CloudFest 2018 Hackathon Project Results Presentation - CFHack18

Automated security check for
WordPress plugins

Static Code Analysis
• Powered by RIPS Technologies
• High-tech company based in Bochum, Germany
• Supports the full feature stack of the PHP language
• Detects security vulnerabilities from
user-controlled input
• Used by Open Source projects

SQL Injection
Write your content onto everybody else’s sites

File Upload
Write your files onto everybody else’s servers

Code execution
Run your code directly

What we have achieved
• Reviewed findings for many plugins
• Most Plugins are secure
• Contacted plugin authors with vulnerabilities
• Build a PHP tool to use the API for WordPress and other
projects

FTPd
login username:password
OK
login username:password
OK
The problem

FTPd
login username: {password⏳}
OK
login username:{password⌛️}
KO!!
A solution: OTP

Done:
• Dockerised a ProFTPD build
and run environment
• Modified mod_auth_otp to add
Yubikey OTP validation
• Dockerised yubikeyedup for
yubikey validation
• Used gitlab-ci and Rancher as
devops pipeline
• Ate pizza, consumed lots of
beer and coffee!
Containerise all the things!

TODO:
• Create a dedicated module
for yubi OTP
• Allow for configuration of auth
backend
• Collaborate with ProFTPD
team for upstream integration

Singed Autoupdate
A save way to deploy updates for developer

The Problem
• Online (auto) Updates are necessary for the maintenance of
Web Software and Extensions
• Dealing with outdated software is therefore important but comes
with its own problems
• If an update server gets compromised a large number of
websites get infected

Our Solution
Sign Update
• We create a list with all file hashes
of the update
• We sign our list with a private key
and send it with our update
package
Verify the Update on Installation
• We Unpack the update and check
with a public key if the file list was
from the developer
• We check each file against the
hash list and the amount of files
• We discard the update if anything
doesn‘t match

Toolset for Developer
• CLI Tool for creating the
Update with
• $ signer.phar signer:sign [options] [--] <path> <key>
$public_key = hex2bin('< Developer Public Key >');
$update = new Update(__DIR__.'/update-deploy',$public_key);
$update->setTempDir('upload_test'); //optional
$update->ProcessUpdate('https://example.com/update.zip');

GitHubhttps://github.com/Cloudfest/signed-autoupdate

Secure Websites and Content Management Systems

Domain Connect
Three Projects Outside of Rust, Germany

What is Domain Connect?
• Domain Connect is an open standard that makes it easy for a
user to configure DNS for a domain running at a DNS provider
to work with a Service running at an independent Service
Provider. The user can do so without understanding any of the
complexities of DNS.
• Supported by 20+ Service Providers, 14+ DNS Providers
• Microsoft, Automatic, GoDaddy, 1&1, etc.
• http://domainconnect.org

Project 1: Example DNS Provider
• Goal: Build an Open Source Reference Implementation of Domain
Connect for DNS Providers
• Challenge: Harder than the Service Provider Example (Requires
State, and Working DNS)
• Components (all dockerized):
• MySQL: Stores Users and Zones
• DNS Server: Based on Open Source DNS, modified to work on MySQL
• API Server: Implements Domain Connect API
• Front End: Implements Domain Connect UX

Project 2: Plesk Integration
• Goal: Implement Domain Connect for DNS and Service Provider
• Plesk is a hosting control panel
• Hosting
• Email
• DNS “Optional”
• Implementation
• DNS Provider: When running DNS
• Useful for email Services (O365), hosting services on sub-domains (blogs etc.)
• Service Provider: When not running DNS
• Allows configuration of host, email, and sub-domains to work

Project 3: Dynamic DNS
• Goal: Use Domain Connect to implement Dynamic DNS
• Dynamic DNS
• Keeps IP current when host has a dynamic IP address from ISP
• Often built into routers or services running on the host
• No universal way to handle between DNS Providers
• DynDNS has a protocol that made its way into routers
• Different DNS Providers have bespoke APIs
• Implementation:
• Model DDNS as a template
• Installer application gets Oauth consent
• Windows Service checks IP and applies template as necessary

Results
• All three projects will require refinement, but shown to be viable
and will be further developed
• DNS Service Example code will be open sourced
• Plesk integration finished and shipped
• Dynamic DNS Application open sourced and shipped as a proof of
concept (branded Domain Connect)
• Identified minor specification changes (improvements) to
support several of these scenarios easier
• Improved clarity on several complex issues in specification

Project 6
Marcel Wagner &
Michael Sommerer

CSP Ready IoT Solution
for SMB
Ali Kocal (Intel), Jessica Smith (1&1), Marcel Wagner (Intel),
Ben Rösler (GzEvD), Gabrielle W. Poerwarwinata (Intel),
Christian Buchwald (TÜV Rheinland), Steven Briscoe (Intel),
Jamal El Youssefi (Intel), Elias Hackradt (GzEvD),
Chris Mcadam (1&1), Michael Sommerer (IDI GmbH)

Problem Statement
• IoT Device integration with Cloud services is complicated
and today based on proprietary solutions which have similar
functionality but different API
• Develop an End to End Open Source architecture for CSPs
and System Integrators ready to be deployed in Industrial
environment
• Using last year’s Hackathon initiated Open IoT Service Platform
(OISP) as middleware to orchestrate IoT devices and connect
them with additional CSP Services
Target of this Project

Architecture
IoT Device
Sensor1 Sensor2
Node-RED GUI
Open IoT
Service
Platform
Function as
a Service
Platform
Mobile App for
Service Engineer
CSP
Dashboard/Admin GUI for OISP
Node RED
OISP
Agent
Libmraa/UPM
Kubernetes GUI
Hardware:
UP Squared Grove IoT
KitRaspberry Pi ZeroW

44
Kubernetes UI for OISP deployment
FaaS console to submit function
Mobile App for Service Engineer
Service/Admin GUI
Node RED IoT configuration
Impressions

Results
During the Hackathon (2 days) we
• Decoupled IoT and Cloud dependencies by OISP services
allowing efficient parallel development (IoT, Cloud and Mobile)
• Integrated Node RED with OISP on IoT Devices
• Made OISP deployable in CSP infrastructure with Kubernetes
• Integrated a FaaS framework (OpenWhisk) with OISP
• Developed a mobile application for local service engineer
• ALL Open Source and on github:
https://github.com/Open-IoT-Service-Platform/platform-launcher

CloudFest 2018 Hackathon Project Results Presentation - CFHack18

Recommended

More Related Content

What's hot (20)

Similar to CloudFest 2018 Hackathon Project Results Presentation - CFHack18 (20)

Recently uploaded (20)

CloudFest 2018 Hackathon Project Results Presentation - CFHack18

Editor's Notes