Skip to content

Latest commit

 

History

History
128 lines (109 loc) · 14.5 KB

threat-modeling.md

File metadata and controls

128 lines (109 loc) · 14.5 KB

Threat Model Analysis for conductor-oss/conductor

Threat: Workflow Definition Injection

  • Threat: Workflow Definition Injection
    • Description: An attacker with access to create or modify workflow definitions (e.g., through the UI or API) injects malicious code or configurations into the JSON definition. This could involve manipulating task parameters, adding unauthorized tasks, or altering the workflow's control flow to execute arbitrary commands or access restricted resources. The attacker might exploit insufficient validation of the JSON input.
    • Impact: Remote code execution on worker nodes, data exfiltration, unauthorized access to internal systems, denial of service, complete system compromise.
    • Affected Component: core/src/main/java/com/netflix/conductor/core/execution/WorkflowExecutor.java (and related classes responsible for parsing and executing workflow definitions), Conductor API endpoints for workflow creation/modification, Conductor UI.
    • Risk Severity: Critical
    • Mitigation Strategies:
      • Strict Input Validation: Implement rigorous schema validation and sanitization of all workflow definition JSON input, both through the API and UI. Reject any definition that doesn't strictly adhere to the expected schema.
      • Role-Based Access Control (RBAC): Enforce strict RBAC to limit who can create, modify, or delete workflow definitions. Only trusted users/roles should have these permissions.
      • Workflow Definition Approval Process: Implement a mandatory approval workflow for any changes to workflow definitions, requiring review and sign-off by authorized personnel.
      • Version Control and Auditing: Track all changes to workflow definitions using a version control system (e.g., Git). Maintain comprehensive audit logs of all workflow definition modifications, including who made the change and when.
      • Static Analysis: Integrate static analysis tools into the CI/CD pipeline to automatically scan workflow definitions for potential security vulnerabilities before deployment.

Threat: Malicious Worker Code Execution (Focus on Conductor's Role)

  • Threat: Malicious Worker Code Execution (Focus on Conductor's Role)
    • Description: While the worker code itself is a primary concern, Conductor's role in orchestrating the execution of potentially malicious workers is the direct threat here. If Conductor doesn't properly isolate or restrict worker execution, a compromised worker can leverage Conductor's orchestration capabilities to amplify the attack. For example, a malicious worker could use Conductor to schedule further malicious tasks or access resources it shouldn't.
    • Impact: Data breach, system compromise, lateral movement within the network, denial of service. Conductor's orchestration amplifies the impact.
    • Affected Component: Task Queues (e.g., core/src/main/java/com/netflix/conductor/dao/QueueDAO.java), Communication channels between workers and the Conductor server, Workflow execution engine (WorkflowExecutor.java).
    • Risk Severity: Critical
    • Mitigation Strategies:
      • Sandboxing/Containerization: Conductor should enforce the execution of workers within isolated environments (e.g., containers, sandboxes) to limit their access. This is a Conductor configuration and deployment concern.
      • Least Privilege (Conductor-Enforced): Conductor should be configured to grant workers only the minimum necessary permissions through its configuration and task definition. This limits the blast radius of a compromised worker.
      • Mutual TLS (mTLS): Conductor must use mTLS to authenticate both the worker and the Conductor server, preventing unauthorized workers from connecting and receiving tasks.
      • Network Segmentation (Enforced by Conductor's Deployment): The deployment of Conductor and its workers should enforce network segmentation, limiting worker communication.

Threat: Task Queue Poisoning

  • Threat: Task Queue Poisoning
    • Description: An attacker injects malicious tasks into the Conductor task queue. This could involve crafting tasks with malicious input data, exploiting vulnerabilities in the task submission process, or bypassing authentication/authorization checks. The malicious tasks could then be executed by legitimate workers, leading to unintended consequences.
    • Impact: Code execution on worker nodes, data corruption, denial of service, system compromise.
    • Affected Component: core/src/main/java/com/netflix/conductor/dao/QueueDAO.java (and related queue implementations), API endpoints for task submission.
    • Risk Severity: High
    • Mitigation Strategies:
      • Authentication and Authorization: Require strong authentication and authorization for all task submissions. Only authorized users/services should be able to add tasks to the queue.
      • Input Validation: Thoroughly validate and sanitize all task input data before adding it to the queue. Reject any input that doesn't conform to the expected format or contains potentially malicious content.
      • Rate Limiting: Implement rate limiting on task submissions to prevent attackers from flooding the queue with malicious tasks.
      • Queue Monitoring: Continuously monitor the task queue for suspicious activity, such as unusually large numbers of tasks, tasks with unexpected input data, or tasks originating from unknown sources.

Threat: Denial of Service (DoS) against Conductor Server

  • Threat: Denial of Service (DoS) against Conductor Server
    • Description: An attacker overwhelms the Conductor server with a large number of requests, making it unresponsive and preventing legitimate workflows from being executed. This could involve flooding the API with requests, submitting a large number of resource-intensive workflows, or exploiting vulnerabilities in the server's code.
    • Impact: Disruption of workflow execution, application downtime, potential data loss (if workflows are interrupted mid-execution).
    • Affected Component: Conductor Server (all components), API endpoints, Database connections.
    • Risk Severity: High
    • Mitigation Strategies:
      • Rate Limiting: Implement rate limiting on all API endpoints to prevent attackers from overwhelming the server with requests.
      • Load Balancing: Distribute traffic across multiple Conductor server instances using a load balancer.
      • Resource Quotas: Set resource quotas (e.g., CPU, memory, number of concurrent workflows) for users and workflows to prevent resource exhaustion.
      • Web Application Firewall (WAF): Deploy a WAF to protect against common web attacks, including DoS attacks.
      • Monitoring and Alerting: Continuously monitor server performance and resource utilization. Set up alerts to notify administrators of potential DoS attacks.
      • Connection Timeouts: Configure appropriate timeouts for connections to the Conductor server and database to prevent long-lived connections from consuming resources.

Threat: Data Exfiltration via Workflow Output (Conductor's Role)

  • Threat: Data Exfiltration via Workflow Output (Conductor's Role)
    • Description: An attacker designs a workflow to extract sensitive data. Conductor's role is in facilitating this exfiltration by providing the mechanism (task output) and not adequately controlling it. The attacker leverages Conductor's orchestration to move the data.
    • Impact: Data breach, privacy violation, regulatory non-compliance.
    • Affected Component: Task output handling (core/src/main/java/com/netflix/conductor/core/execution/WorkflowExecutor.java), potentially worker communication if Conductor doesn't enforce restrictions.
    • Risk Severity: High
    • Mitigation Strategies:
      • Data Loss Prevention (DLP) (Integration with Conductor): Integrate DLP mechanisms with Conductor to monitor and control the flow of sensitive data within task outputs.
      • Output Sanitization (Enforced by Conductor): Conductor should provide mechanisms (or integrate with tools) to sanitize and validate all task output data.
      • Network Restrictions (Enforced by Conductor's Deployment): The deployment of Conductor should enforce network restrictions on workers, limiting their ability to send data externally.
      • Auditing (Conductor's Audit Logs): Conductor's audit logs should be comprehensive and regularly reviewed for suspicious data movement.

Threat: Unauthorized Access to Conductor UI/API

  • Threat: Unauthorized Access to Conductor UI/API
    • Description: An attacker gains unauthorized access to the Conductor UI or API, potentially by exploiting weak authentication mechanisms, guessing passwords, or leveraging stolen credentials. With unauthorized access, the attacker could view, modify, or delete workflows, tasks, and other Conductor resources.
    • Impact: Workflow manipulation, data exfiltration, denial of service, system compromise.
    • Affected Component: Conductor UI, Conductor API endpoints, Authentication and authorization mechanisms.
    • Risk Severity: High
    • Mitigation Strategies:
      • Strong Authentication: Enforce strong password policies and require multi-factor authentication (MFA) for all users accessing the UI and API.
      • API Key Management: Use API keys for programmatic access to the Conductor API. Implement secure key management practices, including regular key rotation and revocation.
      • Role-Based Access Control (RBAC): Implement RBAC to restrict access to specific UI and API functionalities based on user roles.
      • Session Management: Implement secure session management practices, including short session timeouts and secure cookie handling.
      • Regular Security Audits: Conduct regular security audits and penetration testing to identify and address vulnerabilities in the UI and API.

Threat: Dependency Vulnerabilities (in Conductor itself)

  • Threat: Dependency Vulnerabilities (in Conductor itself)
    • Description: Vulnerabilities in Conductor's own dependencies (libraries, frameworks) are exploited. This is distinct from vulnerabilities in worker dependencies.
    • Impact: Varies depending on the vulnerability, potentially leading to code execution, data breaches, or denial of service on the Conductor server itself.
    • Affected Component: All Conductor components (server, UI), build process.
    • Risk Severity: High
    • Mitigation Strategies:
      • Software Composition Analysis (SCA): Use an SCA tool to identify and track all dependencies used by Conductor itself.
      • Regular Updates: Keep Conductor up to date with the latest security patches.
      • Vulnerability Scanning: Regularly scan Conductor's codebase and build artifacts for known vulnerabilities.
      • Dependency Pinning: Pin Conductor's dependency versions to specific, known-good versions.
      • Vulnerability Monitoring: Subscribe to security advisories and mailing lists for Conductor.

Threat: Insecure Deserialization (within Conductor)

  • Threat: Insecure Deserialization (within Conductor)
    • Description: An attacker crafts malicious input data that, when deserialized by the Conductor server, leads to arbitrary code execution. This focuses on vulnerabilities within Conductor's code, not within worker code.
    • Impact: Remote code execution on the Conductor server, system compromise.
    • Affected Component: core/src/main/java/com/netflix/conductor/common/metadata/tasks/Task.java (and related classes if they handle task input/output deserialization insecurely), API endpoints if they accept serialized data processed by the Conductor server.
    • Risk Severity: Critical
    • Mitigation Strategies:
      • Avoid Untrusted Deserialization: Avoid deserializing data from untrusted sources within Conductor's server-side code.
      • Whitelist Allowed Classes: If deserialization is necessary within Conductor, implement strict whitelisting of allowed classes.
      • Use Safe Deserialization Libraries: Use libraries that provide secure deserialization mechanisms within Conductor's codebase.
      • Input Validation: Thoroughly validate and sanitize all data before deserialization within Conductor.

Threat: Database Compromise (Impacting Conductor)

  • Threat: Database Compromise (Impacting Conductor)
    • Description: An attacker gains direct, unauthorized access to the Conductor database. While the database itself isn't part of Conductor, Conductor's reliance on it makes this a direct threat.
    • Impact: Complete data loss, data modification, workflow manipulation, denial of service (of Conductor), potential for lateral movement.
    • Affected Component: Conductor's persistence layer (conductor/db), Database server.
    • Risk Severity: Critical
    • Mitigation Strategies:
      • Strong Database Credentials: Use strong, unique passwords for the database user account used by Conductor.
      • Database Hardening: Follow database security best practices, including disabling unnecessary features, restricting network access, and applying security patches.
      • Least Privilege: Grant the Conductor database user only the minimum necessary privileges.
      • Encryption at Rest and in Transit: Encrypt the database data both at rest and in transit.
      • Regular Backups: Implement regular, secure backups of the database.
      • Database Firewall: Use a firewall to restrict access to the database server to only authorized hosts (Conductor server).
      • Auditing: Enable database auditing to track all database activity.
      • Intrusion Detection System (IDS): Deploy an IDS to monitor for suspicious database activity.