Security and Privacy in Cloud Computing
Ragib Hasan
Johns Hopkins University
en.600.412 Spring 2011
Lecture 2 | JHU | Ragib Hasan
02/07/2010
Attack Modeling, and Novel Attack Surfaces
Goal
1. Learn the cloud computing threat model by examining the assets, vulnerabilities, entry points, and actors in a cloud
2. Examine a novel topology attack on the cloud
Assignment for next class
• Review: Thomas Ristenpart et al., Hey, You, Get Off of My Cloud! Exploring Information Leakage in Third-Party Compute Clouds, proc. ACM CCS 2009.
• Format:
  – Summary: A brief overview of the paper, 1 paragraph (5 / 6 sentences)
  – Pros: 3 or more issues
  – Cons: 3 or more issues
  – Possible improvements: Any possible suggestions to improve the work
• Due: 2.59 pm 2/14/2010
• Submission: By email to [email protected] (text only, no attachments please) (Please use the subject line: Review Assignment 1)
Threat Model
A threat model helps in analyzing a security problem, designing mitigation strategies, and evaluating solutions.
Steps:
– Identify attackers, assets, threats and other components
– Rank the threats
– Choose mitigation strategies
– Build solutions based on the strategies
Threat Model
Basic components
• Attacker modeling
  – Choose what attacker to consider
  – Attacker motivation and capabilities
• Assets / Attacker goals
• Vulnerabilities / threats
Recall: Cloud Computing Stack
Recall: Cloud Architecture
(Figure: Client, SaaS / PaaS Provider, Cloud Provider (IaaS))
Attackers
Who is the attacker?
Insider?
• Malicious employees at client
• Malicious employees at cloud provider
• Cloud provider itself
Outsider?
• Intruders
• Network attackers?
Attacker Capability: Malicious Insiders
• At client
  – Learn passwords/authentication information
  – Gain control of the VMs
• At cloud provider
  – Log client communication
Attacker Capability: Cloud Provider
• What?
  – Can read unencrypted data
  – Can possibly peek into VMs, or make copies of VMs
  – Can monitor network communication, application patterns
Attacker motivation: Cloud Provider
• Why?
  – Gain information about client data
  – Gain information on client behavior
  – Sell the information or use it itself
• Why not?
  – Cheaper to be honest?
• Why? (again)
  – Third party clouds?
Attacker Capability: Outside attacker
• What?
  – Listen to network traffic (passive)
  – Insert malicious traffic (active)
  – Probe cloud structure (active)
  – Launch DoS
Assets
Threat Model
Basic components
• Attacker modeling
  – Choose what attacker to consider
  – Attacker motivation and capabilities
• Assets / Attacker goals
• Vulnerabilities / threats
Attacker goals: Outside attackers
• Intrusion
• Network analysis
• Man in the middle
• Cartography
Assets (Attacker goals)
• Confidentiality
  – Data stored in the cloud
  – Configuration of VMs running on the cloud
  – Identity of the cloud users
  – Location of the VMs running client code
• Integrity
  – Data stored in the cloud
  – Computations performed on the cloud
• Availability
  – Cloud infrastructure
  – SaaS / PaaS
Threats
Organizing the threats using STRIDE
• Spoofing identity
• Tampering with data
• Repudiation
• Information disclosure
• Denial of service
• Elevation of privilege
Typical threats

Threat type              Mitigation technique
-----------------------  -------------------------------------------------------------------------------------
Spoofing identity        Authentication; Protect secrets; Do not store secrets
Tampering with data      Authorization; Hashes; Message authentication codes; Digital signatures; Tamper-resistant protocols
Repudiation              Digital signatures; Timestamps; Audit trails
Information disclosure   Authorization; Privacy-enhanced protocols; Encryption; Protect secrets; Do not store secrets
Denial of service        Authentication; Authorization; Filtering; Throttling; Quality of service
Elevation of privilege   Run with least privilege
[STRIDE]
Summary
• A threat model helps in designing appropriate defenses against particular attackers
• Your solution and security countermeasures will depend on the particular threat model you want to address
Mapping/topology Attacks
Lecture Goal
• Learn about mapping attacks
• Discuss different techniques and mitigation strategies
• Analyze the practicality and impact
Reading: Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds, Ristenpart et al., CCS 2009
Why does cloud computing bring new threats?
Traditional system security mostly means keeping bad guys out: the attacker needs to either compromise the authentication/access control system, or impersonate existing users.
But clouds allow co-tenancy: multiple independent users share the same physical infrastructure. So an attacker can legitimately be on the same physical machine as the target.
Challenges for the attacker
• How to find out where the target is located
• How to be co-located with the target in the same (physical) machine
• How to gather information about the target
Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds, Ristenpart et al., CCS 2009
• First work on cloud cartography
• Attack launched against a commercially available "real" cloud (Amazon EC2)
• Claims up to 40% success in co-residence with target VM
Strategy
• Map the cloud infrastructure to find where the target is located
• Use various heuristics to determine co-residency of two VMs
• Launch probe VMs trying to be co-resident with target VMs
• Exploit cross-VM leakage to gather info about the target
Threat model
Attacker model
– Cloud infrastructure provider is trustworthy
– Cloud insiders are trustworthy
– Attacker is a malicious third party who can legitimately use the cloud provider as a client
Assets
– Confidentiality-aware services run on the cloud
– Availability of services run on the cloud
Tools of the trade
• Nmap, hping, wget for network probing
• Amazon EC2's own DNS to map DNS names to IPs
Sidenote: EC2 configuration
EC2 uses Xen, with up to 8 instances per physical machine. Dom0 is the first instance on the machine, connected to the physical adapter. All other instances route to the external world via dom0. [Figures from Xen Wiki]
Task 1: Mapping the cloud
Different availability zones use different IP regions.
Each instance has one internal IP and one external IP. Both are static.
For example:
  External IP: 75.101.210.100
  External Name: ec2-75-101-210-100.compute-1.amazonaws.com
  Internal IP: 10.252.146.52
  Internal Name: domU-12-31-38-00-8D-C6.compute-1.internal
Reverse engineering the VM placement schemes provides useful heuristics about EC2's strategy.
Task 1: Mapping the Cloud
Finding: same instance type within the same zone = similar IP regions
Reverse engineered mapping decision heuristic:
– A /24 inherits any included sampled instance type.
– A /24 containing a Dom0 IP address only contains Dom0 IP addresses.
– All /24's between two consecutive Dom0 /24's inherit the former's associated type.
Task #2: Determining co-residence
• Co-residence: check to determine if a given VM is placed in the same physical machine as another VM
• Network-based check:
  – Match Dom0 IP addresses, check packet RTT, close IP addresses (within 7, since each machine has 8 VMs at most)
  – Traceroute provides Dom0 of target
  – No false positives found during experiments
Task #3: Making a probe VM co-resident with target VM
Brute force scheme
– Idea: figure out target's availability zone and type
– Launch many probe instances in the same area
– Success rate: 8.4%
Smarter strategy: utilize locality
– Idea: VM instances launched right after target are likely to be co-resident with the target
– Paper claims 40% success rate
The window of opportunity is quite large, measured in days.
Task #4: Gather leaked information
Now that the VM is co-resident with the target, what can it do?
– Gather information via side channels
– Perform DoS
Task 4.1: Gathering information
If VMs are separated and secure, the best the attacker can do is to gather information
– Measure latency of cache loads
– Use that to determine
  • Co-residence
  • Traffic rates
  • Keystroke timing
Mitigation strategies #1: Mapping
• Use a randomized scheme to allocate IP addresses
• Block some tools (nmap, traceroute)
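The first mitigation above can be checked against the /24 inference heuristic from the "Task 1: Mapping the Cloud" slide. What follows is an added example, not code from the lecture or from the Ristenpart et al. paper: it implements the three placement rules over a constructed 16-block zone and measures how much of the zone they recover from an observer's own handful of launched instances, first under a sequential allocation (one type per region between Dom0 /24s) and then under a randomized one. The zone, the addresses, the instance types, the choice of sampled instances and the way a Dom0 /24 is associated with a type are all assumptions made for the example.

```python
import ipaddress
import random

Block = ipaddress.IPv4Network


def block_of(ip: str) -> Block:
    """The /24 that contains an address."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)


def infer_block_types(samples: dict, dom0_ips: set, zone: Block) -> dict:
    """Label every /24 in `zone` using the three rules from the lecture.

    samples:  {instance_ip: instance_type} for instances the observer
              launched itself, so their types are known
    dom0_ips: Dom0 addresses observed for those instances
    Returns {block: type | "dom0" | None}.
    """
    blocks = list(zone.subnets(new_prefix=24))
    labels = {}
    # Rule 2: a /24 containing a Dom0 address contains only Dom0 addresses.
    for ip in dom0_ips:
        labels[block_of(ip)] = "dom0"
    # Rule 1: a /24 inherits the type of any sampled instance inside it
    # (assumption: on conflicting samples the first one wins).
    for ip, itype in samples.items():
        b = block_of(ip)
        if labels.get(b) != "dom0":
            labels.setdefault(b, itype)
    # Rule 3: the /24s between two consecutive Dom0 /24s inherit the former's
    # associated type. Assumption: a Dom0 /24 is associated with the type of
    # the first labelled /24 that follows it before the next Dom0 /24.
    dom0_pos = [i for i, b in enumerate(blocks) if labels.get(b) == "dom0"]
    for start, end in zip(dom0_pos, dom0_pos[1:]):
        region = blocks[start + 1:end]
        region_type = next((labels[b] for b in region if b in labels), None)
        for b in region:
            labels.setdefault(b, region_type)
    return {b: labels.get(b) for b in blocks}


def accuracy(labels: dict, truth: dict, samples: dict) -> float:
    """Fraction of the instances the observer did NOT launch whose type the
    inferred /24 labels predict correctly."""
    unsampled = [(ip, t) for ip, t in truth.items() if ip not in samples]
    hits = sum(1 for ip, t in unsampled if labels.get(block_of(ip)) == t)
    return hits / len(unsampled)


# --- constructed zone: 16 /24s, Dom0 in blocks 0, 5, 10 and 15 -------------
ZONE = ipaddress.ip_network("10.1.0.0/20")
TYPES = ["m1.small", "m1.large", "c1.medium"]
DOM0_IPS = {"10.1.0.1", "10.1.5.1", "10.1.10.1", "10.1.15.1"}
# three guest addresses in every non-Dom0 /24 -> 36 instances
SLOTS = [f"10.1.{b}.{h}" for b in range(16) if b % 5 != 0 for h in (10, 20, 30)]


def sequential_layout() -> dict:
    """Predictable scheme: every region between two Dom0 /24s holds one type."""
    return {ip: TYPES[int(ip.split(".")[2]) // 5] for ip in SLOTS}


def randomized_layout(seed: int) -> dict:
    """Mitigation #1: the same 36 instances, but addresses drawn at random
    across the zone regardless of type."""
    rng = random.Random(seed)
    types = sorted(sequential_layout().values())
    rng.shuffle(types)
    return dict(zip(SLOTS, types))


def observer_samples(truth: dict, per_type: int = 1) -> dict:
    """The observer knows the type only of the few instances it launched:
    here, the lowest-addressed instance of each type."""
    samples, seen = {}, {}
    for ip in SLOTS:
        t = truth[ip]
        if seen.get(t, 0) < per_type:
            samples[ip] = t
            seen[t] = seen.get(t, 0) + 1
    return samples


def evaluate(truth: dict) -> float:
    """How much of the zone the heuristic recovers from the observer's samples."""
    samples = observer_samples(truth)
    labels = infer_block_types(samples, DOM0_IPS, ZONE)
    return accuracy(labels, truth, samples)


if __name__ == "__main__":
    print(f"sequential allocation: {evaluate(sequential_layout()):.2f}")
    print(f"randomized allocation: {evaluate(randomized_layout(1)):.2f}")
```

With the sequential layout, three sampled instances are enough for rule 3 to label the whole zone correctly; with the randomized layout the same three samples label each region with a single type that most of its instances do not have, which is the whole effect the mitigation is after.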
Mitigation strategies #2: Co-residence checks
• Prevent traceroute (i.e., prevent identification of dom0)
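As an added example, not from the lecture or the paper, the network-based signals from the "Task #2: Determining co-residence" slide written as a small decision function, which also shows what is left of the check once traceroute is blocked and the Dom0 signal disappears. The observations are constructed, the 8-VMs-per-host figure is the lecture's, and the RTT threshold is an assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

MAX_VMS_PER_HOST = 8   # lecture: up to 8 instances per physical machine
FAST_RTT_MS = 0.5      # assumption: an intra-host round trip is well under this


@dataclass
class Observation:
    """What the checking VM knows about itself or about the other VM."""
    internal_ip: str                  # internal (10.x) address
    dom0_ip: Optional[str] = None     # first traceroute hop; None when traceroute is blocked


def co_residence_signals(a: Observation, b: Observation,
                         rtt_ms: Optional[float] = None) -> dict:
    """The three signals from the lecture, each reported only when its
    input is available."""
    signals = {}
    if a.dom0_ip and b.dom0_ip:
        signals["same_dom0"] = a.dom0_ip == b.dom0_ip
    if rtt_ms is not None:
        signals["fast_rtt"] = rtt_ms < FAST_RTT_MS
    distance = abs(int(ipaddress.ip_address(a.internal_ip))
                   - int(ipaddress.ip_address(b.internal_ip)))
    signals["close_ip"] = distance < MAX_VMS_PER_HOST   # "within 7"
    return signals


def co_residence_verdict(a: Observation, b: Observation,
                         rtt_ms: Optional[float] = None) -> str:
    """'yes' / 'no' when the Dom0 signal is available (the lecture reports no
    false positives for the check); without it only 'uncertain' / 'unlikely',
    since close addresses or a fast RTT alone do not identify the host."""
    s = co_residence_signals(a, b, rtt_ms)
    if "same_dom0" in s:
        return "yes" if s["same_dom0"] else "no"
    if s["close_ip"] or s.get("fast_rtt"):
        return "uncertain"
    return "unlikely"


# constructed observations (not real EC2 data); Dom0 addresses live in their own /24
PROBE = Observation("10.252.146.52", dom0_ip="10.252.140.7")
SAME_HOST = Observation("10.252.146.54", dom0_ip="10.252.140.7")
OTHER_HOST = Observation("10.252.147.200", dom0_ip="10.252.140.9")
BLOCKED = Observation("10.252.146.54")          # traceroute blocked, no Dom0 seen
FAR_AWAY = Observation("10.252.160.9")

if __name__ == "__main__":
    for other, rtt in ((SAME_HOST, 0.1), (OTHER_HOST, 0.9), (BLOCKED, 0.1), (FAR_AWAY, 3.0)):
        print(other.internal_ip, co_residence_verdict(PROBE, other, rtt),
              co_residence_signals(PROBE, other, rtt))
```

Blocking traceroute downgrades the verdict from a definite yes/no to "uncertain" even when the weaker signals line up, which is exactly why the slide lists it as a mitigation for the co-residence check rather than for the mapping step.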
Mitigation strategies #3: Co-location
• Do not allow co-residence at all
  – Beneficial for cloud user
  – Not efficient for cloud provider
Mitigation strategies #4: Information leakage
• Prevent cache load attacks?
Discussion
• How is the problem different from other attacks?
• What's so special about clouds?
Discussion
Cons
– Are the side channels *really* effective?
Further Reading
Frank Swiderski and Window Snyder, "Threat Modeling", Microsoft Press, 2004 (The STRIDE Threat Model)
Amazon downplays report highlighting vulnerabilities in its cloud service: Hypothetical example described in report much harder to pull off in reality, company says. TechWorld, Oct 29, 2009. http://bit.ly/dvxEZp