Security and Privacy in Cloud Computing

Ragib Hasan
Johns Hopkins University
en.600.412 Spring 2011

Lecture 2

02/07/2010

en.600.412 Spring 2011 Lecture 2 | JHU | Ragib Hasan

Attack Modeling, and Novel Attack Surfaces

Goal

Learn the cloud computing threat model by examining the assets, vulnerabilities, entry points, and actors in a cloud

Examine a novel topology attack on cloud

Assignment for next class
  • Review: Thomas Ristenpart et al., Hey, You, Get Off of My Cloud! Exploring Information Leakage in Third-Party Compute Clouds, proc. ACM CCS 2009.
  • Format:
    • Summary: A brief overview of the paper, 1 paragraph (5 / 6 sentences)
    • Pros: 3 or more issues
    • Cons: 3 or more issues
    • Possible improvements: Any possible suggestions to improve the work
  • Due: 2.59 pm 2/14/2010
  • Submission: By email to rhasan7@jhu.edu (text only, no attachments please) (Please use the subject line: Review Assignment 1)

Threat Model

A threat model helps in analyzing a security problem, designing mitigation strategies, and evaluating solutions

Steps:

  • Identify attackers, assets, threats and other components
  • Rank the threats
  • Choose mitigation strategies
  • Build solutions based on the strategies

Threat Model

Basic components

  • Attacker modeling
    • Choose what attacker to consider
    • Attacker motivation and capabilities
  • Assets / Attacker Goals
  • Vulnerabilities / threats

Recall: Cloud Computing Stack

Recall: Cloud Architecture

SaaS / PaaS Provider

Client

Cloud Provider

(IaaS)

Attackers

Who is the attacker?
  • Insider?
    • Malicious employees at client
    • Malicious employees at Cloud provider
    • Cloud provider itself
  • Outsider?
    • Intruders
    • Network attackers?

Attacker Capability: Malicious Insiders
  • At client
    • Learn passwords/authentication information
    • Gain control of the VMs
  • At cloud provider
    • Log client communication

Attacker Capability: Cloud Provider
  • What?
    • Can read unencrypted data
    • Can possibly peek into VMs, or make copies of VMs
    • Can monitor network communication, application patterns

Attacker motivation: Cloud Provider
  • Why?
    • Gain information about client data
    • Gain information on client behavior
    • Sell the information or use itself
  • Why not?
    • Cheaper to be honest?
  • Why? (again)
    • Third party clouds?

Attacker Capability: Outside attacker
  • What?
    • Listen to network traffic (passive)
    • Insert malicious traffic (active)
    • Probe cloud structure (active)
    • Launch DoS

Assets

Threat Model

Basic components

  • Attacker modeling
    • Choose what attacker to consider
    • Attacker motivation and capabilities
  • Assets / Attacker Goals
  • Vulnerabilities / threats

Attacker goals: Outside attackers
  • Intrusion
  • Network analysis
  • Man in the middle
  • Cartography

Assets (Attacker goals)
  • Confidentiality:
    • Data stored in the cloud
    • Configuration of VMs running on the cloud
    • Identity of the cloud users
    • Location of the VMs running client code

Assets (Attacker goals)
  • Integrity
    • Data stored in the cloud
    • Computations performed on the cloud

Assets (Attacker goals)
  • Availability
    • Cloud infrastructure
    • SaaS / PaaS

Threats

Organizing the threats using STRIDE
  • Spoofing identity
  • Tampering with data
  • Repudiation
  • Information disclosure
  • Denial of service
  • Elevation of privilege

Typical threats

[STRIDE]

Typical threats (contd.)

[STRIDE]

Summary
  • A threat model helps in designing appropriate defenses against particular attackers
  • Your solution and security countermeasures will depend on the particular threat model you want to address

Mapping/topology Attacks
  • Lecture Goal
    • Learn about mapping attacks
    • Discuss different techniques and mitigation strategies
    • Analyze the practicality and impact
    • Reading:
      • Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds, Ristenpart et al., CCS 2009

Why does cloud computing bring new threats?

Traditional system security mostly means keeping bad guys out

The attacker needs to either compromise the auth/access control system, or impersonate existing users

Why does cloud computing bring new threats?

But clouds allow co-tenancy:

Multiple independent users share the same physical infrastructure

So, an attacker can legitimately be in the same physical machine as the target

Challenges for the attacker

How to find out where the target is located

How to be co-located with the target in the same (physical) machine

How to gather information about the target

Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds, Ristenpart et al., CCS 2009
  • First work on cloud cartography
  • Attack launched against commercially available “real” cloud (Amazon EC2)
  • Claims up to 40% success in co-residence with target VM

Strategy
  • Map the cloud infrastructure to find where the target is located
  • Use various heuristics to determine co-residency of two VMs
  • Launch probe VMs trying to be co-resident with target VMs
  • Exploit cross-VM leakage to gather info about target

Threat model

Attacker model

  • Cloud infrastructure provider is trustworthy
  • Cloud insiders are trustworthy
  • Attacker is a malicious third party who can legitimately use the cloud provider as a client

Assets

  • Confidentiality aware services run on cloud
  • Availability of services run on cloud

Tools of the trade
  • Nmap, hping, wget for network probing
  • Amazon EC2’s own DNS to map dns names to IPs

Sidenote: EC2 configuration

EC2 uses Xen, with up to 8 instances per physical machine

Dom0 is the first instance on the machine, connected to the physical network adapter

All other instances route to external world via dom0

[Figures from Xen Wiki]

Task 1: Mapping the cloud

Reverse engineering the VM placement schemes provides useful heuristics about EC2’s strategy

Different availability zones use different IP regions.

Each instance has one internal IP and one external IP. Both are static.

For example:

External IP: 75.101.210.100

External Name: ec2-75-101-210-100.computer-1.amazonaws.com

Internal IP: 10.252.146.52

Internal Name: domU-12-31-38-00-8D-C6.computer-1.internal

Task 1: Mapping the Cloud

Finding: same instance type within the same zone = similar IP regions

Reverse engineered mapping decision heuristic:

A /24 inherits any included sampled instance type.

A /24 containing a Dom0 IP address only contains Dom0 IP address.

All /24’s between two consecutive Dom0 /24’s inherit the former’s associated type.

Task #2: Determining co-residence
  • Co-residence: Check to determine if a given VM is placed in the same physical machine as another VM
  • Network based check:
    • Match Dom0 IP addresses, check packet RTT, close IP addresses (within 7, since each machine has 8 VMs at most)
    • Traceroute provides Dom0 of target
    • No false positives found during experiments

Task #3: Making a probe VM co-resident with target VM

Brute force scheme

  • Idea: figure out target’s availability zone and type
  • Launch many probe instances in the same area
  • Success rate: 8.4%

Task #3: Making a probe VM co-resident with target VM

Smarter strategy: utilize locality

  • Idea: VM instances launched right after target are likely to be co-resident with the target
  • Paper claims 40% success rate

Task #3: Making a probe VM co-resident with target VM

Window of opportunity is quite large, measured in days

Task #4: Gather leaked information

Now that the VM is co-resident with target, what can it do?

  • Gather information via side channels
  • Perform DoS

Task 4.1: Gathering information

If VMs are separated and secure, the best the attacker can do is to gather information

  • Measure latency of cache loads
  • Use that to determine
    • Co-residence
    • Traffic rates
    • Keystroke timing

Mitigation strategies #1: Mapping
  • Use a randomized scheme to allocate IP addresses
  • Block some tools (nmap, traceroute)
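A provider-side self-check, added here as an example and not code from the slides or from Ristenpart et al.: it applies the three reverse-engineered rules from the Task 1 slide (a /24 inherits a sampled type, a Dom0 /24 holds only Dom0 addresses, /24s between consecutive Dom0 /24s inherit the gap's type) to a constructed zone layout, then measures how well the inferred map predicts instance types under locality-preserving placement versus the randomized IP allocation of mitigation strategy #1. The zone `10.252.0.0/16`, every IP, the Dom0 positions and the instance-type labels are all constructed assumptions.

```python
import ipaddress
import random

def slash24(ip):
    """The /24 containing ip (a string or an IPv4Address)."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)

def infer_type_map(samples, dom0_ips):
    """samples: [(ip, instance_type)], dom0_ips: [ip]. Returns {/24: label}."""
    labels = {slash24(ip): "dom0" for ip in dom0_ips}           # rule 2
    for ip, itype in samples:                                    # rule 1
        net = slash24(ip)
        labels[net] = itype if labels.get(net, itype) == itype else "conflict"
    dom0_nets = sorted(n for n, lab in labels.items() if lab == "dom0")
    for lo, hi in zip(dom0_nets, dom0_nets[1:]):                 # rule 3
        gap = [slash24(ipaddress.IPv4Address(a)) for a in
               range(int(lo.network_address) + 256, int(hi.network_address), 256)]
        seen = {labels[n] for n in gap if n in labels} - {"conflict"}
        if len(seen) == 1:                  # exactly one type sampled in this gap
            for n in gap:
                labels.setdefault(n, next(iter(seen)))
    return labels

def predict(labels, ip):
    return labels.get(slash24(ip), "unknown")

# Constructed zone 10.252.0.0/16: Dom0 /24s have third octet 0, 6, 12, 18; under the
# locality-preserving scheme each gap between them is reserved for one instance type.
TYPES = ["m1.small", "m1.large", "m1.xlarge"]
DOM0 = ["10.252.0.1", "10.252.6.1", "10.252.12.1", "10.252.18.1"]
SAMPLES = [("10.252.2.17", "m1.small"), ("10.252.9.40", "m1.large"),
           ("10.252.15.3", "m1.xlarge")]

def true_type(ip, randomized, rng):
    """Ground truth: by /24 region, or uniformly random (mitigation strategy #1)."""
    if randomized:
        return rng.choice(TYPES)
    return TYPES[(int(ip.split(".")[2]) - 1) // 6]

def heuristic_accuracy(randomized, n=300, seed=1):
    """Fraction of held-out guest IPs whose type the inferred map predicts correctly."""
    rng = random.Random(seed)
    labels = infer_type_map(SAMPLES, DOM0)
    guest_octets = [o for o in range(1, 18) if o % 6 != 0]
    hits = 0
    for _ in range(n):
        ip = f"10.252.{rng.choice(guest_octets)}.{rng.randint(2, 254)}"
        hits += predict(labels, ip) == true_type(ip, randomized, rng)
    return hits / n                 # 1.0 with locality-preserving placement, ~1/3 randomized
```

With only three sampled instances the map is perfect when placement tracks the address space, and no better than guessing once allocation is randomized, which is why mitigation #1 blunts the mapping step rather than the tools used for it.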

Mitigation strategies #2: Co-residence checks
  • Prevent traceroute (i.e., prevent identification of dom0)

Mitigation strategies #3: Co-location
  • Do not allow co-residence at all
    • Beneficial for cloud user
    • Not efficient for cloud provider

Mitigation strategies #4: Information leakage
  • Prevent cache load attacks?

Discussion
  • How is the problem different from other attacks?
  • What’s so special about clouds?

Discussion

Cons

  • Are the side channels *really* effective?


Further Reading

Frank Swiderski and Window Snyder, “Threat Modeling”, Microsoft Press, 2004

The STRIDE Threat Model

Amazon downplays report highlighting vulnerabilities in its cloud service

Hypothetical example described in report much harder to pull off in reality, company says. TechWorld, Oct 29, 2009. http://bit.ly/dvxEZp
