An Analysis of OpenStack Vulnerabilities

Cloud management frameworks provide an effective way to deploy and manage the hardware, storage and network resources that support critical cloud infrastructures. OpenStack is used in business-critical systems and frequently handles highly sensitive resources, where a security breach may result in severe damage, including information theft or financial loss. Despite this, there is little information on how much of a concern security is during the design and implementation of OpenStack components. This work analyses five years of security reports on OpenStack and the corresponding patches, with the goal of characterizing the most frequent vulnerabilities, how they can be exploited, and their root causes. The aim is to identify vulnerability trends, characterize frequent threats, and shed some light on the overall security of OpenStack. Special focus is placed on the framework component for virtualization management (Nova), including an analysis of the code of the available patches. Overall, the results show a preponderance of vulnerabilities that can be exploited to cause denial of service (DoS) or to expose sensitive information. Moreover, two thirds of the vulnerabilities can be exploited through insider attacks, which suggests that administrators should focus protection efforts on that threat. Finally, many bugs remain undetected for long periods, even though most of them are easy to avoid, or to detect and correct.