Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Create a standard for the security of iaas service software #765

Merged
merged 24 commits into from
Nov 20, 2024
Merged
Show file tree
Hide file tree
Changes from 13 commits
Commits
Show all changes
24 commits
Select commit Hold shift + click to select a range
dc34cee
Create scs-XXXX-v1-minimum-iaas-service-version.md
josephineSei Sep 30, 2024
913a775
First Draft of the Standard and Proposal of tests
josephineSei Oct 1, 2024
a2a2168
change link
josephineSei Oct 1, 2024
7417a30
Merge branch 'main' into minimun-iaas-service-versions
josephineSei Oct 1, 2024
1f28f0a
Update scs-XXXX-v1-minimum-iaas-service-version.md
josephineSei Oct 1, 2024
356c603
Update and rename scs-XXXX-v1-minimum-iaas-service-version.md to scs-…
josephineSei Oct 4, 2024
94c3c2c
Merge branch 'main' into minimun-iaas-service-versions
josephineSei Oct 4, 2024
a3c796c
Update scs-XXXX-v1-security-of-iaas-service-software.md
josephineSei Oct 8, 2024
60c7d61
Create scs-XXXX-w1-security-of-iaas-service-software.md
josephineSei Oct 8, 2024
a114d75
Apply suggestions from code review
josephineSei Oct 14, 2024
5278e77
rework glossary
josephineSei Oct 14, 2024
989cd0e
Update scs-XXXX-v1-security-of-iaas-service-software.md
josephineSei Oct 14, 2024
ddcaafa
Merge branch 'main' into minimun-iaas-service-versions
josephineSei Oct 14, 2024
384078c
Apply suggestions from code review
josephineSei Oct 18, 2024
1e10423
Update scs-XXXX-v1-security-of-iaas-service-software.md
josephineSei Oct 25, 2024
7d58189
Update scs-XXXX-v1-security-of-iaas-service-software.md
josephineSei Oct 25, 2024
447a569
Update scs-XXXX-w1-security-of-iaas-service-software.md
josephineSei Oct 25, 2024
e7a4ba0
Merge branch 'main' into minimun-iaas-service-versions
josephineSei Oct 28, 2024
e4e9d8e
Update scs-XXXX-v1-security-of-iaas-service-software.md
josephineSei Oct 28, 2024
9d93a30
Update scs-XXXX-v1-security-of-iaas-service-software.md
josephineSei Oct 28, 2024
d136bba
Apply suggestions from code review
josephineSei Nov 13, 2024
1f215c8
Merge branch 'main' into minimun-iaas-service-versions
josephineSei Nov 19, 2024
9a51b2f
Update Standards/scs-XXXX-v1-security-of-iaas-service-software.md
josephineSei Nov 19, 2024
3bde83b
Merge branch 'main' into minimun-iaas-service-versions
garloff Nov 20, 2024
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
108 changes: 108 additions & 0 deletions Standards/scs-XXXX-v1-security-of-iaas-service-software.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,108 @@
---
title: Standard for the security of IaaS service software
type: Standard
status: Draft
track: IaaS
---

## Introduction

Software security relies on bug patches and security updates being available for specific versions of the software.
The services, which build the IaaS Layer should be updated on a regular basis based on updates provided by their respective authors or distributors.
But older releases or versions of the software of these services may not receive updates anymore.
Unpatched versions should not be used in deployments as they are a security risk, so this standard will define how CSPs should deal with software versions and security updates.

## Terminology

| Term | Explanation |
| ------------------- | ---------------------------------------------------------------------------------------------------------------------------------------- |
| CSP | Cloud Service Provider, provider managing the OpenStack infrastructure. |
| SLURP | Skip Level Upgrade Release Process - A Process that allows upgrades between two releases, while skipping the one in between them. |
| OSSN | [OpenStack Security Note](https://wiki.openstack.org/wiki/Security_Notes) - security issues from 3rd parties or due to misconfigurations. |
| OSSA | [OpenStack Security Advisories](https://security.openstack.org/ossalist.html) - security issues and advices for OpenStack. |

## Motivation

In software projects like e.g. OpenStack the software will be modified and receive bug fixes continuously and will receive releases of new versions on a regular basis.
Older releases will at some point not receive updates anymore, because maintaining more and more releases simultaneously requires too much manpower.
Thus older software will also eventually not receive security updates anymore.
josephineSei marked this conversation as resolved.
Show resolved Hide resolved
Using software which does not receive updates anymore threatens the baseline security of deployments and should be avoided under all circumstances.
josephineSei marked this conversation as resolved.
Show resolved Hide resolved

## Design Considerations

It would be possible to define a minimum version of IaaS Layer software to avoid security risks.
In the following paragraphs several options of defining a minimum version or dealing with security patches otherwise are discussed.

### Options considered

#### Only Allow the current versions of Software

Considering that OpenStack as one provider of IaaS Layer Software has two releases per year, with one SLURP release per year, this option would require CSPs to update their deployment once or twice a year.
Updating a whole deployment is a lot of work and requires also good life-cycle management.
Following only the SLURP releases would reduce this work to once per year.

While following new releases closely already provides a deployment with recent bug fixes and new features, it also makes developing standards easier.
Differences between releases will accumulate eventually and may render older releases non-compliant to the SCS standards at some point.

On the other hand on the IaaS Level there aren't many breaking changes introduced by releases and also most standards will also work with older releases.
Security Updates and Bug fixes are also provided by OpenStack for a few older releases with the state `maintained`.
josephineSei marked this conversation as resolved.
Show resolved Hide resolved
Additionally the [SCS reference implementation](https://github.com/SovereignCloudStack/release-notes/blob/main/Release7.md) is integrating OpenStack releases after half a year - so about the time when a new release is cut by OpenStack.
josephineSei marked this conversation as resolved.
Show resolved Hide resolved
Considering a CSP that wants to use only SLURP releases and waiting for the reference implementation will already be over a year or 2 releases behind, which cannot be considered as using the current version of IaaS Layer Software.
josephineSei marked this conversation as resolved.
Show resolved Hide resolved
Thus this option can be discarded.

#### Allow only maintained versions of Software

While following closely to the newest releases could be advised, there are several downsides to requiring this workflow, even if it would be only for SLURP releases.
Following the SCS reference implementation for example would also lead into being a little bit behind the newest release.
josephineSei marked this conversation as resolved.
Show resolved Hide resolved
But this is not as bad as it may seem to be, because security related fixes and bug fixes are backported to older but still `maintained` releases.
All releases that are still maintained can be looked up at the releases page from OpenStack[^1].
josephineSei marked this conversation as resolved.
Show resolved Hide resolved

Allowing maintained versions would give CSPs a little bit more time to update and test their environments, while still receiving relevant security updates and bug fixes.
Also CSPs that want to become SCS-compliant may not have the burden to upgrade their deployments, but can test before an upgrade, where they need to put in additional work to become SCS-compliant.
josephineSei marked this conversation as resolved.
Show resolved Hide resolved

One problem is, that there might be new features implemented in the newest versions of the software, which are desired by other standards to be SCS-compliant.
josephineSei marked this conversation as resolved.
Show resolved Hide resolved
In that case allowing all maintained versions would lead to a two-year timespan customers would need to wait for before such a feature becomes available in all SCS-compliant deployments.
In case of security relevant features this is not advisable.

#### Standards implicitly define the minimum versions of Software

Instead of requiring a defined minimum software version, it could be derived from the standards.
josephineSei marked this conversation as resolved.
Show resolved Hide resolved
Because: Whenever there is a new wanted behavior a standard should be created and a resonable timeframe given to CSPs to adopt a software version that can fulfill the new standard.
Through the combination of all standards that are in place, the minimum version for the IaaS service software is implicitly given.

This would avoid to have conflicting versions of software in terms of feature parity, while also allowing older software.
Using this approach requires an additional advise to CSPs to update or implement patches for security issues.

#### Advise CSPs to integrate software updates

As long as maintained versions of software are used, updates with security patches are available and only need to be integrated.
This can and should be done in a reasonable short timeframe.

But CSPs may even use releases of IaaS software, that are either not maintained anymore by an open source community or may be even closed source implementations of the mandatory IaaS APIs.
Allowing older versions or closed source software would only be acceptable, when CSPs assure (e.g. in documentation), that they themself will patch the software within their deployments.
Security bug fixes must be implemented and proof of the fix then provided.
Only under these circumstances deployments with older or alternative IaaS Layer software may be handled as compliant.

This option could be taken for granted, but to actually advise using it may encourage CSPs to take a closer look on their life-cycle management and security risk handling.
And CSPs using OpenStack could even be encouraged to upgrade their deployments.

## Standard for a minimum IaaS Layer Software version

If a deployment is affected by a security issue and a maintained[^1] version of OpenStack is used as implementation for IaaS Layer software, security patches noted in OSSNs and OSSAs MUST be integrated within a reasonable timeframe.
josephineSei marked this conversation as resolved.
Show resolved Hide resolved
Otherwise the CSP MUST implement security bug fixes themself within a reasonable timeframe, when the deplyoment is affected by a security issue.

In both cases proof of the update MUST be send to the OSBA, so that the compliance will not be revoked.
Copy link
Contributor

@anjastrunk anjastrunk Oct 18, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm afraid, this will result in a lot of paper work and bureaucracy no one wants to do.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That really is a problem:
We want to create standards that should be followed. Therefore we need tests.
But future CVEs or OSSNs cannot be known now and may be not easily testable. Should we consider writing a test for each of these vulnerabilities? This might be several tests a year to write, if a test from the outside is possible at all. And those tests might be considered as attacks (I mean they somehow are ;) ) and might trigger responses on the side of CSPs.

So a CSP giving notice about the fixing of a vulnerability, which already implicates, that we need to trust the CSP, could be an option. Maybe - if we already need to trust the CSPs - we may reduce the paper work:
MArkus suggested that there should be some kind of form file, that could be provided. We could do something like:

How did you deal with the vulnerability on your deployment XYZ:
[ ] Deployment was NOT affected, because ....... (e.g. we use another backend)
[ ] Functionality was disabled in the deployment.
[ ] Deployment was updated with a fix for the vulnerability, that .... (e.g. was provided be upstream openstack)

And only require short descriptions like above.
This may even be easier to evaluate in the compliance checker?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see your point @josephineSei and agree with @markus-hentsch. A form file could be a good trade-off. In fact, the file could be publicly available and evaluated automatically, which reduces paper-work. Assuming, we do not have any evil CSP (which will be recognizes sooner or later anyway ;)), I am fine with this approach.


An open SBOM list MAY be used to propagate the current version of the software and may be used as proof of updates.

[^1]: [OpenStack versions and their current status](https://releases.openstack.org)

## Conformance Tests

In case of provided SBOMs the version numbers of the software could be checked.
But this is not a requirement, so there cannot be such a test.
Tests on the integration of security patches itself are difficult.
And even if tests for certain security issues are possible, then those might be received as an attack.
josephineSei marked this conversation as resolved.
Show resolved Hide resolved
This is the reason there will be no conformance test.

Rather the standard requiring that CSPs provide proof of the fixed vulnerabilites themself.
40 changes: 40 additions & 0 deletions Standards/scs-XXXX-w1-security-of-iaas-service-software.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
---
title: "SCS Standard for the security of IaaS service software: Implementation and Testing Notes"
type: Supplement
track: IaaS
status: Draft
supplements:
- scs-XXXX-v1-security-of-iaas-service-software.md
---

## Testing or Detecting security updates in software

It is not always possible to automatically test, whether the software has the newest security updates.
This is because software versions may differ or some CSPs might have added downstream code parts or using other software than the reference.
Also vulnerabilites and their fixes are quite different in testing, some might not be testable while others are.
Additionally testing might be perceived as an attack on the infrastructure.
So this standard will rely on the work and information CSPs must provide.
There are different cases and procedures which are addressed in the following parts, that lead to compliance for this standard.

### Procedure to become compliant to the security of IaaS service software Standard

This is the procedure when a new deployment wants to achieve SCS-conformancy.
There are two states such a deployment can be in:

1. When a deployment is newly build or installed it usually uses software which includes all the latest security and bug fixes.
Such deployments should be considered compliant to the standard.

2. When a CSP wants to make an older deployment compliant to the SCS standards and thus also to this standard, it should be checked, whether the running software is up to date.
Any updates or upgrades to even newer versions should be done before the SCS compliance is checked.
Information about such updates or upgrade should be provided by the CSP.

### Procedure when new vulnerabilites are discovered

Whenever there are new vulnerabilities discovered in IaaS service software like OpenStack there is either an internal discussion ongoing or it is just a smaller issue.
In the first case CSPs should have someone following such discussions and may even help preparing and testing patches.
From the moment on the vulnerability is disclosed publicly, the risk of it being actively exploited increases greatly.
So CSPs MUST watch out for announcements like in the OSSAs and OSSNs and when they are affected, update their deployment as soon as possible.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we maybe consider cases here where vulnerabilities are not applicable to certain deployments? E.g. vulnerability concerns storage backend driver A whereas CSP is exclusively using storage backend driver B.
In such case, the update would not be a MUST for the CSP, in my opinion.

We should maybe put a preceeding step here to instruct the CSP to do an analysis first ASAP whether they are affected and if ...

  • ... they are affected, they MUST apply the update and report having done so to SCS
  • ... they are not affected, they MAY apply the update but MUST report a reasoning why they are not affected to SCS


Afterwards CSPs MUST provide proof, that they are not or not anymore affected by the vulnerabilty.
This can be done through either a manual test or through showing the updated software service version or showing configuration that renders the attack impossible.
It could also be provided a list of services, when the affected service is not used in that deployment.