In this talk we will show how to attack enterprise-grade “big data” environments, based on e.g. HortonWorks or Cloudera, comprising components such as HDFS, Yarn, Hue, Flume, Hive, Spark, Sentry/Ranger.

These environments process huge amounts of data (either data stored in the cluster file system HDFS or streamed into the cluster, e.g. via Flume). The processing of the data is performed in jobs which are typically submitted by customers into the cluster, and those jobs can be arbitrary code (even though the typical cluster language is Java).

We will give a detailed description of the overall concept of the environment, the tasks of the different components and how they communicate with each other. We will describe what attackers can do from different network/authentication positions (e.g. with or without the capability to submit jobs) and practically demonstrate break-out attacks from the job sandboxes which result from insufficient hardening of the different nodes or of the overall environment.

Such breakout attacks affect the information of all customers in the attacked cluster and are thus comparable to hypervisor breakouts in public cloud environments.

We will also describe the relevant hardening measures and architectural considerations to prevent the demonstrated attacks.

Birk Kauer is a security researcher working for ERNW GmbH. His main interests are application security, reverse engineering and exploitation. Besides the research work, he has extensive experience as a penetration tester in very large corporate environments.

[Slides (PDF)]
