Thoughts on Google App Engine Security

Surging clouds

Google has not published any security documents, and I have not thoroughly studied and tested GAE's defense against various attacks. I just want to give a brief introduction as a google user.

First, the underlying layer must be built on GFS, using distributed storage to store all the data, that is, google's cloud storage.

It may be the computing platform, including task scheduling, SQL engine, and Key-Value engine.

The App Engine is built on these basic services to provide external services.

Sandbox: GAE currently supports running java and python code, both of which have sandbox (java uses securitymanager ). Through sandbox protection, malicious code can be restricted to directly operating system files and executing commands.

Datastore: this is not a real database. It should only be based on the key-value pair of GFS, and the simulated GSQL also transmits variables in a similar way of "binding" without patchwork, therefore, injection is impossible. There will be no conventional shell obtaining methods like backup and export.

Account: by default, you can use the google Account system, from google sso to appspot. The advantage is that, even if XSS occurs, attackers cannot log on to the user's google account because of cross-domain access.

Access Control: do not know the details of google. The problem is whether data can be operated internally from app A to app B. Similar to the traditional side note. If you want to break through, you can only look at some logic vulnerabilities in internal storage. For example, if a file link is allocated to another application, the file is deleted, but the link is still there. At present, google does not seem to have provided cross-app business requirements, so each app may be independently opened in this regard.

DDOS: DDOS at the network layer and transport layer is guaranteed by google. In terms of application DDOS (CC), since the quotas limitation of GAE is used for billing, services will be stopped when the upper limit is easily reached. However, some technical means can be used to relieve the application DDOS pressure, similar to what apache mod_evasive does. However, the final solution may require google to provide the firewall-level block ip API to better solve this problem.

Get webshell? From the above analysis, it is very difficult. The only possibility is that the sandbox is bypassed. This may be caused by a java or python Library Vulnerability. If google has not been specially designed, it still has the opportunity to break through the system layer.

If you are blind, you have time to study google's security.