announcements
HW4 due in one week
This week: cloud computing and malware & ecrime
Next week: Bitcoin and Android security
Friday, May 6: Exam review session
Sunday, May 8: Final exam
today
Cloud computing and placement vulnerabilities
Malware, botnets, and crime
Cloud Services
VMs / Infrastructure-as-a-service
Storage
Web Cache / TLS Termination
A simplified model of public cloud computing
Owned/operated by cloud provider
User A
User B
virtual machines (VMs)
Users run Virtual Machines (VMs) on cloud provider's infrastructure
Virtual Machine Manager
Virtual Machine Manager (VMM) manages physical server resources for VMs
To the VM, it should look like a dedicated server
Multitenancy (users share physical resources)
A new threat model:
User A
Bad guy
Attacker identifies one or more victim VMs in cloud
1) Achieve advantageous placement via launching of VM instances
2) Launch attacks using physical proximity
Exploit VMM vulnerability / Side-channel attack / DoS
Anatomy of attack
Achieving co-residence
- Placement vulnerability: attackers can knowingly achieve co-residence with target
- brute forcing placement, instance flooding after target launches
Checking for co-residence
- check that VM is on same server as target
- network-based co-residence checks
- efficacy confirmed by covert channels
Location-based attacks
- side-channels, DoS, escape-from-VM
Cross-VM side channels using CPU cache contention
Attacker VM
Victim VM
Main memory
CPU data cache
1) Read in a large array (fill CPU cache with attacker data)
2) Busy loop (allow victim to run)
3) Measure time to read large array (the load measurement)
Cache-based cross-VM load measurement on EC2
Repeated HTTP GET requests
Performs cache load measurements
Running Apache server
Figure panels: Instances co-resident / Instances co-resident / Instances NOT co-resident
3 pairs of instances, 2 pairs co-resident and 1 not. 100 cache load measurements during HTTP GETs (1024 byte page) and with no HTTP GETs
[Hey, You, Get Off of My Cloud, 2009, Ristenpart et al.]
How hard should co-location be?
- Random placement policy
- N = 50k machines
- v = # victim VMs, a = # attacker VMs
- Probability of collision: Pc = 1 - (1 - v/N)^a
User A
Bad guy
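As an added worked example (not from the lecture slides), the slide's collision formula evaluated with its own symbols N, v and a under a random placement policy, plus the inverse question a provider wants answered: how many attacker VM launches does random placement force before a chosen Pc is reached? N = 50k is the slide's value; the victim and attacker counts tried are constructed.

```python
# Added worked example (not from the lecture): Pc = 1 - (1 - v/N)^a under
# random placement, with N = 50k from the slide, plus the inverse
# (smallest a reaching a target Pc). Victim/attacker counts tried are
# constructed for illustration.
import math

N_MACHINES = 50_000  # N from the slide


def collision_probability(v, a, n=N_MACHINES):
    """Pc = 1 - (1 - v/N)^a: probability that at least one of `a` attacker
    VMs lands on a machine hosting one of `v` victim VMs, assuming each
    launch is an independent uniform draw over N machines."""
    if not 0 <= v <= n:
        raise ValueError("victim count must be between 0 and N")
    return 1.0 - (1.0 - v / n) ** a


def attacker_vms_needed(v, target_pc, n=N_MACHINES):
    """Smallest a with Pc >= target_pc: solve (1 - v/N)^a <= 1 - target_pc
    for a and round up. Returns inf when there are no victims to hit."""
    if not 0 < target_pc < 1:
        raise ValueError("target probability must be in (0, 1)")
    if v == 0:
        return math.inf
    if v >= n:
        return 1
    a = math.log(1.0 - target_pc) / math.log(1.0 - v / n)
    return math.ceil(a)


def placement_table(victim_counts, attacker_counts, n=N_MACHINES):
    """Pc for every (v, a) pair, rounded to 3 decimals, as {v: {a: Pc}}."""
    return {v: {a: round(collision_probability(v, a, n), 3)
                for a in attacker_counts}
            for v in victim_counts}


if __name__ == "__main__":
    for v, row in placement_table([1, 10, 100], [1, 10, 100, 1000]).items():
        print(f"v={v:>3}: " + "  ".join(f"a={a}: Pc={pc}" for a, pc in row.items()))
    for v in (1, 10, 100):
        print(f"v={v}: attacker needs a={attacker_vms_needed(v, 0.5)} VMs for Pc>=0.5")
```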
Co-location Strategies
• Basic strategy
• Trigger launch of victim VMs
• Drive HTTP traffic and trigger autoscaling to launch more victim VMs
• Time launch of attacker VMs in co-ordination
• How effective is this?
• How much does this cost?
• How long does this take?
[A Placement Vulnerability Study in Public Clouds, 2015, V. Varadarajan]
• Cheapest strategy: $0.14 (GCE)
• Most expensive strategy: $5.30 (Azure)
ecrime
Botnets
• Botnets:
– Command and Control (C&C)
– Zombie hosts (bots)
• C&C type:
– centralized, peer-to-peer
• Infection vector:
– spam, scanning, worm (self-propagating virus)
• Usage: ?
How to make money off a botnet?
• Rental – "Pay me money, and I'll let you use my botnet… no questions asked"
• DDoS extortion – "Pay me or I take your legitimate business off web"
• Bulk traffic selling – "Pay me to direct bots to websites to boost visit counts"
• Click fraud, SEO – "Simulate clicks on advertised links to generate revenue" – Cloaking, link farms, etc.
• Theft of monetizable information (e.g., financial accounts)
• Ransomware – "I've encrypted your hard drive, now pay me money to unencrypt it"
• Advertise products
think-pair-share
Torpig Botnet
• 2005-2009?
• 50k-180k bots
• 2008: "Most advanced piece of crimeware ever built"
• Use domain flux to contact command and control (C&C) servers
• Hijacked by UC Santa Barbara researchers and studied for 10 days
[Your Botnet is My Botnet: Analysis of a Botnet Takeover, 2009, Stone-Gross et al.]
How to join a Torpig botnet
1: Click on dodgy link to vulnerable website
2-4: Download Mebroot malware
5: Mebroot downloads Torpig DLL (you're a bot!)
6: Upload all your sensitive data to Torpig C&C
7: Profit! (not yours)
Domain Flux
• Each bot generates candidate domain names for C&C servers
• Probe each one, use the first one that talks the C&C protocol
• Researchers ran the algorithm forward several weeks
• Discovered un-registered domains and registered them
• Set up their own C&C server
• Your botnet is my botnet
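As an added example (not the lecture's or Torpig's own code; Torpig's real generation algorithm is not given here), a toy date-seeded domain-generation routine of the kind domain flux relies on, the bot-side "first one that talks C&C" selection from the slide, and the defender's forward run that precomputes upcoming candidates so they can be registered (sinkholed) or blocklisted before the bots reach them. The seed, TLD list, domains-per-day count and start date are constructed values.

```python
# Added example, not Torpig's real algorithm: a toy hash-of-date DGA,
# the bot's "probe candidates in order" selection from the slide, and the
# defender's forward run used to pre-register or blocklist future domains.
# Seed, TLDs, per-day count and start date are constructed values.
import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "biz")
DOMAINS_PER_DAY = 3
EXAMPLE_START = date(2009, 1, 25)  # constructed


def candidate_domains(day, count=DOMAINS_PER_DAY, seed=b"example-bot-seed"):
    """Deterministic per-day candidate list: every bot sharing the seed and
    the calendar date derives the same names, so the operator only has to
    register one of them in advance. Index 0 is probed first."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).hexdigest()
        label = "".join(chr(ord("a") + int(digest[j:j + 2], 16) % 26) for j in range(0, 24, 2))
        names.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return names


def pick_cnc(day, is_live):
    """Bot-side selection as on the slide: probe each candidate in order and
    use the first that speaks the C&C protocol. `is_live` stands in for the
    network probe so the example runs offline."""
    for domain in candidate_domains(day):
        if is_live(domain):
            return domain
    return None


def forward_run(start, days):
    """Defender's view: run the generator forward and collect every candidate
    for the next `days` days. Any still-unregistered name can be sinkholed
    (as the researchers did) or pushed to a DNS blocklist."""
    schedule = {}
    for offset in range(days):
        day = start + timedelta(days=offset)
        schedule[day.isoformat()] = candidate_domains(day)
    return schedule


if __name__ == "__main__":
    for d, names in forward_run(EXAMPLE_START, 3).items():
        print(d, names)
```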
Stealing a botnet
• Researchers bought two domains and hosting
• Put up C&C server to capture all reported information by bots
• Controlled Torpig botnet for 10 days
• Captured 70 GBs of stolen information
• Used these data to study how big the botnet was and what it did (crime)
Estimating botnet size
Torpig bots report to C&C servers using a unique botnet ID. Useful for correctly estimating size.
Stealing Financial Accounts
In 10 days, stolen accounts from:
- PayPal (1770)
- Poste Italiane (765)
- Capital One (314)
- E*Trade (304)
- Chase (217)
Ethics
Two principles to protect victims
● PRINCIPLE 1. The sinkholed botnet should be operated so that any harm and/or damage to victims and targets of attacks would be minimized.
● PRINCIPLE 2. The sinkholed botnet should collect enough information to enable notification and remediation of affected parties.
recap
Cloud computing / Placement vulnerabilities / Co-residency detection via side-channels / Co-location strategies
Malware + botnets / Botnet uses / Architecture / Domain flux, C&C hijacking