Securing software while maintaining usability
Alexander Reelsen @spinscale alex@elastic.co
Slide 2
Today’s goal
Improve security in your own apps!
today’s topic
Slide 6
Elasticsearch in 10 seconds
- Search Engine (FTS, Analytics, Geo), real-time
- Distributed, scalable, highly available, resilient
- Interface: HTTP & JSON
- Heart of the Elastic Stack
- Uneducated conservative guess: tens of thousands of clusters worldwide, hundreds of thousands of instances
Slide 7
Naming is hard: Security vs. Safety vs. Resiliency
- Do not run as root
- Integrity checks
- OutOfMemoryException
- System.exit
- Stop writing data before running out of disk space
Slide 8
Agenda
- Sandboxing your code
- Sandboxing other people's code
- Prevent system call executions
- Ensure a smooth ride into production
Slide 9
Sandbox: sandboxing all the code!
Slide 10
What is a sandbox? (permitted operations)
Your code → connect 192.168.1.1:9300 ✅
Your code → write /var/log/elasticsearch.log ✅
Your code → unlink /var/lib/elasticsearch/… ✅
Slide 11
What is a sandbox? (denied operations)
Your code → open /etc/passwd ⛔
Your code → connect bitcoin-miner.foo.bar ⛔
Your code → unlink /var/lib/elasticsearch ⛔
Slide 12
What is a sandbox? Your code runs inside the sandbox: permitted operations pass (✅), everything else is stopped at the sandbox boundary (⛔).
Slide 13
Sandbox my own code?!
- Expect your code to be exploited
- Prevent unknown attack vectors
- Is it really your code being executed?
- Simple security model
- Blocklist vs. allowlist
Slide 14
Java Security Manager (diagram, built up over several slides): the Java Program asks the Java Security Manager before each sensitive operation, and the Security Manager decides based on the Policy.
Slide 21
java.io.File
Slide 22
java.lang.SecurityManager
Slide 23
Security Manager Summary
- Extensible
- Requires knowledge of code execution within your dependencies!
- Many dependencies are not tested with the security manager, so untested code paths get executed
- No OOM protection!
- No stack overflow protection!
- No protection against Java agents
Slide 24
Elasticsearch & the security manager: Elasticsearch = core + modules + plugins
Plugins & modules
- plugins are just zip files
- each can have its own jars/dependencies
- each is loaded with its own classloader
- each can have its own security permissions
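The security manager slides above (java.io.File calling into java.lang.SecurityManager, a Policy deciding what is allowed) and the per-plugin permissions can be tried end to end with the following program. It is an added example, not code from the talk or from Elasticsearch: it writes an allowlist policy for its own temporary directory, installs a SecurityManager that logs every denial, and then attempts the operations from the sandbox diagram (read /etc/passwd, fork a process, connect to bitcoin-miner.foo.bar). The `codeBase` grant for `/opt/myapp/plugins/-` is a hypothetical plugin directory and only illustrates how code loaded by a separate classloader from another location gets its own permissions. Assumptions: Linux or macOS paths, and a JDK that still ships the security manager: JDK 8 to 16 run it as-is, JDK 17 deprecates it (JEP 411), JDK 18 to 23 need `java -Djava.security.manager=allow SecurityManagerDemo`, and JDK 24 removes the ability to install one (JEP 486).

```java
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.Permission;
import java.security.Policy;

public class SecurityManagerDemo {

    /** A SecurityManager subclass that logs every denied permission before rethrowing. */
    static final class LoggingSecurityManager extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            try {
                super.checkPermission(perm);
            } catch (SecurityException e) {
                System.err.println("DENIED " + perm);
                throw e;
            }
        }
    }

    /** Writes an allowlist policy: our own code may only touch the given directory. */
    static Path writePolicy(Path dir) throws IOException {
        String policy =
            "grant {\n" +
            "  permission java.io.FilePermission \"" + dir.toAbsolutePath() + "/-\", \"read,write,delete\";\n" +
            "};\n" +
            // Hypothetical plugin location: code loaded from there would get extra rights, nothing else would.
            "grant codeBase \"file:/opt/myapp/plugins/-\" {\n" +
            "  permission java.net.SocketPermission \"*:9300\", \"connect\";\n" +
            "};\n";
        Path file = dir.resolve("demo.policy");
        Files.write(file, policy.getBytes(StandardCharsets.UTF_8));
        return file;
    }

    /** Runs an action and reports whether the security manager let it through. */
    static void attempt(String what, Runnable action) {
        try {
            action.run();
            System.out.println("allowed: " + what);
        } catch (SecurityException e) {
            System.out.println("blocked: " + what + " (" + e.getMessage() + ")");
        }
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("sandbox-demo");
        Path policy = writePolicy(dir);

        // A plain "java.security.policy" value is additive to the JDK's default java.policy.
        System.setProperty("java.security.policy", policy.toUri().toString());
        Policy.getPolicy().refresh();
        System.setSecurityManager(new LoggingSecurityManager());

        attempt("write inside the sandbox directory", () -> {
            try { Files.write(dir.resolve("ok.txt"), "fine".getBytes(StandardCharsets.UTF_8)); }
            catch (IOException e) { throw new RuntimeException(e); }
        });
        // File.canRead() calls SecurityManager.checkRead() before touching the file system.
        attempt("read /etc/passwd", () -> new File("/etc/passwd").canRead());
        // ProcessBuilder.start() calls SecurityManager.checkExec() before forking.
        attempt("fork a process", () -> {
            try { Runtime.getRuntime().exec("id"); }
            catch (IOException e) { throw new RuntimeException(e); }
        });
        // Name resolution already needs SocketPermission "resolve", so no packet ever leaves the host.
        attempt("connect to bitcoin-miner.foo.bar", () -> {
            try { new java.net.Socket("bitcoin-miner.foo.bar", 80).close(); }
            catch (IOException e) { throw new RuntimeException(e); }
        });
    }
}
```

The first attempt succeeds and the other three are refused with an AccessControlException, each preceded by a `DENIED` line naming the exact permission that was missing. That log is the practical answer to "requires knowledge of code execution within your dependencies": run the test suite with the manager installed and the denials tell you which permissions a dependency really needs.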
Elasticsearch startup (timeline, built up one step per slide):
1. JVM Startup
2. Read configuration file
3. Native system calls
4. Set security manager
5. Load plugins
6. Bootstrap checks
7. Network enabled
Slide 38
#noroot: there is no reason to run code as root!
Slide 39
Do not run as root (on the startup timeline: JVM Startup, Read configuration file, Native system calls, Set security manager, Load plugins, Bootstrap checks, Network enabled)
Slide 40
Do not run as root
Slide 41
seccomp … or how I loved to abort system calls
Slide 42
Seccomp - prevent process forks (on the startup timeline: JVM Startup, Read configuration file, Native system calls, Set security manager, Load plugins, Bootstrap checks, Network enabled)
Slide 43
Seccomp - prevent process forks
- The security manager could fail; Elasticsearch should still not be able to fork processes
- A one-way transition that tells the operating system to deny the execve, fork, vfork and execveat system calls
- Works on Linux, Windows, Solaris, BSD, macOS
Slide 44
Seccomp - prevent process forks
Slide 45
Seccomp - prevent process forks
Slide 46
seccomp (diagram): your code sits inside the sandbox, which sits inside seccomp; permitted operations pass (✅), denied ones are stopped (⛔).
Slide 47
Bootstrap checks: annoying you now instead of devastating you later
Slide 48
Bootstrap checks (on the startup timeline: JVM Startup, Read configuration file, Native system calls, Set security manager, Load plugins, Bootstrap checks, Network enabled)
Slide 49
Bootstrap checks
Slide 50
Bootstrap checks
Slide 51
Bootstrap checks
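The bootstrap check slides sit on the timeline right before "Network enabled", and that placement is the whole idea: checks that would be a nuisance on a developer laptop become hard failures once the node is about to talk to other machines. The following is an added example, not Elasticsearch's BootstrapChecks class: the `Check` interface, the production-mode rule (enforce when binding a non-loopback address) and the 65535 file descriptor threshold are this example's own choices, and the heap check compares the heap's initial and maximum size from the MemoryMXBean as a simplification of reading the JVM's -Xms/-Xmx flags. It runs on any HotSpot JDK 8 or newer; the file descriptor check silently passes on platforms without `UnixOperatingSystemMXBean`.

```java
import java.lang.management.ManagementFactory;
import java.lang.management.MemoryUsage;
import java.lang.management.OperatingSystemMXBean;
import java.net.InetAddress;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Optional;

public class BootstrapChecks {

    /** A check returns a description of the problem, or empty if it passes. */
    public interface Check {
        Optional<String> check();
    }

    /** Heap must be fixed (-Xms == -Xmx) so the JVM never resizes it under load. */
    public static final Check HEAP_SIZE = () -> {
        MemoryUsage heap = ManagementFactory.getMemoryMXBean().getHeapMemoryUsage();
        if (heap.getInit() == heap.getMax()) {
            return Optional.empty();
        }
        return Optional.of("initial heap size [" + heap.getInit() + "] != maximum heap size [" + heap.getMax() + "]");
    };

    /** Enough file descriptors for data files and sockets; 65535 is a constructed threshold. */
    public static final Check FILE_DESCRIPTORS = () -> {
        OperatingSystemMXBean os = ManagementFactory.getOperatingSystemMXBean();
        if (os instanceof com.sun.management.UnixOperatingSystemMXBean) {
            long max = ((com.sun.management.UnixOperatingSystemMXBean) os).getMaxFileDescriptorCount();
            if (max < 65535) {
                return Optional.of("max file descriptors [" + max + "] is too low, increase to at least [65535]");
            }
        }
        return Optional.empty();
    };

    /** A node that binds a non-loopback address is reachable from other machines: enforce. */
    public static boolean isProductionMode(InetAddress bindAddress) {
        return !bindAddress.isLoopbackAddress() && !bindAddress.isLinkLocalAddress();
    }

    /** Runs every check; in production mode any failure aborts start-up with all problems listed at once. */
    public static List<String> run(boolean productionMode, List<Check> checks) {
        List<String> failures = new ArrayList<>();
        for (Check c : checks) {
            c.check().ifPresent(failures::add);
        }
        if (!failures.isEmpty()) {
            if (productionMode) {
                throw new IllegalStateException("bootstrap checks failed:\n  " + String.join("\n  ", failures));
            }
            failures.forEach(f -> System.err.println("warning: " + f));  // development: annoy, do not abort
        }
        return failures;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: the address the node would bind, loopback unless given on the command line.
        InetAddress bind = InetAddress.getByName(args.length > 0 ? args[0] : "127.0.0.1");
        boolean production = isProductionMode(bind);
        System.out.println("binding to " + bind.getHostAddress() + ", production mode: " + production);
        run(production, Arrays.asList(HEAP_SIZE, FILE_DESCRIPTORS));
        System.out.println("bootstrap checks passed, enabling network");
    }
}
```

Run it without arguments and a misconfigured JVM only warns; run it with a real interface address (for example the host's own IP) and the same misconfiguration aborts start-up before any port is opened. Collecting every failure before throwing matters in practice: an operator fixing one problem per restart is exactly the "devastating you later" experience the slide warns about.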
Slide 52
Bonus: ease-of-use. Don't forget your users…
Slide 53
Mark sensitive settings
Slide 54
Register all your settings
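"Mark sensitive settings" and "Register all your settings" are two sides of one registry: if the application knows every setting it accepts, it can reject unknown keys at start-up instead of silently ignoring a typo, and it can redact the ones marked sensitive wherever settings are logged or exposed. The class below is an added example and not Elasticsearch's Settings API; the names `Setting`, `SettingsRegistry`, `sensitive` and the sample keys are this example's own, and the configuration map in `main` is constructed, including a deliberate typo in the port key.

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.TreeSet;
import java.util.function.Predicate;

public class SettingsRegistry {

    public static final class Setting {
        final String key;
        final String defaultValue;
        final boolean sensitive;        // never shown in logs, diagnostics or APIs
        final Predicate<String> valid;  // checked at start-up, not at first use

        public Setting(String key, String defaultValue, boolean sensitive, Predicate<String> valid) {
            this.key = key; this.defaultValue = defaultValue; this.sensitive = sensitive; this.valid = valid;
        }
    }

    private final Map<String, Setting> known = new LinkedHashMap<>();

    public SettingsRegistry register(Setting s) {
        if (known.putIfAbsent(s.key, s) != null) {
            throw new IllegalArgumentException("setting [" + s.key + "] registered twice");
        }
        return this;
    }

    /** Fails fast on unknown keys (typos, removed settings) and on values that do not validate. */
    public Map<String, String> validate(Map<String, String> configured) {
        TreeSet<String> unknown = new TreeSet<>();
        Map<String, String> effective = new LinkedHashMap<>();
        for (Setting s : known.values()) {
            effective.put(s.key, configured.getOrDefault(s.key, s.defaultValue));
        }
        for (Map.Entry<String, String> e : configured.entrySet()) {
            Setting s = known.get(e.getKey());
            if (s == null) {
                unknown.add(e.getKey());
            } else if (!s.valid.test(e.getValue())) {
                // Even the error message must not leak a sensitive value.
                String shown = s.sensitive ? "<redacted>" : e.getValue();
                throw new IllegalArgumentException("invalid value for [" + s.key + "]: [" + shown + "]");
            }
        }
        if (!unknown.isEmpty()) {
            throw new IllegalArgumentException("unknown settings " + unknown + ", known settings: " + known.keySet());
        }
        return Collections.unmodifiableMap(effective);
    }

    /** The view that is safe to print or return from an API: sensitive values are redacted. */
    public Map<String, String> redacted(Map<String, String> effective) {
        Map<String, String> out = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : effective.entrySet()) {
            Setting s = known.get(e.getKey());
            out.put(e.getKey(), s != null && s.sensitive ? "<redacted>" : e.getValue());
        }
        return out;
    }

    public static void main(String[] args) {
        SettingsRegistry registry = new SettingsRegistry()
            .register(new Setting("cluster.name", "demo", false, v -> !v.isEmpty()))
            .register(new Setting("http.port", "9200", false, v -> v.matches("\\d{1,5}")))
            .register(new Setting("keystore.password", "", true, v -> true));

        // Constructed configuration as it might come from a file, with "http" misspelled as "htpt".
        Map<String, String> fromFile = new LinkedHashMap<>();
        fromFile.put("cluster.name", "prod");
        fromFile.put("htpt.port", "9201");
        fromFile.put("keystore.password", "hunter2");
        try {
            registry.validate(fromFile);
        } catch (IllegalArgumentException e) {
            System.out.println("refusing to start: " + e.getMessage());
        }

        fromFile.remove("htpt.port");
        fromFile.put("http.port", "9201");
        Map<String, String> effective = registry.validate(fromFile);
        System.out.println("effective settings: " + registry.redacted(effective));
    }
}
```

The first validation refuses to start and names both the unknown key and the known ones, so the user sees the typo immediately instead of discovering weeks later that the node still listens on 9200. The second prints `keystore.password=<redacted>`, and because `redacted` is the only view handed to logging or an API, the secret cannot leak through a diagnostics dump.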
Slide 55
Summary: Security is hard - let's go shopping!
Slide 56
Summary
- Developers have huge impact on security
- Developers know their application best!
- Don't reinvent, check out existing features!
- Developers are responsible for writing secure code!
- Before something happens!
Slide 57
Thanks for listening! Questions?
Alexander Reelsen @spinscale alex@elastic.co