Published by Gordon Booth. Modified over 9 years ago.
1
Security Issues in OpenStack
Rostyslav Slipetskyy’s Master’s thesis
Submission date: June 2011
Presenter: 陳傑威
2
Agenda
Introduction to OpenStack
– Definition
– History
– Projects
Security Issues in OpenStack (thesis)
– Objective
– Contribution
– Conclusion
3
Definition
OpenStack is an open source cloud operating system.
NIST (National Institute of Standards and Technology): Cloud Computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
Figure labels: (e.g. Salesforce) (e.g. Hadoop) (e.g. OpenStack)
4
What is OpenStack
(Eucalyptus) EC2 S3 + Projects:
5
What is OpenStack (2)
Research institutions, government agencies, financial institutions, pharmaceutical companies, e-commerce companies, media, …
6
Security Issues in OpenStack (thesis)
Main Objective: Analyze how various security issues are handled in OpenStack
7
Security Issues Identified
– CSA (Cloud Security Alliance)
– ENISA (European Network and Information Security Agency)
– NIST (National Institute of Standards and Technology)
8
Security Issues Identified (2)
1. OpenStack Object Storage
2. Security issues:
– Identity and Access Management
– Data Management
9
OpenStack Installation
OpenStack Object Storage installed in a virtual environment
10
Security Issues:
Identity and Access Management Security Issues
– Identity Provisioning/Deprovisioning
– Identity Federation
– Authentication
– Authorization and Access Control
Data Management Security Issues
– Data Location
– Isolation
– Backup and Recovery
– Deletion
– Encryption and Key Management
– Integrity Verification
11
Identity Provision/Deprovisioning
Overview
– 2 back-end systems:
Devauth: user data are stored in an SQLite database.
Swauth: user data are stored as files in Object Storage.
– 4 roles:
User: has no permissions relative to user management.
Admin: can add users to an account where he is an administrator. In swauth, can delete users from administered accounts.
Reseller Admin: has Admin permissions on all the accounts. Cannot add other Reseller Admins.
Super Admin: the most powerful user, who can perform all user management procedures, including adding Reseller Admins.
12
Authentication
Authentication methods of OpenStack Object Storage
13
Authentication Systems: Devauth
User data (passwords, groups) are stored in an SQLite database.
14
Authentication Systems: Swauth
User data (passwords, groups) are stored as JSON-encoded data in text files in Object Storage.
15
Authentication: Security Token Generation
Session ID Analysis:
1. Set token expiration time to 0 seconds.
2. Obtain 10000 tokens generated for the same user.
3. Analyze tokens with WebScarab to check patterns.
4. Analyze generated tokens with Burp Sequencer tool.
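An added example, not taken from the thesis or the slides: an offline version of the statistical check in steps 2 to 4, run over a token sample that has already been collected. It reports duplicates, the fixed prefix, skewed character positions and an entropy upper bound. The `AUTH_tk` plus 32 hex character layout and both sample generators are constructed assumptions.

```python
import math
import secrets
from collections import Counter

def common_prefix_len(tokens):
    """Length of the prefix shared by every token (min/max bound the set)."""
    lo, hi = min(tokens), max(tokens)
    n = 0
    while n < min(len(lo), len(hi)) and lo[n] == hi[n]:
        n += 1
    return n

def position_entropy(tokens):
    """Shannon entropy (bits) of the characters observed at each position."""
    total = len(tokens)
    out = []
    for i in range(min(len(t) for t in tokens)):
        counts = Counter(t[i] for t in tokens)
        out.append(-sum(c / total * math.log2(c / total) for c in counts.values()))
    return out

def analyze(tokens, alphabet_bits=4.0, tolerance=0.1):
    """Summarise a token sample; alphabet_bits=4.0 assumes hex characters."""
    prefix = common_prefix_len(tokens)
    ent = position_entropy(tokens)
    return {
        "duplicates": len(tokens) - len(set(tokens)),
        "fixed_prefix": tokens[0][:prefix],
        # Variable positions whose character mix is visibly skewed.
        "weak_positions": [i for i, h in enumerate(ent)
                           if i >= prefix and h < alphabet_bits - tolerance],
        # Upper bound only: ignores correlation between positions.
        "upper_bound_bits": round(sum(ent), 1),
    }

def sample_random(n):
    """Constructed sample: CSPRNG-backed tokens in an assumed layout."""
    return ["AUTH_tk" + secrets.token_hex(16) for _ in range(n)]

def sample_counter(n):
    """Constructed sample: a deliberately predictable counter-based generator."""
    return ["AUTH_tk" + format(i, "032x") for i in range(n)]

if __name__ == "__main__":
    for name, gen in (("random", sample_random), ("counter", sample_counter)):
        print(name, analyze(gen(10000)))
```

The counter sample passes the per-position test in its low-order digits, which is why a sequence-aware tool is still needed after a check like this.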
16
Authentication: Security Token Generation (2)
17
Authentication: Portability of stored data
Devauth
Not applicable
Swauth
18
Data Management
Data retrieval in OpenStack Object Storage
19
Data Management (2)
20
END!