[Openstack-security] Deriving Instance UUID
Brian Schott
brian.schott at nimbisservices.com
Mon Dec 9 21:42:34 UTC 2013
You probably have to wait about 100 years for that test ;-). However, you are right that this is system dependent. I came across this bug in Mac OS X when googling for the birthday problem table. After a fork, uuid_generate_random() generates the same UUID in every child!
http://stackoverflow.com/questions/2759644/python-multiprocessing-doesnt-play-nicely-with-uuid-uuid4
http://bugs.python.org/issue8621
http://openradar.appspot.com/radar?id=334401
-------------------------------------------------
Brian Schott, CTO
Nimbis Services, Inc.
brian.schott at nimbisservices.com
ph: 443-274-6064 fx: 443-274-6060
On Dec 9, 2013, at 4:23 PM, Cody Bunch <cody.bunch at rackspace.com> wrote:
> Thanks! I'd replied, but seems I left the list off. The Nova sources (nova/openstack/common/uuidutils.py) use Python's uuid.uuid4() to generate the UUIDs. The Python source for UUID4 seems to pull from a number of methods, going to (u)random or Python's random module, so heavily dependent on system(s) it's being run from:
> http://hg.python.org/cpython/file/ec8d2f54dcb2/Lib/uuid.py
>
> I did throw up a quick test to see if I can find a match... so far I've generated 20 million UUIDs and not had a collision (didn't expect one, but it's good to see):
> https://gist.github.com/bunchc/7880710
>
> It also seems that other services may use their own UUID generation or so, I've not looked into that however.
>
> -C
> From: Brian Schott [brian.schott at nimbisservices.com]
> Sent: Monday, December 09, 2013 3:16 PM
> To: Clark, Robert Graham
> Cc: openstack-security at lists.openstack.org
> Subject: Re: [Openstack-security] Deriving Instance UUID
>
> Rob,
>
> That is a hard question. The short answer is that it depends on the type of UUID. Type 1 is MAC address of the server + timestamp, so probability of guessing another UUID in the system is very high. Type 4 (random) has 122 bits, so probability of collision is extremely small and is also dependent on having a good random number generator. A poor implementation might be predictable. Type 5 (namespace) has fewer bits depending on the size of the namespace.
>
> http://en.wikipedia.org/wiki/Birthday_problem#Probability_table
>
> I think in general web url usage, a bare UUID as authentication mechanism isn't considered good practice, but it really depends on how many elements you have in the system, how it is protected from brute-force attacks, etc.
>
> Brian
>
> -------------------------------------------------
> Brian Schott, CTO
> Nimbis Services, Inc.
> brian.schott at nimbisservices.com
> ph: 443-274-6064 fx: 443-274-6060
>
>
>
> On Dec 9, 2013, at 3:06 PM, Clark, Robert Graham <robert.clark at hp.com> wrote:
>
>> Guys,
>>
>> Is there any way you know of to infer or guess at the UUID of a compute instance belonging to another tenant?
>>
>> -Rob
>> _______________________________________________
>> Openstack-security mailing list
>> Openstack-security at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
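The two things argued about in this thread, the birthday bound on 122 random bits and whether uuid4() stays unique across fork(), can both be checked directly. The script below is an added example written for this archive page; it is not Nova's code, not Cody's gist, and not from the Python bug report. It assumes a POSIX host with os.fork() (it skips the fork check where fork is unavailable) and uses only the standard library.

```python
import math
import os
import uuid

# A version-4 UUID fixes the version and variant bits, leaving 122 random bits.
UUID4_RANDOM_BITS = 122


def collision_probability(n, bits=UUID4_RANDOM_BITS):
    """Birthday bound: probability of at least one duplicate among n draws
    from a space of 2**bits values, via 1 - exp(-n(n-1)/(2N)).
    expm1 keeps precision for the tiny values that 122 bits produce."""
    space = 2.0 ** bits
    return -math.expm1(-n * (n - 1) / (2.0 * space))


def draws_for_probability(p, bits=UUID4_RANDOM_BITS):
    """Inverse of the bound: how many draws before the collision
    probability reaches p (p = 0.5 is the usual 'birthday' figure)."""
    space = 2.0 ** bits
    return math.sqrt(2.0 * space * -math.log(1.0 - p))


def first_collision(n):
    """Generate n uuid4 values and return the first duplicate, or None.
    This is the empirical test from the thread; for any n a laptop can
    reach, the bound above says the answer should be None."""
    seen = set()
    for _ in range(n):
        u = uuid.uuid4()
        if u in seen:
            return u
        seen.add(u)
    return None


def uuids_from_forked_children(children=8):
    """Fork `children` processes, each generating one uuid4 and writing it
    back over a pipe. A generator whose state is copied across fork()
    without reseeding (the bug cited in the thread) would hand every
    child the same value. Returns [] if the platform has no fork()."""
    if not hasattr(os, "fork"):
        return []
    results = []
    for _ in range(children):
        read_fd, write_fd = os.pipe()
        pid = os.fork()
        if pid == 0:  # child: emit one UUID and exit without flushing stdio
            os.close(read_fd)
            os.write(write_fd, str(uuid.uuid4()).encode("ascii"))
            os.close(write_fd)
            os._exit(0)
        os.close(write_fd)  # parent: collect the child's UUID
        data = b""
        while True:
            chunk = os.read(read_fd, 64)
            if not chunk:
                break
            data += chunk
        os.close(read_fd)
        os.waitpid(pid, 0)
        results.append(data.decode("ascii"))
    return results


def fork_safe(children=8):
    """True when every forked child produced a distinct uuid4."""
    values = uuids_from_forked_children(children)
    return len(set(values)) == len(values)


if __name__ == "__main__":
    print("P(collision) after 20 million uuid4s:", collision_probability(20_000_000))
    print("draws for 50% collision chance: %.3g" % draws_for_probability(0.5))
    print("duplicate in 100k draws:", first_collision(100_000))
    print("distinct across forked children:", fork_safe())
```

The fork check is the practical one for a service like nova-api that pre-forks workers: on a platform where the RNG state is inherited, every worker would mint the same instance UUID for its first request. The bound shows why the 20-million-sample test on its own is uninformative: with 122 bits, even 2^61 draws only reach about a 39% collision chance.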