Scrutinizing SPIRE to Sensibly Strengthen SPIFFE Security

1. Scrutinizing SPIRE to Sensibly Strengthen SPIFFE Security Evan Gilman, Matt Moyer @moyerma @evan2645
2. Evan Gilman Engineer at Scytale
3. Matt Moyer Engineer at Heptio
4. What is SPIFFE? Secure Production Identity Framework for Everyone
5. SPIFFE is a specification.
6. SPIFFE ID spiffe://example.org/foo
7. SPIFFE Verifiable Identity Document spiffe://example.org/foo
8. SPIFFE Workload API [Diagram: Workload, Workload API, Server]
9. What is SPIRE? SPIFFE Runtime Environment
10. SPIRE is an (open source) implementation.
11. spire-server: ● Identity Mapping ● Node Attestation ● SVID Issuance. spire-agent: ● Workload Attestation ● Workload API
12. SPIRE Walkthrough spire-server CA
13. SPIRE Walkthrough spire-server CA Upstream CA Existing PKI (optional)
14. SPIRE Walkthrough Registration API spire-server CA Upstream CA Existing PKI (optional)
15. SPIRE Walkthrough Parent ID: spiffe://example.org/k8s/cluster/foo; Selector: k8s:ns:operations; Selector: k8s:sa:mediawiki; Selector: docker:image-id:746b819f315e; SPIFFE ID: spiffe://example.org/ops/wiki
16. SPIRE Walkthrough spire-server Node Attestor AWS
17. SPIRE Walkthrough spire-agent spire-server Node Attestor Node Attestor AWS
18. SPIRE Walkthrough spire-agent spire-server Node Attestor Node Attestor AWS
19. SPIRE Walkthrough spire-agent spire-server Node Attestor Node Attestor AWS
20. SPIRE Walkthrough spire-agent spire-server Node Attestor Node Attestor AWS
21. SPIRE Walkthrough spire-agent spire-server Node Attestor Node Attestor AWS
22. SPIRE Walkthrough spire-agent Server API Socket Linux Kernel
23. SPIRE Walkthrough spire-agent Server API Socket Linux Kernel Workload
24. SPIRE Walkthrough spire-agent Server API Socket Linux Kernel Workload
25. SPIRE Walkthrough kubelet spire-agent Server API Socket Linux Kernel Workload
26. What is this all about?
27. Community Security Modeling Exercise ● Study SPIRE and describe its security model. ● Kicked off December 2017 in collaboration with: Justin Cappos (NYU), Enrico Schiattarella
28. Goals 1. Understand the expected security properties of a SPIFFE implementation. 2. Explore what vulnerability classes exist in a SPIFFE system. 3. Identify how SPIRE (the implementation) can be improved. 4. Identify how SPIFFE (the specification) can be improved.
29. Non-Goals 1. Identify specific implementation vulnerabilities in SPIRE. 2. Formally prove anything about SPIFFE/SPIRE.
30. What security properties do we expect?
31. Attacker Goals • Impersonate a workload, node agent, or server. • Deny service to workloads or node agents. • Create a new (forged) identity.
32. Attacker Goals (cont.) • Modify permissions associated with an identity. • Trick a party into using the wrong identity. • Compromise the software running on a system.
33. Attacker Starting Position spire-server spire-agent workload
34. Attacker Superpowers ● Container escape vulnerability. ● Network-level interception/manipulation capability. ● Malformed certificate or CSR (short of RCE). ● Ability to overwhelm server with requests.
35. Attacker Superpowers (cont.) ● Remote code execution reachable from… ○ Go CSR parser. ○ Go X.509 certificate parser. ○ Pre-authenticated protocol stack (TLS, HTTP, gRPC)
36. Attacker Superpowers (cont.) ● Exploit for explicitly mitigated problem.
37. (State) Space Explorers
38. The Matrix ● We explored combinations of: ○ Attacker Goal ○ Starting Position ○ Victim Component ○ Attacker Capabilities ● This involved a lot of talking. ● The results went into a big spreadsheet.
39. Relative Likelihood [Chart: scale 1 to 1,000]
40. Relative Severity [Chart: scale 10 to 1,000; labels: Server, Agent, Container; Identity Theft, Misrepresentation, Compromise, DoS]
41. Joint Ranking [Chart: scale 10 to 10,000]
42. Findings
43. Finding: Add Rate Limiting in spire-server ● SPIRE server should have some rate limiting controls:
44. Finding: Eliminate CSR Parsing ● SPIFFE could drop CSR parsing altogether. ○ CSR (PKCS #10) format is complex. ○ CSR parsers are in general likely less exercised than certificate parsers. ○ Security of SPIFFE doesn’t rely on its signing guarantees.
45. Finding: No Big Surprises ● Overall, the design of the system enables the desired security properties. ● Doesn’t mean there aren’t issues we overlooked, but this is a good sign.
46. Scrutinizing SPIRE to Sensibly Strengthen SPIFFE Security Matt Moyer, Evan Gilman
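
The registration entry on slide 15, as an added example in Go (not SPIRE's own code and not from the talk): a simplified model of how an entry's parent ID and selectors gate which SPIFFE ID a workload receives. The `Entry` type, `SlideEntry`, `ValidSpiffeID` and `MatchEntries` are hypothetical names, and the extra `unix:uid:1000` selector is constructed sample input.

```go
package main

import (
	"fmt"
	"net/url"
)

// Entry is a simplified, hypothetical model of a registration entry.
type Entry struct {
	ParentID, SpiffeID string
	Selectors          []string
}

// SlideEntry holds the values shown on slide 15.
var SlideEntry = Entry{
	ParentID:  "spiffe://example.org/k8s/cluster/foo",
	SpiffeID:  "spiffe://example.org/ops/wiki",
	Selectors: []string{"k8s:ns:operations", "k8s:sa:mediawiki", "docker:image-id:746b819f315e"},
}

// ValidSpiffeID checks the URI shape: spiffe scheme, a trust domain, no userinfo, port, query or fragment.
func ValidSpiffeID(id string) bool {
	u, err := url.Parse(id)
	return err == nil && u.Scheme == "spiffe" && u.Hostname() != "" &&
		u.User == nil && u.Port() == "" && u.RawQuery == "" && u.Fragment == ""
}

// MatchEntries returns the SPIFFE IDs the agent may hand to a workload with the given attested selectors.
func MatchEntries(entries []Entry, agentID string, attested []string) []string {
	have := map[string]bool{}
	for _, s := range attested {
		have[s] = true
	}
	ids := []string{}
	for _, e := range entries {
		// The entry must be parented to this agent and carry at least one selector.
		ok := e.ParentID == agentID && ValidSpiffeID(e.SpiffeID) && len(e.Selectors) > 0
		for _, s := range e.Selectors {
			ok = ok && have[s] // every selector on the entry must have been attested
		}
		if ok {
			ids = append(ids, e.SpiffeID)
		}
	}
	return ids
}

func main() { // constructed workload: the slide's selectors plus one extra
	fmt.Println(MatchEntries([]Entry{SlideEntry}, SlideEntry.ParentID, append(SlideEntry.Selectors, "unix:uid:1000")))
}
```

A workload that attests only a subset of the entry's selectors, or that sits behind an agent with a different parent ID, gets no identity from this entry.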