Cloudy with a chance of zero day

This was a presentation by Jon Rose and Tom Leavey of Trustwave. They started off with about 15 minutes worth of cloud background. The problems (and potential problems) they identified were:

  • Vendor lock in may come up since the Amazon cloud is somewhat different from writing for Google's App Engine which is different from...
  • Enterprise ready vs. experimental, meaning that most uses of the cloud right now are non-mission-critical.
  • Forensics in the cloud are somewhat harder to perform since you can't necessarily get the log files.
  • Compliance is more difficult because you can't do physical visits to the data center.
  • Misuse is possible because you can not only use the cloud for good but can also fire up a malicious virtual machine.

They reviewed the Google Application Engine

After some discussion of how GAE works, they got into some possible attacks.

  • You can post data and that counts against incoming bandwidth, even if the application doesn't accept post requests at that URL. So, using XSS to get all the browsers to a site to run a POST against an application can easily blow past a site's incoming bandwidth quota and take them offline.
  • The task queue has a limit of 5 requests/second can be blown out with an attack.
  • Create dozens of proxies on GAE as a way to hide who you are when doing an attack.
  • You can create new versions of your application and switch between them, but using this means any visitor can choose which version of your application they want to run.
  • GQL Injection - may be possible to do injection, but they couldn't. Seems like it's probably not possible.