Attacking and Protecting Big Data Environments

Presented at TROOPERS16 (2016), March 17, 2016, 1:30 p.m. (Unknown duration).

In this talk we will show how to attack enterprise-grade "big data" environments, based on e.g. Hortonworks or Cloudera and comprising components such as HDFS, YARN, Hue, Flume, Hive, Spark and Sentry/Ranger. These environments process huge amounts of data, either stored in the cluster file system HDFS or streamed into the cluster, e.g. via Flume. The processing is performed in **jobs**, which are typically submitted into the cluster by customers, and those jobs can be arbitrary code (even though the typical cluster language is Java). We will give a detailed description of the overall concept of the environment, the tasks of the different components and how they communicate with each other. We will describe what an attacker can do from different network and authentication positions (e.g. with or without the ability to submit jobs) and practically demonstrate break-out attacks from the job sandboxes that result from insufficient hardening of the individual nodes or of the overall environment. Such breakouts expose the data of all customers in the attacked cluster and are thus comparable to hypervisor breakouts in public cloud environments.
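As an added example, not part of the talk abstract or of ERNW's material: a small Python audit that parses Hadoop `*-site.xml` files and flags the settings whose shipped defaults let submitted job code run as the NodeManager's own OS user and read other tenants' HDFS data, one kind of hardening gap of the sort the abstract refers to. The property names and their defaults are the documented Hadoop 2.x keys; the two sample clusters are constructed for illustration and the weak one is deliberately left close to the defaults.

```python
"""Audit Hadoop *-site.xml files for the settings that decide whether a
submitted job is confined to its own OS user and its own data (added example)."""
import xml.etree.ElementTree as ET


def parse_hadoop_config(xml_text):
    """Return {property name: value} from one Hadoop *-site.xml document.

    Site files are <configuration><property><name/><value/></property>...;
    a <final> child may also be present and is ignored here.
    """
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.iter("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


# (site file, property, Hadoop 2.x default when unset, predicate for a safe value, impact)
CHECKS = [
    ("core-site.xml", "hadoop.security.authentication", "simple",
     lambda v: v.lower() == "kerberos",
     "simple auth: a client picks any user name when submitting jobs or reading HDFS"),
    ("core-site.xml", "hadoop.security.authorization", "false",
     lambda v: v.lower() == "true",
     "service-level ACLs off: every caller may use every RPC protocol"),
    ("hdfs-site.xml", "dfs.permissions.enabled", "true",
     lambda v: v.lower() == "true",
     "HDFS permission checks off: one tenant's job can read every tenant's files"),
    ("yarn-site.xml", "yarn.nodemanager.container-executor.class",
     "org.apache.hadoop.yarn.server.nodemanager.DefaultContainerExecutor",
     lambda v: v.endswith("LinuxContainerExecutor"),
     "DefaultContainerExecutor: job code runs as the NodeManager's OS user on the node"),
    ("yarn-site.xml", "yarn.acl.enable", "false",
     lambda v: v.lower() == "true",
     "YARN ACLs off: any user can inspect or kill other tenants' applications"),
]


def audit(site_configs):
    """site_configs maps file name -> parsed properties. Returns the weak settings found."""
    findings = []
    for site, key, default, is_safe, impact in CHECKS:
        value = site_configs.get(site, {}).get(key, default)
        if not is_safe(value):
            findings.append({"file": site, "property": key, "value": value, "impact": impact})
    return findings


def _site(*pairs):
    """Build a constructed *-site.xml document from (name, value) pairs."""
    body = "".join(
        f"<property><name>{n}</name><value>{v}</value></property>" for n, v in pairs)
    return f"<configuration>{body}</configuration>"


def weak_cluster():
    """Constructed sample: a cluster left at (or near) the shipped defaults."""
    return {
        "core-site.xml": parse_hadoop_config(_site(
            ("fs.defaultFS", "hdfs://nn1:8020"),
            ("hadoop.security.authentication", "simple"))),
        "hdfs-site.xml": parse_hadoop_config(_site(
            ("dfs.permissions.enabled", "false"))),
        "yarn-site.xml": parse_hadoop_config(_site(
            ("yarn.nodemanager.container-executor.class",
             "org.apache.hadoop.yarn.server.nodemanager.DefaultContainerExecutor"))),
    }


def hardened_cluster():
    """Constructed sample: Kerberos, authorization, HDFS permissions, LCE, YARN ACLs."""
    lce = "org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor"
    return {
        "core-site.xml": parse_hadoop_config(_site(
            ("hadoop.security.authentication", "kerberos"),
            ("hadoop.security.authorization", "true"))),
        "hdfs-site.xml": parse_hadoop_config(_site(
            ("dfs.permissions.enabled", "true"))),
        "yarn-site.xml": parse_hadoop_config(_site(
            ("yarn.nodemanager.container-executor.class", lce),
            ("yarn.acl.enable", "true"))),
    }


if __name__ == "__main__":
    for label, cluster in (("weak", weak_cluster()), ("hardened", hardened_cluster())):
        findings = audit(cluster)
        print(f"{label}: {len(findings)} weak setting(s)")
        for f in findings:
            print(f"  {f['file']} {f['property']}={f['value']!r}: {f['impact']}")
```

The audit only reads properties, so it cannot tell whether the `container-executor` binary is actually setuid root or whether the Kerberos principals exist; treat a clean result as necessary, not sufficient. Note also that `LinuxContainerExecutor` only runs containers as the submitting user when Kerberos is enabled; in simple-auth mode it maps every container to one local user (`nobody` by default, controlled by `yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users`), which keeps job code away from the `yarn` account but does not isolate tenants from each other at the OS level.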

Presenters:

  • Matthias Luft
    Matthias Luft is a security researcher and heads the German security research company ERNW Research. He is interested in a broad range of topics (such as DLP, virtualization, and network security) while keeping up with the daily consulting and assessment work.
  • Birk Kauer
    Birk is a Security Researcher at ERNW and enjoys exploitation the most, especially in very tricky and complex situations. He often attends CTFs (Capture The Flag competitions) to challenge himself with tricky exploits while keeping up with daily consulting and assessment work. He currently holds the OSCP, OSCE and OSEE certifications from Offensive Security (OffSec).
