cs642

cloud computing & e-crime

adam everspaugh ace@cs.wisc.edu

computer security

announcementsHW4 due in one week

This week: cloud computing and malware & ecrime

Next week: Bitcoin and Android security

Friday, May 6: Exam review session

Sunday, May 8: Final exam

todayCloud computing and placement vulnerabilities

Malware, botnets, and crime

CloudServices

VMsInfrastructure-as-a-service

Storage

WebCache/TLSTermination

Asimplifiedmodelofpubliccloudcomputing

Owned/operatedbycloudprovider

UserA

UserB

virtualmachines(VMs)

virtualmachines(VMs)

UsersrunVirtualMachines(VMs)oncloudprovider’sinfrastructure

VirtualMachineManager

VirtualMachineManager(VMM)managesphysicalserverresourcesforVMs

TotheVMshouldlooklikededicatedserver

Multitenancy(userssharephysicalresources)

Anewthreatmodel:

UserA

Badguy

AttackeridentifiesoneormorevictimsVMsincloud

2)Launchattacksusingphysicalproximity

1)AchieveadvantageousplacementvialaunchingofVMinstances

ExploitVMMvulnerability Side-channelattackDoS

Checkingforco-residence

Anatomyofattack

checkthatVMisonsameserverastarget-network-basedco-residencechecks-efficacyconfirmedbycovertchannels

Placementvulnerability:attackerscanknowinglyachieveco-residencewithtargetAchievingco-residence

bruteforcingplacementinstancefloodingaftertargetlaunches

Location-basedattacksside-channels,DoS,escape-from-VM

Cross-VMsidechannelsusingCPUcachecontention

AttackerVM

VictimVM

Mainmemory

CPUdatacache

1)Readinalargearray(fillCPUcachewithattackerdata)

2)Busyloop(allowvictimtorun)

3)Measuretimetoreadlargearray(theloadmeasurement)

Cache-basedcross-VMloadmeasurementonEC2

RepeatedHTTPgetrequests

Performscacheloadmeasurements

RunningApacheserver

Instancesco-resident Instancesco-resident InstancesNOTco-resident

3pairsofinstances,2pairsco-residentand1not100cacheloadmeasurementsduringHTTPgets(1024bytepage)andwithnoHTTPgets

[Hey,You,GetOffofmyCloud,2009,Ristenpart,etal.]

Checkingforco-residence

Anatomyofattack

checkthatVMisonsameserverastarget-network-basedco-residencechecks-efficacyconfirmedbycovertchannels

Placementvulnerability:attackerscanknowinglyachieveco-residencewithtargetAchievingco-residence

bruteforcingplacementinstancefloodingaftertargetlaunches

Location-basedattacksside-channels,DoS,escape-from-VM

Howhardshouldco-locationbe?

- Randomplacementpolicy- N=50kmachines- v=#victimVMs,a=#attackerVMs- Probabilityofcollision:Pc=1-(1-v/N)a

UserA

Badguy

Co-locationStrategies

• Basicstrategy

• TriggerlaunchofvictimVMs• DriveHTTPtrafficandtrigger

autoscalingtolaunchmorevictimVMs

• TimelaunchofattackerVMsinco-ordination

• Howeffectiveisthis?

• Howmuchdoesthiscost?

• Howlongdoesthistake?

[APlacementVulnerabilityStudyinPublicClouds,2015,VVaradarajan]

[APlacementVulnerabilityStudyinPublicClouds,2015,VVaradarajan]

• Cheapeststrategy:$0.14(GCE)

• Mostexpensivestrategy:$5.30(Azure)

ecrime

Botnets

• Botnets:– CommandandControl(C&C)

– Zombiehosts(bots)

• C&Ctype:– centralized,peer-to-peer

• Infectionvector:– spam,scanning,worm(self-propagatingvirus)

• Usage:?

Howtomakemoneyoffabotnet?

• Rental– “Paymemoney,andI’llletyouusemybotnet…noquestionsasked”

• DDoSextortion– “PaymeorItakeyourlegitimatebusinessoffweb”

• Bulktrafficselling– “Paymetodirectbotstowebsitestoboostvisitcounts”

• Clickfraud,SEO– “Simulateclicksonadvertisedlinkstogeneraterevenue”– Cloaking,linkfarms,etc.

• Theftofmonetizableinformation(eg.,financialaccounts)• Ransomware– “I’veencryptedyourharddrive,nowpaymemoneytounencryptit”

• Advertiseproducts

think-pair-share

TorpigBotnet

• 2005-2009?

• 50k-180kbots

• 2008:"Mostadvancedpieceofcrimewareeverbuilt"

• Usedomainfluxtocontactcommandandcontrol(C&C)servers

• HijackedbyUCSantaBarbararesearchersandstudiedfor10days

[YourBotnetisMyBotnet:AnalysisofaBotnetTakeover,2009,Stone-Grossetal.]

HowtojoinaTorpigbotnet

1: Clickondodgylinktovulnerablewebsite

2-4:DownloadMebrootmalware

5: MebrootdownloadsTorpigDLL(yourabot!)

6: UploadallyousensitivedatatoTorpigC&C

7: Profit!(notyours)

DomainFlux• EachbotgeneratescandidatedomainnamesforC&Cservers

• Probeeachone,usethefirstonethattalkstheC&Cprotocol

• Researchersranthealgorithmforwardseveralweeks

• Discoveredun-registereddomainsandregisteredthem

• SetuptheirownC&Cserver

• Yourbotnetismybotnet

Stealingabotnet

• Researchersboughttwodomainsandhosting

• PutupC&Cservertocaptureallreportedinformationbybots

• ControlledTorpigbotnetfor10days

• Captured70GBsofstoleninformation

• Usedthesedatatostudyhowbigthebotnetwasandwhatitdid(crime)

Estimatingbotnetsize

TorpigbotsreporttoC&CserversusingauniquebotnetIDUsefulforcorrectlyestimatingsize

StealingFinancialAccounts

In10days,stolenaccountsfrom:- Paypal(1770)- PosteItaliane(765)- CapitalOne(314)- E*Trade(304)- Chase(217)

Ethics

● PRINCIPLE1.● Thesinkholedbotnetshouldbeoperatedsothatanyharmand/ordamagetovictimsandtargetsofattackswouldbeminimized.

● PRINCIPLE2.● Thesinkholedbotnetshouldcollectenoughinformationtoenablenotificationandremediationofaffectedparties.

Twoprinciplestoprotectvictims

recapCloud computing / Placement vulnerabilities / Co-residency detection via side-channels / Co-location strategies

Malware + botnets / Botnet uses / Architecture / Domain flux, C&C hijacking