Securing software while maintaining usability

A presentation at Code.Talks in October 2019 in Hamburg, Germany by Alexander Reelsen

Slide 1

Securing software while maintaining usability
Alexander Reelsen, @spinscale, alex@elastic.co

Slide 2

Today’s goal: improve security in your own apps!

Slide 3

Slide 4

Slide 5

today’s topic

Slide 6

Elasticsearch in 10 seconds
- Search engine (FTS, analytics, geo), real-time
- Distributed, scalable, highly available, resilient
- Interface: HTTP & JSON
- Heart of the Elastic Stack
- Uneducated conservative guess: tens of thousands of clusters worldwide, hundreds of thousands of instances

Slide 7

Naming is hard: Security vs. Safety vs. Resiliency
- Do not run as root
- Integrity checks
- OutOfMemoryException
- System.exit
- Stop writing data before running out of disk space

Slide 8

Agenda
- Sandboxing your code
- Sandboxing other people’s code
- Prevent system call executions
- Ensure a smooth ride into production

Slide 9

Sandbox: sandboxing all the code!

Slide 10

What is a sandbox? (diagram: operations your code is allowed to perform)
- connect 192.168.1.1:9300 ✅
- write /var/log/elasticsearch.log ✅
- unlink /var/lib/elasticsearch/… ✅

Slide 11

What is a sandbox? (diagram: operations your code is blocked from performing)
- open /etc/passwd ⛔
- connect bitcoin-miner.foo.bar ⛔
- unlink /var/lib/elasticsearch ⛔

Slide 12

What is a sandbox? (diagram: sandbox around your code, ✅ allowed, ⛔ denied)

Slide 13

Sandbox my own code?!
- Expect your code to be exploited
- Prevent unknown attack vectors
- Is it really your code being executed?
- Simple security model
- Blocklist vs. allowlist

Slide 14

Java Security Manager (diagram: Java Program, Java Security Manager, Policy)

Slide 15

Java Security Manager (diagram: Java Program, Java Security Manager, Policy)
Policy:
- FilePermission read /etc/elasticsearch
- FilePermission write /var/log/elasticsearch
- SocketPermission connect *

Slides 16–20

Java Security Manager (the same diagram repeated: Java Program, Java Security Manager, Policy)

Slide 21

java.io.File

Slide 22

java.lang.SecurityManager

Slide 23

Security Manager Summary
- Extensible
- Requires knowledge of code execution within your dependencies!
- Many dependencies are not tested with the security manager, resulting in unknown code path executions
- No OOM protection!
- No stack overflow protection!
- No protection against Java agents
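Slide 15 shows the policy as an allowlist of three permissions and slide 23 calls the security manager extensible. The program below is an added example (not Elasticsearch's code): it installs a Policy subclass that grants application code exactly those three permissions and then probes the installed SecurityManager. The class name, file names and the localhost:9300 probe are made up; the first three probes fall inside the grants, reading /etc/passwd and executing /bin/sh do not.

```java
import java.io.FilePermission;
import java.net.SocketPermission;
import java.security.AccessControlException;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.ProtectionDomain;

public class AllowlistPolicyDemo {
    // Allowlist policy: application code gets exactly the three grants from slide 15.
    static final class AllowlistPolicy extends Policy {
        // Resolved before the manager is installed; afterwards this lookup would need a permission.
        private static final ClassLoader PLATFORM = ClassLoader.getPlatformClassLoader();
        private final Permissions allowed = new Permissions();
        AllowlistPolicy() {
            // "/-" covers the directory and everything below it
            allowed.add(new FilePermission("/etc/elasticsearch/-", "read"));
            allowed.add(new FilePermission("/var/log/elasticsearch/-", "write"));
            allowed.add(new SocketPermission("*", "connect"));
        }
        @Override
        public boolean implies(ProtectionDomain domain, Permission permission) {
            ClassLoader loader = domain.getClassLoader();
            // JDK classes (bootstrap or platform loader) keep their privileges; all other code is
            // restricted to the allowlist, so anything not listed is denied by default.
            if (loader == null || loader == PLATFORM) return true;
            return allowed.implies(permission);
        }
    }
    // Asks the installed security manager whether a permission would be granted.
    static String check(Permission permission) {
        try {
            System.getSecurityManager().checkPermission(permission);
            return "allowed: " + permission;
        } catch (AccessControlException e) {
            return "denied:  " + permission;
        }
    }
    public static void main(String[] args) {
        Policy.setPolicy(new AllowlistPolicy());
        System.setSecurityManager(new SecurityManager());
        Permission[] probes = {
            new FilePermission("/etc/elasticsearch/elasticsearch.yml", "read"),
            new FilePermission("/var/log/elasticsearch/es.log", "write"),
            new SocketPermission("localhost:9300", "connect"),
            new FilePermission("/etc/passwd", "read"),
            new FilePermission("/bin/sh", "execute")
        };
        for (Permission p : probes) System.out.println(check(p));
    }
}
```

Needs JDK 9 or later; on JDK 17 to 23 the JVM must be started with -Djava.security.manager=allow, and JDK 24 disables the security manager permanently.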

Slide 24

Elasticsearch & the security manager (diagram: Elasticsearch, plugins, core modules)

Slide 25

Elasticsearch & the security manager (diagram: Elasticsearch, plugins, core modules)
Modules & plugins: lang-mustache, lang-painless, transport-netty4, repository-azure, analysis-icu

Slide 26

Plugins & modules
- plugins are just zip files
- each can have its own jars/dependencies
- each is loaded with its own classloader
- each can have its own security permissions

Slides 27–28

Plugins & modules (diagram: Elasticsearch Plugin, Java Security Manager, Policy)

Slide 29

Plugins & modules (diagram: two Elasticsearch Modules and an Elasticsearch Plugin, each with its own Policy)

Slides 30–37

Elasticsearch startup (timeline, built up one step per slide): JVM Startup → Read configuration file → Native system calls → Set security manager → Load plugins → Bootstrap checks → Network enabled

Slide 38

#noroot: there is no reason to run code as root!

Slide 39

Do not run as root (startup timeline: JVM Startup → Read configuration file → Native system calls → Set security manager → Load plugins → Bootstrap checks → Network enabled)

Slide 40

Do not run as root

Slide 41

seccomp … or how I loved to abort system calls

Slide 42

Seccomp - prevent process forks (startup timeline: JVM Startup → Read configuration file → Native system calls → Set security manager → Load plugins → Bootstrap checks → Network enabled)

Slide 43

Seccomp - prevent process forks
- Security manager could fail
- Elasticsearch should still not be able to fork processes
- One-way transition to tell the operating system to deny the execve, fork, vfork and execveat system calls
- Works on Linux, Windows, Solaris, BSD, OS X

Slides 44–45

Seccomp - prevent process forks

Slide 46

seccomp sandbox (diagram: seccomp around your code, ✅ allowed, ⛔ denied)

Slide 47

Bootstrap checks: annoying you now instead of devastating you later

Slide 48

Bootstrap checks (startup timeline: JVM Startup → Read configuration file → Native system calls → Set security manager → Load plugins → Bootstrap checks → Network enabled)

Slides 49–51

Bootstrap checks

Slide 52

Bonus: ease-of-use. Don’t forget your users…

Slide 53

Mark sensitive settings

Slide 54

Register all your settings

Slide 55

Summary: Security is hard - let’s go shopping!

Slide 56

Summary
- Developers have huge impact on security
- Developers know their application best!
- Don’t reinvent, check out existing features!
- Developers are responsible for writing secure code! Before something happens!

Slide 57

Thanks for listening! Questions?
Alexander Reelsen, @spinscale, alex@elastic.co

Slide 58

Resources
- https://github.com/elastic/elasticsearch/
- https://www.elastic.co/blog/bootstrap_checks_annoying_instead_of_devastating
- https://www.elastic.co/blog/scripting
- https://www.elastic.co/blog/scripting-security
- https://docs.oracle.com/javase/9/security/toc.htm
- https://docs.oracle.com/javase/9/security/permissions-java-development-kit.htm
- https://www.elastic.co/blog/seccomp-in-the-elastic-stack

Slide 59

Thanks for listening! Questions?
Alexander Reelsen, @spinscale, alex@elastic.co