EGI-InSPIRE (www.egi.eu, EGI-InSPIRE RI-261323)

Vulnerability Assessment of Middleware Packages Supplied by EMI: VOMS Core Case
Manuel Brugnoli, Elisa Heymann
UAB
Outline
• First Principles Vulnerability Assessment (FPVA)
• VOMS Core
• VOMS Core assessment using FPVA
• Conclusions
First Principles Vulnerability Assessment (FPVA)
“Is a primarily analyst-centric (manual) approach to assessment, whose aim is to focus the analyst’s attention on the parts of the software system and its resources that are most likely to contain vulnerabilities that would provide access to high-value assets”*
* James A. Kupsch, Barton P. Miller, Eduardo César, and Elisa Heymann, "First Principles Vulnerability Assessment" (extended version), MIST Project Technical Report, September 2009.
First Principles Vulnerability Assessment (FPVA)
The five steps of FPVA:
• Architecture analysis: identifies the major structural components of the system, including modules, threads, processes, and hosts.
• Resource analysis: identifies the key resources accessed by each component, and the operations supported on those resources.
• Privilege analysis: identifies the trust assumptions about each component, answering such questions as how are they protected and who can access them?
• Component analysis: examines each component in depth. A key aspect is that this step is guided by the information obtained in the first three steps, helping to prioritize the work so that high-value targets are evaluated first.
• Dissemination: the artifacts produced by this step are vulnerability reports, perhaps with suggested fixes, to be provided to the middleware developers.
VOMS Core assessment using FPVA
Virtual Organization Membership Service (VOMS) serves as a central repository for user authorization information, providing support for sorting users into a general group hierarchy, keeping track of their roles, etc.
VOMS Core is the server that receives requests from a VOMS client and returns information about the user.
We worked with VOMS Core 2.0.2.
Step 1: VOMS 2.0.2 Architecture Analysis
[Architecture diagram. VOMS Server Host: DB, VOMS Admin (Tomcat), VOMS daemon, Ancillary Utilities; OS privileges: user, daemon, root; DB privileges: VO_Server. User Host: Web Browser, VOMS Client, VOMS Admin Client. Connections: HTTPS, SOAP over SSL, GSI Connection, Command Line, Web.]
Step 1: VOMS Client-Server Interaction
[Diagram slide]
Step 2: VOMS Core 2.0.2 Resource Analysis
[Diagram slide]
Step 2: VOMS Core 2.0.2 Resource Analysis
[Diagram slide]
Step 3: VOMS Core 2.0.2 Privilege Analysis
[Diagram slide]
Step 4: VOMS Core 2.0.2 Component Analysis
• Resource permissions:
• Evaluated the permissions of files that have a high security value (certificate private keys, database and configuration files).
• The permissions of these files appeared to be correct.
Step 4: VOMS Core 2.0.2 Component Analysis
• User privileges:
• Client side:
• No privilege problems in the client commands.
• Server side:
• The voms daemon runs with root operating system privileges.
• Evaluated the source code looking for flaws that may compromise the server.
• No privilege problems were found.
Step 4: VOMS Core 2.0.2 Component Analysis
• Dangerous functions:
• Evaluated the use of functions that commonly result in security problems, such as system or exec family functions.
• No vulnerabilities related to dangerous functions were found.
Step 4: VOMS Core 2.0.2 Component Analysis
• Authentication Issues:
• Mutual authentication is performed between the client and server.
• VOMS design makes the system quite strong, and reduces many possible threats.
Step 4: VOMS Core 2.0.2 Component Analysis
• Network Layer Security:
• The VOMS server creates a secure communication channel via Globus GSI with the VOMS clients.
• The use of an encrypted channel provides strong end-to-end data encryption and integrity.
Step 4: VOMS Core 2.0.2 Component Analysis
• Injection Attacks:
• Evaluated the source code to ensure VOMS correctly parses and checks the arguments passed through the command line.
• Appropriate parsing is performed to protect against command injection vulnerabilities.
Step 4: VOMS Core 2.0.2 Component Analysis
• Buffer overflows:
• VOMS Core is written in C/C++ → Checked for potential buffer overflow problems.
• No dangerous behavior was detected.
Step 4: VOMS Core 2.0.2 Component Analysis
• Denial of Service Attacks:
• A DoS vulnerability was discovered and reported to the VOMS developers.
• This vulnerability is caused by the lack of limits on the number of simultaneous connections.
• Full details about this were reported in the vulnerability report VOMS-CORE-2011-0001.
Conclusions
No serious security problems were found in VOMS Core 2.0.2:
• The attack surface in VOMS Core is very small.
• VOMS Core correctly parses and checks the arguments sent from the client.
• The VOMS server uses a forking server model to handle all requests from VOMS clients.
• The recommended operational configuration of a VOMS server node is a highly secured host with limited local user access and other services.
• All communication between the VOMS server and VOMS clients is secure.
• A DoS vulnerability was found.

Questions?
Thank you!!!