Upload
yama-haku
View
511
Download
0
Tags:
Embed Size (px)
Citation preview
CCSW '12
Adam Bates, Benjamin Mood, Joe Pletcher,Hannah Pruse,Masoud Valafar, and Kevin Butler
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
University of Oregon, Eugene
Detecting Co-Residency with Active Traffic Analysis Techniques
Outline
2
1. Introduction
2. Cloud co-recidency
3. Active traffic analysis
4. system design
5. Implementation
6. Evaluation
7. Analysis
8. Discussion
9. Related work
10. Conclusion
1. Introduction
3
New challenges to securitysharing of a common physical platform
co-residency determination alternatives that may be availablefocus on the network interfaceactive traffic analysiscreate an outbound covert channel for data exfiltration
1. Introduction
4
Investigates virtualization side channels in physical hardware
Assesses severity of threat through extensive evaluation
Introduces proof-of-concept attacks for the network flow channel
2. Cloud co-recidency
5
Victimslegitimate cloud customers
Adversary wishes to discover valuable information about his targetlaunch many instances, perform the co-residency check
3. Active traffic analysis
6
Network flow watermarking a type of network covert timing channelrecently as a method for detecting stepping stone relays
Blind schemesAll necessary information is contained within the
watermarknon-blind scheme
Information is stored for access by the exit gatewaysExploits virtualization’s dependence on traffic mixingDoes not require a corrupt network server
4. system design
7
Inject a target's network traffic with a persistent watermarking
Break hypervisor isolation guaranteeson-off interval-based packet arrival scheme
Due to the coarse-grained abilities of a co-located VM to inject network delay
out-of-band communicationovercome its limited ability to inject delay through
network activity
4.1 threat model
8
motivationinvestigate the existence of hardware-level side channelsthe viability of isolation assurances for virtual machines
assumenaive timing channels are unavailableroute all local traffic through a switchadministrators proactively apply patchesadministrators not interfere with the activities of customersvictim trust of the cloud infrestructurevictim's instances are available to the adversary over an
open network
4.2 co-resident watermarking
9
relies on the pigeonhole principleSERVER, CLIENT, FLOODERs
4.2 co-resident watermarking
10
CLIENT initiates a web session with our target instance
CLIENT iterates through its list of registered FLOODERs
FLOODERs injects network activity into the outbound interface
If no watermark signature is detectedterminate all instances and launch a new set
If a signature is detecteduse the co-resident FLOODER for a second phase of
attack
4.3 Signal Encoding
11
the watermark embedding processT : length of unwatermarked network flown : intervalsti : length of intervalspi : a certain number of packet arrivals+d, -d : two different levels of packet delaywi = {+d, -d} +d : injecting a constant stream of UDP packets-d : taking no action for the length of the interval
4.4 Signal Decoding
12
sorting intervals into X+d, X-dPoisson distributionKolmogorov-Smirnov(KS) test
5. Implementation
13
SERVERApache 2a script simulate background noise
CLIENTcontinuously re-requesting a 10MB file
FLOODERraw socket injection binarycreate outbound multi-threaded UDP streams
6. Evaluation
14
Hardware Dell workstations *2Dell PowerEdge R610 server *1
4-core Intel Xeon E5606 processor *212 GB RAM
Intel 82599 10Gbps Ethernet controllerHypervisor
VMWare ESXi 4.1Xenified Linux 2.6.40 kernel
Virtual machineLinux 2.6.34 kernel1 vCPU1.7 GB memory
6.1 Xen hypervisor
15
3200 total measurements 13 minutes and 20 second
6.2 VMWare ESXi hypervisor
16
6.3 system load
17
6.4 Network conditions
18
Measure the resiliency of encoded watermarkstraveling across longer network paths
6.5 Science clouds
19
ACISS compute cloud serviceFuturegrid’s Sierra cloudre-attempted the trial with multiple co-resident
FLOODERs
6.5 Science clouds
20
6.6 Neighboring instance false positives
21
This attack must avoid false positivesInstances are not co-resident but share a common
network pathinject layer 2 packets that are routed by MAC address
6.6 Neighboring instance false positives
22
6.7 Virtualization-Aware hardware
23
viability of hardware level defenses against co-resident watermarking
Repeated original Xen trial on an SR-IOV-enabled NIC
configured the driver to present two virtual functions (VFs) on a single outgoing port
connected SERVER and FLOODER to one VF each on our Xen testbed
6.7 Virtualization-Aware hardware
24
7. Analysis
25
co-resident watermarkingbypassing VM isolationexploiting underlying hardware configurations
scouting mechanism
7.1 Covert communication
26
Transmit a secret such as a small key or message
7.2 Load measurement
27
Discovering more accurate traffic informationMonitoring the throughput of the undisturbed
CLIENT-SERVER TCP session
8. Discussion
28
Embedding a message into a network floweffectively multicast to all visitors to the serverretrieve the message while retaining plausible deniability
8.1 Invisibility
29
FLOODER’s activity would arouse immediate suspicion
Invisibility is extremely difficult to achieve
8.2 Defences
30
Provide each virtual machine instance with a dedicated path out of its physical host
Net relative to the network transmission speed of their physical host
Provision networks to not take advantage of the "free" bandwidth
Virtualization-aware hardware can address and close this side channel
random scheduling mechanism
9. Related work
31
9.1 Cloud side channels9.2 Hypervisor Security9.3 In-the-wild exploits
9.1 Cloud side channels
32
network timing side channelchallenge fault tolerance guaranteesbe used to detect drive-failure vulnerabilities
Cache-based side channelexploit the timing difference between the cache and main
memory
9.2 Hypervisor Security
33
Preventing cache-based side channelsChecks whether organizations has any conflict with the
SLAmonitors how the physical memory used by applicationschanging how caches assign memory to applications
Reducing the role and size of the hypervisorproposing the near elimination of the hypervisor
9.3 In-the-wild exploits
34
A handful of privilege escalation exploits in Xen and VMWare
An early version of Xen 3allowed users to craft malicious grub.confbuffer overflow error
VMWarea bug in the folder-sharingunprivileged user code to be executed by the vmx
process
10. conclusion
35
determining co-residency of instances in cloud environmentsLeveraged active traffic analysis techniques
co-resident watermarking schemedetermination of co-residency in 10 seconds
interpose a covert channelperforming passive attacks
End
36