Domain Name Service Trust Delegation in Cloud Computing: Exploitation, Risks, and Defense by Craig Laprade B.S. in Computer Science, May 2010, Worcester Polytechnic Institute A Thesis submitted to The Faculty of The School of Engineering and Applied Science of The George Washington University in partial satisfaction of the requirements for the degree of Master of Science January 8, 2021 Thesis directed by H. Howie Huang Professor of Electrical and Computer Engineering © Copyright 2021 by Craig Laprade All rights reserved ii Acknowledgments I would like to acknowledge my wife, Andrea, who supported my research while pursuing lofty academic goals of her own and who tolerated my often lengthy lamentations about the state of internet security. I would also like to acknowledge Dr. H. Howie Huang who provided support and guidance that made this research possible. Lastly, I would like to acknowledge the security community, both personal acquaintances and others, who’s pointed, timely, and often irreverent reports of vulnerabilities help secure the modern internet. iii Abstract Domain Name Service Trust Delegation in Cloud Computing: Exploitation, Risks, and Defense The Domain Name Service (DNS) infrastructure is a global distributed database that links human readable domain names with the Internet Protocol (IP) addresses of the resources that power the internet. With the explosion of cloud computing over the past decade, increasing proportions of organizations’ computing services have moved from on-premise solutions to cloud providers. These services range from complete DNS management to singular services such as E-mail or a payroll application. Each of these outsourced services requires a trust delegation, that is, the owning organization needs to advertise to the world, often by DNS records, that another organization can act authoritatively on its behalf. What occurs when these trust delegations are misused? In this work, I explore the methods that can be used to exploit DNS trust delegation and then examine the top 1% of the most popular domains in the world for the presence of these exploitable vulnerabilities. Finally, I conclude with methods of defense against such attacks and the publishing of a novel tool to detect these vulnerabilities. iv Table of Contents Acknowledgments .................................. iii Abstract ........................................ iv List of Figures .................................... vii List of Tables ..................................... viii 1 Introduction .................................... 1 1.1 Trust in Cloud Architectures . .2 1.2 Trust Delegation & Exploitation . .2 1.3 Experiment Overview . .3 2 Literature Review ................................. 5 2.1 Academic Writings . .5 2.2 Reports from Industry . .8 2.3 Datasets . 10 2.3.1 Rapid7 OpenData . 11 2.3.2 SecurityTrails . 11 2.3.3 Majestic Million . 11 3 Trust Delegation ................................. 13 3.1 DNS Overview . 13 3.2 Trust Delegation . 15 3.3 Vulnerability Classification . 17 4 Exploitation .................................... 19 4.1 Types of Exploitation . 19 4.1.1 Canonical Name Record (CNAME) . 19 4.1.2 Name Server Record (NS) . 20 4.1.3 Mail Record (MX) . 22 4.1.4 Cloud Service . 23 4.2 Impacts of Exploitation . 25 4.2.1 Phishing . 25 4.2.2 Cross-Origin Resource Sharing (CORS) . 27 4.2.3 Cookie Based Single Sign On (SSO) . 28 4.2.4 Encryption . 29 4.2.5 Disinformation . 30 5 Methodology ................................... 32 5.1 Process Overview . 32 5.1.1 Algorithm . 35 5.2 Systems Overview . 36 v 5.2.1 Obstacles . 36 5.3 Execution . 37 5.3.1 Exceptions . 39 6 Results ....................................... 40 6.1 Overview . 40 6.2 Trends . 42 6.2.1 Education Domains . 42 6.2.2 News and Media . 44 6.2.3 Pantheon: The Emerging Attack Surface . 45 6.2.4 Microsoft Azure . 45 6.2.5 Artifacts of Development . 47 6.3 High Severity Findings . 47 6.3.1 alert.tsa.dhs.gov . 48 6.3.2 vaccinesuat.cdc.gov . 49 6.3.3 <subdomain>.<political party>.<tld> . 49 7 Defense ...................................... 52 7.1 Overview . 52 7.2 Existing Solutions . 52 7.2.1 DNSSEC . 52 7.2.2 NSEC . 53 7.2.3 Specific Value Record Verification . 56 7.2.4 Domain Attack Surface Monitoring . 56 7.3 Proposed Solutions . 57 7.3.1 Apex Domain Verification . 57 7.3.2 Assessment via TrustBreaker . 58 8 Conclusion ..................................... 60 8.1 Summary . 60 8.2 Emerging Attack Surface . 60 8.3 Future Work . 60 8.4 Conclusion . 62 Bibliography ..................................... 63 vi List of Figures 2.1 Patrik Hudák’s Results (CNAME Vulnerability in OpenData)[14] . .8 2.2 Hackerone Public Subdomain Takeover Reports[26] . 10 3.1 DNS Hierarchy . 14 3.2 DNS Lookup Process . 14 3.3 DNS Delegation Process . 16 4.1 CNAME Takeover . 20 4.2 NS Takeover . 21 4.3 MX Takeover . 23 4.4 Cloud Asset Takeover . 24 4.5 Common Phishing . 26 4.6 CORS Attack . 28 4.7 Cookie-based SSO Session Hijack . 29 4.8 Let’s Encrypt Certificate Granting Process . 30 5.1 Process Flow . 34 5.2 Redirector Architecture . 38 6.1 Severity Distribution . 41 6.2 Site TLD Breakdown . 41 6.3 Representation of TLDs . 42 6.4 Percent Vulnerable by TLD . 43 6.5 Site Category Distribution . 44 6.6 Vulnerability Type Distribution . 46 6.7 US Political Party Webpage on July 14, 2020 . 51 7.1 eda.doc.gov Effective DNSSEC Usage . 55 vii List of Tables 1.1 Top 10 Majestic Million Domains . .4 3.1 DNS record Types . 15 3.2 Vulnerability Classification . 18 7.1 DNSSEC Record Types . 54 viii Chapter 1: Introduction What is in a name? For most of us, the value of our name is based on the merit of our past deeds. For commercial entities, the value of their name and that of their brands are based on the quality of their products, which is linked to their financial survival. For Non-Governmental Organizations (NGOs), the value of their name, through past deeds, is linked to sustaining donations and grants. What about civil authorities? If their name was maligned would they be as effective as if it was not? Now imagine that any third party can conduct actions on behalf of any number of organizations with irreverence. This is a reality in today’s internet enabled by an overcomplicated web of trust exacerbated by the rapid adoption of cloud computing. Attackers can identify broken trust relationships between organizations, often the result of the ever increasing cyclic rate of DevOps, and assume the privileges of one of these organizations[14]. They then possess the ability to act authoritatively on behalf of that organization. This can be used for actions ranging from phishing, security policy bypass, to even brutally effective disinformation campaigns that can have real-world kinetic consequences. In this work I examine trust relationships in the modern internet through the Domain Name System (DNS). I start in Chapter 2 by reviewing the previously published literature, both within the research community as well as from industry. In Chapter 3 I conduct an overview of how these DNS trust relationships are formed, the trust delegation that is conducted via DNS, and intended state of these relationships. Then in Chapter 4, I examine the process for discovering and exploiting these broken trust relationships. From there, I examine how the breaking of this trust, through negligence or malice, can lead to devastating actions by arbitrary and malicious third parties. This work culminates in Chapter 6 with an examination of the top 1% most popular domains globally for trust vulnerabilities and proposed defense strategies against malicious exploitation in Chapter 7. 1 1.1 Trust in Cloud Architectures Trust is the paramount principle that makes cloud computation possible. Organizations, both private and public, trust their sensitive data and mission critical tasks to be executed by cloud service providers at countless data-centers around the world. The complexity of these systems is often lost on the layperson interacting with these very services. For example, how often does a user know that their mobile banking application is actually hosted in the Amazon Web Services (AWS) cloud or that a social media referral system is really a Heroku application? These services are indistinguishable by design from the organizations’ own integral services, just as the myriad of parts made by subcontractors in modern cars are largely indistinguishable from the car brand to the driver. The user of the mobile banking application and the driver of a car are both often none the wiser to.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages72 Page
-
File Size-