[Openstack-security] Deriving Instance UUID
Sriram Subramanian
sriram at sriramhere.com
Mon Dec 9 22:52:14 UTC 2013
Thanks for the reply all.
If I have the UIUD of an instance of another tenant, what more can I do
with it? In other words, what is the impact of someone guessing/ inferring
UIUID of an instance that they don't belong to'?
RBAC would prevent controlling the state of the VM. Is there anyway one can
get access to the VM itself?
Thanks,
-Sriram
On Mon, Dec 9, 2013 at 1:42 PM, Brian Schott <
brian.schott at nimbisservices.com> wrote:
> You probably have to wait about 100 years for that test ;-). However, you
> are right that this is system dependent. I came across this bug in mac os
> x when googling for the birthday problem table. After a fork,
> uuid_generate_random() generates the same UUID in every child!
>
>
> http://stackoverflow.com/questions/2759644/python-multiprocessing-doesnt-play-nicely-with-uuid-uuid4
> http://bugs.python.org/issue8621
> http://openradar.appspot.com/radar?id=334401
>
>
> -------------------------------------------------
> Brian Schott, CTO
> Nimbis Services, Inc.
> brian.schott at nimbisservices.com
> ph: 443-274-6064 fx: 443-274-6060
>
>
>
> On Dec 9, 2013, at 4:23 PM, Cody Bunch <cody.bunch at rackspace.com> wrote:
>
> Thanks! I'd replied, but seems I left the list off. The Nova sources
> (nova/openstack/common/uuidutils.py) use Pythons uuid.uuid4() to generate
> the uuids. The Python source for UUID4 seems to pull from a number of
> methods, going to (u)random or pythons random module, so heavily dependent
> on system(s) it's being run from:
> http://hg.python.org/cpython/file/ec8d2f54dcb2/Lib/uuid.py
>
> I did throw up a quick test to see if I can find a match... so far I've
> generated 20 million uuid's and not had a collision (didn't expect one, but
> it's good to see):
> https://gist.github.com/bunchc/7880710
>
> It also seems that other services may use their own UUID generation or so,
> I've not looked into that however.
>
> -C
> ------------------------------
> *From:* Brian Schott [brian.schott at nimbisservices.com]
> *Sent:* Monday, December 09, 2013 3:16 PM
> *To:* Clark, Robert Graham
> *Cc:* openstack-security at lists.openstack.org
> *Subject:* Re: [Openstack-security] Deriving Instance UUID
>
> Rob,
>
> That is a hard question. The short answer is that it depends on the type
> of UUID. Type 1 () is mac address of the server + timestamp, so
> probability of guessing another UUID in the system is very high. Type 4
> (random) has 122 bits, so probability of collision is extremely small and
> is also dependent on having a good random number generator. A poor
> implementation might be predictable. Type 5 (namespace) has fewer bits
> depending on the size of the namespace.
>
> http://en.wikipedia.org/wiki/Birthday_problem#Probability_table
>
> I think in general web url usage, a bare UUID as authentication mechanism
> isn't considered good practice, but it really depends on how many elements
> you have in the system, how it is protected from brute-force attacks, etc.
>
> Brian
>
> -------------------------------------------------
> Brian Schott, CTO
> Nimbis Services, Inc.
> brian.schott at nimbisservices.com
> ph: 443-274-6064 fx: 443-274-6060
>
>
>
> On Dec 9, 2013, at 3:06 PM, Clark, Robert Graham <robert.clark at hp.com>
> wrote:
>
> Guys,
>
> Is there any way you know of to infer or guess at the UUID of a compute
> instance belonging to another tenant?
>
> -Rob
> _______________________________________________
> Openstack-security mailing list
> Openstack-security at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
>
>
>
> _______________________________________________
> Openstack-security mailing list
> Openstack-security at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
>
>
--
Thanks,
-Sriram
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-security/attachments/20131209/9f57fe5a/attachment.html>
More information about the Openstack-security
mailing list