#lascon2013

Securing Redis with Sedona

Will Urbanski

#lascon2013

About Me

• Security Researcher

• Outdoor Enthusiast

• Tweet @willurbanski

• Blog/tools available @shakingrock.com

#lascon2013

Today’s Talk

• Security in

• What you can do about it

#lascon2013

• Open-source data-structure server• Key-value store– Lists– Hashes– Sorted sets

• Lightweight, fast & free• http://redis.io

#lascon2013

Redis Security Model

“Redis is not designed for maximum security but rather maximum performance and simplicity”

“Redis is designed to be accessed by trusted clients inside trusted environments”

• http://redis.io/topics/security

#lascon2013

Commands

• Command-oriented, not query-oriented

• Not all commands are created equal

#lascon2013

Safe Commands

• Read-only• Single key usage• Not resource intensive

GETEXISTSLLENTTL

#lascon2013

Commands with Consequences

• Read or Write• Single Key SET

DELLPOPEXPIRES

#lascon2013

Dangerous Commands

• Affect multiple keys or entire service

• Impact availability if misused

EVALCLIENT KILLSAVECONFIG SET

#lascon2013

Commands That Will Ruin Your Weekend™

• Impacts entire service• Devastating if misused FLUSH

FLUSHALLSHUTDOWN

#lascon2013

#1

#lascon2013

Problem #1

There is no data control language

All clients can access all commands

#lascon2013

Command Renaming

• Rename dangerous commands!– SHUTDOWN can become cc23772aded8

• Reduces Usability

• Ideally only authorized users should be able to run SHUTDOWN

#lascon2013

#2

#lascon2013

Problem #2

Redis doesn’t really support authentication*

#lascon2013

Redis Authentication

• AUTH command

• No multiuser support

• No ACLs (see problem #1)

#lascon2013

#3

#lascon2013

Problem #3

Even if you could authenticate, you wouldn’t want to.

Redis lacks encryption support

#lascon2013

This is Okay

• Redis’ design focuses on performance and simplicity

• The Redis security model is transparent

#lascon2013

Compensating Controls

Authorization/Authentication• Rename dangerous

commands?

• AUTH command?

• Local-only w/ SSH?

Confidentiality• SSL Proxy (In Transit)?

• Wrap Redis libs (At Rest)?

#lascon2013

An ideal solution would…

• Encrypt– Support SSL/TLS natively– Support key-value

encryption

• Authenticate– Support user accounts– Support modular

authentication– Log access– Support rate-limiting

• Authorize– Not require command renaming

(security-through-obscurity)– Implement SQL’s DCL in a key-

value domain• Flexible command access• Flexible key access

• Be Practical– Not impose unnecessary

burdens• Performance• Administration

– Be compatible with native clients

#lascon2013

Sedona

• PoC application firewall for Redis

• Implements authentication, authorization and encryption enhancements

• Requires no changes to Redis core

• Python 2.7 w/ Twisted

#lascon2013

Authentication

• Adds user parameter to AUTH command– AUTH <user> <password>

• Supports modular authentication

• Preserves native AUTH functionality– AUTH <password> still works

#lascon2013

Authorization

• Adds per-user access control lists

• Command- and key-based ACLs

• ACCEPT, and REJECT

• Returns native Redis err/success for compatibility

#lascon2013

ACLs"rules": [

{"command": "set", "key": "test\\-*", "action”:"accept"},

{"command": "get", "key": "test\\-*", "action”:"accept"},

{"command": "ping", "action": "accept"},

{"command": "echo", "action": "accept"},

{"action": "reject"}

]

#lascon2013

Encryption

• Adds SSL support

• CLI tool for using SSL

#lascon2013

Use Cases

• Dev/Ops command segregation– Ops may require ‘SHUTDOWN’, ‘SAVE’, ‘CONFIG

SET’– Dev may require ‘SET’,’GET’, ‘LPOP’, …

• Key Enforcement

• Command blacklisting w/o renaming– SHUTDOWN, FLUSH, FLUSHALL

#lascon2013

Deployment Strategies

Inline• Intercepts all traffic to

server

• More secure

• More performance impacting

Edge of Trusted Environment• Only intercept untrusted

traffic

• Less secure (you decide what’s trusted)

• Less performance impacting

#lascon2013

Performance

+ Parsing+ Authorizing+ Tracking State= performance penalty

#lascon2013

0.00% 10.00% 20.00% 30.00% 40.00% 50.00% 60.00% 70.00% 80.00% 90.00% 100.00%0

10

20

30

40

50

60

70

80

90

Sedona Request Transit Times

SETLinear (SET)GETLinear (GET)LPUSHLinear (LPUSH)LPOPLinear (LPOP)

Percent of Requests (%)

Tim

e (m

s)

#lascon2013

Demos

• Configuration Files

• Authentication

• Authorization

#lascon2013

Wrapping Up

• Sedona is a tool that adds additional security to Redis installations

• If you find the tool useful, please contribute!

#lascon2013

Q&A

Fork Sedona @ Github Follow me on Twitter