Securing software while maintaining usability Alexander Reelsen @spinscale alex@elastic.co
A presentation at Code.Talks in October 2019 in Hamburg, Germany by Alexander Reelsen
Securing software while maintaining usability Alexander Reelsen @spinscale alex@elastic.co
Today’s goal Improve security in your own apps!
today’s topic
Elasticsearch in 10 seconds Search Engine (FTS, Analytics, Geo), real-time Distributed, scalable, highly available, resilient Interface: HTTP & JSON Heart of the Elastic Stack Uneducated conservative guess: Tens of thousands of clusters worldwide, hundreds of thousands of instances
Naming is hard Security vs. Safety vs. Resiliency Do not run as root Integrity checks OutOfMemoryException System.exit Stop writing data before running out of disk space
Agenda Sandboxing your code Sandboxing others people’s code Prevent system call executions Ensure a smooth ride into production
Sandbox Sandboxing all the code!
What is a sandbox? connect 192.168.1.1:9300 Your code write /var/log/elasticsearch.log unlink /var/lib/elasticsearch/… ✅ ✅ ✅
What is a sandbox? open /etc/passwd Your code connect bitcoin-miner.foo.bar unlink /var/lib/elasticsearch ⛔ ⛔ ⛔
What is a sandbox? sandbox ✅ Your code ⛔
Sandbox my own code?! Expect your code to be exploited Prevent unknown attack vectors Is it really your code being executed Simple security model Blocklist vs. allowlist
Java Security Manager Java Security Manager Java Program Policy
Java Security Manager Java Security Manager Policy FilePermission read /etc/elasticsearch Java Program FilePermission write /var/log/elasticsearch SocketPermission connect *
Java Security Manager Java Security Manager Policy Java Program
Java Security Manager Java Security Manager Policy Java Program
Java Security Manager Java Security Manager Policy Java Program
Java Security Manager Java Security Manager Policy Java Program
Java Security Manager Java Security Manager Policy Java Program
java.io.File
java.lang.SecurityManager
Security Manager Summary Extensible Requires knowledge of code execution within your dependencies! Many dependencies are not tested with the security manager, resulting in unknown code paths executions No OOM protection! No stack overflow protection! No protection against java agents
Elasticsearch & the security manager Elasticsearch plugins core modules
Elasticsearch & the security manager Elasticsearch plugins core modules modules & plugins lang-mustache lang-painless transport-netty4 repository-azure analysis-icu
Plugins & modules plugins are just zip files each can have its own jars/dependencies each is loaded with its own classloader each can have its own security permissions
Plugins & modules Java Security Manager Policy Elasticsearch Plugin
Plugins & modules Java Security Manager Elasticsearch Plugin Policy
Plugins & modules Elasticsearch Module Elasticsearch Plugin Policy Policy Elasticsearch Module Policy
Elasticsearch startup JVM Startup time
JVM Startup Elasticsearch startup time Read configuration file
time Read configuration file JVM Startup Elasticsearch startup Native system calls
time Native system calls Read configuration file JVM Startup Elasticsearch startup Set security manager
time Set security manager Native system calls Read configuration file JVM Startup Elasticsearch startup Load plugins
time Load plugins Set security manager Native system calls Read configuration file JVM Startup Elasticsearch startup Bootstrap checks
time Bootstrap checks Load plugins Set security manager Native system calls Read configuration file JVM Startup Elasticsearch startup Network enabled
time Network enabled Bootstrap checks Load plugins Set security manager Native system calls Read configuration file JVM Startup Elasticsearch startup
#noroot there is no reason to run code as root!
time Network enabled Bootstrap checks Load plugins Set security manager Native system calls Read configuration file JVM Startup Do not run as root
Do not run as root
seccomp … or how I loved to abort system calls
time Network enabled Bootstrap checks Load plugins Set security manager Native system calls Read configuration file JVM Startup Seccomp - prevent process forks
Seccomp - prevent process forks Security manager could fail Elasticsearch should still not be able to fork processes One way transition to tell the operating system to deny execve, fork, vfork, execveat system calls Works on Linux, Windows, Solaris, BSD, osx
Seccomp - prevent process forks
Seccomp - prevent process forks
seccomp sandbox seccomp ✅ Your code ⛔
bootstrap checks Annoying you now instead of devastating you later
time Network enabled Bootstrap checks Load plugins Set security manager Native system calls Read configuration file JVM Startup Bootstrap checks
Bootstrap checks
Bootstrap checks
Bootstrap checks
bonus: ease-of-use don’t forget your users…
Mark sensitive settings
Register all your settings
Summary Security is hard - let’s go shopping!
Summary Developers have huge impact on security Developers know their application best! Don’t reinvent, check out existing features! Developers are responsible for writing secure code! Before something happens!
Thanks for listening! Questions? Alexander Reelsen @spinscale alex@elastic.co
Resources https://github.com/elastic/elasticsearch/ https://www.elastic.co/blog/bootstrap_checks_annoying_instead_of_devastating https://www.elastic.co/blog/scripting https://www.elastic.co/blog/scripting-security https://docs.oracle.com/javase/9/security/toc.htm https://docs.oracle.com/javase/9/security/permissions-java-development-kit.htm https://www.elastic.co/blog/seccomp-in-the-elastic-stack
Thanks for listening! Questions? Alexander Reelsen @spinscale alex@elastic.co
