Thursday, November 3, 2022

A new security attack vector on multitenant solutions

Multitenancy is about sharing provisioned resources among customers. It is often explained as: 

virtualization + resource sharing = multi-tenancy 


Tenancy is about customers, not users. Multiple users from a single organization can form a single tenant. Examples of multi-tenant applications include Business-to-Business solutions, Business-to-Consumer solutions, and Enterprise-wide platform solutions. 

One of the ways to manage resources is resource governance. Resource governance is hierarchical in nature. From top to bottom, limits can be enforced at each level using that level's own mechanism, starting with the operating system, then the resource pools, and finally the workload groups. Data I/O governance limits both read and write physical I/O against persisted data. IOPS limits are set for each service level to minimize the noisy neighbor effect. 

While noisy neighbors are a common scenario, they are not an attack vector. Attack vectors are determined from a threat model. A common methodology for studying threats is STRIDE analysis and threat mitigation. STRIDE is an acronym for the following: Spoofing identity – the threat that a user can impersonate another user. Tampering with data – the threat that a user can access Kubernetes resources or modify the contents of security artifacts. Repudiation – the threat that a user can perform an illegal action that Kubernetes cannot deter. Information disclosure – the threat that, say, a guest user can access resources as if the guest were the owner. Denial of service – the threat that, say, a crucial component in the operation of Kubernetes is overwhelmed by requests so that others experience an outage. Elevation of privilege – the threat that a user has gained access to components within the trust boundary, so that the system is compromised. 

One of the unique threats posed to multitenant solutions is that the attacker and the victim can share the same server. Such a setup cannot be mitigated by traditional security measures. When the attacker and the victim are with the same provider but located on separate servers, the attack vector is only penetrating the virtualization layer. When they are co-located, the attack vector is penetrating resource sharing. Traditional network security fails to provide adequate protection in this regard. 

Consider the case where an attacker begins with network probing and follows it up with a brute-force attack that exploits the multitenancy effect by getting the attacker's virtual machine placed beside the victim's virtual machine. Once this is achieved, a side-channel attack can exploit shared system characteristics to extract the victim's data. Hypervisors and operating systems do not mitigate this adequately. 

Potential mitigations of this attack vector include a resource allocation technique that determines the location of resources randomly. Another way to provide mitigation to selected tenants could be to restrict the number of times those resources can be allocated. In both cases, the attacker's cost, effort, and time are dramatically increased. 
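The two mitigations can be quantified: with uniformly random placement across H hosts, each allocation has a 1/H chance of landing beside a given victim, so capping a tenant at C allocations bounds its co-residency probability at 1 - (1 - 1/H)^C. The model below is an added example written for this post, not a real cloud scheduler; the host pool, the "victim"/"attacker" tenant names, and the cap values are constructed.

```python
"""Constructed model of randomized placement plus a per-tenant allocation cap,
and the co-residency probability a defender can expect from the combination."""

import math
import random


class RandomPlacementScheduler:
    """Places each new VM on a uniformly random host, at most `cap` per tenant."""

    def __init__(self, hosts, per_tenant_cap, rng=None):
        self.hosts = list(hosts)
        self.cap = per_tenant_cap
        # SystemRandom in production so placement is not predictable; a seeded
        # Random is injected below only to make the simulation reproducible.
        self.rng = rng or random.SystemRandom()
        self.allocations = {}  # tenant -> list of hosts holding its VMs

    def allocate(self, tenant):
        """Return the chosen host, or None once the tenant has reached its cap."""
        placed = self.allocations.setdefault(tenant, [])
        if len(placed) >= self.cap:
            return None
        host = self.rng.choice(self.hosts)
        placed.append(host)
        return host

    def co_resident(self, a, b):
        """True if tenants a and b have at least one host in common."""
        return bool(set(self.allocations.get(a, [])) & set(self.allocations.get(b, [])))


def coresidency_probability(num_hosts, attempts):
    """P(at least one of `attempts` random placements lands on a given host)."""
    return 1.0 - (1.0 - 1.0 / num_hosts) ** attempts


def max_cap_for_risk(num_hosts, max_prob):
    """Largest per-tenant cap that keeps co-residency probability <= max_prob."""
    if not 0.0 < max_prob < 1.0:
        raise ValueError("max_prob must be strictly between 0 and 1")
    return math.floor(math.log(1.0 - max_prob) / math.log(1.0 - 1.0 / num_hosts))


def simulate(num_hosts, cap, trials, seed=0):
    """Fraction of trials in which a capped attacker ever lands beside the victim."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        sched = RandomPlacementScheduler(range(num_hosts), cap, rng)
        sched.allocate("victim")
        # The attacker keeps allocating until the cap stops it.
        while sched.allocate("attacker") is not None:
            pass
        hits += sched.co_resident("victim", "attacker")
    return hits / trials
```

`max_cap_for_risk` is the defender-side knob: given the host count and an acceptable co-residency probability for a protected tenant, it returns the allocation cap to enforce on everyone else. The simulation should track `coresidency_probability` closely, which is the check that the cap, not luck, is doing the work.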

Not all multitenant solutions need to focus on such advanced mitigations. With proper network security at higher levels, these attacks not only become rare but also insignificant to mitigate. East-West network security is often planned for as part of the security compliance efforts of the multitenant solution provider. 


#codingexercise

https://ideone.com/TTu3xF
