So it’s a blast watching patch 61 of 98 install at 2 AM…
Something my troubled brain has pondered is why companies seem to be migrating services to cloud servers in droves. How can you
trust anything if you don’t manage the physical hardware?
Whoever manages that physical hardware is
holding all the keys. No matter how “secure”
you make the VM against network attacks, how strong your pass phrases are, how current the
patches are, or whether you install a HIPS, the provider can bypass all of it from the host.
I was reading an article about how a collection of three-letter agencies
were able to take down "The Silk Road", a website that operated on the Tor network (just to be clear, I am not upset they took the website down, but this is not a post about morality). Anyway, this restarted my brain pondering the security of cloud VMs and hosted servers.
The interesting part of the article was that “the government
asked for an image of the server's hard drives”. The hosting provider produced that image without powering off or
shutting down the VM, and the owner never knew anything had happened.
It’s a security issue that’s been raised before.
So what can we do to mitigate this type of security issue?
Nothing. Seriously,
nothing.
For example, how about installing PGP WDE or TrueCrypt in the VM
and encrypting the entire virtual disk?
Sounds like that would fix everything, right? The virtual drive is encrypted, so
if they capture it, it’s still encrypted. Great!
Well, the problem is that "they" have physical access to the host, so the
operator can simply snapshot the entire VM and dump its memory to a
file. Every mainstream hypervisor offers this as a feature (a VMware snapshot with memory state writes the guest RAM to a .vmem file; libvirt has `virsh dump`), so it is not even a hack. Now, can you guess where the
encryption keys are kept while the VM is running? Yep, in memory. So they just search the memory image for where
PGP WDE/TrueCrypt keeps its keys, and because the driver holds the expanded AES key schedule for speed, that structure is easy to recognise without knowing anything else about the system. Well,
shoot, they didn’t even have to hook the console redirection code of the host
operating system to log keystrokes when the VM owner had to manually
enter the PGP WDE/TrueCrypt pass phrase to get the VM to boot.
So not even the coveted whole-disk encryption can save your
VM from curious eyes that might be working for the cloud provider.
Now, this could also have been done on any physical server with RAID 1 drives.
They would just have to pull a drive out claiming it had failed and
needed to be replaced. Once pulled, they
could simply pop that drive into another
system and capture the image. A physical server does give you one extra layer: whole-disk encryption on
the box stops a pulled drive from yielding a usable image. It would still be possible to extract
the encryption keys from the physical server's memory, but the process is much more
involved and harder to hide: a cold-boot dump means a reboot someone might notice, and a DMA attack over
FireWire or a PCIe slot needs hands on a running box.
There is also the TPM (Trusted Platform Module) chip on some
motherboards that provides a secure place to seal the disk-encryption key
between reboots. This eliminates the
requirement to enter any pass phrase to boot the system (which also means anyone who boots that exact configuration gets the key unsealed, so you want a PIN on top). My problem is that the manufacturer
creates the chip's Endorsement Key and it cannot be regenerated (to my knowledge). So every TPM produced ships with a root of trust you didn't generate
and can't audit. Yah, very “trusted”. And it doesn't touch the point above: once the TPM unseals the key it goes into RAM like any other key, and in a VM the “TPM” is a virtual device emulated by the hypervisor, so the operator holds it anyway. This is the same problem as centralized
Certification Authorities: [insert trusted root CA here] can issue a certificate for your domain and your browser will trust it, but that’s another rant of mine.
If you cannot trust the physical network, the physical security,
and the host the VM is being executed on, there is no amount of “security” you can
patch on to make it secure.
So where does that leave us?
Lock up your servers in a dark, cold tower of a room and do not let
anyone in.
Ok back to watching servers patch.
:)