Security Analysis of Cloud Control Interfaces

How Private is Your Private Cloud? Security Analysis of Cloud Control Interfaces

Dennis Felsch, Mario Heiderich, Frederic Schulz, Jörg Schwenk
Horst Görtz Institute for IT-Security, Bochum, Germany

ABSTRACT

The security gateway between an attacker and a user's private data is the Cloud Control Interface (CCI): If an attacker manages to get access to this interface, he controls the data. Several high-level data breaches originate here, the latest being the business failure of the British company Code Spaces.

In such situations, using a private cloud is often claimed to be more secure than using a public cloud. In this paper, we show that this security assumption may not be justified: We attack private clouds through their rich, HTML5-based control interfaces, using well-known attacks on web interfaces (XSS, CSRF, and Clickjacking) combined with novel exploitation techniques for Infrastructure as a Service clouds.

We analyzed four open-source projects for private IaaS cloud deployment (Eucalyptus, OpenNebula, OpenStack, and openQRM) in default configuration. We were able to compromise the security of three cloud installations (Eucalyptus, OpenNebula, and openQRM). One of our attacks (OpenNebula) allowed us to gain root access to VMs even if full perimeter security is enabled, i.e. if the cloud control interface is only reachable from a certain segment of the company's network, and if all network traffic is filtered through a firewall.

We informed all projects about the attack vectors and proposed mitigations. As a general recommendation, we propose to make web management interfaces for private clouds inaccessible from the Internet, and to include this technical requirement in the definition of a private cloud.

Keywords

Cloud Security; Cloud Interface; Infrastructure as a Service; XSS; CSRF

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]. CCSW'15, October 16, 2015, Denver, Colorado, USA. Copyright is held by the owner/author(s). Publication rights licensed to ACM. ACM 978-1-4503-3825-7/15/10 ...$15.00. DOI: http://dx.doi.org/10.1145/2808425.2808432.

1. INTRODUCTION

According to NIST Special Publication 800-145 [24], cloud computing can be categorized into three service models: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). In this paper, we concentrate on IaaS cloud systems. An IaaS cloud provides the consumer with full control over the (virtualized) infrastructure to use. A consumer has the choice between different (virtual) hardware configurations and operating systems (bundled into a Virtual Machine, VM), and may select network configurations and storage systems.

The Cloud Control Interface (CCI).

Even if all other components of a cloud system (VMs, virtual networks, persistent storage) are protected by perimeter security systems (network separation, firewalls, IDS), the Cloud Control Interface (CCI, interface 4 in Figure 1) necessarily must be exposed to the outside world, since it must allow for "on-demand self-service" [24]. Therefore, CCIs are implemented as public web APIs, mostly as a web application, but also in form of REST or SOAP-based APIs. This gives an attacker the same type of access as the legitimate user, thus a user's data is only secure if the CCI is secure. Just to mention one serious attack from 2014, the British company Code Spaces went out-of-business because an attacker seized control over their Amazon AWS CCI and, after the company had been blackmailed and refused to pay, deleted all company data including backups in the Cloud.[1]

[1] http://www.infoworld.com/article/2608076/data-center/murder-in-the-amazon-cloud.html

Figure 1: IaaS cloud building blocks (figure labels: https://admin.cloud.tld; Start new VM; Store Data persistently; Change SSH key; Monitor all VMs; Persistent Data Storage; Cloud Management Platform (CMP), e.g. OpenStack, Eucalyptus, OpenNebula; DHCP; DNS; VMs on Hypervisor/OS of Compute Node 1, 2, 3, ...; interfaces numbered 1 to 4)

Because of this impact of a possible security breach of a CCI, we believe that CCIs should employ any known security measure to protect themselves. Unfortunately, this is not the case: Especially web application CCIs suffer from the complexity of the interface, which not only supports the growing range of HTML5 standards (Scriptless Attacks), but also implements legacy features going back to DOM Level 0 (DOM Clobbering), undocumented browser behaviour (mXSS) and large 3rd party libraries (e.g. jQuery).

The Promises of Private Clouds.

Private Clouds are often advertised as being more secure than their Public Cloud counterparts, and thus as a solution for securely protecting company data. [24] describes these different deployment models, which are mostly applied to the IaaS service model: Private Clouds, provisioned for the use of a single entity, Public Clouds which are accessible for open use by the general public, and two intermediate models, Community and Hybrid Clouds. In this paper, we concentrate on private cloud deployments. According to [24] this is defined as follows: "Private cloud. The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises."

ISO/IEC 17788 [15] gives more or less the same description of this deployment model: "A private cloud may be owned, managed, and operated by the organization itself or a third party [...]. Private clouds seek to set a narrowly controlled boundary around the private cloud based on limiting the customers to a single organization" [15].

Both NIST and ISO definitions are organizational in their nature and do not define how the deployment models differ from a technical point of view. For example, the boundary mentioned in the ISO definition could be realized using firewalls and network separation techniques. However, if a private cloud is operated by a third party, as mentioned in the standard, the security gain of a firewall protection is questionable.

In this paper, we investigate if private clouds really give better security, by investigating the technical features of four prominent cloud projects (Eucalyptus, OpenNebula, OpenStack) which are also deployed as private clouds, and a small

nario 2, a firewall is used to block direct access to the CCI from the Internet. The latter may be seen as a straightforward "provisioning" of a cloud implementation for private use.

Attacking Private Clouds.

Since private clouds are provisioned for use by a single entity only, attacks on the virtualization layer may only be performed by insiders, i.e. employees of the entity using the cloud. We therefore concentrate on attacks on the CCI itself, which can be accessed through a variety of APIs. In this paper, we concentrate on the Web API, i.e. the API accessible through a standard web browser.

On a high level, the success of some of our attacks even in the presence of perimeter security mechanisms like firewalls can be explained as follows: We use a web browser as our "malicious insider" within the company network. The browser receives instructions through port 80 (HTTP), which is open in any firewall, and may transfer stolen data through the same port.

The transformation of a "trusted browser" into a "malicious insider" is done through standard web attacks: Either we directly control browser actions (CSRF) invisible to the user, or we execute malicious script code in the web interface (XSS).

Attacks on Web Interfaces.

Web browsers are often used as the user's interface to a cloud: They are available for any operating system, the markup (HTML5, XHTML), data (XML, JSON), scripting (JavaScript, XSLT) and style (CSS) languages are platform independent, their communication protocols (HTTP, HTTPS, WebSockets) should pass through any firewall, and they are free-of-charge.

However, this wealth of features (which grows steadily) comes at the price of enhanced vulnerabilities: Scripting functionality may be misused through inserting malicious JavaScript into a web page (XSS, Scriptless Attacks), automatic rendering features may be misused to remotely control the browser in a malicious way (CSRF), style languages may be used to mask attacks (UI Redressing), and simple firewalls do not protect against these attacks. All these attacks are described in Section 4.2.

By using the same browser both for browsing the Web and for accessing security critical applications, attack vectors may be carried from the web through the firewall to the application, where they are executed.

Results.

Of the four systems investigated, we were able to break security of the web interfaces of Eucalyptus, OpenNebula, and openQRM. In each of these systems, we found at least one attack that also worked if access to the web interface was restricted by a firewall blocking all direct access. All three major systems were well designed, but the inclusion of a direct data channel through the web browser to each VM proved to be problematic.
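The "browser as malicious insider" path described above relies on the CCI accepting state-changing requests that an external page caused the victim's browser to send (CSRF). The following is an added example, not code from the paper or from any of the four projects, of the request checks a web CCI can apply against that path: an Origin/Referer check against the CCI's own origin, a per-session synchronizer token, and a source-network check. It assumes the CCI is served at https://admin.cloud.tld (the host shown in Figure 1) and that the management subnet, session token and sample requests are constructed values.

```python
"""Request checks for a cloud control interface (CCI) web endpoint.
Added example, not code from the paper or any of the studied projects.
Assumes the CCI origin https://admin.cloud.tld and a constructed mgmt subnet."""
import hmac
import ipaddress
from urllib.parse import urlsplit

CCI_ORIGIN = "https://admin.cloud.tld"
MGMT_NETWORK = ipaddress.ip_network("10.10.0.0/16")  # constructed value
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def request_origin(headers):
    """Origin the browser attributes the request to: Origin header, else Referer."""
    origin = headers.get("Origin")
    if origin:
        return origin.rstrip("/")
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}"
    return None


def check_cci_request(method, headers, remote_addr, session_csrf_token):
    """Return (allowed, reason). Rejects the pattern the paper describes:
    a browser inside the perimeter being driven by an external web page."""
    if ipaddress.ip_address(remote_addr) not in MGMT_NETWORK:
        return False, "client outside management network"
    if method.upper() not in STATE_CHANGING:
        return True, "read-only request"
    origin = request_origin(headers)
    if origin is None:
        return False, "state change without Origin/Referer"
    if origin != CCI_ORIGIN:
        return False, f"cross-site request from {origin}"
    token = headers.get("X-CSRF-Token", "")
    if not hmac.compare_digest(token, session_csrf_token):
        return False, "missing or wrong CSRF token"
    return True, "same-origin request with valid token"


# Constructed sample requests, shaped like what a browser would send.
SESSION_TOKEN = "c0ffee-example-token"
LEGIT = ("POST", {"Origin": CCI_ORIGIN, "X-CSRF-Token": SESSION_TOKEN}, "10.10.3.7")
CSRF = ("POST", {"Origin": "https://evil.example"}, "10.10.3.7")  # browser driven by another site
OLD_BROWSER = ("DELETE", {"Referer": CCI_ORIGIN + "/vms/42", "X-CSRF-Token": SESSION_TOKEN}, "10.10.3.7")
OUTSIDE = ("GET", {"Origin": CCI_ORIGIN}, "203.0.113.5")

if __name__ == "__main__":
    for req in (LEGIT, CSRF, OLD_BROWSER, OUTSIDE):
        print(check_cci_request(*req, SESSION_TOKEN))
```

These checks close only the CSRF path: script injected into the CCI page itself (XSS) runs same-origin and can read the token, which is why the paper treats XSS separately and recommends keeping the interface off the Internet as well.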
