Security/Threat Analysis/Meetings/07-03-14


 * 19:00] == shohel02 [c1eada7a@gateway/web/freenode/ip.193.234.218.122] has joined ##openstack-threat-analysis
 * [19:01] Hi all
 * [19:01] hello
 * [19:01] hi Udit
 * [19:03] Hey!
 * [19:03] hey paulom, hw it going
 * [19:03] *paulmo*
 * [19:03] Good; glad you are driving threat modeling btw. :)
 * [19:04] yes, looks like we have low attendance today
 * [19:04] some other people also promised to join
 * [19:04] shohel02: What would help a lot is to post the time/location for this meeting on a wiki (or maybe I missed it).
 * [19:05] yes i did it
 * [19:05] https://wiki.openstack.org/wiki/Security/Threat_Analysis/
 * [19:05] Meeting section
 * [19:05] can we improve it some how
 * [19:06] Oh, sorry, that must have been added after I did some searching… my bad!
 * [19:06] yes, just updated this week...so it might be that
 * [19:07] We are low in numbers but still should we start the meeting
 * [19:08] I think we start now and lets see if others join
 * [19:08] Sure
 * [19:09] #startmeeting OpenStack Threat Modelling
 * [19:09] Some recap from last meeting.
 * [19:09] this what we discussed
 * [19:10] 1) A common framework for threat modelling of all openstack project
 * [19:10] 2) Some of us are working on Keystone Threat modelling     - Action point: engagement with keystone developers
 * [19:10] 3) Threat modelling can also be performed for other project in OpenStack e.g., Solum
 * [19:10] == bknudson [bknudson@nat/ibm/x-yupaaiitpfhxrhqp] has joined ##openstack-threat-analysis
 * [19:11] hi bknudson
 * [19:11] hi
 * [19:11] we have just started
 * [19:11] PS: solum is nearing milestone 1 and I plan to create threat models at each milestone if possible/feasible.
 * [19:11] sounds good
 * [19:12] couple of things has been done after the last meeting
 * [19:12] 1) Updating the Threat Modeling wiki page, so the information is update also meeting schedule is there
 * [19:12] https://wiki.openstack.org/wiki/Security/Threat_Analysis
 * [19:13] Any comment what can be included in the wiki or feel free to edit it
 * [19:14] Thanks for creating/posting those detailed steps/guidance.
 * [19:15] thanks, ok then move to the keystone work
 * [19:15] #Topic Keystone  Threat modelling status update
 * [19:15] We are continuing the work. We are ready to publish threat analysis report for another  component - Auth_token Middleware
 * [19:16] All these are WIP documents
 * [19:16] can be found in https://drive.google.com/file/d/0B1aEVfmQtqnoT28wd2Z1QTNaVXM/edit?usp=sharing
 * [19:16] In addition some correction are made to earlier files:
 * [19:17] for the token provider    https://drive.google.com/file/d/0B1aEVfmQtqnoejN1T1kybjlnMkk/edit?usp=sharing
 * [19:17] We are working on threat modelling of Token Manager/API and Policy Manger
 * [19:17] Love those diagrams and detail!
 * [19:18] There is need for reviewing this docs, so that we can improve align with Keystone developers
 * [19:18] bknudson do you have any thoughts on this
 * [19:18] thanks paulmo
 * [19:18] shohel02: looking at it now.
 * [19:19] Sorry for a tangent but uuid4 is deemed to have a suitable PRNG correct?  (this comes up often in the ML it seems)
 * [19:20] yes.. its correct
 * [19:21] Probably we need to remove threats, which are not feasible, and threats we have not considered yet
 * [19:21] shohel02: the assumption here shouldn't be a-priori -- 4 Signing cert and certificate authority are obtained and distributed in a secure way.
 * [19:21] because the auth_token middleware actually fetches the signing cert from keystone.
 * [19:22] ah haa!
 * [19:22] Didn't get a chance to dig too deep (you may have done this already) but I always like identifying local vs remote attacks where possible.
 * [19:22] also, I think another "objective" should be to provide the user info to the application... e.g., the roles.
 * [19:22] then there is a issue with certificate provision happens in auth_token
 * [19:23] ok, i  note that one
 * [19:23] yes, we need to consider potential abuses
 * [19:23] we had a vulnerability already around this
 * [19:23] the signing cert could be put into /tmp/keystone or something... but somebody could sneak in and create /tmp/keystone and spoof it.
 * [19:25] an internal attack is possible
 * [19:27] thanks bknudson
 * [19:28] One of the issue i would like to discuss is how we can collaborate and Way of working
 * [19:29] Should we form some small team where we publish all the WIP docs and each other gives feedback/review
 * [19:33] That sounds like a good idea to me
 * [19:33] ok
 * [19:33] It will also help train folks on the standard we create for threat models
 * [19:33] yes definitely
 * [19:34] Ok, then any other issues
 * [19:35] bknudson any thought
 * [19:35] shohel02: the doc is looking good so far.
 * [19:35] I assume there's work in progress here.
 * [19:36] ok, then we are almost end of the meeting (30 min)
 * [19:36] I'm on 3.2 Entry points -- what's the public port / private port mean? I think the only entry point to the auth_token middleware is essentially the paste pipeline.
 * [19:36] it's not accepting connections itself
 * [19:37] auth_token has to trust the wsgi container implicitly
 * [19:37] ok
 * [19:37] we thought it from different angle
 * [19:37] well, maybe I just don't know what the definition of an entry point is from a threat analysis viewpoint.
 * [19:38] public is the one where auth_token receives request client side
 * [19:38] and private one is the port it creates when validating UUID token
 * [19:38] that's provided by the wsgi container
 * [19:38] but may be our definition is wrong
 * [19:39] if it's "any way that data can get into auth_token from outside" ... that would include config files, too, I guess.
 * [19:40] and I can see how communicating with identity server is a private port that auth_token creates.
 * [19:43] thats good point, we check again how we can would be entry points
 * [19:43] shohel02: the doc is looking good so far
 * [19:44] thanks, so should we conclude the meeting now
 * [19:44] See you next time!
 * [19:44] thanks for setting this up!
 * [19:45] I will create a group, so send all the updated docs to interested people
 * [19:45] when's the next meeting?
 * [19:45] and we start working :)
 * [19:45] thanks everyone for joining
 * [19:45] btw - I did mention this work at the keystone meeting.
 * [19:45] so they know about it
 * [19:45] thanks
 * [19:45] for that
 * [19:45] and gyee mentioned that security group at hp had maybe done threat analysis.
 * [19:46] hmm
 * [19:46] lets see clark can engage some one from that team
 * [19:47] *Rob Clark*
 * [19:47] ok guys thanks for joining
 * [19:47] have a g8 weekend
 * [19:49] #endmeeting