: [ {}, { 'a': 'a', password: '' } ], $comment: 'successful MongoDB injection' }

(18)


• JavaScript injections - Passing un-sanitized user input to queries may allow injecting arbitrary JavaScript code.

• Origin violation - a legitimate user and its web browser are exploited to perform some unwanted action on behalf of the attacker.
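The tautology example above and the JavaScript-injection bullet share one root cause: user input reaches the query as an object or operator instead of a plain value. The following Python code is an added example, not taken from the paper or from any driver: it contains a deliberately small stand-in for bracket-notation form parsers (the kind that turn `username[$ne]=1` into a nested object), a login-filter builder written the vulnerable way beside a hardened one, a generic deep check that rejects every `$`-prefixed key (which also blocks `$where`), and a constructed user record used only to show why `{$ne: 1}` matches any account.

```python
"""Operator injection from form input and the validation that stops it.
Added example: the bracket-notation parser, the query builders and the
sample user record are constructed here; they are not a real web framework
or MongoDB driver."""
from urllib.parse import parse_qsl


class RejectedInput(ValueError):
    """Raised when user input would be interpreted as a MongoDB operator."""


def parse_bracket_qs(qs):
    """Expand 'username[$ne]=1' into {'username': {'$ne': '1'}}.
    Mirrors how some web frameworks build nested objects from form fields."""
    result = {}
    for key, value in parse_qsl(qs, keep_blank_values=True):
        parts = key.replace("]", "").split("[")
        node = result
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        node[parts[-1]] = value
    return result


def vulnerable_login_query(form):
    """Builds the filter straight from the parsed form: the flaw on the slide.
    Whatever the parser produced (string or operator object) becomes the filter."""
    return {"username": form.get("username"), "password": form.get("password")}


def hardened_login_query(form):
    """Accept only flat string values, so {'$ne': ...} objects never enter the filter."""
    query = {}
    for field in ("username", "password"):
        value = form.get(field)
        if not isinstance(value, str):
            raise RejectedInput(f"{field} must be a plain string")
        query[field] = value
    return query


def reject_operators(doc):
    """Deep check for documents that must not carry operators; blocks $ne, $or, $where, ..."""
    if isinstance(doc, dict):
        for key, value in doc.items():
            if key.startswith("$"):
                raise RejectedInput(f"operator key not allowed: {key}")
            reject_operators(value)
    elif isinstance(doc, list):
        for value in doc:
            reject_operators(value)
    return doc


def is_rejected(fn, arg):
    """True when fn refuses arg with RejectedInput (helper for the checks below)."""
    try:
        fn(arg)
    except RejectedInput:
        return True
    return False


# Constructed user record; used only to evaluate filters locally.
SAMPLE_USER = {"username": "tolkien", "password": "s3cret"}


def matches_sample_user(query):
    """Evaluate a login filter against SAMPLE_USER the way the store would:
    a plain value must be equal, {'$ne': v} is true whenever the stored value
    differs from v, which is why the tautology matches every real account."""
    def match(cond, actual):
        if isinstance(cond, dict) and "$ne" in cond:
            return actual != cond["$ne"]
        return actual == cond
    return all(match(query[f], SAMPLE_USER[f]) for f in ("username", "password"))


if __name__ == "__main__":
    form = parse_bracket_qs("username[$ne]=1&password[$ne]=1")
    print("parsed form:", form)
    print("vulnerable filter matches user:", matches_sample_user(vulnerable_login_query(form)))
    print("hardened builder rejects it:", is_rejected(hardened_login_query, form))
```

The type check is the cheap, decisive control for login-style lookups; `reject_operators` is the general form for endpoints that legitimately accept nested documents (filters built from JSON bodies), where the rule is that the client may supply values but never operator keys.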

(19)

• Piggy-backed queries - where an attacker exploits some assumptions in the interpretation of escape sequences and special characters (e.g. termination characters like CRLF) to insert additional queries to be executed by the database.

NoSQL Injection Techniques – Caches

[Figure: attacker’s web browser → attacked web front end → protocol wrapper → in-memory data store, where the injection is added to the data; the store feeds a cloud or big data framework.]
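The piggy-backed-query bullet and the cache slide above describe the same mechanism: a line-oriented store terminates commands with CRLF, so a key that contains CRLF is read as one command followed by another. The following Python code is an added example, not code from the paper or from any cache client: the framing follows the memcached text protocol (`set <key> <flags> <exptime> <bytes>\r\n<data>\r\n`), while the request builders, the server-side splitter and the sample keys are constructed here. It shows the unchecked builder beside one that validates keys (no whitespace or control characters, bounded length) before anything reaches the wire, and a splitter that reports how many commands a server would actually dispatch.

```python
"""Piggy-backed command injection through CRLF in a line-oriented cache
protocol, beside the key validation that prevents it. Added example: the
builders, the splitter and the keys are constructed for this illustration."""

MAX_KEY_LEN = 250  # memcached's documented key length limit


def build_set_unchecked(key, value):
    """Interpolates the key verbatim: the flawed pattern."""
    return f"set {key} 0 0 {len(value)}\r\n{value}\r\n"


def build_set_checked(key, value):
    """Validate the key before it reaches the wire."""
    if not key or len(key) > MAX_KEY_LEN:
        raise ValueError("key length out of range")
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in key):
        raise ValueError("key contains whitespace or control characters")
    return build_set_unchecked(key, value)


def key_is_rejected(key, value="v"):
    """True when the hardened builder refuses the key."""
    try:
        build_set_checked(key, value)
    except ValueError:
        return True
    return False


def commands_seen_by_server(wire):
    """Split the stream like a line-oriented server and list the commands it
    would dispatch. Unknown command words are reported as 'ERROR', which is
    what memcached answers for them."""
    known = {"get", "set", "add", "replace", "delete", "incr", "decr", "flush_all"}
    with_data = {"set", "add", "replace"}
    cmds = []
    lines = wire.split("\r\n")
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line:
            continue
        word = line.split(" ")[0]
        cmds.append(word if word in known else "ERROR")
        if word in with_data:
            i += 1  # the following line is the data block, not a command
    return cmds


# Constructed keys: a normal session key, and one that embeds a CRLF-terminated
# data block so the remainder of the key is parsed as a second command.
SAFE_KEY = "session:42"
PIGGYBACKED_KEY = "session:42 0 0 1\r\nv\r\ndelete session:7"


def demo():
    """Compare what the server sees for both keys and whether the check holds."""
    return {
        "safe": commands_seen_by_server(build_set_unchecked(SAFE_KEY, "v")),
        "piggybacked": commands_seen_by_server(build_set_unchecked(PIGGYBACKED_KEY, "v")),
        "hardened_rejects": key_is_rejected(PIGGYBACKED_KEY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The same validation belongs on every value that is spliced into a text protocol frame, not only keys; for the data block the length prefix already delimits it, which is why the check concentrates on the command line.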

(20)


Mitigation of Attacks and Injections

Continuous Mitigation (insider’s view):

• Development and testing

• Secure Deployment

• Monitoring and Protection

https://developer.ibm.com/bluemix/2015/07/02/vulnerability-advisor/

(21)

Protecting the Cloud from the Inside

[Figure: layered architecture.
Cloud Application Layer (PaaS): IDaaS, NoSQL data stores, Spark, Cloud Foundry.
Cloud Operation Layer: admin monitoring (logs, accounting etc.); admin disruptive (Chef, TripleO, DevOps; Heat, Mistral, ...).
Cloud Infrastructure Layer (IaaS): Network, VMs, Containers, Storage, Users.
Details of the workload to be executed; security tools and policies; Security and Policy Dashboard.]

Security Intelligence for Cloud Management Infrastructures. S. Berger, S. Garion, Y. Moatti, D. Naor, D. Pendarakis, A. Shulman-Peleg, J.R. Rao, E. Valdez, Y. Weinsberg, to appear.

(22)


IBM Cyber Security Center of Excellence
