Clouds in BlackHat's conference

Being on the other side of the pond I wasn’t able to attend Black Hat, but I have been keeping a keen eye on the posted conference materials and talk recordings being released after the conference’s close. As I’ve recently been researching the latest buzz around Cloud Computing, I was naturally drawn first to the talks with Cloud computing as a topic.

First up is Kostya Kortchinsky’s Cloudburst: Hacking 3D (and Breaking Out of) VMware. This presentation details an exploit vector for breaking out of the guest environment and gaining arbitrary code execution on the underlying host. Kortchinsky clearly knows his stuff, but I’ll admit most of his talk goes well above my head. For reasons touched on below I think this is a virtualisation issue rather than a Cloud issue, and “Cloud” was likely added to the title to cash in on the current buzz. Either way, the bottom line is that guest escape is rapidly moving from theoretical threat to practical attack vector, and it is something that should be considered when designing any system, network or architecture.

Secondly, the Sensepost team do a great job of explaining security issues new or prevalent to Cloud architecture with Clobbering the Cloud!, and include some great (read: humorous) images to help illustrate their points. I especially like the idea of building and sharing trojaned/backdoored machine images and waiting for the unsuspecting to take advantage of your generosity 🙂 The videos used within the actual presentation are available direct from the Sensepost site, here.

Taking away the award for longest talk title related to Cloud Computing is: Cloud Computing Models and Vulnerabilities: Raining on the Trendy New Parade. This talk discusses the three components of the cloud ‘stack’: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS).

I love the definition used for cloud computing or more accurately the statement that Cloud Computing is NOT:

  • Virtualisation
  • Remote Backup
  • Most of the stuff called cloud computing
  • And: ‘If you’re not re-writing your software, it’s not Cloud Computing’

From my previous research into Cloud Computing I feel that a lot of the security concerns often raised are not new or unique to the Cloud, and that well-established basic best practice will defend against the issues. The speakers of this presentation seem to be of a similar mind, but suggest that the early big players in this market are not necessarily doing all in their power; the example given is that something as basic as logging and audit trails isn’t fully available within the solutions currently on the market.

Likewise, depending on the Cloud provider’s contracts and EULA, clients of cloud services may not be able to fully control the security testing of ‘their’ environment, as some providers forbid ‘malicious’ traffic being targeted at their architecture and platforms. This could limit and/or remove the ability to perform fully comprehensive penetration testing, which, depending on location, market and data, may be a legal or regulatory requirement.

Whilst not related to the Black Hat conference, I read an article on datacentreknowledge.com, from RackSpace, claiming that the Cloud is going to spell the end of shared hosting as we know it. In my view this can only be a PR fluff piece, as anyone that understands hosted services, even those selling Cloud services themselves, agrees that regardless of how you rate the benefits of Cloud architecture it is not, and cannot be, a silver bullet to solve all the world’s IT problems, leaving a market for traditional architectures.

If the Cloud is here to stay, so is everything else. Regardless of an individual IT professional’s personal opinion of Cloud computing, it must be fully understood and measured on technical merits alongside existing solutions to be able to provide best value and ROI; implementing any solution based on ‘religious’ arguments is not in the best interests of any business.

Andrew Waite

2 Comments

  1. Andrew
    Great post!
    I agree that the cloud isn’t a silver bullet. I do wonder if some uses of the cloud can be done without re-writing (eg using EmailCloud) – but if we define the cloud to be IaaS / PaaS, then even well-put together applications are going to need some changes.
    I’m interested in your observations on ‘not everything in their power’ – eg logging, audit trails. What sort of things do you think could be done better? I know some are definitely taking on the SOX line – eg http://www.symetriq.com. What sort of control would be useful?

    1. Raph,
      the re-writing statement comes down to your personal definition of Cloud computing. I’ll agree with the presenters, if you’re not having to re-write your application then you’re not doing cloud, just providing a resilient and/or geographical diverse service (which may or may not fit some people’s definition of Cloud Computing)
      The ‘not everything in their power’ comment came from a list of tables comparing what aspects of connections various providers actually include in their logs. The talk is the best place for the actual analysis, but data reads were one area that was lacking, generally it could be difficult with the logging available to probably recover from or investigate following a potential incident.
      I hadn’t come across symetriq so thanks for the link. Whilst certification/compliance is always a good goal to strive for and can be a big help to improving a businesses security posture, simply achieving the certification on your reception wall doesn’t guarantee security (I believe TJX/Hartland were PCI compliant at time of breaches). My blogs tag-line (‘compliance != security’) sums up my opinion on the subject: Bits of paper mean as much to businesses as they do to individuals, you could find some brilliant techies with no certifications and you can (will?) encounter some bootcamp paper tigers with ability that doesn’t match their certs, business compliance can follow the same pattern.
