SlideShare una empresa de Scribd logo

Vulnerability Assessment of Middleware Packages Supplied by EMI: VOMS Core Case

Manuel Brugnoli
Manuel Brugnoli

This document describes a vulnerability assessment of the VOMS Core middleware package using a First Principles Vulnerability Assessment (FPVA) approach. The FPVA involves analyzing the VOMS Core architecture, resources, privileges, and components. No serious security vulnerabilities were found except for a potential denial of service issue. The VOMS Core design limits attacks through secure communication, privilege separation, and input validation. However, a lack of limits on simultaneous connections could enable a denial of service attack.

Tecnología
1 de 20
Descargar para leer sin conexión
www.egi.euEGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.euEGI-InSPIRE RI-261323 Vulnerability Assessment of Middleware Packages Supplied by EMI: VOMS Core Case Manuel Brugnoli, Elisa Heymann UAB
www.egi.euEGI-InSPIRE RI-261323 Outline • First Principles Vulnerability Assessment (FPVA) • VOMS Core • VOMS Core assessment using FPVA • Conclusions Contents
www.egi.euEGI-InSPIRE RI-261323 “Is a primarily analyst-centric (manual) approach to assessment, whose aim is to focus the analyst’s attention on the parts of the software system and its resources that are mostly likely to contain vulnerabilities that would provide access to high-value assets”* * James A. Kupsch, Barton P. Miller, Eduardo César, and Elisa Heymann, "First Principles Vulnerability Assessment" (extended version), MIST Project Technical Report, September 2009. First Principles Vulnerability Assessment (FPVA)
www.egi.euEGI-InSPIRE RI-261323 Architecture Resources Privileges Components Dissemination to identify the major structural components of the system, including modules, threads, processes, and hosts.to identify the key resources accessed by each component, and the operations supported on those resources.identifies the trust assumptions about each component, answering such questions as how are they protected and who can access them? is to examine each component in depth. A key aspect is that this step is guided by information obtained in the first three steps, helping to prioritize the work so that highvalue targets are evaluated first. artifacts produced by this step are vulnerability reports, perhaps with suggested fixes, to be provided to the middleware developers. First Principles Vulnerability Assessment (FPVA)
www.egi.euEGI-InSPIRE RI-261323 Virtual Organization Membership Service (VOMS) serves as a central repository for user authorization information, providing support for sorting users into a general group hierarchy, keeping track of their roles, etc. VOMS Core is the server that receives requests from a VOMS client and returns information about the user. We worked with VOMS Core 2.0.2. VOMS Core assessment using FPVA
www.egi.euEGI-InSPIRE RI-261323 VOMS Server Host DB VOMS Admin (Tomcat) VOMS daemon User Host Web Browser VOMS Client VOMS Admin Client HTTPS SOAP over SSL Ancillary Utilities GSI Connection OS privileges user daemon root DB privileges VO_Server Command Line Command Line Web Command Line Step 1: VOMS 2.0.2 Architecture Analysis
www.egi.euEGI-InSPIRE RI-261323 Step 1: VOMS Client-Server Interaction
www.egi.euEGI-InSPIRE RI-261323 Step 2: VOMS Core 2.0.2 Resource Analysis
www.egi.euEGI-InSPIRE RI-261323 Step 2: VOMS Core 2.0.2 Resource Analysis
www.egi.euEGI-InSPIRE RI-261323 Step 3: VOMS Core 2.0.2 Privilege Analysis
www.egi.euEGI-InSPIRE RI-261323 • Resource permissions: • Evaluated the permissions of files that have a high security value (certificate private keys, database and configuration files). • The permissions of these files appeared to be correct. Step 4: VOMS Core 2.0.2 Component Analysis
www.egi.euEGI-InSPIRE RI-261323 • User privileges: • Client side: • No privilege problems in the client commands. • Server side: • The voms daemon runs with root operating system privileges. • Evaluated the source code looking for flaws that may compromise the server. • No privilege problems were found. Step 4: VOMS Core 2.0.2 Component Analysis
www.egi.euEGI-InSPIRE RI-261323 • Dangerous functions: • Evaluated the use of functions that commonly result in security problems, such as system or exec family functions. • No vulnerabilities related to dangerous functions were found. Step 4: VOMS Core 2.0.2 Component Analysis
www.egi.euEGI-InSPIRE RI-261323 • Authentication Issues: • Mutual authentication is performed between the client and server. • VOMS design makes the system quite strong, and reduces many possible threats. Step 4: VOMS Core 2.0.2 Component Analysis
www.egi.euEGI-InSPIRE RI-261323 • Network Layer Security: • VOMS server creates a secure communication channel via Globus GSI with the VOMS Clients. • The use of a encrypted channel provides strong end-to-end data encryption and integrity. Step 4: VOMS Core 2.0.2 Component Analysis
www.egi.euEGI-InSPIRE RI-261323 • Injection Attacks: • Evaluated the source code to ensure VOMS correctly parses and checks the arguments passed through the command line. • Appropriate parsing is performed to protect against command injection vulnerabilities. Step 4: VOMS Core 2.0.2 Component Analysis
www.egi.euEGI-InSPIRE RI-261323 • Buffer overflows: • VOMS Core is written in C/C++ → Checked for potential buffer overflow problems. • No dangerous behavior was detected. Step 4: VOMS Core 2.0.2 Component Analysis
www.egi.euEGI-InSPIRE RI-261323 • Denial of Service Attacks: • A DoS vulnerability was discovered and reported to the VOMS developers. • This vulnerability is caused by lack of limits on the number of simultaneous connections. • Full details about this were reported in the vulnerability report VOMS-CORE-2011-0001. Step 4: VOMS Core 2.0.2 Component Analysis
www.egi.euEGI-InSPIRE RI-261323 ConclusionsConclusions No serious security problems in VOMS Core 2.0.2 was found: • The attack surface in VOMS Core is very small. • VOMS Core correctly parses and checks the arguments sent from the client. • The VOMS server uses a forking server model to handle all requests from VOMS clients. • The recommended operational configuration of a VOMS server node is a highly secured host with limited local user access and other services. • All communication between the VOMS server and VOMS clients is secure. • A DoS vulnerability was found.
www.egi.euEGI-InSPIRE RI-261323 ¿Questions? Thank you!!!

Recomendados

Os Command Injection Attack
Os Command Injection AttackOs Command Injection Attack
Os Command Injection AttackRaghav Bisht
 
Shellcoding in linux
Shellcoding in linuxShellcoding in linux
Shellcoding in linuxAjin Abraham
 
Computer security Description about SQL-Injection and SYN attacks
Computer security Description about SQL-Injection and SYN attacksComputer security Description about SQL-Injection and SYN attacks
Computer security Description about SQL-Injection and SYN attacksTesfahunegn Minwuyelet
 
Browser Exploit Framework
Browser Exploit FrameworkBrowser Exploit Framework
Browser Exploit Frameworkn|u - The Open Security Community
 
Evaluating container security with ATT&CK Framework
Evaluating container security with ATT&CK FrameworkEvaluating container security with ATT&CK Framework
Evaluating container security with ATT&CK FrameworkSandeep Jayashankar
 
Distributed systems
Distributed systemsDistributed systems
Distributed systemsMohammad Reza Gerami
 
Red Teaming and Energy Grid Security
Red Teaming and Energy Grid SecurityRed Teaming and Energy Grid Security
Red Teaming and Energy Grid SecurityEnergySec
 
Thisworldofours
ThisworldofoursThisworldofours
Thisworldofoursjennyevans555
 

Recomendados

Os Command Injection Attack
Os Command Injection AttackOs Command Injection Attack
Os Command Injection AttackRaghav Bisht
 
Shellcoding in linux
Shellcoding in linuxShellcoding in linux
Shellcoding in linuxAjin Abraham
 
Computer security Description about SQL-Injection and SYN attacks
Computer security Description about SQL-Injection and SYN attacksComputer security Description about SQL-Injection and SYN attacks
Computer security Description about SQL-Injection and SYN attacksTesfahunegn Minwuyelet
 
Browser Exploit Framework
Browser Exploit FrameworkBrowser Exploit Framework
Browser Exploit Frameworkn|u - The Open Security Community
 
Evaluating container security with ATT&CK Framework
Evaluating container security with ATT&CK FrameworkEvaluating container security with ATT&CK Framework
Evaluating container security with ATT&CK FrameworkSandeep Jayashankar
 
Distributed systems
Distributed systemsDistributed systems
Distributed systemsMohammad Reza Gerami
 
Red Teaming and Energy Grid Security
Red Teaming and Energy Grid SecurityRed Teaming and Energy Grid Security
Red Teaming and Energy Grid SecurityEnergySec
 
Thisworldofours
ThisworldofoursThisworldofours
Thisworldofoursjennyevans555
 
Security trend analysis with CVE topic models
Security trend analysis with CVE topic modelsSecurity trend analysis with CVE topic models
Security trend analysis with CVE topic modelsThomas Zimmermann
 
How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?Ksenia Peguero
 
Using Analyzers to Resolve Security Problems
Using Analyzers to Resolve Security ProblemsUsing Analyzers to Resolve Security Problems
Using Analyzers to Resolve Security Problemskiansahafi
 
Open source security tools for Kubernetes.
Open source security tools for Kubernetes.Open source security tools for Kubernetes.
Open source security tools for Kubernetes.Michael Ducy
 
apidays LIVE New York 2021 - Supercharge microservices with Service Mesh by S...
apidays LIVE New York 2021 - Supercharge microservices with Service Mesh by S...apidays LIVE New York 2021 - Supercharge microservices with Service Mesh by S...
apidays LIVE New York 2021 - Supercharge microservices with Service Mesh by S...apidays
 
Effectiveness of AV in Detecting Web Application Backdoors
Effectiveness of AV in Detecting Web Application BackdoorsEffectiveness of AV in Detecting Web Application Backdoors
Effectiveness of AV in Detecting Web Application Backdoorsn|u - The Open Security Community
 
Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!Michael Man
 
Vulnerability Advisor Deep Dive (Dec 2016)
Vulnerability Advisor Deep Dive (Dec 2016)Vulnerability Advisor Deep Dive (Dec 2016)
Vulnerability Advisor Deep Dive (Dec 2016)Canturk Isci
 
Security for cloud native workloads
Security for cloud native workloadsSecurity for cloud native workloads
Security for cloud native workloadsRuncy Oommen
 
A Distributed Malware Analysis System Cuckoo Sandbox
A Distributed Malware Analysis System Cuckoo SandboxA Distributed Malware Analysis System Cuckoo Sandbox
A Distributed Malware Analysis System Cuckoo SandboxAndy Lee
 
Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessmentRavikumar Paghdal
 
Chapter 6 overview
Chapter 6 overviewChapter 6 overview
Chapter 6 overviewali raza
 
Application cloudification with liberty and urban code deploy - UCD
Application cloudification with liberty and urban code deploy - UCDApplication cloudification with liberty and urban code deploy - UCD
Application cloudification with liberty and urban code deploy - UCDDavide Veronese
 
Watch How The Giants Fall: Learning from Bug Bounty Results
Watch How The Giants Fall: Learning from Bug Bounty ResultsWatch How The Giants Fall: Learning from Bug Bounty Results
Watch How The Giants Fall: Learning from Bug Bounty Resultsjtmelton
 
Envoy @ Lyft: developer productivity (kubecon 2.0)
Envoy @ Lyft: developer productivity (kubecon 2.0)Envoy @ Lyft: developer productivity (kubecon 2.0)
Envoy @ Lyft: developer productivity (kubecon 2.0)Jose Ulises Nino Rivera
 
Azure 101: Shared responsibility in the Azure Cloud
Azure 101: Shared responsibility in the Azure CloudAzure 101: Shared responsibility in the Azure Cloud
Azure 101: Shared responsibility in the Azure CloudPaulo Renato
 
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-b...
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-b...Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-b...
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-b...Rana Khalil
 
Laying the Foundation for Ionic Platform Insights on Spark
Laying the Foundation for Ionic Platform Insights on SparkLaying the Foundation for Ionic Platform Insights on Spark
Laying the Foundation for Ionic Platform Insights on SparkIonic Security
 
[OWASP Poland Day] A study of Electron security
[OWASP Poland Day] A study of Electron security[OWASP Poland Day] A study of Electron security
[OWASP Poland Day] A study of Electron securityOWASP
 
ThroughTheLookingGlass_EffectiveObservability.pptx
ThroughTheLookingGlass_EffectiveObservability.pptxThroughTheLookingGlass_EffectiveObservability.pptx
ThroughTheLookingGlass_EffectiveObservability.pptxGrace Jansen
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 

Más contenido relacionado

Similar a Vulnerability Assessment of Middleware Packages Supplied by EMI: VOMS Core Case

Security trend analysis with CVE topic models
Security trend analysis with CVE topic modelsSecurity trend analysis with CVE topic models
Security trend analysis with CVE topic modelsThomas Zimmermann
 
How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?Ksenia Peguero
 
Using Analyzers to Resolve Security Problems
Using Analyzers to Resolve Security ProblemsUsing Analyzers to Resolve Security Problems
Using Analyzers to Resolve Security Problemskiansahafi
 
Open source security tools for Kubernetes.
Open source security tools for Kubernetes.Open source security tools for Kubernetes.
Open source security tools for Kubernetes.Michael Ducy
 
apidays LIVE New York 2021 - Supercharge microservices with Service Mesh by S...
apidays LIVE New York 2021 - Supercharge microservices with Service Mesh by S...apidays LIVE New York 2021 - Supercharge microservices with Service Mesh by S...
apidays LIVE New York 2021 - Supercharge microservices with Service Mesh by S...apidays
 
Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!Michael Man
 
Vulnerability Advisor Deep Dive (Dec 2016)
Vulnerability Advisor Deep Dive (Dec 2016)Vulnerability Advisor Deep Dive (Dec 2016)
Vulnerability Advisor Deep Dive (Dec 2016)Canturk Isci
 
Security for cloud native workloads
Security for cloud native workloadsSecurity for cloud native workloads
Security for cloud native workloadsRuncy Oommen
 
A Distributed Malware Analysis System Cuckoo Sandbox
A Distributed Malware Analysis System Cuckoo SandboxA Distributed Malware Analysis System Cuckoo Sandbox
A Distributed Malware Analysis System Cuckoo SandboxAndy Lee
 
Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessmentRavikumar Paghdal
 
Chapter 6 overview
Chapter 6 overviewChapter 6 overview
Chapter 6 overviewali raza
 
Application cloudification with liberty and urban code deploy - UCD
Application cloudification with liberty and urban code deploy - UCDApplication cloudification with liberty and urban code deploy - UCD
Application cloudification with liberty and urban code deploy - UCDDavide Veronese
 
Watch How The Giants Fall: Learning from Bug Bounty Results
Watch How The Giants Fall: Learning from Bug Bounty ResultsWatch How The Giants Fall: Learning from Bug Bounty Results
Watch How The Giants Fall: Learning from Bug Bounty Resultsjtmelton
 
Envoy @ Lyft: developer productivity (kubecon 2.0)
Envoy @ Lyft: developer productivity (kubecon 2.0)Envoy @ Lyft: developer productivity (kubecon 2.0)
Envoy @ Lyft: developer productivity (kubecon 2.0)Jose Ulises Nino Rivera
 
Azure 101: Shared responsibility in the Azure Cloud
Azure 101: Shared responsibility in the Azure CloudAzure 101: Shared responsibility in the Azure Cloud
Azure 101: Shared responsibility in the Azure CloudPaulo Renato
 
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-b...
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-b...Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-b...
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-b...Rana Khalil
 
Laying the Foundation for Ionic Platform Insights on Spark
Laying the Foundation for Ionic Platform Insights on SparkLaying the Foundation for Ionic Platform Insights on Spark
Laying the Foundation for Ionic Platform Insights on SparkIonic Security
 
[OWASP Poland Day] A study of Electron security
[OWASP Poland Day] A study of Electron security[OWASP Poland Day] A study of Electron security
[OWASP Poland Day] A study of Electron securityOWASP
 
ThroughTheLookingGlass_EffectiveObservability.pptx
ThroughTheLookingGlass_EffectiveObservability.pptxThroughTheLookingGlass_EffectiveObservability.pptx
ThroughTheLookingGlass_EffectiveObservability.pptxGrace Jansen
 

Similar a Vulnerability Assessment of Middleware Packages Supplied by EMI: VOMS Core Case (20)

Security trend analysis with CVE topic models
Security trend analysis with CVE topic modelsSecurity trend analysis with CVE topic models
Security trend analysis with CVE topic models
 
How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?
 
Using Analyzers to Resolve Security Problems
Using Analyzers to Resolve Security ProblemsUsing Analyzers to Resolve Security Problems
Using Analyzers to Resolve Security Problems
 
Open source security tools for Kubernetes.
Open source security tools for Kubernetes.Open source security tools for Kubernetes.
Open source security tools for Kubernetes.
 
apidays LIVE New York 2021 - Supercharge microservices with Service Mesh by S...
apidays LIVE New York 2021 - Supercharge microservices with Service Mesh by S...apidays LIVE New York 2021 - Supercharge microservices with Service Mesh by S...
apidays LIVE New York 2021 - Supercharge microservices with Service Mesh by S...
 
Effectiveness of AV in Detecting Web Application Backdoors
Effectiveness of AV in Detecting Web Application BackdoorsEffectiveness of AV in Detecting Web Application Backdoors
Effectiveness of AV in Detecting Web Application Backdoors
 
Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!
 
Vulnerability Advisor Deep Dive (Dec 2016)
Vulnerability Advisor Deep Dive (Dec 2016)Vulnerability Advisor Deep Dive (Dec 2016)
Vulnerability Advisor Deep Dive (Dec 2016)
 
Security for cloud native workloads
Security for cloud native workloadsSecurity for cloud native workloads
Security for cloud native workloads
 
A Distributed Malware Analysis System Cuckoo Sandbox
A Distributed Malware Analysis System Cuckoo SandboxA Distributed Malware Analysis System Cuckoo Sandbox
A Distributed Malware Analysis System Cuckoo Sandbox
 
Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessment
 
Chapter 6 overview
Chapter 6 overviewChapter 6 overview
Chapter 6 overview
 
Application cloudification with liberty and urban code deploy - UCD
Application cloudification with liberty and urban code deploy - UCDApplication cloudification with liberty and urban code deploy - UCD
Application cloudification with liberty and urban code deploy - UCD
 
Watch How The Giants Fall: Learning from Bug Bounty Results
Watch How The Giants Fall: Learning from Bug Bounty ResultsWatch How The Giants Fall: Learning from Bug Bounty Results
Watch How The Giants Fall: Learning from Bug Bounty Results
 
Envoy @ Lyft: developer productivity (kubecon 2.0)
Envoy @ Lyft: developer productivity (kubecon 2.0)Envoy @ Lyft: developer productivity (kubecon 2.0)
Envoy @ Lyft: developer productivity (kubecon 2.0)
 
Azure 101: Shared responsibility in the Azure Cloud
Azure 101: Shared responsibility in the Azure CloudAzure 101: Shared responsibility in the Azure Cloud
Azure 101: Shared responsibility in the Azure Cloud
 
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-b...
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-b...Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-b...
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-b...
 
Laying the Foundation for Ionic Platform Insights on Spark
Laying the Foundation for Ionic Platform Insights on SparkLaying the Foundation for Ionic Platform Insights on Spark
Laying the Foundation for Ionic Platform Insights on Spark
 
[OWASP Poland Day] A study of Electron security
[OWASP Poland Day] A study of Electron security[OWASP Poland Day] A study of Electron security
[OWASP Poland Day] A study of Electron security
 
ThroughTheLookingGlass_EffectiveObservability.pptx
ThroughTheLookingGlass_EffectiveObservability.pptxThroughTheLookingGlass_EffectiveObservability.pptx
ThroughTheLookingGlass_EffectiveObservability.pptx
 

Último

Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 

Último (20)

Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 

Vulnerability Assessment of Middleware Packages Supplied by EMI: VOMS Core Case

  • 1. www.egi.euEGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.euEGI-InSPIRE RI-261323 Vulnerability Assessment of Middleware Packages Supplied by EMI: VOMS Core Case Manuel Brugnoli, Elisa Heymann UAB
  • 2. www.egi.euEGI-InSPIRE RI-261323 Outline • First Principles Vulnerability Assessment (FPVA) • VOMS Core • VOMS Core assessment using FPVA • Conclusions Contents
  • 3. www.egi.euEGI-InSPIRE RI-261323 “Is a primarily analyst-centric (manual) approach to assessment, whose aim is to focus the analyst’s attention on the parts of the software system and its resources that are mostly likely to contain vulnerabilities that would provide access to high-value assets”* * James A. Kupsch, Barton P. Miller, Eduardo César, and Elisa Heymann, "First Principles Vulnerability Assessment" (extended version), MIST Project Technical Report, September 2009. First Principles Vulnerability Assessment (FPVA)
  • 4. www.egi.euEGI-InSPIRE RI-261323 Architecture Resources Privileges Components Dissemination to identify the major structural components of the system, including modules, threads, processes, and hosts.to identify the key resources accessed by each component, and the operations supported on those resources.identifies the trust assumptions about each component, answering such questions as how are they protected and who can access them? is to examine each component in depth. A key aspect is that this step is guided by information obtained in the first three steps, helping to prioritize the work so that highvalue targets are evaluated first. artifacts produced by this step are vulnerability reports, perhaps with suggested fixes, to be provided to the middleware developers. First Principles Vulnerability Assessment (FPVA)
  • 5. www.egi.euEGI-InSPIRE RI-261323 Virtual Organization Membership Service (VOMS) serves as a central repository for user authorization information, providing support for sorting users into a general group hierarchy, keeping track of their roles, etc. VOMS Core is the server that receives requests from a VOMS client and returns information about the user. We worked with VOMS Core 2.0.2. VOMS Core assessment using FPVA
  • 6. www.egi.euEGI-InSPIRE RI-261323 VOMS Server Host DB VOMS Admin (Tomcat) VOMS daemon User Host Web Browser VOMS Client VOMS Admin Client HTTPS SOAP over SSL Ancillary Utilities GSI Connection OS privileges user daemon root DB privileges VO_Server Command Line Command Line Web Command Line Step 1: VOMS 2.0.2 Architecture Analysis
  • 7. www.egi.euEGI-InSPIRE RI-261323 Step 1: VOMS Client-Server Interaction
  • 8. www.egi.euEGI-InSPIRE RI-261323 Step 2: VOMS Core 2.0.2 Resource Analysis
  • 9. www.egi.euEGI-InSPIRE RI-261323 Step 2: VOMS Core 2.0.2 Resource Analysis
  • 10. www.egi.euEGI-InSPIRE RI-261323 Step 3: VOMS Core 2.0.2 Privilege Analysis
  • 11. www.egi.euEGI-InSPIRE RI-261323 • Resource permissions: • Evaluated the permissions of files that have a high security value (certificate private keys, database and configuration files). • The permissions of these files appeared to be correct. Step 4: VOMS Core 2.0.2 Component Analysis
  • 12. www.egi.euEGI-InSPIRE RI-261323 • User privileges: • Client side: • No privilege problems in the client commands. • Server side: • The voms daemon runs with root operating system privileges. • Evaluated the source code looking for flaws that may compromise the server. • No privilege problems were found. Step 4: VOMS Core 2.0.2 Component Analysis
  • 13. www.egi.euEGI-InSPIRE RI-261323 • Dangerous functions: • Evaluated the use of functions that commonly result in security problems, such as system or exec family functions. • No vulnerabilities related to dangerous functions were found. Step 4: VOMS Core 2.0.2 Component Analysis
  • 14. www.egi.euEGI-InSPIRE RI-261323 • Authentication Issues: • Mutual authentication is performed between the client and server. • VOMS design makes the system quite strong, and reduces many possible threats. Step 4: VOMS Core 2.0.2 Component Analysis
  • 15. www.egi.euEGI-InSPIRE RI-261323 • Network Layer Security: • VOMS server creates a secure communication channel via Globus GSI with the VOMS Clients. • The use of a encrypted channel provides strong end-to-end data encryption and integrity. Step 4: VOMS Core 2.0.2 Component Analysis
  • 16. www.egi.euEGI-InSPIRE RI-261323 • Injection Attacks: • Evaluated the source code to ensure VOMS correctly parses and checks the arguments passed through the command line. • Appropriate parsing is performed to protect against command injection vulnerabilities. Step 4: VOMS Core 2.0.2 Component Analysis
  • 17. www.egi.euEGI-InSPIRE RI-261323 • Buffer overflows: • VOMS Core is written in C/C++ → Checked for potential buffer overflow problems. • No dangerous behavior was detected. Step 4: VOMS Core 2.0.2 Component Analysis
  • 18. www.egi.euEGI-InSPIRE RI-261323 • Denial of Service Attacks: • A DoS vulnerability was discovered and reported to the VOMS developers. • This vulnerability is caused by lack of limits on the number of simultaneous connections. • Full details about this were reported in the vulnerability report VOMS-CORE-2011-0001. Step 4: VOMS Core 2.0.2 Component Analysis
  • 19. www.egi.euEGI-InSPIRE RI-261323 ConclusionsConclusions No serious security problems in VOMS Core 2.0.2 was found: • The attack surface in VOMS Core is very small. • VOMS Core correctly parses and checks the arguments sent from the client. • The VOMS server uses a forking server model to handle all requests from VOMS clients. • The recommended operational configuration of a VOMS server node is a highly secured host with limited local user access and other services. • All communication between the VOMS server and VOMS clients is secure. • A DoS vulnerability was found.