It was the “Hey You, Get Off Of My Cloud: Denial of Service in the *aaS Era” title that got me out of bed in the morning for the cold commute to the conference in Crystal City. In the best BlackHat form, Bryan Sullivan’s presentation uncorked a lot of information about attacks on the Web layer – and deeper still – into the cloud:
• Repeated AJAX client calls to individually exposed web service operations that sit in the middle of a state transition, to induce deadlocks or pin down locked resources (e.g. “hold seat” in a reservation process)
• String-to-floating-point conversion attack: a single, specially chosen numeric string sends older versions of PHP into an infinite loop
• Nested ZIP file bombs (tiny archives that decompress to enormous sizes) to fill cloud storage
• Billion laughs attack, exploiting nested entity expansion in the XML parser to hang the compute process
• Regular expression (regex) strings that send the regex engine into catastrophic backtracking and hang the compute process
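The billion laughs item above is worth seeing in miniature, because the whole attack fits in a dozen lines of DTD. The following is an added example of mine, not Sullivan’s slide code: it builds a scaled-down version of the payload (a constructed sample, kept far below the 10^9 copies of the real thing), shows how much text a default expat parser materialises when it expands the nested entities, and then shows the hardened parse, which aborts as soon as the DTD declares any entity at all. Function and class names are my own.

```python
import xml.parsers.expat


def make_laughs(depth=3, fanout=3):
    """Build a scaled-down "billion laughs" document (constructed sample).

    Each level declares an entity whose value references the previous level
    `fanout` times, so expanding the top-level entity yields fanout**depth
    copies of the base string "lol". The classic payload uses depth=9 and
    fanout=10 (a billion copies); keep these numbers small when running it.
    """
    decls = ['<!ENTITY lol0 "lol">']
    for level in range(1, depth + 1):
        refs = "".join(f"&lol{level - 1};" for _ in range(fanout))
        decls.append(f'<!ENTITY lol{level} "{refs}">')
    doc = (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE lolz [\n" + "\n".join(decls) + "\n]>\n"
        f"<lolz>&lol{depth};</lolz>"
    )
    return doc.encode()


def expanded_text_length(xml_bytes):
    """Unsafe path: parse with a default expat parser and count how many
    characters of element text it actually produced. The parser happily
    expands every nested entity reference, so this grows as fanout**depth."""
    parser = xml.parsers.expat.ParserCreate()
    total = 0

    def on_text(data):
        nonlocal total
        total += len(data)

    parser.CharacterDataHandler = on_text
    parser.Parse(xml_bytes, True)
    return total


class EntitiesForbidden(ValueError):
    """Raised when a document tries to declare entities (internal or external)."""


def parse_rejecting_entities(xml_bytes):
    """Hardened path: abort the moment the DTD declares an entity, before a
    single reference is expanded. Returns the root element name on success.
    Note this rejects internal entities too; disabling only external entity
    resolution would not stop the billion laughs payload."""
    parser = xml.parsers.expat.ParserCreate()
    root = None

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        # Exceptions raised inside expat callbacks propagate out of Parse().
        raise EntitiesForbidden(f"entity declaration {name!r} rejected")

    def on_start(name, attrs):
        nonlocal root
        if root is None:
            root = name

    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_start
    parser.Parse(xml_bytes, True)
    return root


def is_acceptable_xml(xml_bytes):
    """Convenience wrapper for an upload filter: True if the document parses
    without declaring any entities."""
    try:
        parse_rejecting_entities(xml_bytes)
        return True
    except EntitiesForbidden:
        return False


if __name__ == "__main__":
    bomb = make_laughs(depth=4, fanout=4)
    print(len(bomb), "bytes on the wire ->",
          expanded_text_length(bomb), "characters after expansion")
    print("accepted by hardened parser:", is_acceptable_xml(bomb))
```

Rejecting entity declarations outright is the simplest defensible policy for a public endpoint; if the application genuinely needs a DTD, the alternative is to cap total expansion size in the same callback style, but that is a much easier rule to get subtly wrong.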
To net it out, if you’re a user or service provider of a multi-tenant cloud – especially an IaaS or PaaS one with all kinds of different programs running in it – the “beast” is the volume of cybercrime and cyberbugs. Threat meets opportunity. Think of a botnet using Google searches to find all the vulnerable web-exposed services in a cloud, or simply scanning its address range, and then launching these (and more) attacks from thousands of bots. This is bad.
Which leads me to reflect on some larger issues raised in other conference presentations. Keynote speaker and former government security executive Franklin Kramer argued for a strategic emphasis on resilience that starts with the assumption that some attacks are going to get through. This blindingly obvious fact was empirically reinforced by Apple sandbox researcher Dionysus Blazakis in his account of software fuzzing work that found bugs in Adobe products, and his conclusion that “most software breaks a lot” and at least some of those bugs can be exploited. Kramer’s architectural prescription for resilience is:
• Distribution, isolation, and segmentation
• Integrity and least privilege
• Moving defenses
• Deception, and
• Adaptive management
Sullivan provided practical examples of ways that cloud services, or any web-based services, can become more resilient in his defense proposals for each of the cloud DOS attacks. The “number of the beast” attack uses a single valid-looking number to send PHP’s string-to-floating-point conversion function into an infinite loop. Bryan said one can mitigate this by upgrading to PHP 5.2.17 or 5.3.5, by setting a compiler flag that changes the default way the conversion is done, or (worst) by writing a blacklist signature for a WAF to filter the number. For the others: don’t expose transactions in the midst of state transitions as web services; disable external entity resolution in XML if you don’t need it (and cap or refuse entity expansion as well, since the billion laughs payload uses internal entities rather than external ones); do anti-virus scans on all uploaded files (e.g. .ZIP), and enforce a decompression size limit while you’re at it, since a scanner that expands the archive to inspect it is itself a target; and so on. Both Sullivan and Blazakis also mentioned that platform defenses (ASLR, NX, stack canaries) are working to make exploitation harder, so one needs to be sure they’re enabled for each specific application.
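The ZIP bomb defense above (scan the upload, but also bound what you are willing to decompress) is simple enough to show end to end. This is an added example of mine, not code from the talk: it builds three constructed sample archives in memory (a benign one, a high-ratio bomb of zeros, and a nested archive), runs a cheap first pass over the central directory, and then does the check that actually matters, streaming each member out under a hard byte budget because the size fields in the headers can be forged. The limits and function names are my own assumptions; tune them to your storage and CPU budget.

```python
import io
import zipfile

MAX_RATIO = 100                     # expansion ratio above which a member is suspect
MAX_TOTAL_BYTES = 5 * 1024 * 1024   # hard cap on total decompressed output
CHUNK = 64 * 1024


def make_zip(members):
    """Constructed sample archive: members maps name -> content bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples (not real uploads): a normal file, a classic
# high-ratio bomb of zeros, and an archive nested inside an archive.
BENIGN = make_zip({"notes.txt": b"hello " * 100})
ZIP_BOMB = make_zip({"zeros.bin": b"\0" * (6 * 1024 * 1024)})
NESTED = make_zip({"inner.zip": make_zip({"a.txt": b"x"})})


def header_check(zip_bytes):
    """Cheap first pass using only the central directory. Returns (ok, reason).
    Catches the obvious cases but trusts attacker-controlled size fields, so it
    must never be the only check."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        declared = 0
        for info in zf.infolist():
            if info.filename.lower().endswith(".zip"):
                return False, f"nested archive: {info.filename}"
            declared += info.file_size
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                return False, f"suspicious ratio on {info.filename}"
        if declared > MAX_TOTAL_BYTES:
            return False, "declared size exceeds cap"
    return True, "ok"


def safe_extract_sizes(zip_bytes):
    """Stream-decompress every member under a shared byte budget and return
    name -> bytes actually produced. Raises ValueError the moment the budget
    is exhausted, so a lying header cannot make us inflate more than the cap."""
    produced = {}
    budget = MAX_TOTAL_BYTES
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            count = 0
            with zf.open(info) as member:
                while True:
                    chunk = member.read(CHUNK)
                    if not chunk:
                        break
                    count += len(chunk)
                    budget -= len(chunk)
                    if budget < 0:
                        raise ValueError(
                            f"decompression cap exceeded while reading {info.filename}")
            produced[info.filename] = count
    return produced


def is_acceptable_archive(zip_bytes):
    """Upload-filter decision: both passes must succeed."""
    ok, _reason = header_check(zip_bytes)
    if not ok:
        return False
    try:
        safe_extract_sizes(zip_bytes)
    except (ValueError, zipfile.BadZipFile):
        return False
    return True


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("bomb", ZIP_BOMB), ("nested", NESTED)):
        print(label, len(blob), "bytes:", header_check(blob), is_acceptable_archive(blob))
```

In a real upload path the streaming pass is where the extracted bytes would go to the scanner or to storage; the point is that the budget is enforced on bytes actually produced, not on what the archive claims about itself.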
So many attackers, so many bugs, so little time. That’s the “beast,” and if we’re going to get its “number” we’re going to have to become more resilient.
So ask questions. Is the cloud OS enabling platform defenses and assessing DOS vulnerabilities? How can the provider and customers harden, whitelist, throttle, rate limit, isolate, monitor, etc., etc.? I’m currently working on a paper about “Determining Cloud Security Assessment Criteria.” I know where I have to tweak it after going to this conference!