Cloud Services and kernel mitigations and OpenBSD cli support

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

Cloud Services and kernel mitigations and OpenBSD cli support

Kevin Chadwick-4
We all know Bare metal is more secure (ignoring physical security)
especially with OpenBSD but if you need cost effective global resources
on tap then I believe you need cloud.

We all know microsoft have a huge user base and userland issues that
are problematic however despite some recent Linux kernel mitigation
adoption attemps, Linux focus on kernel mitigations have been
lacklustre whilst microsoft have been comparatively active albeit
enabling and enforcing mitigations (even ASLR) for all applications by
default has been lacklustre.

As cloud services are free from microsofts userland it is a *hopeful*
assumption that their security mitigation works applies to their cloud
too whereas I expect it is unlikely with Amazon and Google (AFAIK
Android fairs better than Linux for mitigations due to Google
however??)

Perhaps OpenBSD mitigations still apply effectively to ec2 instances
and cloud services isolation is good enough to never undermine this,
though I find that hard to believe. Perhaps new processor developments
will solve this issue.

None of this matters if you cannot get things done. I know there is
OpenBSD AWS client availability but I am unsure about Azure, Google etc.

Any advice and experience is welcome, Thankyou.

Reply | Threaded
Open this post in threaded view
|

Re: Cloud Services and kernel mitigations and OpenBSD cli support

Jeroen
Hi,

I've yet to stumble upon the first provider which actually uses OpenBSD
as the hypervisor, instead of VMware, Xen, KVM, etc. That, in fact,
would be an awesome development. I have been thinkering with this
thought back and forth, but the IT company I work for isn't big enough
to facilitate this - yet.

As to public clouds, no doubt it's far less secure than running OpenBSD
bare metal. However, public clouds do have one advantage over bare
metal, VMs can be made with the mere click of a button, whereas bare
metal often takes time to be put online.

Having said that, it isn't always that more cost effective. There are
very cheap dedicated servers available. Like in Germany, there is
Hetzner, Servdiscount, etc. If you need bulk storage, a dedi is often
more affordable than a VM/VPS. However, they do oversell bandwith - a
lot.

I always prefer a dedicated server to run OpenBSD on, which is my
preferred OS. However, if you would hold a gun to my head and made me
pick a public cloud provider, I'd pick Azure. There have been some
developments that sound okay-ish, like confidential computing: https://
arstechnica.com/gadgets/2017/09/azure-confidential-computing-will-keep-
data-secret-even-from-microsoft/

As to the exploit mitigation, I really don't know how this upholds
after four years or whether this even applies to public clouds - this
might be somewhat related at best: https://www.youtube.com/watch?v=OXS8
ljif9b8

I am keen to know whether someone has real hands-on experience with
OpenBSD, exploit mitigations and public clouds - I don't.

-J.


On Thu, 2018-03-08 at 10:51 +0000, Kevin Chadwick wrote:

> We all know Bare metal is more secure (ignoring physical security)
> especially with OpenBSD but if you need cost effective global resources
> on tap then I believe you need cloud.
>
> We all know microsoft have a huge user base and userland issues that
> are problematic however despite some recent Linux kernel mitigation
> adoption attemps, Linux focus on kernel mitigations have been
> lacklustre whilst microsoft have been comparatively active albeit
> enabling and enforcing mitigations (even ASLR) for all applications by
> default has been lacklustre.
>
> As cloud services are free from microsofts userland it is a *hopeful*
> assumption that their security mitigation works applies to their cloud
> too whereas I expect it is unlikely with Amazon and Google (AFAIK
> Android fairs better than Linux for mitigations due to Google
> however??)
>
> Perhaps OpenBSD mitigations still apply effectively to ec2 instances
> and cloud services isolation is good enough to never undermine this,
> though I find that hard to believe. Perhaps new processor developments
> will solve this issue.
>
> None of this matters if you cannot get things done. I know there is
> OpenBSD AWS client availability but I am unsure about Azure, Google etc.
>
> Any advice and experience is welcome, Thankyou.
>





Reply | Threaded
Open this post in threaded view
|

Re: Cloud Services and kernel mitigations and OpenBSD cli support

Rupert Gallagher
In reply to this post by Kevin Chadwick-4
Cloud poses a risk to privacy that you cannot and must not ignore in business. Ignore everyone that says otherwise. --- If you are a fabless company, for example, it is easy for a cloud sysadmin to exploit the latest vulnerabilities to read your data bank and sell your secrets. Email (yahoo, hotmail, gmail, you name it) is another example of cloud service: sysadmins do not need to exploit anything, because the contents are stored in plain text. --- If you need a cloud, you better make your own.

Sent from ProtonMail Mobile

On Thu, Mar 8, 2018 at 11:51, Kevin Chadwick <[hidden email]> wrote:

> We all know Bare metal is more secure (ignoring physical security) especially with OpenBSD but if you need cost effective global resources on tap then I believe you need cloud. We all know microsoft have a huge user base and userland issues that are problematic however despite some recent Linux kernel mitigation adoption attemps, Linux focus on kernel mitigations have been lacklustre whilst microsoft have been comparatively active albeit enabling and enforcing mitigations (even ASLR) for all applications by default has been lacklustre. As cloud services are free from microsofts userland it is a *hopeful* assumption that their security mitigation works applies to their cloud too whereas I expect it is unlikely with Amazon and Google (AFAIK Android fairs better than Linux for mitigations due to Google however??) Perhaps OpenBSD mitigations still apply effectively to ec2 instances and cloud services isolation is good enough to never undermine this, though I find that hard to believe. Perhaps new processor developments will solve this issue. None of this matters if you cannot get things done. I know there is OpenBSD AWS client availability but I am unsure about Azure, Google etc. Any advice and experience is welcome, Thankyou.