SlideShare une entreprise Scribd logo

44CON 2013 - Hack the Gibson - Exploiting Supercomputers - John Fitzpatrick & Luke Jennings

44CON
44CON

We have had the luxury of conducting security research and penetration testing activities on a few Supercomputers on the world top 500 list. Having spent some time assessing the security of these awesome machines it’s fair to say that many of the technologies involved have been largely untouched by public security scrutiny and consequently the security bar is much lower than we have come to expect in 2013. This presentation will cover our research and demonstrate some of the most interesting and significant vulnerabilities we have uncovered so far. We will also be demonstrating 0-day exploits and previously undocumented attack techniques live so you can see how to get root on 20,000 nodes all at once. There are many ways to hack the Gibson and today you’ll learn some.

Technologie
1  sur  56
Télécharger pour lire hors ligne
Public EXTERNAL Hack the Gibson Exploiting Supercomputers 44Con Edition – September 2013 John Fitzpatrick Luke Jennings Labs.mwrinfosecurity.com | © MWR Labs Labs.mwrinfosecurity.com | © MWR Labs 1
Public EXTERNAL Outline • Introduction • Important Security Considerations • Job Schedulers – MOAB – Torque • OpenMPI • Distributed Filesystems – GPFS – Lustre • Cluster Management • Local Privilege Escalation Labs.mwrinfosecurity.com | © MWR Labs 2
Public EXTERNAL Outline • Introduction • Important Security Considerations • Job Schedulers – MOAB – Torque • OpenMPI • Distributed Filesystems – GPFS – Lustre • Cluster Management • Local Privilege Escalation Labs.mwrinfosecurity.com | © MWR Labs 3
Public EXTERNAL What is High Performance Computing? • Computer hardware and software aimed at solving very heavy computational tasks • Common Uses – Weather forecasting – Data Mining – Cryptanalysis – Nuclear weapons simulation – Molecular dynamics Labs.mwrinfosecurity.com | © MWR Labs 4
Public EXTERNAL History Labs.mwrinfosecurity.com | © MWR Labs 5
Public EXTERNAL Some Numbers Tianhe-2 Top500 rank: #1 (June 2013) • China’s National University of Defense Technology • 33.86 petaflops/s (Linpack) • 16,000 nodes (2x Intel Xeon IvyBridge + 3x Xeon Phi processors) • Total 3,120,000 cores • Memory: 1,375 TiB ~1,500 TB • Storage: 12.4 PB • Cost: ~£256 Million Labs.mwrinfosecurity.com | © MWR Labs Blue Joule (UK Fastest) Top500 rank: #18 (June 2013) • Daresbury Laboratory • IBM Blue Gene/Q • 1.25 petaflops/s (Linpack) • Total 114,688 cores • Storage ~5 PB 6
Public EXTERNAL Parallel Computing - Limits • Not all tasks can be parallelised e.g. Task B requires the result of Task A Labs.mwrinfosecurity.com | © MWR Labs 7
Public EXTERNAL Message Passing Interface • Achieves Cluster Computing Goal • Implements the concept of “Distributed Shared Memory” Labs.mwrinfosecurity.com | © MWR Labs 8
Public EXTERNAL Supercomputer vs Cluster • What really makes a true “supercomputer” is the use of extremely high performance networking kit to link the nodes • “Distributed Shared Memory” with normal Ethernet network connections will be orders of magnitude slower than RAM • Infiniband and Myrinet • Upto 300 Gbit/s with link aggregation! • 1 µs latency (that’s micro not milli) Labs.mwrinfosecurity.com | © MWR Labs 9
Public EXTERNAL Supercomputer – what about file systems? • Distributed file systems are used • Much higher performance • Each node will generally have access to identical data • Though its boot drive may be unique • Examples • GPFS • Lustre Labs.mwrinfosecurity.com | © MWR Labs 10
Public EXTERNAL Supercomputer – Job Scheduling • Not all nodes should be useable by anyone all the time…. Wait your turn! • Generally a user may write a parallel program using MPI and then submit it to a job scheduler • This then manages all the submissions and decides what runs on what nodes and what time etc. Labs.mwrinfosecurity.com | © MWR Labs 11
Public EXTERNAL Summary Architecture Labs.mwrinfosecurity.com | © MWR Labs 12
Public EXTERNAL Outline • Introduction • Important Security Considerations • Job Schedulers – MOAB – Torque • OpenMPI • Distributed Filesystems – GPFS – Lustre • Cluster Management • Local Privilege Escalation Labs.mwrinfosecurity.com | © MWR Labs 13
Public EXTERNAL Important Security Considerations Considerations • Users can typically connect to login nodes • Users run code on compute nodes • Trust relationships exist (passwordless key based SSH) • Job scheduling happens across many nodes • Nodes may need regular rebuilding Implications • Local priv-esc is a very big deal • Users have access to inner components • Remote imaging is pretty much essential • Several critical OS mechanisms are now network accessible Labs.mwrinfosecurity.com | © MWR Labs 14
Public EXTERNAL Outline • Introduction • Important Security Considerations • Job Schedulers – MOAB – Torque • OpenMPI • Distributed Filesystems – GPFS – Lustre • Cluster Management • Local Privilege Escalation Labs.mwrinfosecurity.com | © MWR Labs 15
Public EXTERNAL Job Schedulers • Resource Managers e.g. Torque, SLURM • Handle actual running of jobs on a single cluster • Basic logic for scheduling e.g. FIFO, round robin etc • Workload Managers (Schedulers) e.g. MOAB • Sit on top of resource managers • Can handle multiple clusters potentially with different resource • managers Intelligent, flexible, scalable scheduling Labs.mwrinfosecurity.com | © MWR Labs 16
Public EXTERNAL Outline • Introduction • Important Security Considerations • Job Schedulers – MOAB – Torque • OpenMPI • Distributed Filesystems – GPFS – Lustre • Cluster Management • Local Privilege Escalation Labs.mwrinfosecurity.com | © MWR Labs 17
Public EXTERNAL Job Schedulers - MOAB • Submit jobs using the “msub” command • This talks to a web server using XML • HMAC verifies authenticity of user information submitted • Default behaviour is insecure – key to generate hmac is hardcoded in binary Labs.mwrinfosecurity.com | © MWR Labs 18
Public EXTERNAL Job Schedulers - MOAB • More secure option is to use “mauth” authentication • Key is configured in a protected file -r-------- 1 root root 15 2007-04-05 03:47 /opt/moab/.moab.key • When “msub” is called, it makes use of a SUID root binary called • • • “mauth” to obtain the HMAC for the XML “mauth” can read the key (SUID root) If the user information submitted does not match the caller, it rejects the request Should be secure right? Labs.mwrinfosecurity.com | © MWR Labs 19
Public EXTERNAL Job Schedulers - MOAB Labs.mwrinfosecurity.com | © MWR Labs 20
Public EXTERNAL Job Schedulers - MOAB • Web service and “mauth” check different user IDs  • By default, “root” jobs are not allowed • However, web service allows “dynamic reconfiguration” • Pretend to be “root” to enable root jobs, then submit after  Labs.mwrinfosecurity.com | © MWR Labs 21
Public EXTERNAL Outline • Introduction • Important Security Considerations • Job Schedulers – MOAB – Torque • OpenMPI • Distributed Filesystems – GPFS – Lustre • Cluster Management • Local Privilege Escalation Labs.mwrinfosecurity.com | © MWR Labs 22
Public EXTERNAL Job Schedulers - Torque • Resource manager • Terascale Open-Source Resource and Queue Manager • Can integrate with MAIU/MOAB • Based on the original PBS project Labs.mwrinfosecurity.com | © MWR Labs 23
Public EXTERNAL Job Schedulers - Torque 2.4.x – support ended August 2012 2.5.x – Widely used, recommended, considered reliable 2.5.12 = Latest 3.0.x - has everything 2.5.x has plus it supports NUMA architectures 4.0.x - has significant enhancements to scalability for petaflop and large environments 4.1.x - has added significant enhancements for Cray systems 4.2.x – Includes support for Intel Xeon Phi 4.2.3.1 = Latest Labs.mwrinfosecurity.com | © MWR Labs 24
Public EXTERNAL Job Schedulers - Torque Simplified Overview Head Node 1. Submit Job pbs_server 2. Inform Scheduler Compute Node Scheduler pbs_mom 4. Instructions on how to run job 3. Find node for job Labs.mwrinfosecurity.com | © MWR Labs 25
Public EXTERNAL Job Schedulers - Torque $ qstat Job id ------------------85.server1 87.host1 88.host2 89.host2 90.server1 91.host1 Labs.mwrinfosecurity.com | © MWR Labs Name ------------STDIN STDIN STDIN STDIN STDIN STDIN User Time Use ------------ -------hpc1 0 rd002 0 user1 0 user1 0 testuser 0 rd002 0 S Q Q Q Q Q Q Queue ----batch batch batch batch batch batch 26
Public EXTERNAL Job Schedulers - Torque So let’s hack the Gibson… - unauthenticated remote root ;) Labs.mwrinfosecurity.com | © MWR Labs 27
Public EXTERNAL Outline • Introduction • Important Security Considerations • Job Schedulers – MOAB – Torque • OpenMPI • Distributed Filesystems – GPFS – Lustre • Cluster Management • Local Privilege Escalation Labs.mwrinfosecurity.com | © MWR Labs 28
Public EXTERNAL Open MPI Running standard program e.g. uname root@bt5:~/mpi# mpirun -H node,localhost uname -a Linux bt5 3.2.6 #1 SMP Fri Feb 17 10:34:20 EST 2012 x86_64 GNU/Linux Linux bt 2.6.39.4 #1 SMP Thu Aug 18 13:38:02 NZST 2011 i686 GNU/Linux Running custom MPI program root@bt5:~/mpi# mpirun -H node,localhost helloworld Hello from process 0 of 2 running on bt (0) Processor 0 sending buf data Hello from process 1 of 2 running on bt5 (0) Processor 1 received buf data: Hello :) Process 0 received reply: Wagwan! Labs.mwrinfosecurity.com | © MWR Labs 29
Public EXTERNAL Open MPI /usr/bin/ssh -x node orted --daemonize -mca ess env -mca orte_ess_jobid 76873728 -mca orte_ess_vpid 1 -mca orte_ess_num_procs 2 --hnp-uri "76873728.0;tcp://192.168.154.130:43622" Labs.mwrinfosecurity.com | © MWR Labs 30
Public EXTERNAL Open MPI Labs.mwrinfosecurity.com | © MWR Labs 31
Public EXTERNAL Open MPI Labs.mwrinfosecurity.com | © MWR Labs 32
Public EXTERNAL Open MPI • Vulnerable to a MITM...but most MITM attacks require root privileges e.g. ARP spoofing • If we have root on a node, we have root on everything anyway • The “Super-fast” network is only going to be physically accessible from within the data centre • ...so is this vulnerability actually applicable to the environment? Labs.mwrinfosecurity.com | © MWR Labs 33
Public EXTERNAL Open MPI • Exploitable as a low privileged user? • What if I connect to the port first, before the remote node? • Will the master node give up listening, so I can hijack the • port? Race condition? • Can I win the race? • Legitimate workflow involves an SSH connection then a TCP • • connect back My code can all run on the master node No network comms = I have the speed advantage Labs.mwrinfosecurity.com | © MWR Labs 34
Public EXTERNAL Open MPI • The port we could brute force, but we need that ID too… --hnp-uri "76873728.0;tcp://192.168.154.130:43622" • …but Linux normally gives away command line arguments via /proc file system e.g. “ps aux” below daemon 833 0.0 0.0 18932 392 ? Ss Nov05 0:00 atd root 834 0.0 0.0 21124 1024 ? Ss Nov05 0:15 cron root 835 0.0 0.0 11332 640 ? Ss Nov05 0:12 /usr/sbin/irqbalance root 844 0.0 0.1 120676 3644 ? Sl Nov05 0:00 /usr/sbin/console-kit-daemon --no-daemon postgres 965 0.0 0.1 49356 4080 ? S Nov05 0:00 /opt/metasploit/postgresql/bin/postgres -D /opt/metasploit/postgresql/data -p 7337 postgres 1278 0.0 0.0 49356 1244 ? Ss Nov05 0:20 postgres: writer process postgres 1279 0.0 0.0 49356 976 ? Ss Nov05 0:17 postgres: wal writer process postgres 1280 0.0 0.0 49492 1180 ? Ss Nov05 0:19 postgres: autovacuum launcher process postgres 1281 0.0 0.0 20764 1008 ? Ss Nov05 0:03 postgres: stats collector process root 1303 0.0 0.0 59480 716 ? Ssl Nov05 0:00 /usr/sbin/vmware-vmblock-fuse -o subtype=vmware-vmblock,default_permissions,allow_other /var/run/vmblock-fuse root 1359 0.0 0.1 85000 4008 ? S Nov05 1:28 /usr/sbin/vmtoolsd root 1423 0.0 0.0 0 0 ? S Nov05 0:05 [flush-8:0] root 1439 0.0 0.0 6604 664 ? Ss Nov05 0:15 dhclient3 -e IF_METRIC=100 -pf /var/run/dhclient.eth1.pid -lf /var/lib/dhcp3/dhclient.eth1.leases eth1 ntp 1560 0.0 0.0 27912 1580 ? Ss Nov05 0:06 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 113:121 Labs.mwrinfosecurity.com | © MWR Labs 35
Public EXTERNAL Open MPI The Exploit 1. Monitor /proc file system 2. When the ssh connection is detected, read the port number and application specific ID 3. Connect to port and “talk” MPI to it along with the correct ID so the master node is happy execution has started 4. Master node will then release the port, so we can listen on it 5. If we are quick enough, we receive the connect back from the remote node and “talk” MPI and issue our own “command” Labs.mwrinfosecurity.com | © MWR Labs 36
Public EXTERNAL Open MPI The Exploit DEMO Labs.mwrinfosecurity.com | © MWR Labs 37
Public EXTERNAL Outline • Introduction • Important Security Considerations • Job Schedulers – MOAB – Torque • OpenMPI • Distributed Filesystems – GPFS – Lustre • Cluster Management • Local Privilege Escalation Labs.mwrinfosecurity.com | © MWR Labs 38
Public EXTERNAL Distributed Filesystems • Gbit/sec • Infiniband • Petabytes • Tens of thousands of disks Labs.mwrinfosecurity.com | © MWR Labs 39
Public EXTERNAL Distributed Filesystems • Commonly used: – GPFS – NFS – Lustre • Performance is Key Labs.mwrinfosecurity.com | © MWR Labs 40
Public EXTERNAL Outline • Introduction • Important Security Considerations • Job Schedulers – MOAB – Torque • OpenMPI • Distributed Filesystems – GPFS – Lustre • Cluster Management • Local Privilege Escalation Labs.mwrinfosecurity.com | © MWR Labs 41
Public EXTERNAL Distributed Filesystems - GPFS IBM – file system “It’s quite expensive - we bought an instance of GPFS from IBM and they gave us a free supercomputer with it” Good tech overview here: https://computing.llnl.gov/code/sio/ucrl-web-148419-pt-1.pdf Labs.mwrinfosecurity.com | © MWR Labs 42
Public EXTERNAL Distributed Filesystems - GPFS Bill Loewe: https://computing.llnl.gov/code/sio/ucrl-web-148419-pt-1.pdf Labs.mwrinfosecurity.com | © MWR Labs 43
Public EXTERNAL Outline • Introduction • Important Security Considerations • Job Schedulers – MOAB – Torque • OpenMPI • Distributed Filesystems – GPFS – Lustre • Cluster Management • Local Privilege Escalation Labs.mwrinfosecurity.com | © MWR Labs 44
Public EXTERNAL Distributed Filesystems - Lustre • Widely used • Over 60 of the top 100 supercomputers use Lustre • Resold in appliances Labs.mwrinfosecurity.com | © MWR Labs 45
Public EXTERNAL Distributed Filesystems - Lustre Labs.mwrinfosecurity.com | © MWR Labs 46
Public EXTERNAL Distributed Filesystems - Lustre The Exploit (found by reading the documentation!) DEMO Labs.mwrinfosecurity.com | © MWR Labs 47
Public EXTERNAL Outline • Introduction • Important Security Considerations • Job Schedulers – MOAB – Torque • OpenMPI • Distributed Filesystems – GPFS – Lustre • Cluster Management • Local Privilege Escalation Labs.mwrinfosecurity.com | © MWR Labs 48
Public EXTERNAL Cluster Management • Tens of thousands of nodes = remote imaging is the norm • Used to this sort of technology from corporate environments e.g. PXE booting rebuilds etc. • We’ve seen a couple of vendor implementations – Both used PXE + TFTP (as is common) – One used custom protocols for the second stage – The other used common protocols like rsync Labs.mwrinfosecurity.com | © MWR Labs 49
Public EXTERNAL Cluster Management • The nature of this type of technology makes it very difficult to secure directly • But two things are key: – Read-only images -> otherwise suffer backdoors – No sensitive information in the images -> work to the assumption of no confidentiality • Sensitive information – E.g. root’s private SSH key or MOAB key files – This information can be added securely as a post imaging step within scripts Labs.mwrinfosecurity.com | © MWR Labs 50
Public EXTERNAL Outline • Introduction • Important Security Considerations • Job Schedulers – MOAB – Torque • OpenMPI • Distributed Filesystems – GPFS – Lustre • Cluster Management • Local Privilege Escalation Labs.mwrinfosecurity.com | © MWR Labs 51
Public EXTERNAL Local Privilege Escalation • When all your users run code on “servers”, this is important • Besides patch management and usual UNIX file permissions etc., pay attention to manufacturer added attack surface, e.g. SUID binaries • On one manufacturer default install we found two non-standard SUID root binaries • One looked particularly interesting as it had an “extract to directory” option Labs.mwrinfosecurity.com | © MWR Labs 52
Public EXTERNAL Local Privilege Escalation • When run normally it lists something related to the local directory contents • After much investigation, it turns out the cryptic numbers encode the ownership info and file permissions • After further investigation, when supplied to the “extract” option, it modifies the local directory contents to match Labs.mwrinfosecurity.com | © MWR Labs 53
Public EXTERNAL Local Privilege Escalation • …Oh dear! So if we encode something like this on our own system… -rwsr-xr-x 1 root root 136 Feb 26 2012 /bin/sh • …and then extract the output on the target system • We get a SUID root shell. Nice  • Neither SUID binary even appeared to be needed, let alone require SUID permissions! – Remove unnecessary attack surface Labs.mwrinfosecurity.com | © MWR Labs 54
Public EXTERNAL Summary • Interesting Challenges – Performance and security – Authenticating users across multiple nodes securely Labs.mwrinfosecurity.com | © MWR Labs 55
Public EXTERNAL Questions? http://labs.mwrinfosecurity.com | @mwrlabs John.fitzpatrick@mwrinfosecurity.com | @j0hn__f Luke.jennings@mwrinfosecurity.com Labs.mwrinfosecurity.com | © MWR Labs 56

Recommandé

High Availability in Neutron
High Availability in NeutronHigh Availability in Neutron
High Availability in NeutronRossella Sblendido
 
Neutron high availability open stack architecture openstack israel event 2015
Neutron high availability open stack architecture openstack israel event 2015Neutron high availability open stack architecture openstack israel event 2015
Neutron high availability open stack architecture openstack israel event 2015Arthur Berezin
 
ONUG Tutorial: Bridges and Tunnels Drive Through OpenStack Networking
ONUG Tutorial: Bridges and Tunnels Drive Through OpenStack NetworkingONUG Tutorial: Bridges and Tunnels Drive Through OpenStack Networking
ONUG Tutorial: Bridges and Tunnels Drive Through OpenStack Networkingmarkmcclain
 
Neutron behind the scenes
Neutron behind the scenesNeutron behind the scenes
Neutron behind the scenesinbroker
 
Sdn command line controller lab
Sdn command line controller labSdn command line controller lab
Sdn command line controller labGuedda houssem eddin
 
Training open stack networking -neutron
Training open stack networking -neutronTraining open stack networking -neutron
Training open stack networking -neutronHaifeng Yan (颜海峰)
 
OpenStack Networking and Automation
OpenStack Networking and AutomationOpenStack Networking and Automation
OpenStack Networking and AutomationAdam Johnson
 
Open stack HA - Theory to Reality
Open stack HA - Theory to RealityOpen stack HA - Theory to Reality
Open stack HA - Theory to RealitySriram Subramanian
 

Recommandé

High Availability in Neutron
High Availability in NeutronHigh Availability in Neutron
High Availability in NeutronRossella Sblendido
 
Neutron high availability open stack architecture openstack israel event 2015
Neutron high availability open stack architecture openstack israel event 2015Neutron high availability open stack architecture openstack israel event 2015
Neutron high availability open stack architecture openstack israel event 2015Arthur Berezin
 
ONUG Tutorial: Bridges and Tunnels Drive Through OpenStack Networking
ONUG Tutorial: Bridges and Tunnels Drive Through OpenStack NetworkingONUG Tutorial: Bridges and Tunnels Drive Through OpenStack Networking
ONUG Tutorial: Bridges and Tunnels Drive Through OpenStack Networkingmarkmcclain
 
Neutron behind the scenes
Neutron behind the scenesNeutron behind the scenes
Neutron behind the scenesinbroker
 
Sdn command line controller lab
Sdn command line controller labSdn command line controller lab
Sdn command line controller labGuedda houssem eddin
 
Training open stack networking -neutron
Training open stack networking -neutronTraining open stack networking -neutron
Training open stack networking -neutronHaifeng Yan (颜海峰)
 
OpenStack Networking and Automation
OpenStack Networking and AutomationOpenStack Networking and Automation
OpenStack Networking and AutomationAdam Johnson
 
Open stack HA - Theory to Reality
Open stack HA - Theory to RealityOpen stack HA - Theory to Reality
Open stack HA - Theory to RealitySriram Subramanian
 
Introduction to MidoNet
Introduction to MidoNetIntroduction to MidoNet
Introduction to MidoNetTaku Fukushima
 
An Introduction to OpenStack Networking
An Introduction to OpenStack NetworkingAn Introduction to OpenStack Networking
An Introduction to OpenStack NetworkingScott Lowe
 
OpenStack HA
OpenStack HAOpenStack HA
OpenStack HAKenneth Hui
 
Enabling Scientific Workflows on FermiCloud using OpenNebula
Enabling Scientific Workflows on FermiCloud using OpenNebulaEnabling Scientific Workflows on FermiCloud using OpenNebula
Enabling Scientific Workflows on FermiCloud using OpenNebulaNETWAYS
 
Open stack ha design & deployment kilo
Open stack ha design & deployment kiloOpen stack ha design & deployment kilo
Open stack ha design & deployment kiloSteven Li
 
Meetup 23 - 02 - OVN - The future of networking in OpenStack
Meetup 23 - 02 - OVN - The future of networking in OpenStackMeetup 23 - 02 - OVN - The future of networking in OpenStack
Meetup 23 - 02 - OVN - The future of networking in OpenStackVietnam Open Infrastructure User Group
 
OpenDaylight: an open source SDN for your OpenStack cloud
OpenDaylight: an open source SDN for your OpenStack cloudOpenDaylight: an open source SDN for your OpenStack cloud
OpenDaylight: an open source SDN for your OpenStack cloudAnees Shaikh
 
MidoNet deep dive
MidoNet deep diveMidoNet deep dive
MidoNet deep diveTaku Fukushima
 
L2 and L3 agent restructure
L2 and L3 agent restructureL2 and L3 agent restructure
L2 and L3 agent restructureRossella Sblendido
 
Open daylight and Openstack
Open daylight and OpenstackOpen daylight and Openstack
Open daylight and OpenstackDave Neary
 
Tips Tricks and Tactics with Cells and Scaling OpenStack - May, 2015
Tips Tricks and Tactics with Cells and Scaling OpenStack - May, 2015Tips Tricks and Tactics with Cells and Scaling OpenStack - May, 2015
Tips Tricks and Tactics with Cells and Scaling OpenStack - May, 2015Belmiro Moreira
 
Inside Architecture of Neutron
Inside Architecture of NeutronInside Architecture of Neutron
Inside Architecture of Neutronmarkmcclain
 
OpenStack networking (Neutron)
OpenStack networking (Neutron) OpenStack networking (Neutron)
OpenStack networking (Neutron) CREATE-NET
 
Quantum - Virtual networks for Openstack
Quantum - Virtual networks for OpenstackQuantum - Virtual networks for Openstack
Quantum - Virtual networks for Openstacksalv_orlando
 
Open stack networking_101_update_2014
Open stack networking_101_update_2014Open stack networking_101_update_2014
Open stack networking_101_update_2014yfauser
 
OpenStack Neutron's Distributed Virtual Router
OpenStack Neutron's Distributed Virtual RouterOpenStack Neutron's Distributed Virtual Router
OpenStack Neutron's Distributed Virtual Routercarlbaldwin
 
Introduction to Software Defined Networking and OpenStack Neutron
Introduction to Software Defined Networking and OpenStack NeutronIntroduction to Software Defined Networking and OpenStack Neutron
Introduction to Software Defined Networking and OpenStack NeutronSana Khan
 
OpenStack High Availability
OpenStack High AvailabilityOpenStack High Availability
OpenStack High AvailabilityJakub Pavlik
 
EBPF and Linux Networking
EBPF and Linux NetworkingEBPF and Linux Networking
EBPF and Linux NetworkingPLUMgrid
 
Openstack Basic with Neutron
Openstack Basic with NeutronOpenstack Basic with Neutron
Openstack Basic with NeutronKwonSun Bae
 
IBM MQ High Availabillity and Disaster Recovery (2017 version)
IBM MQ High Availabillity and Disaster Recovery (2017 version)IBM MQ High Availabillity and Disaster Recovery (2017 version)
IBM MQ High Availabillity and Disaster Recovery (2017 version)MarkTaylorIBM
 
Shaping the Future: To Globus Compute and Beyond!
Shaping the Future: To Globus Compute and Beyond!Shaping the Future: To Globus Compute and Beyond!
Shaping the Future: To Globus Compute and Beyond!Globus
 

Contenu connexe

Tendances

Introduction to MidoNet
Introduction to MidoNetIntroduction to MidoNet
Introduction to MidoNetTaku Fukushima
 
An Introduction to OpenStack Networking
An Introduction to OpenStack NetworkingAn Introduction to OpenStack Networking
An Introduction to OpenStack NetworkingScott Lowe
 
Enabling Scientific Workflows on FermiCloud using OpenNebula
Enabling Scientific Workflows on FermiCloud using OpenNebulaEnabling Scientific Workflows on FermiCloud using OpenNebula
Enabling Scientific Workflows on FermiCloud using OpenNebulaNETWAYS
 
Open stack ha design & deployment kilo
Open stack ha design & deployment kiloOpen stack ha design & deployment kilo
Open stack ha design & deployment kiloSteven Li
 
OpenDaylight: an open source SDN for your OpenStack cloud
OpenDaylight: an open source SDN for your OpenStack cloudOpenDaylight: an open source SDN for your OpenStack cloud
OpenDaylight: an open source SDN for your OpenStack cloudAnees Shaikh
 
Open daylight and Openstack
Open daylight and OpenstackOpen daylight and Openstack
Open daylight and OpenstackDave Neary
 
Tips Tricks and Tactics with Cells and Scaling OpenStack - May, 2015
Tips Tricks and Tactics with Cells and Scaling OpenStack - May, 2015Tips Tricks and Tactics with Cells and Scaling OpenStack - May, 2015
Tips Tricks and Tactics with Cells and Scaling OpenStack - May, 2015Belmiro Moreira
 
Inside Architecture of Neutron
Inside Architecture of NeutronInside Architecture of Neutron
Inside Architecture of Neutronmarkmcclain
 
OpenStack networking (Neutron)
OpenStack networking (Neutron) OpenStack networking (Neutron)
OpenStack networking (Neutron) CREATE-NET
 
Quantum - Virtual networks for Openstack
Quantum - Virtual networks for OpenstackQuantum - Virtual networks for Openstack
Quantum - Virtual networks for Openstacksalv_orlando
 
Open stack networking_101_update_2014
Open stack networking_101_update_2014Open stack networking_101_update_2014
Open stack networking_101_update_2014yfauser
 
OpenStack Neutron's Distributed Virtual Router
OpenStack Neutron's Distributed Virtual RouterOpenStack Neutron's Distributed Virtual Router
OpenStack Neutron's Distributed Virtual Routercarlbaldwin
 
Introduction to Software Defined Networking and OpenStack Neutron
Introduction to Software Defined Networking and OpenStack NeutronIntroduction to Software Defined Networking and OpenStack Neutron
Introduction to Software Defined Networking and OpenStack NeutronSana Khan
 
OpenStack High Availability
OpenStack High AvailabilityOpenStack High Availability
OpenStack High AvailabilityJakub Pavlik
 
EBPF and Linux Networking
EBPF and Linux NetworkingEBPF and Linux Networking
EBPF and Linux NetworkingPLUMgrid
 
Openstack Basic with Neutron
Openstack Basic with NeutronOpenstack Basic with Neutron
Openstack Basic with NeutronKwonSun Bae
 

Tendances (20)

Introduction to MidoNet
Introduction to MidoNetIntroduction to MidoNet
Introduction to MidoNet
 
An Introduction to OpenStack Networking
An Introduction to OpenStack NetworkingAn Introduction to OpenStack Networking
An Introduction to OpenStack Networking
 
OpenStack HA
OpenStack HAOpenStack HA
OpenStack HA
 
Enabling Scientific Workflows on FermiCloud using OpenNebula
Enabling Scientific Workflows on FermiCloud using OpenNebulaEnabling Scientific Workflows on FermiCloud using OpenNebula
Enabling Scientific Workflows on FermiCloud using OpenNebula
 
Open stack ha design & deployment kilo
Open stack ha design & deployment kiloOpen stack ha design & deployment kilo
Open stack ha design & deployment kilo
 
Meetup 23 - 02 - OVN - The future of networking in OpenStack
Meetup 23 - 02 - OVN - The future of networking in OpenStackMeetup 23 - 02 - OVN - The future of networking in OpenStack
Meetup 23 - 02 - OVN - The future of networking in OpenStack
 
OpenDaylight: an open source SDN for your OpenStack cloud
OpenDaylight: an open source SDN for your OpenStack cloudOpenDaylight: an open source SDN for your OpenStack cloud
OpenDaylight: an open source SDN for your OpenStack cloud
 
MidoNet deep dive
MidoNet deep diveMidoNet deep dive
MidoNet deep dive
 
L2 and L3 agent restructure
L2 and L3 agent restructureL2 and L3 agent restructure
L2 and L3 agent restructure
 
Open daylight and Openstack
Open daylight and OpenstackOpen daylight and Openstack
Open daylight and Openstack
 
Tips Tricks and Tactics with Cells and Scaling OpenStack - May, 2015
Tips Tricks and Tactics with Cells and Scaling OpenStack - May, 2015Tips Tricks and Tactics with Cells and Scaling OpenStack - May, 2015
Tips Tricks and Tactics with Cells and Scaling OpenStack - May, 2015
 
Inside Architecture of Neutron
Inside Architecture of NeutronInside Architecture of Neutron
Inside Architecture of Neutron
 
OpenStack networking (Neutron)
OpenStack networking (Neutron) OpenStack networking (Neutron)
OpenStack networking (Neutron)
 
Quantum - Virtual networks for Openstack
Quantum - Virtual networks for OpenstackQuantum - Virtual networks for Openstack
Quantum - Virtual networks for Openstack
 
Open stack networking_101_update_2014
Open stack networking_101_update_2014Open stack networking_101_update_2014
Open stack networking_101_update_2014
 
OpenStack Neutron's Distributed Virtual Router
OpenStack Neutron's Distributed Virtual RouterOpenStack Neutron's Distributed Virtual Router
OpenStack Neutron's Distributed Virtual Router
 
Introduction to Software Defined Networking and OpenStack Neutron
Introduction to Software Defined Networking and OpenStack NeutronIntroduction to Software Defined Networking and OpenStack Neutron
Introduction to Software Defined Networking and OpenStack Neutron
 
OpenStack High Availability
OpenStack High AvailabilityOpenStack High Availability
OpenStack High Availability
 
EBPF and Linux Networking
EBPF and Linux NetworkingEBPF and Linux Networking
EBPF and Linux Networking
 
Openstack Basic with Neutron
Openstack Basic with NeutronOpenstack Basic with Neutron
Openstack Basic with Neutron
 

Similaire à 44CON 2013 - Hack the Gibson - Exploiting Supercomputers - John Fitzpatrick & Luke Jennings

IBM MQ High Availabillity and Disaster Recovery (2017 version)
IBM MQ High Availabillity and Disaster Recovery (2017 version)IBM MQ High Availabillity and Disaster Recovery (2017 version)
IBM MQ High Availabillity and Disaster Recovery (2017 version)MarkTaylorIBM
 
Shaping the Future: To Globus Compute and Beyond!
Shaping the Future: To Globus Compute and Beyond!Shaping the Future: To Globus Compute and Beyond!
Shaping the Future: To Globus Compute and Beyond!Globus
 
HPC and cloud distributed computing, as a journey
HPC and cloud distributed computing, as a journeyHPC and cloud distributed computing, as a journey
HPC and cloud distributed computing, as a journeyPeter Clapham
 
Open Programmable Architecture for Java-enabled Network Devices
Open Programmable Architecture for Java-enabled Network DevicesOpen Programmable Architecture for Java-enabled Network Devices
Open Programmable Architecture for Java-enabled Network DevicesTal Lavian Ph.D.
 
SC15 PMIx Birds-of-a-Feather
SC15 PMIx Birds-of-a-FeatherSC15 PMIx Birds-of-a-Feather
SC15 PMIx Birds-of-a-Featherrcastain
 
MAGPI: Advanced Services: IPv6, Multicast, DNSSEC
MAGPI: Advanced Services: IPv6, Multicast, DNSSECMAGPI: Advanced Services: IPv6, Multicast, DNSSEC
MAGPI: Advanced Services: IPv6, Multicast, DNSSECShumon Huque
 
OpenNebulaConf 2013 - Keynote: Enabling Scientific Workflows on FermiCloud us...
OpenNebulaConf 2013 - Keynote: Enabling Scientific Workflows on FermiCloud us...OpenNebulaConf 2013 - Keynote: Enabling Scientific Workflows on FermiCloud us...
OpenNebulaConf 2013 - Keynote: Enabling Scientific Workflows on FermiCloud us...OpenNebula Project
 
OpenNebulaConf2015 1.07 Cloud for Scientific Computing @ STFC - Alexander Dibbo
OpenNebulaConf2015 1.07 Cloud for Scientific Computing @ STFC - Alexander DibboOpenNebulaConf2015 1.07 Cloud for Scientific Computing @ STFC - Alexander Dibbo
OpenNebulaConf2015 1.07 Cloud for Scientific Computing @ STFC - Alexander DibboOpenNebula Project
 
Climb stateoftheartintro
Climb stateoftheartintroClimb stateoftheartintro
Climb stateoftheartintrothomasrconnor
 
IBM MQ - High Availability and Disaster Recovery
IBM MQ - High Availability and Disaster RecoveryIBM MQ - High Availability and Disaster Recovery
IBM MQ - High Availability and Disaster RecoveryMarkTaylorIBM
 
The Art of Container Monitoring
The Art of Container MonitoringThe Art of Container Monitoring
The Art of Container MonitoringDerek Chen
 
MesosCon EU 2017 - Criteo - Operating Mesos-based Infrastructures
MesosCon EU 2017 - Criteo - Operating Mesos-based InfrastructuresMesosCon EU 2017 - Criteo - Operating Mesos-based Infrastructures
MesosCon EU 2017 - Criteo - Operating Mesos-based Infrastructurespierrecdn -
 
Preparing OpenSHMEM for Exascale
Preparing OpenSHMEM for ExascalePreparing OpenSHMEM for Exascale
Preparing OpenSHMEM for Exascaleinside-BigData.com
 
2nd sdn interest group session2 (121218)
2nd sdn interest group session2 (121218)2nd sdn interest group session2 (121218)
2nd sdn interest group session2 (121218)NAIM Networks, Inc.
 
Sprinting with Anypoint Runtime Fabric
Sprinting with Anypoint Runtime FabricSprinting with Anypoint Runtime Fabric
Sprinting with Anypoint Runtime FabricAaronLieberman5
 
OpenStack monitoring - Unidata S.p.A. Case Report
OpenStack monitoring - Unidata S.p.A. Case ReportOpenStack monitoring - Unidata S.p.A. Case Report
OpenStack monitoring - Unidata S.p.A. Case ReportDavide Guerri
 
Deep Dive Into the CERN Cloud Infrastructure - November, 2013
Deep Dive Into the CERN Cloud Infrastructure - November, 2013Deep Dive Into the CERN Cloud Infrastructure - November, 2013
Deep Dive Into the CERN Cloud Infrastructure - November, 2013Belmiro Moreira
 
Sprinting with Anypoint Runtime Fabric
Sprinting with Anypoint Runtime FabricSprinting with Anypoint Runtime Fabric
Sprinting with Anypoint Runtime FabricAaronLieberman5
 

Similaire à 44CON 2013 - Hack the Gibson - Exploiting Supercomputers - John Fitzpatrick & Luke Jennings (20)

IBM MQ High Availabillity and Disaster Recovery (2017 version)
IBM MQ High Availabillity and Disaster Recovery (2017 version)IBM MQ High Availabillity and Disaster Recovery (2017 version)
IBM MQ High Availabillity and Disaster Recovery (2017 version)
 
Shaping the Future: To Globus Compute and Beyond!
Shaping the Future: To Globus Compute and Beyond!Shaping the Future: To Globus Compute and Beyond!
Shaping the Future: To Globus Compute and Beyond!
 
HPC and cloud distributed computing, as a journey
HPC and cloud distributed computing, as a journeyHPC and cloud distributed computing, as a journey
HPC and cloud distributed computing, as a journey
 
Open Programmable Architecture for Java-enabled Network Devices
Open Programmable Architecture for Java-enabled Network DevicesOpen Programmable Architecture for Java-enabled Network Devices
Open Programmable Architecture for Java-enabled Network Devices
 
SC15 PMIx Birds-of-a-Feather
SC15 PMIx Birds-of-a-FeatherSC15 PMIx Birds-of-a-Feather
SC15 PMIx Birds-of-a-Feather
 
MAGPI: Advanced Services: IPv6, Multicast, DNSSEC
MAGPI: Advanced Services: IPv6, Multicast, DNSSECMAGPI: Advanced Services: IPv6, Multicast, DNSSEC
MAGPI: Advanced Services: IPv6, Multicast, DNSSEC
 
OpenNebulaConf 2013 - Keynote: Enabling Scientific Workflows on FermiCloud us...
OpenNebulaConf 2013 - Keynote: Enabling Scientific Workflows on FermiCloud us...OpenNebulaConf 2013 - Keynote: Enabling Scientific Workflows on FermiCloud us...
OpenNebulaConf 2013 - Keynote: Enabling Scientific Workflows on FermiCloud us...
 
OpenNebulaConf2015 1.07 Cloud for Scientific Computing @ STFC - Alexander Dibbo
OpenNebulaConf2015 1.07 Cloud for Scientific Computing @ STFC - Alexander DibboOpenNebulaConf2015 1.07 Cloud for Scientific Computing @ STFC - Alexander Dibbo
OpenNebulaConf2015 1.07 Cloud for Scientific Computing @ STFC - Alexander Dibbo
 
Climb stateoftheartintro
Climb stateoftheartintroClimb stateoftheartintro
Climb stateoftheartintro
 
IBM MQ - High Availability and Disaster Recovery
IBM MQ - High Availability and Disaster RecoveryIBM MQ - High Availability and Disaster Recovery
IBM MQ - High Availability and Disaster Recovery
 
The Art of Container Monitoring
The Art of Container MonitoringThe Art of Container Monitoring
The Art of Container Monitoring
 
MesosCon EU 2017 - Criteo - Operating Mesos-based Infrastructures
MesosCon EU 2017 - Criteo - Operating Mesos-based InfrastructuresMesosCon EU 2017 - Criteo - Operating Mesos-based Infrastructures
MesosCon EU 2017 - Criteo - Operating Mesos-based Infrastructures
 
Preparing OpenSHMEM for Exascale
Preparing OpenSHMEM for ExascalePreparing OpenSHMEM for Exascale
Preparing OpenSHMEM for Exascale
 
2nd sdn interest group session2 (121218)
2nd sdn interest group session2 (121218)2nd sdn interest group session2 (121218)
2nd sdn interest group session2 (121218)
 
Sprinting with Anypoint Runtime Fabric
Sprinting with Anypoint Runtime FabricSprinting with Anypoint Runtime Fabric
Sprinting with Anypoint Runtime Fabric
 
OpenStack monitoring - Unidata S.p.A. Case Report
OpenStack monitoring - Unidata S.p.A. Case ReportOpenStack monitoring - Unidata S.p.A. Case Report
OpenStack monitoring - Unidata S.p.A. Case Report
 
Deep Dive Into the CERN Cloud Infrastructure - November, 2013
Deep Dive Into the CERN Cloud Infrastructure - November, 2013Deep Dive Into the CERN Cloud Infrastructure - November, 2013
Deep Dive Into the CERN Cloud Infrastructure - November, 2013
 
Resource Aware Scheduling in Apache Storm
Resource Aware Scheduling in Apache StormResource Aware Scheduling in Apache Storm
Resource Aware Scheduling in Apache Storm
 
Resource Aware Scheduling in Apache Storm
Resource Aware Scheduling in Apache StormResource Aware Scheduling in Apache Storm
Resource Aware Scheduling in Apache Storm
 
Sprinting with Anypoint Runtime Fabric
Sprinting with Anypoint Runtime FabricSprinting with Anypoint Runtime Fabric
Sprinting with Anypoint Runtime Fabric
 

Plus de 44CON

They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...44CON
 
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...44CON
 
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...44CON
 
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...44CON
 
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...44CON
 
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...44CON
 
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...44CON
 
Pwning the 44CON Nerf Tank
Pwning the 44CON Nerf TankPwning the 44CON Nerf Tank
Pwning the 44CON Nerf Tank44CON
 
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...44CON
 
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON
 
44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON
 
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...44CON
 
44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy44CON
 
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON
 
44CON London 2015 - Going AUTH the Rails on a Crazy Train
44CON London 2015 - Going AUTH the Rails on a Crazy Train44CON London 2015 - Going AUTH the Rails on a Crazy Train
44CON London 2015 - Going AUTH the Rails on a Crazy Train44CON
 
44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security44CON
 
44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON London 2015 - DDoS mitigation EPIC FAIL collection44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON London 2015 - DDoS mitigation EPIC FAIL collection44CON
 
44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities44CON
 
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...44CON
 
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON
 

Plus de 44CON (20)

They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
 
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
 
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
 
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
 
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
 
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
 
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
 
Pwning the 44CON Nerf Tank
Pwning the 44CON Nerf TankPwning the 44CON Nerf Tank
Pwning the 44CON Nerf Tank
 
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
 
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
 
44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?
 
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
 
44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy
 
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
 
44CON London 2015 - Going AUTH the Rails on a Crazy Train
44CON London 2015 - Going AUTH the Rails on a Crazy Train44CON London 2015 - Going AUTH the Rails on a Crazy Train
44CON London 2015 - Going AUTH the Rails on a Crazy Train
 
44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security
 
44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON London 2015 - DDoS mitigation EPIC FAIL collection44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON London 2015 - DDoS mitigation EPIC FAIL collection
 
44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities
 
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
 
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
 

Dernier

Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 

Dernier (20)

Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 

44CON 2013 - Hack the Gibson - Exploiting Supercomputers - John Fitzpatrick & Luke Jennings

  • 1. Public EXTERNAL Hack the Gibson Exploiting Supercomputers 44Con Edition – September 2013 John Fitzpatrick Luke Jennings Labs.mwrinfosecurity.com | © MWR Labs Labs.mwrinfosecurity.com | © MWR Labs 1
  • 2. Public EXTERNAL Outline • Introduction • Important Security Considerations • Job Schedulers – MOAB – Torque • OpenMPI • Distributed Filesystems – GPFS – Lustre • Cluster Management • Local Privilege Escalation Labs.mwrinfosecurity.com | © MWR Labs 2
  • 3. Public EXTERNAL Outline • Introduction • Important Security Considerations • Job Schedulers – MOAB – Torque • OpenMPI • Distributed Filesystems – GPFS – Lustre • Cluster Management • Local Privilege Escalation Labs.mwrinfosecurity.com | © MWR Labs 3
  • 4. Public EXTERNAL What is High Performance Computing? • Computer hardware and software aimed at solving very heavy computational tasks • Common Uses – Weather forecasting – Data Mining – Cryptanalysis – Nuclear weapons simulation – Molecular dynamics Labs.mwrinfosecurity.com | © MWR Labs 4
  • 6. Public EXTERNAL Some Numbers Tianhe-2 Top500 rank: #1 (June 2013) • China’s National University of Defense Technology • 33.86 petaflops/s (Linpack) • 16,000 nodes (2x Intel Xeon IvyBridge + 3x Xeon Phi processors) • Total 3,120,000 cores • Memory: 1,375 TiB ~1,500 TB • Storage: 12.4 PB • Cost: ~£256 Million Labs.mwrinfosecurity.com | © MWR Labs Blue Joule (UK Fastest) Top500 rank: #18 (June 2013) • Daresbury Laboratory • IBM Blue Gene/Q • 1.25 petaflops/s (Linpack) • Total 114,688 cores • Storage ~5 PB 6
  • 7. Public EXTERNAL Parallel Computing - Limits • Not all tasks can be parallelised e.g. Task B requires the result of Task A Labs.mwrinfosecurity.com | © MWR Labs 7
  • 8. Public EXTERNAL Message Passing Interface • Achieves Cluster Computing Goal • Implements the concept of “Distributed Shared Memory” Labs.mwrinfosecurity.com | © MWR Labs 8
  • 9. Public EXTERNAL Supercomputer vs Cluster • What really makes a true “supercomputer” is the use of extremely high performance networking kit to link the nodes • “Distributed Shared Memory” with normal Ethernet network connections will be orders of magnitude slower than RAM • Infiniband and Myrinet • Upto 300 Gbit/s with link aggregation! • 1 µs latency (that’s micro not milli) Labs.mwrinfosecurity.com | © MWR Labs 9
  • 10. Public EXTERNAL Supercomputer – what about file systems? • Distributed file systems are used • Much higher performance • Each node will generally have access to identical data • Though its boot drive may be unique • Examples • GPFS • Lustre Labs.mwrinfosecurity.com | © MWR Labs 10
  • 11. Public EXTERNAL Supercomputer – Job Scheduling • Not all nodes should be useable by anyone all the time…. Wait your turn! • Generally a user may write a parallel program using MPI and then submit it to a job scheduler • This then manages all the submissions and decides what runs on what nodes and what time etc. Labs.mwrinfosecurity.com | © MWR Labs 11
  • 13. Public EXTERNAL Outline • Introduction • Important Security Considerations • Job Schedulers – MOAB – Torque • OpenMPI • Distributed Filesystems – GPFS – Lustre • Cluster Management • Local Privilege Escalation Labs.mwrinfosecurity.com | © MWR Labs 13
  • 14. Public EXTERNAL Important Security Considerations Considerations • Users can typically connect to login nodes • Users run code on compute nodes • Trust relationships exist (passwordless key based SSH) • Job scheduling happens across many nodes • Nodes may need regular rebuilding Implications • Local priv-esc is a very big deal • Users have access to inner components • Remote imaging is pretty much essential • Several critical OS mechanisms are now network accessible Labs.mwrinfosecurity.com | © MWR Labs 14
  • 15. Public EXTERNAL Outline • Introduction • Important Security Considerations • Job Schedulers – MOAB – Torque • OpenMPI • Distributed Filesystems – GPFS – Lustre • Cluster Management • Local Privilege Escalation Labs.mwrinfosecurity.com | © MWR Labs 15
  • 16. Public EXTERNAL Job Schedulers • Resource Managers e.g. Torque, SLURM • Handle actual running of jobs on a single cluster • Basic logic for scheduling e.g. FIFO, round robin etc • Workload Managers (Schedulers) e.g. MOAB • Sit on top of resource managers • Can handle multiple clusters potentially with different resource • managers Intelligent, flexible, scalable scheduling Labs.mwrinfosecurity.com | © MWR Labs 16
  • 17. Public EXTERNAL Outline • Introduction • Important Security Considerations • Job Schedulers – MOAB – Torque • OpenMPI • Distributed Filesystems – GPFS – Lustre • Cluster Management • Local Privilege Escalation Labs.mwrinfosecurity.com | © MWR Labs 17
  • 18. Public EXTERNAL Job Schedulers - MOAB • Submit jobs using the “msub” command • This talks to a web server using XML • HMAC verifies authenticity of user information submitted • Default behaviour is insecure – key to generate hmac is hardcoded in binary Labs.mwrinfosecurity.com | © MWR Labs 18
  • 19. Public EXTERNAL Job Schedulers - MOAB • More secure option is to use “mauth” authentication • Key is configured in a protected file -r-------- 1 root root 15 2007-04-05 03:47 /opt/moab/.moab.key • When “msub” is called, it makes use of a SUID root binary called • • • “mauth” to obtain the HMAC for the XML “mauth” can read the key (SUID root) If the user information submitted does not match the caller, it rejects the request Should be secure right? Labs.mwrinfosecurity.com | © MWR Labs 19
  • 20. Public EXTERNAL Job Schedulers - MOAB Labs.mwrinfosecurity.com | © MWR Labs 20
  • 21. Public EXTERNAL Job Schedulers - MOAB • Web service and “mauth” check different user IDs  • By default, “root” jobs are not allowed • However, web service allows “dynamic reconfiguration” • Pretend to be “root” to enable root jobs, then submit after  Labs.mwrinfosecurity.com | © MWR Labs 21
  • 22. Public EXTERNAL Outline • Introduction • Important Security Considerations • Job Schedulers – MOAB – Torque • OpenMPI • Distributed Filesystems – GPFS – Lustre • Cluster Management • Local Privilege Escalation Labs.mwrinfosecurity.com | © MWR Labs 22
  • 23. Public EXTERNAL Job Schedulers - Torque • Resource manager • Terascale Open-Source Resource and Queue Manager • Can integrate with MAIU/MOAB • Based on the original PBS project Labs.mwrinfosecurity.com | © MWR Labs 23
  • 24. Public EXTERNAL Job Schedulers - Torque 2.4.x – support ended August 2012 2.5.x – Widely used, recommended, considered reliable 2.5.12 = Latest 3.0.x - has everything 2.5.x has plus it supports NUMA architectures 4.0.x - has significant enhancements to scalability for petaflop and large environments 4.1.x - has added significant enhancements for Cray systems 4.2.x – Includes support for Intel Xeon Phi 4.2.3.1 = Latest Labs.mwrinfosecurity.com | © MWR Labs 24
  • 25. Public EXTERNAL Job Schedulers - Torque Simplified Overview Head Node 1. Submit Job pbs_server 2. Inform Scheduler Compute Node Scheduler pbs_mom 4. Instructions on how to run job 3. Find node for job Labs.mwrinfosecurity.com | © MWR Labs 25
  • 26. Public EXTERNAL Job Schedulers - Torque $ qstat Job id ------------------85.server1 87.host1 88.host2 89.host2 90.server1 91.host1 Labs.mwrinfosecurity.com | © MWR Labs Name ------------STDIN STDIN STDIN STDIN STDIN STDIN User Time Use ------------ -------hpc1 0 rd002 0 user1 0 user1 0 testuser 0 rd002 0 S Q Q Q Q Q Q Queue ----batch batch batch batch batch batch 26
  • 27. Public EXTERNAL Job Schedulers - Torque So let’s hack the Gibson… - unauthenticated remote root ;) Labs.mwrinfosecurity.com | © MWR Labs 27
  • 28. Public EXTERNAL Outline • Introduction • Important Security Considerations • Job Schedulers – MOAB – Torque • OpenMPI • Distributed Filesystems – GPFS – Lustre • Cluster Management • Local Privilege Escalation Labs.mwrinfosecurity.com | © MWR Labs 28
  • 29. Public EXTERNAL Open MPI Running standard program e.g. uname root@bt5:~/mpi# mpirun -H node,localhost uname -a Linux bt5 3.2.6 #1 SMP Fri Feb 17 10:34:20 EST 2012 x86_64 GNU/Linux Linux bt 2.6.39.4 #1 SMP Thu Aug 18 13:38:02 NZST 2011 i686 GNU/Linux Running custom MPI program root@bt5:~/mpi# mpirun -H node,localhost helloworld Hello from process 0 of 2 running on bt (0) Processor 0 sending buf data Hello from process 1 of 2 running on bt5 (0) Processor 1 received buf data: Hello :) Process 0 received reply: Wagwan! Labs.mwrinfosecurity.com | © MWR Labs 29
  • 30. Public EXTERNAL Open MPI /usr/bin/ssh -x node orted --daemonize -mca ess env -mca orte_ess_jobid 76873728 -mca orte_ess_vpid 1 -mca orte_ess_num_procs 2 --hnp-uri "76873728.0;tcp://192.168.154.130:43622" Labs.mwrinfosecurity.com | © MWR Labs 30
  • 33. Public EXTERNAL Open MPI • Vulnerable to a MITM...but most MITM attacks require root privileges e.g. ARP spoofing • If we have root on a node, we have root on everything anyway • The “Super-fast” network is only going to be physically accessible from within the data centre • ...so is this vulnerability actually applicable to the environment? Labs.mwrinfosecurity.com | © MWR Labs 33
  • 34. Public EXTERNAL Open MPI • Exploitable as a low privileged user? • What if I connect to the port first, before the remote node? • Will the master node give up listening, so I can hijack the • port? Race condition? • Can I win the race? • Legitimate workflow involves an SSH connection then a TCP • • connect back My code can all run on the master node No network comms = I have the speed advantage Labs.mwrinfosecurity.com | © MWR Labs 34
  • 35. Public EXTERNAL Open MPI • The port we could brute force, but we need that ID too… --hnp-uri "76873728.0;tcp://192.168.154.130:43622" • …but Linux normally gives away command line arguments via /proc file system e.g. “ps aux” below daemon 833 0.0 0.0 18932 392 ? Ss Nov05 0:00 atd root 834 0.0 0.0 21124 1024 ? Ss Nov05 0:15 cron root 835 0.0 0.0 11332 640 ? Ss Nov05 0:12 /usr/sbin/irqbalance root 844 0.0 0.1 120676 3644 ? Sl Nov05 0:00 /usr/sbin/console-kit-daemon --no-daemon postgres 965 0.0 0.1 49356 4080 ? S Nov05 0:00 /opt/metasploit/postgresql/bin/postgres -D /opt/metasploit/postgresql/data -p 7337 postgres 1278 0.0 0.0 49356 1244 ? Ss Nov05 0:20 postgres: writer process postgres 1279 0.0 0.0 49356 976 ? Ss Nov05 0:17 postgres: wal writer process postgres 1280 0.0 0.0 49492 1180 ? Ss Nov05 0:19 postgres: autovacuum launcher process postgres 1281 0.0 0.0 20764 1008 ? Ss Nov05 0:03 postgres: stats collector process root 1303 0.0 0.0 59480 716 ? Ssl Nov05 0:00 /usr/sbin/vmware-vmblock-fuse -o subtype=vmware-vmblock,default_permissions,allow_other /var/run/vmblock-fuse root 1359 0.0 0.1 85000 4008 ? S Nov05 1:28 /usr/sbin/vmtoolsd root 1423 0.0 0.0 0 0 ? S Nov05 0:05 [flush-8:0] root 1439 0.0 0.0 6604 664 ? Ss Nov05 0:15 dhclient3 -e IF_METRIC=100 -pf /var/run/dhclient.eth1.pid -lf /var/lib/dhcp3/dhclient.eth1.leases eth1 ntp 1560 0.0 0.0 27912 1580 ? Ss Nov05 0:06 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 113:121 Labs.mwrinfosecurity.com | © MWR Labs 35
  • 36. Public EXTERNAL Open MPI The Exploit 1. Monitor /proc file system 2. When the ssh connection is detected, read the port number and application specific ID 3. Connect to port and “talk” MPI to it along with the correct ID so the master node is happy execution has started 4. Master node will then release the port, so we can listen on it 5. If we are quick enough, we receive the connect back from the remote node and “talk” MPI and issue our own “command” Labs.mwrinfosecurity.com | © MWR Labs 36
  • 38. Public EXTERNAL Outline • Introduction • Important Security Considerations • Job Schedulers – MOAB – Torque • OpenMPI • Distributed Filesystems – GPFS – Lustre • Cluster Management • Local Privilege Escalation Labs.mwrinfosecurity.com | © MWR Labs 38
  • 39. Public EXTERNAL Distributed Filesystems • Gbit/sec • Infiniband • Petabytes • Tens of thousands of disks Labs.mwrinfosecurity.com | © MWR Labs 39
  • 40. Public EXTERNAL Distributed Filesystems • Commonly used: – GPFS – NFS – Lustre • Performance is Key Labs.mwrinfosecurity.com | © MWR Labs 40
  • 41. Public EXTERNAL Outline • Introduction • Important Security Considerations • Job Schedulers – MOAB – Torque • OpenMPI • Distributed Filesystems – GPFS – Lustre • Cluster Management • Local Privilege Escalation Labs.mwrinfosecurity.com | © MWR Labs 41
  • 42. Public EXTERNAL Distributed Filesystems - GPFS IBM – file system “It’s quite expensive - we bought an instance of GPFS from IBM and they gave us a free supercomputer with it” Good tech overview here: https://computing.llnl.gov/code/sio/ucrl-web-148419-pt-1.pdf Labs.mwrinfosecurity.com | © MWR Labs 42
  • 43. Public EXTERNAL Distributed Filesystems - GPFS Bill Loewe: https://computing.llnl.gov/code/sio/ucrl-web-148419-pt-1.pdf Labs.mwrinfosecurity.com | © MWR Labs 43
  • 44. Public EXTERNAL Outline • Introduction • Important Security Considerations • Job Schedulers – MOAB – Torque • OpenMPI • Distributed Filesystems – GPFS – Lustre • Cluster Management • Local Privilege Escalation Labs.mwrinfosecurity.com | © MWR Labs 44
  • 45. Public EXTERNAL Distributed Filesystems - Lustre • Widely used • Over 60 of the top 100 supercomputers use Lustre • Resold in appliances Labs.mwrinfosecurity.com | © MWR Labs 45
  • 46. Public EXTERNAL Distributed Filesystems - Lustre Labs.mwrinfosecurity.com | © MWR Labs 46
  • 47. Public EXTERNAL Distributed Filesystems - Lustre The Exploit (found by reading the documentation!) DEMO Labs.mwrinfosecurity.com | © MWR Labs 47
  • 48. Public EXTERNAL Outline • Introduction • Important Security Considerations • Job Schedulers – MOAB – Torque • OpenMPI • Distributed Filesystems – GPFS – Lustre • Cluster Management • Local Privilege Escalation Labs.mwrinfosecurity.com | © MWR Labs 48
  • 49. Public EXTERNAL Cluster Management • Tens of thousands of nodes = remote imaging is the norm • Used to this sort of technology from corporate environments e.g. PXE booting rebuilds etc. • We’ve seen a couple of vendor implementations – Both used PXE + TFTP (as is common) – One used custom protocols for the second stage – The other used common protocols like rsync Labs.mwrinfosecurity.com | © MWR Labs 49
  • 50. Public EXTERNAL Cluster Management • The nature of this type of technology makes it very difficult to secure directly • But two things are key: – Read-only images -> otherwise suffer backdoors – No sensitive information in the images -> work to the assumption of no confidentiality • Sensitive information – E.g. root’s private SSH key or MOAB key files – This information can be added securely as a post imaging step within scripts Labs.mwrinfosecurity.com | © MWR Labs 50
  • 51. Public EXTERNAL Outline • Introduction • Important Security Considerations • Job Schedulers – MOAB – Torque • OpenMPI • Distributed Filesystems – GPFS – Lustre • Cluster Management • Local Privilege Escalation Labs.mwrinfosecurity.com | © MWR Labs 51
  • 52. Public EXTERNAL Local Privilege Escalation • When all your users run code on “servers”, this is important • Besides patch management and usual UNIX file permissions etc., pay attention to manufacturer added attack surface, e.g. SUID binaries • On one manufacturer default install we found two non-standard SUID root binaries • One looked particularly interesting as it had an “extract to directory” option Labs.mwrinfosecurity.com | © MWR Labs 52
  • 53. Public EXTERNAL Local Privilege Escalation • When run normally it lists something related to the local directory contents • After much investigation, it turns out the cryptic numbers encode the ownership info and file permissions • After further investigation, when supplied to the “extract” option, it modifies the local directory contents to match Labs.mwrinfosecurity.com | © MWR Labs 53
  • 54. Public EXTERNAL Local Privilege Escalation • …Oh dear! So if we encode something like this on our own system… -rwsr-xr-x 1 root root 136 Feb 26 2012 /bin/sh • …and then extract the output on the target system • We get a SUID root shell. Nice  • Neither SUID binary even appeared to be needed, let alone require SUID permissions! – Remove unnecessary attack surface Labs.mwrinfosecurity.com | © MWR Labs 54
  • 55. Public EXTERNAL Summary • Interesting Challenges – Performance and security – Authenticating users across multiple nodes securely Labs.mwrinfosecurity.com | © MWR Labs 55
  • 56. Public EXTERNAL Questions? http://labs.mwrinfosecurity.com | @mwrlabs John.fitzpatrick@mwrinfosecurity.com | @j0hn__f Luke.jennings@mwrinfosecurity.com Labs.mwrinfosecurity.com | © MWR Labs 56