![Join Us
#openstack-security on Freenode
#openstack-meeting-alt @ 1700 UTC Thur
openstack-dev ML with [Security] tag](https://image.slidesharecdn.com/wqo7gxk0slgpjygxbdn9-signature-8ee7ec101d474b6493d7d1fb3465c563d35eb19b52cfdc3c934152e5dd78b105-poli-160122155714/85/OpenStack-Security-Project-34-320.jpg)
OpenStack Security Project
- 1. OpenStack Security Project Securing the world’s largest, fastest moving open-source project
- 2. Agenda - Intro to OpenStack - State of OpenStack Security - Security Group Projects - About the Security Group
- 3. Intro to OpenStack Open source cloud platform Started in 2010 by NASA and Rackspace Today: > 2.5 million LoC + 1800 contributors ~77% Python
- 5. OpenStack - How Product People See It: Nova Swift Neutron Glance Keystone Horizon Cinder
- 6. OpenStack - How Security People See It: Nova Swift Neutron Glance Keystone Horizon Cinder DNS Metering Automation LoadBalancing Monitoring Billing Databases Orchestration Alarming Messaging AccountMaintenance Certificate Authorities
- 7. State of OpenStack Security 2010 Nasa and Rackspace Launch OpenStack Bexar 02/11 Cactus 04/11 Diablo 09/11 Essex 04/12 Folsom 09/12 Grizzly 04/13 Havana 10/13 Icehouse 04/14 Juno 10/14 Kilo 04/15
- 8. Examples Directory traversal → Arbitrary File Creation (2012) Improper sanitization in instance name → XSS (2013) Missing SSL certificate check (2014) Glance store DoS through disk space exhaustion (2014) Unauthorized delete of versioned Swift object (2015)
- 9. Security Issues XSS (web interface) Directory traversal Missing auth check Information leakage DoS ...
- 11. Security Notes ● Written and managed by OpenStack Security Project ● Compliment advisories (OSSA) ● Can be found on the Security Note Wiki ○ https://wiki.openstack.org/wiki/Security_Notes
- 12. Security Notes One-stop-shop for cloud deployers Issues without a patch Insecure defaults Common insecure configurations Over 60 listed notes as of December 2015
- 13. Security Notes - Examples OSSN-0056 - Cached keystone tokens may be accepted after revocation OSSN-0049 - Nova Ironic driver logs sensitive information in DEBUG mode and python-swiftclient Pecan (for some services)
- 14. Security Notes - Process ● Writing ○ Number Assignment ○ Template Use ● Testing ○ Researching - Reproducing Issue ● Review Process ○ Peer Review Process Using Gerrit/Git Review ● Get Published
- 15. Security Guide Created in June 2013 + living document Provides best practices and conceptual information about securing an OpenStack cloud ● Reflects the current state of security within the OpenStack community ● Maintained by OpenStack Security project
- 16. Security Guide - Process ● Bugs in Launchpad ○ Tracks bugs against the guide, and their severity ○ Can assign yourself a sec-guide bug just like code ● Get the doc source ○ Clone the security guide git repo ● Update ○ In RST format it’s security-guide/source/<chaptername>/ ● Review
- 17. Security Guide Example topics: ● Hypervisor selection ● Instance security management ● Tenant data privacy Available in HTML (current) and print (v1.0) form http://docs.openstack.org/security-guide
- 18. Bandit - a Python security linter Finds common security issues in Python code: Command injection Insecure temp file usage Promiscuous file permissions Usage of unsafe functions/libraries Binding to all interfaces
- 19. Bandit Example
- 20. Bandit Open source Easy to write new plugins Low resource requirements Runs quickly
- 21. Vulnerability Management ● Ensure that vulnerabilities are dealt with quickly and responsibly. ● When situation requires it, produce OpenStack Security Advisories (OSSAs) - similar to CVEs.
- 23. Example: OSSA-2013-036 11-03-2013: XSS in instance name reported by Cisco employee 11-14-2013: Fix publicly disclosed, bug marked public 11-28-2013: Backports completed 12-04-2013: CVE-2013-6858 Assigned 12-11-2013: Advisory published
- 24. Secure Coding Guidelines ● Examples of common tasks that are often done insecurely ● Written for developers in conversational tone ● With examples on how to perform the tasks securely ● Designed to eventually be linked to by Bandit findings
- 25. Anchor - Ephemeral PKI System Existing PKI is broken outside of the browser ● Revocation does not work in most crypto libraries ○ CRLs are hard to distribute deterministically ○ OCSP doesn’t work in many client TLS libraries ● Provisioning certificates at scale is non-trivial
- 26. Anchor - Ephemeral PKI System Automatically Verifies and Issues Short-Life Certificates ● Authenticates the requestor (TLS) ● Validates the Certificate Signing Request ● Issues a Certificate ● Then uses Passive Revocation ○ Revoke by denying future requests ○ Certificate life shorter than typical OCSP caches, so there is a
- 27. Anchor - Ephemeral PKI System Ephemeral CA ReST Interface Decision Engine Certificate Authority Pluggable Authentication Shared Secret LDAP Lookup Keystone Service Reverse DNS Verification CMDB System Role Reversed IP in Valid Range Name(s) match scheme Role matches FQDN prefix Extendable Rule Set Dogtag/FreeIPA Killick (WIP) etc...
- 28. Syntribos - API Security Testing Tool Finds security issues in restful API Fuzz payload, HTTP headers, URL, query string Log all requests and responses Support keystone authentication Detect common security defects Help identify unknown security defects
- 30. Syntribos Summary Output 2015-08-18 14:44:12,466: INFO: root: ======================================================== 2015-08-18 14:44:12,466: INFO: root: Test Case......: test_case 2015-08-18 14:44:12,466: INFO: root: Result.........: Passed 2015-08-18 14:44:12,466: INFO: root: Start Time.....: 2015-08-18 14:44:12.464843 2015-08-18 14:44:12,466: INFO: root: Elapsed Time...: 0:00:00.001203 2015-08-18 14:44:12,466: INFO: root: ======================================================== 2015-08-18 14:44:12,467: INFO: root: ======================================================== 2015-08-18 14:44:12,467: INFO: root: Fixture........: syntribos.tests.fuzz.all_attacks.(agent_patch.txt)_(ALL_ATTACKS_BODY)_(all-attacks.txt)_str1_model1 2015-08-18 14:44:12,467: INFO: root: Result.........: Passed 2015-08-18 14:44:12,467: INFO: root: Start Time.....: 2015-08-18 14:44:11.139070 2015-08-18 14:44:12,467: INFO: root: Elapsed Time...: 0:00:01.328030 2015-08-18 14:44:12,468: INFO: root: Total Tests....: 1 2015-08-18 14:44:12,468: INFO: root: Total Passed...: 1 2015-08-18 14:44:12,468: INFO: root: Total Failed...: 0 2015-08-18 14:44:12,468: INFO: root: Total Errored..: 0 2015-08-18 14:44:12,468: INFO: root: ========================================================
- 31. Syntribos Open source Easy to extend Support in-depth fuzzing Automatic logging http://git.openstack.org/cgit/openstack/syntribos
- 33. OpenStack Security Project 250 listed members ~ 20 active at any time + you? Lots of ways to participate: - Write notes/documentation (gets you a technical contributor credit) - Hack on existing tools: Bandit, Anchor, Syntribos - Write your own tool (Ansible-security / Tempest checks) - Pentesting / code review / deployment bugs - Threat Analysis
- 34. Join Us #openstack-security on Freenode #openstack-meeting-alt @ 1700 UTC Thur openstack-dev ML with [Security] tag
- 35. Or Jump Right In... Security Project Page: https://security.openstack.org/ Security Advisories: https://security.openstack.org/ossalist.html Security Notes: https://wiki.openstack.org/wiki/Security_Notes Bandit: https://wiki.openstack.org/wiki/Security/Projects/Bandit Developer Guidelines: https://security.openstack.org/#secure-development-guidelines Anchor: https://wiki.openstack.org/wiki/Security/Projects/Anchor Syntribos: http://git.openstack.org/cgit/openstack/syntribos Security Guide: http://docs.openstack.org/sec/ OpenStack Ansible Security: https://github.com/openstack/openstack-ansible-security
- 36. Thank you! Eric Brown - VMware - browne on Freenode Travis McPeak - HPE - tmcpeak on Freenode
Editor's Notes
- #4: Pulled June 2015
- #8: 726359 - earliest vuln could find (https://www.youtube.com/watch?v=YYPawaekKys) Cactus timeframe - proposal for a Security group from Rackspace VMT was introduced around the early Diablo timeframe (again, per https://www.youtube.com/watch?v=YYPawaekKys) Security group started around the Folsom timeframe (HP/Nebula) and was incorporated into the Juno timeframe (group -> project)
- #9: lp bug#’s: Arbitrary file creation - 1015531 Improper sanitization - 1247975 Missing SSL certificate check - 1199783 Glance DoS - 1315321 Swift object delete - 1430645
- #10: Tallies of vulns per year, and topics they cover (2015 actually coming in just below so far) actual 2015 advisories was 21
- #13: There are 63 total, but 5 are Work-In-Progress (atm)
- #18: Lulu book version is still 1.0 (migration to RST broke Sphinx which was producing PDF which was to be submitted to Lulu); HTML is current
- #19: - openstack/barbican - openstack/keystone (VOTING) - openstack/keystonemiddleware (VOTING) - openstack/magnum - openstack/oslo.vmware - openstack/python-keystoneclient (VOTING) - openstack/python-magnumclient - openstack/sahara
- #20: Each solution should be evaluated for your environment
- #23: VMT needs to update this image to include OSSN/ OSSP
- #24: How to get notifications? Better example required.
- #31: Summary output shows pass/fail - other output is much more detailed - full request/response data in named log files
- #32: Restfuzz was new as of Oct/Nov 2015; developed by Tristan from VMT
- #34: Killick, Leeson WIP