Upload File

trusted computing and openstack - saweis.net › pdfs › weis-trusted-computing-openstack.pdf ·...

  • Home
  • Documents
  • Trusted Computing and OpenStack - saweis.net › pdfs › weis-trusted-computing-openstack.pdf · Trusted Computing & OpenStack Steve Weis! PrivateCore!! OpenStack Security Meetup!
15
Trusted Computing & OpenStack Steve Weis PrivateCore OpenStack Security Meetup July 2014

Upload: others

Post on 29-Jun-2020

6 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Trusted Computing and OpenStack - saweis.net › pdfs › weis-trusted-computing-openstack.pdf · Trusted Computing & OpenStack Steve Weis! PrivateCore!! OpenStack Security Meetup!

Trusted Computing & OpenStack

Steve Weis! PrivateCore!

!

OpenStack Security Meetup!July 2014

Page 2: Trusted Computing and OpenStack - saweis.net › pdfs › weis-trusted-computing-openstack.pdf · Trusted Computing & OpenStack Steve Weis! PrivateCore!! OpenStack Security Meetup!

How safe are bare-metal clouds?

Page 3: Trusted Computing and OpenStack - saweis.net › pdfs › weis-trusted-computing-openstack.pdf · Trusted Computing & OpenStack Steve Weis! PrivateCore!! OpenStack Security Meetup!

Attacks in the wild

Page 4: Trusted Computing and OpenStack - saweis.net › pdfs › weis-trusted-computing-openstack.pdf · Trusted Computing & OpenStack Steve Weis! PrivateCore!! OpenStack Security Meetup!

Exploit all the things!• Operating Systems

• BIOS / EFI

• Device firmware / Option ROMs

• Master boot records

• Keyboard controllers

• Management engines and controllers

Page 5: Trusted Computing and OpenStack - saweis.net › pdfs › weis-trusted-computing-openstack.pdf · Trusted Computing & OpenStack Steve Weis! PrivateCore!! OpenStack Security Meetup!

“Provide for the recovery of an !information system to a known state”

Source: NIST 800-53

Page 6: Trusted Computing and OpenStack - saweis.net › pdfs › weis-trusted-computing-openstack.pdf · Trusted Computing & OpenStack Steve Weis! PrivateCore!! OpenStack Security Meetup!

Trusted Execution Technology

Kernel OS Config

BIOSSINITPlatform Config

Option ROMs

MeasureRemote Attest

CPUTPM

Firmware and software needed to boot

Page 7: Trusted Computing and OpenStack - saweis.net › pdfs › weis-trusted-computing-openstack.pdf · Trusted Computing & OpenStack Steve Weis! PrivateCore!! OpenStack Security Meetup!

Example Measurements

OS

Credentials

MLE☚Config☚

ACM☚

BIOS☚

Page 8: Trusted Computing and OpenStack - saweis.net › pdfs › weis-trusted-computing-openstack.pdf · Trusted Computing & OpenStack Steve Weis! PrivateCore!! OpenStack Security Meetup!

Gaps in Trusted Execution

Spoof CPU

PastHypotheticalCurrent

Kernel OS Config

BIOSSINITPlatform Config

Option ROMs

CPUTPM

Overflow

ForgeProvenance

Extract Keys

Hashcollision

Paperclip

Spoof Bus

Page 9: Trusted Computing and OpenStack - saweis.net › pdfs › weis-trusted-computing-openstack.pdf · Trusted Computing & OpenStack Steve Weis! PrivateCore!! OpenStack Security Meetup!

Attestation in OpenStack

Page 10: Trusted Computing and OpenStack - saweis.net › pdfs › weis-trusted-computing-openstack.pdf · Trusted Computing & OpenStack Steve Weis! PrivateCore!! OpenStack Security Meetup!

Trusted Compute PoolsNova

Scheduler

Attestation Server

UserNova

Compute ANova

Compute B

1. Run my payload on a trusted compute node

2. Which nodes are trusted?

3. TPM Quote

4. Node A is good

5. Run payload on compute node A

Nova Compute A

Nova Compute B

Page 11: Trusted Computing and OpenStack - saweis.net › pdfs › weis-trusted-computing-openstack.pdf · Trusted Computing & OpenStack Steve Weis! PrivateCore!! OpenStack Security Meetup!

Implementations

• Open Attestation (OAT): https://01.org/openattestation

• Open source Java attestation server. Mostly developed by Intel.

• Intel Trust Attestation Solution (Mt. Wilson): Enterprise OAT

• PrivateCore vCage: Python / Django / Horizon attestation server

https://01.org/openattestation
Page 12: Trusted Computing and OpenStack - saweis.net › pdfs › weis-trusted-computing-openstack.pdf · Trusted Computing & OpenStack Steve Weis! PrivateCore!! OpenStack Security Meetup!

Gaps in Trusted Pool Model

Nova

Attestation Server

Nova ComputeGlanceSwiftCinder

Bad Compute

Compute PoolSeparate Trusted Environment?

Bad nodes already have control plane access?

Nova Compute

Page 13: Trusted Computing and OpenStack - saweis.net › pdfs › weis-trusted-computing-openstack.pdf · Trusted Computing & OpenStack Steve Weis! PrivateCore!! OpenStack Security Meetup!

OpenStack Components

Compute Node

Toward a Better Model

Attestation Server

1. AttestOpenStack

Components

Credential Storage 3. Provision

1. Attest

Compute Node🔑

4. Enroll2. Authorize

Trust Perimeter

Page 14: Trusted Computing and OpenStack - saweis.net › pdfs › weis-trusted-computing-openstack.pdf · Trusted Computing & OpenStack Steve Weis! PrivateCore!! OpenStack Security Meetup!

Suggested Improvements

1. Attest all servers in OpenStack: Not just compute nodes

2. Cloud providers should provide TPMs and compatible firmware

3. Vendors need to provide authoritative lists of measurement values

4. CPU vendors should ultimately remove dependency on TPMs

Page 15: Trusted Computing and OpenStack - saweis.net › pdfs › weis-trusted-computing-openstack.pdf · Trusted Computing & OpenStack Steve Weis! PrivateCore!! OpenStack Security Meetup!

Thank you!Questions?!

!

[email protected]!@sweis


Bernd X. Weis: Innovation: Requirements and Opportunities

Weis Markets Closes The Loop On Sustainability

Weis-Sonata La Infiel

Personalized Medicine James Weis and Lily Chan

BARBICAN NOVA CHEF OPENSTACK OPENSTACK CHARMS CINDER OPENSTACK-ANSIBLE · 2019-02-26 · openstack charms openstack-ansible oslo packaging-deb packaging-rpm puppet openstack quality

Securing OpenStack with Intel Trusted Computing

Dennis B. Weis - 3 Sleeve Splitting Routines

Welcome to Weis Library...Located in Building 2, Weis Library is the main library on the campus of Washington Adventist University. The library is named after Theofield G. Weis (1901-1971),

VMware + OpenStack · VMware’s OpenStack Initiative Contribute to OpenStack •Integrate VMware compute, network, storage SW with OpenStack. •Make OpenStack better, helping customers

Trusted Computing 2004 - eine unendliche Geschichte · Trusted Computing 2004 - eine unendliche Geschichte Ruediger Weis & Andreas Bogk cryptolabs Amsterdam & CCC Berlin Weis/Bogk,

Red Hat OpenStack Platform 16 · scripts also perform additional OpenStack resource tests for OpenStack Compute (nova), OpenStack Block Storage (cinder), OpenStack Image (glance),

Robert collins openstack on openstack 201304162

OpenStack & Ubuntu (india openstack day)

Discussion on Weis et al. 2011

OpenStack Deployment Manualsupport.brightcomputing.com/.../8.1/openstack-deployment-manual.pdf · 3.1.3 OpenStack Software Image Selection ... •The OpenStack Deployment Manual describes

Sanjay Sarma, Steve Weis, Dan Engels MIT

GDL OpenStack Community - Openstack Introduction

OpenStack Foundation - Certified OpenStack Administrator

Weis Sustainability Report 2015

2003 New England Offense - Charlie Weis

Section 1: Getting to Know Weis - Web viewSection 1: Getting to Know Weis. Founded in 1912 by Harry and Sigmund Weis, Weis Markets started out as a small neighborhood store called

OpenStack Training - OpenStack Summit Atlanta

RD Weis Companies earth day 2010

OpenStack Deployment Manual - Bright Computingsupport.brightcomputing.com/.../7.3/openstack-deployment-manual.pdf3.1.8 OpenStack Nodes Selection ... •The OpenStack Deployment Manual

[Weis Margaret] Margaret Weis Tracy Hickman

Weis - Hung Out

Trusted Docker Containers and Trusted VMs in OpenStack · Trusted Docker Containers and Trusted VMs in OpenStack ... o Reference Architecture with OpenStack ... Docker Engine –Runtime

2005 ND Offense -Part 2 - Charlie Weis

HRM Weis Orginal(MBA[1].Teheran).ppt

OpenStack on OpenStack

Who is Katie Weis?

DRBD + OpenStack (Openstack Live Prague 2016)

EVOLVE'13 | Enhance | Migration | David Weis

Austin OpenStack Meetup: Chef and OpenStack

ANUPDATEONOSM TOTHENFVRG · PDF file•Environmentbased"on"Mininet/Containernet ... OpenStack*Newton OpenStack*Newton OpenStack*Kilo OpenVIM OpenStack+ODL OpenStack+ODL OpenStack*Mitaka