August 28, 2011

Security Issues in OpenStack Object Storage

Presenting the results of the Master's thesis project that concluded my 2-year study program at the NordSecMob Master's Programme in Security and Mobile Computing. During my thesis project I analyzed security issues in OpenStack Object Storage, an open source cloud storage software. Even though I worked on the project in Norway, the presentation itself was given in Denmark.

Some of the findings were quite interesting. For example, isolation of files belonging to different users is implemented using a hashing algorithm. Your account name, the file name, and the directory where the file is stored are combined with a secret hash and passed to the MD5 hash function. The output determines the location of the file on the server. When we changed MD5 to a dummy hash function that returned the same value for every input, users could read and even overwrite files belonging to other users. Even though MD5 is resistant to pre-image attacks (we can't find an input that will hash to a known output), MD5 is not resistant to collision attacks (we can find two inputs that will hash to the same value).
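As an added illustration of the isolation scheme described above (this is not code from the thesis or from OpenStack itself), the following Python re-implements the idea in simplified form: account, container and object name are joined, the secret suffix is appended, and the digest fixes both the partition and the on-disk hash directory. Swapping MD5 for the constant "dummy" digest reproduces the cross-user collision the experiment observed; the secret suffix, account names and file names are constructed placeholders.

```python
import hashlib

# Constructed placeholder; a real deployment uses its own secret suffix.
SECRET_SUFFIX = b"example-secret-suffix"


def md5_digest(data: bytes) -> bytes:
    """The digest the real scheme uses."""
    return hashlib.md5(data).digest()


def dummy_digest(data: bytes) -> bytes:
    """The 'dummy hash' from the experiment: same value for every input."""
    return b"\x00" * 16


def object_location(account, container, obj, digest=md5_digest,
                    secret=SECRET_SUFFIX, part_power=18):
    """Return (partition, hash_hex): where an object is stored.

    The path components are joined, the secret suffix is appended, and the
    digest decides the location. Different users only stay isolated if
    different inputs yield different digests.
    """
    path = "/".join([account, container, obj]).encode()
    d = digest(path + secret)
    # Partition: the top part_power bits of the first 32 bits of the digest.
    partition = int.from_bytes(d[:4], "big") >> (32 - part_power)
    return partition, d.hex()


def objects_collide(loc_a, loc_b):
    """True when two objects would be written to the same location."""
    return loc_a == loc_b


def suffix_is_set(secret: bytes) -> bool:
    """Defender check: the salt that mitigates chosen-name collisions must
    actually be configured (a trivial minimum-length check, assumed here)."""
    return len(secret) >= 16


if __name__ == "__main__":
    alice = object_location("alice", "photos", "cat.jpg")
    bob = object_location("bob", "photos", "cat.jpg")
    print("MD5 + secret, collide:", objects_collide(alice, bob))
    alice_d = object_location("alice", "photos", "cat.jpg", digest=dummy_digest)
    bob_d = object_location("bob", "photos", "cat.jpg", digest=dummy_digest)
    print("dummy digest, collide:", objects_collide(alice_d, bob_d))
```

Note that a different secret suffix moves every object, which is why the page treats insider knowledge of the suffix as the precondition for the chosen-name attack.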

The isolation approach allows an interesting attack to be executed against a cloud provider that uses OpenStack. First, the attacker negotiates a contractual agreement with the provider under which the latter is responsible for preventing loss of the former's data. Second, the attacker generates two file names that will hash to the same value. Then, the attacker uploads these two files to OpenStack, and the second file overwrites the first one. Now, the attacker can sue the provider for data loss. OpenStack has a mitigation against such an attack: a secret hash value that is stored on the server and used as a salt to the hash function. But with insider knowledge of this hash, the aforementioned attack is possible.

Another issue we found is scary. In the default authorization system that ships with OpenStack Object Storage, there is one type of administrator that can download or even delete files belonging to any user on any of the accounts. This admin is called Reseller Admin, and of course his broad permissions are mentioned nowhere in the documentation. So, if your company has divisions in the US and Europe, and you are a Reseller Admin in, say, Germany, you can view files belonging to users in the US. Quite cool, isn't it?

The full text of the thesis is available at this link. The presentation slides are here.

http://www.linkedin.com/in/oldbam