Securing Redis with Sedona
Will Urbanski
#lascon2013
About Me
• Security Researcher
• Outdoor Enthusiast
• Tweet @willurbanski
• Blog/tools available @shakingrock.com
#lascon2013
Today’s Talk
• Security in
• What you can do about it
#lascon2013
• Open-source data-structure server
• Key-value store
– Lists
– Hashes
– Sorted sets
• Lightweight, fast & free
• http://redis.io
#lascon2013
Redis Security Model
“Redis is not designed for maximum security but
rather maximum performance and simplicity”
“Redis is designed to be accessed by trusted
clients inside trusted environments”
• http://redis.io/topics/security
#lascon2013
Commands
• Command-oriented, not query-oriented
• Not all commands are created equal
#lascon2013
Safe Commands
• Read-only
• Single key usage
• Not resource intensive
GET
EXISTS
LLEN
TTL
#lascon2013
Commands with Consequences
• Read or Write
• Single Key
SET
DEL
LPOP
EXPIRES
#lascon2013
Dangerous Commands
• Affect multiple keys or
entire service
• Impact availability if
misused
EVAL
CLIENT KILL
SAVE
CONFIG SET
#lascon2013
Commands That Will Ruin Your
Weekend™
• Impacts entire service
• Devastating if misused
FLUSH
FLUSHALL
SHUTDOWN
#lascon2013
#lascon2013
Problem #1
There is no data control language
All clients can access all commands
#lascon2013
Command Renaming
• Rename dangerous commands!
– SHUTDOWN can become cc23772aded8
• Reduces Usability
• Ideally only authorized users should be able to
run SHUTDOWN
#lascon2013
#lascon2013
Problem #2
Redis doesn’t really support authentication*
#lascon2013
Redis Authentication
• AUTH command
• No multiuser support
• No ACLs (see problem #1)
#lascon2013
#lascon2013
Problem #3
Even if you could authenticate, you wouldn’t want to.
Redis lacks encryption support
#lascon2013
This is Okay
• Redis’ design focuses on
performance and
simplicity
• The Redis security
model is transparent
#lascon2013
Compensating Controls
Authorization/Authentication
• Rename dangerous
commands?
Confidentiality
• SSL Proxy (In Transit)?
• Wrap Redis libs (At Rest)?
• AUTH command?
• Local-only w/ SSH?
#lascon2013
An ideal solution would…
• Encrypt
• Authorize
– Support SSL/TLS natively
– Support key-value encryption
– Not require command
renaming (security-throughobscurity)
– Implement SQL’s DCL in a keyvalue domain
• Authenticate
– Support user accounts
– Support modular
authentication
– Log access
– Support rate-limiting
• Flexible command access
• Flexible key access
• Be Practical
– Not impose unnecessary
burdens
• Performance
• Administration
– Be compatible with native
clients
#lascon2013
Sedona
• PoC application firewall for Redis
• Implements authentication, authorization and
encryption enhancements
• Requires no changes to Redis core
• Python 2.7 w/ Twisted
#lascon2013
Authentication
• Adds user parameter to AUTH command
– AUTH <user> <password>
• Supports modular authentication
• Preserves native AUTH functionality
– AUTH <password> still works
#lascon2013
Authorization
• Adds per-user access control lists
• Command- and key-based ACLs
• ACCEPT, and REJECT
• Returns native Redis err/success for
compatibility
#lascon2013
ACLs
"rules": [
{"command": "set", "key": "test\\-*", "action”:"accept"},
{"command": "get", "key": "test\\-*", "action”:"accept"},
{"command": "ping", "action": "accept"},
{"command": "echo", "action": "accept"},
{"action": "reject"}
]
#lascon2013
Encryption
• Adds SSL support
• CLI tool for using SSL
#lascon2013
Use Cases
• Dev/Ops command segregation
– Ops may require ‘SHUTDOWN’, ‘SAVE’, ‘CONFIG
SET’
– Dev may require ‘SET’,’GET’, ‘LPOP’, …
• Key Enforcement
• Command blacklisting w/o renaming
– SHUTDOWN, FLUSH, FLUSHALL
#lascon2013
Deployment Strategies
Inline
• Intercepts all traffic to
server
Edge of Trusted Environment
• Only intercept untrusted
traffic
• More secure
• Less secure (you decide
what’s trusted)
• More performance
impacting
• Less performance impacting
#lascon2013
Performance
+
+
+
=
Parsing
Authorizing
Tracking State
performance penalty
#lascon2013
Sedona Request Transit Times
100
90
80
70
SET
Time (ms)
60
GET
LPUSH
50
LPOP
Linear (SET)
40
Linear (GET)
Linear (LPUSH)
30
Linear (LPOP)
20
10
0
0.00%
10.00%
20.00%
30.00%
40.00%
50.00%
60.00%
Percent of Requests (%)
#lascon2013
70.00%
80.00%
90.00%
100.00%
Demos
• Configuration Files
• Authentication
• Authorization
#lascon2013
Wrapping Up
• Sedona is a tool that adds additional security
to Redis installations
• If you find the tool useful, please contribute!
#lascon2013
Q&A
Fork Sedona @ Github
Follow me on Twitter
#lascon2013