Ragib Hasan
University of Alabama at Birmingham
CS 491/691/791 Fall 2013 Lecture 3
09/03/2013
Security and Privacy in Cloud Computing
Ragib Hasan | UAB CIS | CS491/691/791 Fall 2013
Attacks and Attack Surfaces
Goal:
– Examine attack surfaces in a cloud
– Learn about novel attacks on clouds

Recommended reading (no reviews):
Gruschka and Jensen, “Attack Surfaces: A Taxonomy for Attacks on Cloud Services”, 3rd International Conference on Cloud Computing, 2010
Announcements
• Review Assignment #1 will be posted to course website this afternoon
  – Due: Tuesday, September 10, 12.29 pm
• Please send reviews to ragib AT cis.uab.edu
  – Send review in plain text, in the email body (no attachments please)
• Review format: Summary (5-6 sentences), Pros (3 or more points), Cons (3 or more points), Ideas for improvement
Announcement
Term Project
– Must be a project related to cloud security
– Form 2-member groups for the project
– Project kickstart meeting: 9/5/2013, 12.30 pm-1.30 pm
  • Some sample project ideas will be provided
  • Feel free to come up with your own ideas
– Amazon has donated compute time on the EC2 Cloud for this course
Due dates
• Project team formation: 9/5
• Project ideas: Due by 9/12
• Project progress meetings (Every 2 weeks, Sep-Nov)
• Project demo: Early December
Project Deliverables
• Project Report:
  – A brief, 10-12 page writeup on the project and experiments
• Project Demo:
  – (If possible and relevant)
Traditional systems security vs Cloud Computing Security
Securing a traditional system
Securing a cloud
Traditional systems security vs Cloud Computing Security
Analogy
• Securing a house: Owner and user are often the same entity
• Securing a motel: Owner and users are almost invariably distinct entities
Traditional systems security vs Cloud Computing Security
Securing a house
Biggest user concerns:
• Securing perimeter
• Checking for intruders
• Securing assets
Securing a motel
Biggest user concern:
• Securing room against (the bad guy in next room | hotel owner)
Attack Surfaces
An attack surface is a vulnerability in a system that malicious users may utilize
Clouds extend the attack surface
• How?
  – By requiring users to communicate with the cloud over a public / insecure network
  – By sharing the infrastructure among multiple users
Analyzing Attack Surfaces in Clouds
Figure from: Gruschka et al., Attack Surfaces: A Taxonomy for Attacks on Cloud Services.
Cloud attack surfaces can be modeled using a 3 entity model (user, service, cloud)
Attack Surface: 1
• Service interface exposed towards clients
• Possible attacks: Common attacks in client-server architectures
  – E.g., Buffer overflow, SQL injection, privilege escalation
Attack Surface: 2
• User exposed to the service
• Common attacks
  – E.g., SSL certificate spoofing, phishing
Attack Surface: 3
• Cloud resources/interfaces exposed to service
• Attacks run by service on cloud infrastructure
– E.g., Resource exhaustion, DoS
Attack Surface: 4
• Service interface exposed to cloud
• Privacy attack
• Data integrity attack
• Data confidentiality attack
Attack Surface: 5
• Cloud interface exposed to users
• Attacks on cloud control
Attack Surface: 6
• User exposed to cloud
• How much can the cloud learn about a user?
Attacking a cloud
Question: Given enough resources, how would you attack a cloud?
Attacking a cloud
Options:
– From outside
  • Launch denial of service attacks
  • Probe cloud from outside
– From inside
  • Exhaust resources internally
  • Probe cloud and/or other
Novel attacks on clouds
• Question: Can you attack a cloud or other users, without violating any law?
• Answer: Yes!! By launching side channel attacks, while not violating Acceptable User Policy.
Utilizing Side Channels
• A Side Channel is a passive attack in which the attacker gains information about the target through indirect observations.
• Examples?