CR, SE · Jan 9, 2013

Cloud Penetration Testing

arXiv:1301.1912v1 · 23 citations
Originality: Synthesis-oriented
AI Analysis

The paper addresses security risks in cloud management software that matter to cloud administrators and users, though it is incremental in that it applies existing testing methods to a specific system.

The paper conducted penetration tests on OpenStack Essex Cloud Management Software, discovering exploitable vulnerabilities that could allow attackers to access restricted information or gain full administrative privileges.

This paper presents the results of a series of penetration tests performed on the OpenStack Essex Cloud Management Software. Several different types of penetration tests were performed, including network protocol and command line fuzzing, session hijacking and credential theft. Using these techniques, exploitable vulnerabilities were discovered that could enable an attacker to gain access to restricted information contained on the OpenStack server, or to gain full administrative privileges on the server. Key recommendations to address these vulnerabilities are to use a secure protocol, such as HTTPS, for communications between a cloud user and the OpenStack Horizon Dashboard, to encrypt all files that store user or administrative login credentials, and to correct a software bug found in the OpenStack Cinder typedelete command.
