Cloud Penetration Testing

By Ralph LaBarge and Thomas McGuire.

ABSTRACT

This paper presents the results of a series of penetration tests performed on the OpenStack Essex Cloud Management Software. Several different types of penetration tests were performed, including network protocol and command line fuzzing, session hijacking and credential theft. Using these techniques, exploitable vulnerabilities were discovered that could enable an attacker to gain access to restricted information contained on the OpenStack server, or to gain full administrative privileges on the server.

Key recommendations to address these vulnerabilities are to use a secure protocol, such as HTTPS, for communications between a cloud user and the OpenStack Horizon Dashboard, to encrypt all files that store user or administrative login credentials, and to correct a software bug found in the OpenStack Cinder typedelete command.

KEYWORDS

Cloud, Fuzzing, OpenStack, Penetration Testing, Vulnerability Detection

1. INTRODUCTION

This paper discusses penetration testing of the OpenStack Essex Cloud Management Software package. The paper is organized into nine sections: (I) Introduction, (II) OpenStack Cloud Management Software, (III) Selection of Penetration Testing Software, (IV) Design & Implementation of the Test Cloud, (V) Design & Implementation of the Penetration Test Environment, (VI) Description of the Penetration Tests Performed, (VII) Test Results, (VIII) Summary and Conclusions, and (IX) References.

2. OPENSTACK CLOUD MANAGEMENT SOFTWARE

OpenStack includes four core services and a set of shared services, which together provide an integrated cloud management environment. The core services are “Compute”, “Storage”, “Networking” and “Dashboard”; the shared services are “Identity” and “Image”.

2.1. OpenStack Compute (Nova)

OpenStack Compute is used to provision and manage large networks of virtual machines. Common use cases for OpenStack Compute include public cloud service providers offering Infrastructure as a Service (IaaS) cloud services, IT departments offering private cloud services within their organizations, Big Data applications using tools like Hadoop, and High-performance computing (HPC) applications. A partial list of OpenStack Compute features includes:

• Manage virtualized commodity server resources including CPU, memory, disk, and network interfaces

• Manage local area networks including Flat, Flat DHCP, VLAN DHCP, IPv4 and IPv6 networks

• Virtual Machine image management services to store, import, share, and query virtual
images

• Ability to assign (and re-assign) floating IP addresses to VMs

• Role Based Access Control (RBAC) provides security by user, role and project

• VM Image Caching on compute nodes provides faster provisioning of VMs

2.2. OpenStack Storage (Swift & Cinder)

OpenStack Storage provides both object and block storage for use with servers and applications. Object storage is a distributed storage system for static data such as virtual machine images, backups and archives. Objects and files are written to multiple disk drives spread throughout the OpenStack cloud, providing scalability and redundancy. OpenStack also provides persistent block level storage devices for use with compute instances that require high performance storage for databases, expandable file systems, or a server that requires access to raw block level storage. A partial list of OpenStack Storage features includes:

• Use of commodity hard drives to reduce the cost per storage byte

• Self-healing: Data is copied to several different places across the cloud making the storage system highly redundant and reliable

• Unlimited storage with both horizontal and vertical scaling

• Very large scale: multiple Petabytes with billions of individual objects

• Amazon S3 (Simple Storage Service) compatible API support for object storage; the block storage service fills the role of Amazon EBS (Elastic Block Store)

• Built in management utilities provide account management, container management and storage monitoring functions

2.3. OpenStack Networking (Quantum)

OpenStack Networking is an API-driven system for managing cloud networks and IP addresses. A partial list of OpenStack Networking features includes:

• Manages IP addresses, allowing for static, DHCP or floating IP addresses

• Several networking models including flat networks or VLANs

• Allows users to create and manage their own networks

• Support for software-defined networking technology (e.g. OpenFlow)

• Network framework allows for a variety of devices to be integrated into the cloud including intrusion detection systems, load balancers, firewalls, etc.


2.4. OpenStack Dashboard (Horizon)

OpenStack Dashboard allows cloud administrators and users to provision, manage and control cloud compute, storage and networking resources. Cloud administrators use the dashboard to create users and projects, assign users to projects, and set limits on the resources for those projects. Cloud users can also use the dashboard to provision and control the resources that have been allocated to their projects. The OpenStack Dashboard is implemented as an extensible web based application.

2.5. OpenStack Identity (Keystone)

OpenStack Identity maintains a database of users and maps these users to the OpenStack services they are allowed to access. It provides a common authentication system across the cloud and can be integrated with third party backend directory services (e.g. LDAP). Multiple forms of authentication are supported including standard username and password credentials, token-based systems and Amazon Web Services style logins. OpenStack Identity allows cloud administrators to set common policies across users and systems, to create users and tenants, and to define permissions for compute, storage and networking resources.

2.6. OpenStack Image (Glance)

The OpenStack Image Service provides discovery, registration and delivery services for disk and server images. Cloud administrators can create base image templates from which cloud users can create new instances. Users and administrators can also create and store snapshots of images. Images can be stored in a variety of common formats including Raw, VHD (Hyper-V), VDI (VirtualBox), qcow2 (Qemu/KVM), VMDK (VMware), and OVF (VMware, others).

3. SELECTION OF PENETRATION TESTING SOFTWARE

Penetration testing software is used to evaluate the security of a computer system or network by simulating an attack. The simulated attack can come from an outsider (e.g. a hacker) or an insider (e.g. a disgruntled employee). Several penetration testing techniques will be used in this research effort, including fuzzing, session hijacking, and credential theft.

3.1. Fuzzing

Fuzzing is used in computer security to describe a number of tools and techniques used to discover vulnerabilities by subjecting a program to a wide variety of inputs. Computer programmers and testers have used fuzzing techniques since the early 1970s. [1]

International Journal on Cloud Computing: Services and Architecture (IJCCSA), Vol. 2, No. 6, December 2012

The term “fuzzer” was first used in 1988 by Barton Miller, a professor at the University of Wisconsin-Madison (UW-M). Miller, his associates, and students from his Computer Science classes at UW-M developed a series of fuzzers to test the reliability of UNIX system routines and application programs. [2] Another milestone in the history of fuzzing was the initial release of SPIKE in 2001, and its subsequent presentation at Black Hat 2002 by Dave Aitel of Immunity, Inc. [3]

SPIKE is a fuzzing framework that allows a tester to define the structure of a program’s input as a series of layered blocks. Understanding the structure of the input stream allows fuzzing to be more efficient than simply generating random input data and providing it to a program under test. For example, if a program’s input includes a checksum, generating completely random input data to fuzz the program would be extremely inefficient, since the random input data would almost never contain a valid checksum and would be rejected by the program before reaching the code the tester wants to exercise.

Grammar-based fuzzing combines random fuzzing techniques with block-based fuzzing techniques. A minimal definition of the protocol to be fuzzed is created and used to automatically generate inputs to the program under test that partially comply with the protocol specification. Critical protocol parameters, such as checksums, can be completely specified, while less important parameters are randomized. An example of a grammar-based fuzzer is the PROTOS project developed at the University of Oulu in Finland. [4]
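The contrast between purely random fuzzing and block- or grammar-based fuzzing drawn in the SPIKE paragraph and the paragraph above, as an added example (this code is not from the paper and uses neither SPIKE nor PROTOS): a constructed toy protocol whose messages carry a length field and a CRC-32 checksum, a stand-in parser for the program under test, and two fuzzers run against it. The random fuzzer is rejected by the magic-number or checksum check on essentially every message, while the grammar-based fuzzer keeps the critical fields (magic, length, checksum) fully specified and randomizes only the command and payload, so its inputs reach the command handlers. The wire format, the field names, the CRC-32 choice and the 80/20 split between grammar-valid and random command bytes are all assumptions made for this example.

```python
"""Random vs. grammar-based fuzzing against a toy checksummed protocol (example code)."""
import random
import struct
import zlib

# Constructed toy protocol for this example (not an OpenStack wire format):
#   magic(2) | version(1) | command(1) | length(2, big-endian) | payload | crc32(4)
MAGIC = b"PT"
VERSION = 1
COMMANDS = {0x01: "LIST", 0x02: "CREATE", 0x03: "DELETE"}


def parse_message(data: bytes) -> str:
    """Stand-in for the program under test. Returns the name of the check that
    rejected the message, or 'ok:<COMMAND>' once the payload reaches command code."""
    if len(data) < 10:                       # shortest message: header + empty payload + crc
        return "short"
    if data[:2] != MAGIC:
        return "bad_magic"
    version, command, length = struct.unpack(">BBH", data[2:6])
    if version != VERSION:
        return "bad_version"
    (crc,) = struct.unpack(">I", data[-4:])
    if crc != zlib.crc32(data[:-4]) & 0xFFFFFFFF:
        return "bad_crc"                     # random input almost always dies here or earlier
    if length != len(data) - 10:
        return "bad_length"
    if command not in COMMANDS:
        return "bad_command"
    return "ok:" + COMMANDS[command]         # the code a fuzzer actually wants to reach


def build_message(command: int, payload: bytes, version: int = VERSION) -> bytes:
    """Block-based construction: length and checksum are computed from the other
    blocks after they are generated, so the critical fields are always valid."""
    body = MAGIC + struct.pack(">BBH", version, command, len(payload)) + payload
    return body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def random_fuzz(rng: random.Random, n: int) -> dict:
    """Purely random fuzzing: n messages of random length and random content."""
    counts = {}
    for _ in range(n):
        msg = bytes(rng.getrandbits(8) for _ in range(rng.randint(0, 48)))
        outcome = parse_message(msg)
        counts[outcome] = counts.get(outcome, 0) + 1
    return counts


def grammar_fuzz(rng: random.Random, n: int) -> dict:
    """Grammar-based fuzzing: magic, length and crc are fully specified; the
    command is drawn from the grammar 80% of the time and is a random byte
    otherwise (assumed split); the payload is always random."""
    counts = {}
    for _ in range(n):
        command = rng.choice(list(COMMANDS)) if rng.random() < 0.8 else rng.getrandbits(8)
        payload = bytes(rng.getrandbits(8) for _ in range(rng.randint(0, 32)))
        outcome = parse_message(build_message(command, payload))
        counts[outcome] = counts.get(outcome, 0) + 1
    return counts


def reach_rate(counts: dict) -> float:
    """Fraction of generated messages whose payload reached a command handler."""
    total = sum(counts.values())
    return sum(v for k, v in counts.items() if k.startswith("ok:")) / total if total else 0.0


def compare(seed: int, n: int) -> dict:
    """Reach rates of both strategies under a fixed seed, for a reproducible comparison."""
    return {
        "random": reach_rate(random_fuzz(random.Random(seed), n)),
        "grammar": reach_rate(grammar_fuzz(random.Random(seed), n)),
    }


if __name__ == "__main__":
    rng = random.Random(2012)
    for name, fuzz in (("random", random_fuzz), ("grammar", grammar_fuzz)):
        counts = fuzz(rng, 5000)
        print(f"{name:8s} reach={reach_rate(counts):.3f} {counts}")
```

Running the script prints the outcome counts for both strategies: the random fuzzer's messages are almost all stopped at the length, magic or checksum checks, so the parsing code behind them is never exercised, while the grammar-based fuzzer's messages reach the command handlers at roughly the rate at which the command byte is drawn from the grammar. Against a real service, `parse_message` would be replaced by sending the message over the network and observing the response or a crash, with the checksum computed exactly as the target computes it.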

Since 2002 the popularity of fuzzing has grown, as has the sophistication and number of open-source and commercial fuzzing tools. Today, fuzzing is widely recognized as a valid computer security test method, and is being used by many commercial software development companies.

Microsoft uses “white-box” fuzzing as part of their quality assurance process. Dr. Patrice Godefroid of Microsoft defines white-box fuzzing as “a new approach to fuzzing pioneered at Microsoft in the SAGE tool and based on symbolic execution and constraint solving techniques.” [5] According to Godefroid, a Windows 7 test team found 50% more bugs using a white-box fuzzer (SAGE) than all other traditional fuzzers combined.

The full paper is available at: http://cryptome.org/2013/07/cloud-pentest.pdf
