Securing the Virtual Environment: How to Defend the Enterprise Against Attack (with DVD)

A step-by-step guide to identifying and defending against attacks on the virtual environment

As more and more data is moved into virtual environments, the need to secure them becomes increasingly important. Useful for service providers as well as enterprise and small-business IT professionals, the book offers a broad look across virtualization as used in various industries, together with a narrow view of vulnerabilities unique to virtual environments. A companion DVD is included with recipes and testing scripts.

Examines the difference in a virtual model versus traditional computing models and the appropriate technology and procedures to defend it from attack

Dissects and exposes attacks targeted at the virtual environment and the steps necessary for defense

Covers information security in virtual environments: building a virtual attack lab, finding leaks, getting a side channel, denying or compromising services, abusing the hypervisor, forcing an interception, and spreading infestations

Accompanying DVD includes hands-on examples and code

This how-to guide arms IT managers, vendors, and architects of virtual environments with the tools they need to protect against common threats.

Davi Ottenheimer is president of flyingpenguin and a security/compliance consultant to VMware. He was previously responsible for security at Barclays Global Investors and at Yahoo! He has also helped secure Cisco, U.S. DoD, IBM, Intel, State Farm, and the University of California. Matthew Wallace is a solutions architect at VMware and was the founding engineer of Exodus Communications' Managed Security Services.

Introduction xxi

Chapter 1 Virtualized Environment Attacks 1

A Brief Introduction to the Cloud 1

Flavors of "Cloud" 3

Powering the Cloud 3

Why the Cloud Is Here to Stay 4

Managing Cloud Security 5

Principles of Information Security 6

Information Assets 7

Potential Threats 8

Potential Vulnerabilities 8

Potential Consequences 8

Incremental Risk Mitigation 9

Deny by Default 9

Never Trust Input; Assume the Worst 11

Confidentiality, Integrity, and Availability 12

The Human Factor 13

Managing Cloud Risks 14

Asset Management 20

Vulnerability Assessment 22

Communication 22

Authentication and Authorization 23

Software 25

Managing Cloud Compliance 31

Defining Compliance and Security 33

Making Use of Warnings 34

Cloud and the PKI 35

Summary 36

Chapter 2 Attacking from the Outside 41

Who Is an Outsider? 41

HR Policies and Procedures 42

Contracting and Outsourcing Talent 44

Friends and Family Discount 45

Configuring Cloud Audit Logs 46

Keeping Tabs on Accounts 50

Extending and Trusting Communication 50

Delegating and Spreading Roles in Order to Scale 62

Novice Users Empowered by Cloud Environments 62

Outsourced and Offshored Resources 62

SaaS Software Development at “Cloud Speed” 63

The Needs of Bespoke Solutions 63

Ensuring Continuity 64

Underspecialization 65

How to Piggyback on Fixes 66

Sudo and Shell Logging 70

Spoofing a Certificate 73

Summary 74

Chapter 3 Making the Complex Simple 77

Looking Around Without Getting Caught 78

Checking to See If Anyone Is Watching 78

Checking for Gaps in Awareness 79

Checking for Responsiveness 80

Complexity and the Cloud 81

Choosing a Spot with a View 83

The Hypervisor 83

The Director/Orchestrator/Manager 88

Assessing the Risk from Assessors 93

Slicing and Dicing Data 94

Detecting Layers of Virtualization Technology 94

Identifying and Targeting Assets 96

Versions 102

Supporting Infrastructure 103

Mail Servers 103

Web Servers 103

Domain Name Service 104

Databases and Directory Services 104

Timing an Attack 104

Long- versus Short-Term Objectives 104

How Long before You Are Ready to Attack? 104

How Long before You Can Attack Again? 105

Summary 106

Chapter 4 Denial of Service 109

Finding Signal in Noise 109

Improving Denial 111

Distributing Denial 112

Defining Success 113

Finding Service Vulnerabilities 115

Scanning and Validating Service Levels 115

Abstracting and Overcommitting 115

Validating Complexity 118

Limits of Penetration Testing 120

Denial of Testing 120

Testing for Denial 121

Abusing Proximity of Services: Step Attacks and Speed Attacks 125

Exploiting Service Vulnerabilities 127

Breaking Connections Between Services 127

Exhausting Resources 130

CPU 130

Memory 130

Disk Space and IOPS 131

The Dangers of Overcommitment 132

Locking Out Others 132

Summary 137

Chapter 5 Abusing the Hypervisor 141

Replacing Hardware Layers with Software 142

Relating Physical to Virtual 142

Displays 143

Memory 144

Disk 145

Network 147

Compromising the Kernel 147

Low-Level Interception 148

Real-World Example: Duqu 148

Classification and Defense 150

Breaking Out of KVM 151

Attacking Virtual CPU and Memory 161

The Cup Is Half Secure 162

Taking Plato’s Shadow Pill 162

Demonstrating the Risks 163

Qualifying Fear and Uncertainty 164

Measuring Failure Rates 165

Focusing on the Shortcomings of New Technology 166

Finding the Different Yet Old Attack Surfaces 167

Network 168

Systems 171

Databases 172

Escaping Jails, Sandboxes, and Buffers 174

What Is the Purpose of Root, Anyway? 176

Breaking Away from Identifiers 177

Every Door Is the Front Door 178

Summary 180

Chapter 6 Finding Leaks and Obtaining a Side Channel 185

Peeping Toms 186

Working Around Layer 2 and Layer 3 Controls 187

Becoming a Regular Man in the Middle 189

VMware vmKernel, vMotion, and Management Traffic 190

Xen and Live Migration 190

Mayhem with Certificates 191

Eliciting a Response by Manipulating State 193

Noisy Neighbors 194

Working on Shared Paths 195

Risk of Co-Tenancy 195

Detecting Co-Tenancy 197

IP-Based Detection 197

Timestamp Fingerprinting 198

Latency Testing 198

Cache-Based Detection 199

Conclusion 199

Forcing Co-Tenancy 199

Avoiding Co-Tenancy 200

Summary 201

Chapter 7 Logging and Orchestration 205

Logging Events 205

Virtualization and Cloud Logs 208

Multitenancy 210

Collating, Archiving, and Protecting 216

What to Look for in a SIEM Solution 217

Safety and Reliability 219

Sampling, or Getting Ready for the Auditors 219

Testing Incident Responsiveness 220

Tampering with Infrastructure 220

Adding, Duplicating, Deleting, and Modifying VMs 226

Modifying Logs: Hiding from SIEM 234

Orchestration: Good and Evil 236

Solving Business Challenges 237

Why Orchestrate? 237

The Power of Elasticity and Agility 238

Devops and the Cloud 238

Risks Resulting from Orchestration 239

Outdated Images or Templates 239

Archived Exploits 241

Runaway Infrastructure Intelligence 242

Exploiting Orchestration Directly 243

Tarnishing Gold Images 243

Exploiting Image Customization to Modify VMs 246

Attacks Against Backups and Snapshots 248

P2V 249

Summary 249

Chapter 8 Forcing an Interception 251

Mapping the Infrastructure 251

Finding and Exploiting the Middle Ground 258

Abuse of Management Interfaces 259

APIs and System Communication 261

Getting around API Blockades 264

Playing Games with Management Tools 265

Elastic Nightmares: Moving Data in the Clear 265

Finding Secure Boundaries 266

Summary 270

Chapter 9 Abusing Software as a Service 273

When All You Are Is a Nail, Everything Wants to Be a Hammer 274

Managing Identities 277

Centralizing and Federating 278

Finding Integrity Bugs 279

Finding Confidentiality Bugs 282

Trusting Authorities 285

Secure Development 287

Data Entropy 290

The Ubiquity of the Browser 299

Average Users and the Pain of Software Evolution 301

Stuck on JavaScript 303

The Risks of SaaS 305

The Attackers Have Your Environment 310

Homogeneity and the Rate of Infection 312

Summary 313

Chapter 10 Building Compliance into Virtual and Cloud Environments 319

Compliance versus Security 319

Virtualization Security 322

Brokering 326

Proxies 327

Federation 329

Virtualization Compliance 330

Working with Auditors and Assessors 335

Using Checklists and a Master Matrix 339

Should Do versus How To 341

ISO 27001, SAS 70, and SOC 2 341

Managing Expectations 342

Service Organization Controls 344

Automating Scope Assessments 347

Managing Change 348

HIPAA 351

FISMA, NIST, and FedRAMP 353

Summary 356

Appendix A Building a Virtual Attack Test Lab 361

Components of the Virtual Penetration Testing Lab 362

Physical versus Virtual 362

Hungry for RAM 363

Installation Order 363

Bill of Materials 364

Building the Gateway 364

Building the ESXi Hypervisor System 367

Configuring Shared Client Networking 372

Adding a Secondary IP Address to Windows 7 372

Adding a Secondary IP Address to a Mac 374

Adding a Secondary IP Address to a Linux System 375

Building Xen 376

Building KVM 383

Using Your Virtual Environments: Virtual Attacks 392

Adding Vulnerable Virtual Machines 392

Setting Up Backtrack 396

Where to Go from Here 398

Build the Cloud Stack 398

Eucalyptus 399

VMware vCloud 399

OpenStack 399

Amazon AWS 399

Start Building an Archive 400

Appendix B About the Media 401

Index 403