Ragib Hasan, Johns Hopkins University, en.600.412 Spring 2011, Lecture 2, 02/07/2010

Security and Privacy in Cloud Computing


Attack Modeling, and Novel Attack Surfaces


Goal

1. Learn the cloud computing threat model by examining the assets, vulnerabilities, entry points, and actors in a cloud

2. Examine a novel topology attack on cloud


Assignment for next class

• Review: Thomas Ristenpart et al., Hey, You, Get Off of My Cloud! Exploring Information Leakage in Third-Party Compute Clouds, Proc. ACM CCS 2009.

• Format:
  – Summary: A brief overview of the paper, 1 paragraph (5 / 6 sentences)
  – Pros: 3 or more issues
  – Cons: 3 or more issues
  – Possible improvements: Any possible suggestions to improve the work

• Due: 2.59 pm 2/14/2010

• Submission: By email to [email protected] (text only, no attachments please) (Please use the subject line: Review Assignment 1)


Threat Model

A threat model helps in analyzing a security problem, designing mitigation strategies, and evaluating solutions

Steps:
– Identify attackers, assets, threats and other components
– Rank the threats
– Choose mitigation strategies
– Build solutions based on the strategies


Threat Model

Basic components

• Attacker modeling
  – Choose what attacker to consider
  – Attacker motivation and capabilities

• Assets / Attacker Goals

• Vulnerabilities / threats


Recall: Cloud Computing Stack


Recall: Cloud Architecture

[Figure: Client, SaaS / PaaS Provider, Cloud Provider (IaaS)]


Attackers


Who is the attacker?

Insider?
• Malicious employees at client
• Malicious employees at Cloud provider
• Cloud provider itself

Outsider?
• Intruders
• Network attackers?


Attacker Capability: Malicious Insiders

• At client
  – Learn passwords/authentication information
  – Gain control of the VMs

• At cloud provider
  – Log client communication


Attacker Capability: Cloud Provider

• What?
  – Can read unencrypted data
  – Can possibly peek into VMs, or make copies of VMs
  – Can monitor network communication, application patterns


Attacker motivation: Cloud Provider

• Why?
  – Gain information about client data
  – Gain information on client behavior
  – Sell the information or use it itself

• Why not?
  – Cheaper to be honest?

• Why? (again)
  – Third party clouds?


Attacker Capability: Outside attacker

• What?
  – Listen to network traffic (passive)
  – Insert malicious traffic (active)
  – Probe cloud structure (active)
  – Launch DoS


Assets


Threat Model

Basic components

• Attacker modeling
  – Choose what attacker to consider
  – Attacker motivation and capabilities

• Assets / Attacker Goals

• Vulnerabilities / threats


Attacker goals: Outside attackers

• Intrusion

• Network analysis

• Man in the middle

• Cartography


Assets (Attacker goals)

• Confidentiality:
  – Data stored in the cloud
  – Configuration of VMs running on the cloud
  – Identity of the cloud users
  – Location of the VMs running client code


Assets (Attacker goals)

• Integrity
  – Data stored in the cloud
  – Computations performed on the cloud


Assets (Attacker goals)

• Availability
  – Cloud infrastructure
  – SaaS / PaaS


Threats


Organizing the threats using STRIDE

• Spoofing identity
• Tampering with data
• Repudiation
• Information disclosure
• Denial of service
• Elevation of privilege


Typical threats

Threat type and mitigation techniques [STRIDE]:

• Spoofing identity
  – Authentication
  – Protect secrets
  – Do not store secrets

• Tampering with data
  – Authorization
  – Hashes
  – Message authentication codes
  – Digital signatures
  – Tamper-resistant protocols

• Repudiation
  – Digital signatures
  – Timestamps
  – Audit trails


Typical threats (contd.)

Threat type and mitigation techniques [STRIDE]:

• Information disclosure
  – Authorization
  – Privacy-enhanced protocols
  – Encryption
  – Protect secrets
  – Do not store secrets

• Denial of service
  – Authentication
  – Authorization
  – Filtering
  – Throttling
  – Quality of service

• Elevation of privilege
  – Run with least privilege


Summary

• A threat model helps in designing appropriate defenses against particular attackers

• Your solution and security countermeasures will depend on the particular threat model you want to address


Mapping/topology Attacks

Lecture Goal
• Learn about mapping attacks
• Discuss different techniques and mitigation strategies
• Analyze the practicality and impact

Reading: Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds, Ristenpart et al., CCS 2009


Why does cloud computing bring new threats?

Traditional system security mostly means keeping bad guys out

The attacker needs to either compromise the auth/access control system, or impersonate existing users


Why does cloud computing bring new threats?

But clouds allow co-tenancy:

Multiple independent users share the same physical infrastructure

So, an attacker can legitimately be on the same physical machine as the target


Challenges for the attacker

How to find out where the target is located

How to be co-located with the target in the same (physical) machine

How to gather information about the target


Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds, Ristenpart et al., CCS 2009

• First work on cloud cartography
• Attack launched against commercially available “real” cloud (Amazon EC2)
• Claims up to 40% success in co-residence with target VM


Strategy

• Map the cloud infrastructure to find where the target is located

• Use various heuristics to determine co-residency of two VMs

• Launch probe VMs trying to be co-resident with target VMs

• Exploit cross-VM leakage to gather info about target


Threat model

Attacker model
– Cloud infrastructure provider is trustworthy
– Cloud insiders are trustworthy
– Attacker is a malicious third party who can legitimately use the cloud provider as a client

Assets
– Confidentiality-aware services run on cloud
– Availability of services run on cloud


Tools of the trade

• Nmap, hping, wget for network probing

• Amazon EC2’s own DNS to map DNS names to IPs


Sidenote: EC2 configuration

EC2 uses Xen, with up to 8 instances per physical machine


Dom0 is the first instance on the machine, connected to physical adapter

All other instances route to external world via dom0

[Figures from Xen Wiki]


Task 1: Mapping the cloud

Reverse engineering the VM placement schemes provides useful heuristics about EC2’s strategy


Different availability zones use different IP regions.

Each instance has one internal IP and one external IP. Both are static. For example:
  External IP: 75.101.210.100
  External Name: ec2-75-101-210-100.computer-1.amazonaws.com
  Internal IP: 10.252.146.52
  Internal Name: domU-12-31-38-00-8D-C6.computer-1.internal


Task 1: Mapping the Cloud


Finding: same instance type within the same zone = similar IP regions

Reverse engineered mapping decision heuristic:
– A /24 inherits any included sampled instance type.
– A /24 containing a Dom0 IP address only contains Dom0 IP addresses.
– All /24’s between two consecutive Dom0 /24’s inherit the former’s associated type.


Task #2: Determining co-residence

• Co-residence: Check to determine if a given VM is placed in the same physical machine as another VM

• Network based check:
  – Match Dom0 IP addresses, check packet RTT, close IP addresses (within 7, since each machine has 8 VMs at most)
  – Traceroute provides Dom0 of target
  – No false positives found during experiments


Task #3: Making a probe VM co-resident with target VM

Brute force scheme
– Idea: figure out target’s availability zone and type
– Launch many probe instances in the same area
– Success rate: 8.4%


Task #3: Making a probe VM co-resident with target VM

Smarter strategy: utilize locality
– Idea: VM instances launched right after target are likely to be co-resident with the target
– Paper claims 40% success rate


Task #3: Making a probe VM co-resident with target VM


Window of opportunity is quite large, measured in days


Task #4: Gather leaked information

Now that the VM is co-resident with target, what can it do?
– Gather information via side channels
– Perform DoS


Task 4.1: Gathering information

If VMs are separated and secure, the best the attacker can do is to gather information
– Measure latency of cache loads
– Use that to determine
  • Co-residence
  • Traffic rates
  • Keystroke timing


Mitigation strategies #1: Mapping

• Use a randomized scheme to allocate IP addresses

• Block some tools (nmap, traceroute)
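
An added simulation, not from the lecture or the paper, of why randomized IP allocation weakens the "close IP addresses (within 7)" co-residence check. It assumes a constructed 10.0.0.0 address pool and a sequential allocator that hands each host a contiguous block of 8 addresses; `allocate`, `adjacency_precision` and `compare` are hypothetical names.

```python
import random

VMS_PER_HOST = 8   # from the slides: up to 8 instances per physical machine
WINDOW = 7         # from the slides: "close IP addresses (within 7)"
BASE = 0x0A000000  # 10.0.0.0, a constructed internal address pool (assumption)

def allocate(num_hosts, randomized, seed=0):
    """Map each internal address (as an int) to the host that holds it."""
    hosts = [h for h in range(num_hosts) for _ in range(VMS_PER_HOST)]
    addrs = list(range(BASE, BASE + len(hosts)))
    if randomized:
        random.Random(seed).shuffle(addrs)  # mitigation: break address locality
    return dict(zip(addrs, hosts))

def adjacency_precision(placement):
    """Of all address pairs within WINDOW of each other, the fraction that
    really share a physical host (what numeric closeness alone reveals)."""
    addrs = sorted(placement)
    close = shared = 0
    for i, a in enumerate(addrs):
        for b in addrs[i + 1:i + 1 + WINDOW]:
            if b - a > WINDOW:
                break
            close += 1
            shared += placement[a] == placement[b]
    return shared / close if close else 0.0

def compare(num_hosts=64):
    """Return (sequential, randomized) precision for the same pool size."""
    seq = adjacency_precision(allocate(num_hosts, randomized=False))
    rnd = adjacency_precision(allocate(num_hosts, randomized=True))
    return seq, rnd

if __name__ == "__main__":
    seq, rnd = compare()
    print(f"sequential allocation: {seq:.3f}")
    print(f"randomized allocation: {rnd:.3f}")
```

Under the sequential allocator about half of all close address pairs are truly co-resident; after shuffling, closeness carries almost no information about placement.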


Mitigation strategies #2: Co-residence checks

• Prevent traceroute (i.e., prevent identification of dom0)


Mitigation strategies #3: Co-location

• Do not allow co-residence at all
  – Beneficial for cloud user
  – Not efficient for cloud provider
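
An added simulation, not from the lecture or the paper, that a provider could use to compare how placement policies expose a tenant to co-residence when another tenant launches instances right after it. The host count, background load and policy names (`pack`, `random`, `dedicated`) are assumptions of this constructed model, so the rates it returns are not the paper's measurements.

```python
import random

SLOTS = 8  # from the slides: up to 8 instances per physical machine

def place(free, owner, tenant, policy, rng):
    """Place one VM and return the chosen host index (policies are hypothetical)."""
    room = [h for h in range(len(free)) if free[h] > 0]
    if policy == "pack":        # locality: always fill the first host with room
        cands = room[:1]
    elif policy == "random":    # uniform over every host with room
        cands = room
    else:                       # "dedicated": a host only ever holds one tenant
        cands = ([h for h in room if owner[h] == tenant]
                 or [h for h in room if owner[h] is None])
    h = rng.choice(cands)
    free[h] -= 1
    if owner[h] is None:
        owner[h] = tenant
    return h

def coresidence_rate(policy, probes=20, hosts=64, trials=400, seed=1):
    """Fraction of trials in which a tenant launching `probes` VMs right after
    the victim ends up sharing a physical host with it."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        free, owner = [SLOTS] * hosts, [None] * hosts
        for i in range(rng.randrange(64, 192)):  # constructed background load
            place(free, owner, f"bg{i % 8}", policy, rng)
        victim = place(free, owner, "victim", policy, rng)
        landed = {place(free, owner, "prober", policy, rng) for _ in range(probes)}
        hits += victim in landed
    return hits / trials

if __name__ == "__main__":
    for policy in ("pack", "random", "dedicated"):
        print(f"{policy:9s} co-residence rate: {coresidence_rate(policy):.3f}")
```

The `dedicated` policy always returns 0.0, at the price the slide names: hosts left partly empty for the provider.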


Mitigation strategies #4: Information leakage

• Prevent cache load attacks?


Discussion

• How is the problem different from other attacks?

• What’s so special about clouds?


Discussion

Cons
– Are the side channels *really* effective?


Further Reading

Frank Swiderski and Window Snyder, “Threat Modeling”, Microsoft Press, 2004

The STRIDE Threat Model

“Amazon downplays report highlighting vulnerabilities in its cloud service: Hypothetical example described in report much harder to pull off in reality, company says”, TechWorld, Oct 29, 2009. http://bit.ly/dvxEZp