Redis ACL RCP1

1. Redis ACL - RCP 1
DaeMyung Kang (charsyam@naver.com)

2. Who am I?
• Software Engineer At Udemy
• Redis Contributor
• Redis Document Project Committer
• https://github.com/antirez/redis-doc
• Speaker in RedisConf 2016
• TroubleShooting Redis

3. Agenda
• What happened without Authentication for Redis?
• What is current Redis ACL?
• What is RCP1

4. What happened without
Authentication for Redis?

5. Memcrashed

6. Memcrashed
• Memcached DDOS issue not Redis
• Memcached is high-performance In-Memory K-V Store
• Memcached opened UDP port as Default(11211 port).
• Memcached doesn't support Authentication.
• It web patched in 28 Feb, 2018

7. Memcrashed
Attacker
Victim
UDP
Servers
UDP
Servers
UDP
Servers
1. IP spoofed Requests
They can't verify UDP source
2. Legitimate UDP Response Victim receives huge traffic
from Memcached servers

8. Redis in public

9. Redis in public
• Redis opens 6379 port in public.
• Redis runs with Root Permission.
• Redis runs without requirepass.

10. You are ready
to be Hacked

11. How to hack Redis
• Using RDB Saving
• I don't want to show you the detail steps.

12. How to hack Redis #2

13. How to hack Redis #3

14. Never expose Your
Redis in Public

15. Redis Status(2018/05/30 : Today)
• Globally 17,153 Redis Servers are in Public

16. Memcached Status(2018/05/30 : Today)
• Globally 37,839 Memcached Servers are in Public

17. What is current Redis ACL?

18. Redis only
support
requirepass

19. Limitation of requirepass
• if you know password, you can run all commands.
• O(N) Commands
• KEYS
• FLUSHALL
• LREM

20. rename-command
• We can change command name to another.
• or can Disable it
• But sometimes we need to use disabled commands for management.
• if someone know changed commands
• All people will know them.
• Still someone can make mistake.

21. RCP1
Redis ACL

22. ACL : Access Control List
• Specify who has granted access to objects
• In Redis
• Specify who is granted to execute specific commands

23. Examples
#<username> <password> [<acl> <acl> … <acl>]
charsyam "my password" +#all
client "my password" +#readonly
default "" +ping +info
charsyam can execute all commands
client can execute only readonly commands
default user only can run ping and info commands
- default is a user permission before auth step.

24. auth example
auth <username> <password>

25. Command Groups
Command Command
#readonly #zset
#write #hash
#slow #hyperloglog
#admin #scan
#string #pubsub
#list #transaction
#set #scripting

26. Implementation
RCP1

27. bit arrays for commands #1 Command Group
Command Index
in BitArray

28. ACL BitArray
module
0
Get
1
Set
1
Setnx
0
Setex
0
… … …
This user can't use module command

29. ACL BitArray
Module
0
Get
1
Set
1
Setnx
0
Setex
0
… … …
This user can use Get command

30. bit arrays for commands #2
64 * 4
256 bits
typedef unsigned long long acl_t;

31. bit arrays for commands #3

32. How we can use?

33. Default User
+#ALL
-KEYS
-FLUSHALL
-ADMIN
Admin
+#ALL
Read Only
+#ReadOnly

34. Some Issues for Redis Security
• SSL/TLS supporting
• Periodic Password Changing

35. DEMO for RCP1

36. Thanks