Security Considerations in Cloud Deployments Matthew Garrett

Transcription

1 Security Considerations in Cloud Deployments Matthew Garrett (cloud) Computing for the Enterprise

2 Security concerns in traditional hosting Someone hacks your system Your hosting provider backdoors your system A powerful agency backdoors your system

3 Security concerns in cloud hosting Someone hacks your system Your hosting provider backdoors your system A powerful agency backdoors your system Someone hacks another system and breaks into the hypervisor

4 What's inside your cloud? Are your API calls audited? Are they encrypted? Do you verify endpoints are genuine?

5 What is the base of your trust? Where do your OS images come from? How do you prove they aren't tampered with? What damage can someone on the same network segment do?

6 Anatomy of a hypervisor attack Guest 1 Guest 2 Guest 3 Hypervisor

7 Anatomy of a hypervisor attack Guest 1 Guest 2 Guest 3 Hypervisor

8 Anatomy of a hypervisor attack Guest 1 Guest 2 Guest 3 Hypervisor

9 Anatomy of a hypervisor attack Guest 1 Guest 2 Guest 3 Hypervisor

10 Hypervisor security is hard Large attack surface Complicated code Can depend on subtle CPU behaviour External validation poorly explored

11 Best practices are poorly defined Little pressure to describe security policy Poor update process No intrusion detection

12 What happens if a machine is compromised? Can it fake out PXE boots? and if it can, can you detect that? (TPM attestation)

13 Worst case scenario Insecure hypervisor Your entire cloud is as vulnerable as the weakest guest

14 Worst case scenario Insecure hypervisor Your entire cloud is as vulnerable as the weakest guest (Not actually the worst case scenario)

15 The actual worst case scenario Persistent system infection Elevate from kernel to firmware or BMC What's the appropriate level of concern?

16 So, what can we do? Mitigation in depth Audit code Limit access to essentials Don't assume that any single layer is perfect

17 Pay attention to APIs What can access your APIs? Firewall off anything that doesn't need to Do you have multiple privilege levels? And how far does privilege get you? What have you done to audit these APIs?

18 Confine your guest instances svirt policy limits breakout damage Strong SELinux policy on computenodes Ensure that audit messages go somewhere useful

19 Do not underestimate potential damage from IPMI IPMI devices must be physically segregated Compute nodes must not be on the same net Keep up to date with IPMI firmware updates Assume all IPMI firmware updates are security related Know how to manage a worst-case scenario

20 Define risk levels appropriately Containers are insecure Do not use for untrusted or publicfacing code Bare-metal provisioning is dangerous Do not use for untrusted code, be wary of public-facing code

21 Verify machine state TPM-based boot measurement Remote attestation to controller Remeasure periodically Investigate hardware state introspection

22 Introspection is interesting If you know you can trust your hypervisor... Your hypervisor can examine your guests State of introspection is not well advanced Verifying the state of software is hard

23 Clouds aren't great for random numbers Use rdrand() on Ivy Bridge TPMs can supply ~4K/second Icehouse supports virtualised RNGs for guests

24 Cloud gives different threat models Traditional hosting ties servers to companies Accurate threat assessment Cloud no longer provides that assurance