Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds. By Thomas Ristenpart et al. Edward Wu.
Hey, You, Get Off of My Cloud
Exploring Information Leakage in Third-Party Compute Clouds
By Thomas Ristenpart et al.
Edward Wu
Structure
High Level Picture/Motivation
Threat Model
Approach
Mitigations
Pros/Cons
What's New/Not New in Cloud Security?
Acknowledgement: slides/thoughts borrowed from
Prof. Ragib Hasan's lecture notes and UIUC Security
Reading Group's reviews
Conference & Authors
CCS 09
Influential, cited by 226 papers in 2 years (Google
Scholar)
Media coverage:
MIT Technology Review, Network World, Network World (2),
Computer World, Data Center Knowledge, IT Business
Edge, Cloudsecurity.org, Infoworld
First work on cloud cartography
Attack launched against commercially available "real" cloud
(Amazon EC2)
Claims up to 40% success in co-residence with target VM
High Level Picture
Traditional system security mostly means keeping
bad guys out.
The attacker needs to either compromise the
auth/access control system, or impersonate existing
users.
But clouds allow co-tenancy:
Multiple independent users share the same physical
infrastructure.
An attacker can legitimately be in the same physical
machine as the target
Challenges for the attacker
How to find out WHERE the target is located
How to CO-LOCATE with the target in the same
physical machine
How to GATHER INFORMATION about the target
Approach
Map the cloud infrastructure to find where the target
is located
Use various heuristics to determine co-residence of
two VMs
Launch probe VMs that try to become co-resident with
target VMs
Exploit cross-VM leakage to gather information about
the target
Threat Model
Attacker Model
Cloud infrastructure provider is trustworthy
Cloud insiders are trustworthy
Attacker is a malicious third party who can
legitimately use cloud provider's service
Assets
Confidentiality-aware services running in the cloud
Availability of services running in the cloud
The Amazon EC2
Xen hypervisor, called Domain0, is used to manage guest
images, physical resource provisioning, and access
control rights.
Dom0 routes packets and reports itself as a first hop.
Consists of 2 regions (United States and Europe), each
with 3 availability zones; 5 Linux instance types.
(outdated!)
Instances have a one-to-one mapping of internal IP
addresses and external IP addresses, which are static
Mapping the Cloud
Plot of internal IPs against zones
Result: Different availability zones correspond to different
statically defined internal IP address ranges.
Mapping the Cloud
Plot of internal IPs in Zone 3 against instance types
Result: Same instance types correspond loosely with
similar IP address range regions.
Determine Co-residence
Network-based co-resident checks: instances
are likely co-resident if they have:
matching Dom0 IP address
small packet round-trip times
numerically close internal IP addresses (within 7)
Verified via a hard-disk-based covert channel
Conclusion of test: Effective false positive rate
of ZERO for the co-resident checks.
Probe VM Placement
Strategy 1: Brute-forcing placement
a success rate of 8.4%
Strategy 2: Abusing Placement Locality
Attacker knows when the target instances will be
launched
Infer availability zone and instance type from
its IP
Instance flooding: launch many instances simultaneously,
immediately following the launch of the target instance.
Achieves a success rate of 40%
Information Leakage
Co-residency affords the ability to:
Cause denial of service
Estimate victim's workload
Cache
Network Traffic
Extract cryptographic keys via cache-based side
channels.
Other cross-VM attacks
Mitigations
Mapping:
Use a randomized scheme to allocate IP
addresses
Block some scanning tools/activities
(nmap,traceroute)
Co-residence checks:
Prevent identification of dom0/hypervisor
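An added illustration of the mapping mitigation above (not from the slides or the paper): a constructed toy cloud whose zone count, host count, slots per host and helper names are all assumptions. It compares how much placement information an internal address reveals under static, contiguous allocation versus a randomized scheme.

```python
import random

ZONES, HOSTS_PER_ZONE, SLOTS = 3, 64, 8  # constructed toy cloud, not EC2's real layout
PER_ZONE = HOSTS_PER_ZONE * SLOTS        # addresses per zone in the static scheme

def allocate(randomized, rng):
    """Return (ip_int, zone, host) for every VM slot in the toy cloud."""
    slots = [(z, h) for z in range(ZONES)
             for h in range(HOSTS_PER_ZONE) for _ in range(SLOTS)]
    ips = list(range(len(slots)))  # static: address order follows zone, then host
    if randomized:
        rng.shuffle(ips)           # mitigation: address carries no placement info
    return [(ip, z, h) for ip, (z, h) in zip(ips, slots)]

def zone_inference_accuracy(vms):
    """How often the zone can be read off the address range alone."""
    hits = sum(1 for ip, z, _ in vms if ip // PER_ZONE == z)
    return hits / len(vms)

def adjacency_precision(vms, window=7):
    """Fraction of address pairs within `window` that really share a host."""
    by_ip = sorted(vms)
    close = same = 0
    for i, (ip_a, z_a, h_a) in enumerate(by_ip):
        for ip_b, z_b, h_b in by_ip[i + 1:i + 1 + window]:
            if ip_b - ip_a <= window:
                close += 1
                same += (z_a, h_a) == (z_b, h_b)
    return same / close

def compare(seed=1):
    """Map scheme name -> (zone inference accuracy, adjacency precision)."""
    rng = random.Random(seed)
    out = {}
    for name, randomized in (("static", False), ("randomized", True)):
        vms = allocate(randomized, rng)
        out[name] = (zone_inference_accuracy(vms), adjacency_precision(vms))
    return out

if __name__ == "__main__":
    for scheme, (zone_acc, adj_prec) in compare().items():
        print(f"{scheme:>10}: zone accuracy={zone_acc:.2f} adjacency precision={adj_prec:.3f}")
```

In this model the static layout makes the zone fully recoverable from the address, while the randomized scheme drops zone inference to roughly chance (one in three) and removes almost all of the signal from numerically close addresses.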
Mitigations
Co-location:
Not allow co-residence at all:
Beneficial for cloud users
Not efficient for cloud providers
N-tier trust model?
Information leakage:
Prevent cache load attacks?
Amazon's response
Amazon downplays report highlighting vulnerabilities
in its cloud service
"The side channel techniques presented are based on
testing results from a carefully controlled lab
environment with configurations that do not match the
actual Amazon EC2 environment."
"As the researchers point out, there are a number of
factors that would make such an attack significantly
more difficult in practice."
http://www.techworld.com.au/article/324189/amazon_downplays_report_highlighting_vulnerabilities_its_cloud_service
Pros
Shows preliminary work in side channel attacks
in VMs.
Demonstrates the practicality of their attacks on
Amazon EC2.
Covers precise attack model.
Simple tools are used to launch attack which
are easily available to any attacker.
Covers potential measures to take to inhibit
such attacks.
Cons
Are the side channels really effective?
How much can an attacker leverage the
information leaked out using this scheme?
If the target is on a full system it is not
attackable by using this scheme.
What is not New?
What’s New About Cloud Computing Security?
Yanpei Chen, Vern Paxson, Randy H. Katz
Argued that few cloud computing security
issues are fundamentally new or
fundamentally intractable.
Remember the good old time-sharing
systems such as Multics, National CCS?
What is not New?
Phishing, downtime, data loss, password
weaknesses, and compromised hosts
running botnets
Most research continues on web security,
data outsourcing and assurance, and virtual
machines
Servers in cloud computing currently operate
as (in)securely as servers in traditional
enterprise datacenters
Zeus running its C&C server on EC2 in 2009
What's New in Cloud Security?
Unexpected side channels (passively
observing information) and covert channels
Reputation fate-sharing: spam filter blacklist,
police raid, server crash
Novelties in the cloud threat model
Data and software are not the only assets worth
protecting, activity patterns also need to be
protected.
Need to accommodate a longer trust chain.
(incentives for companies to specialize)
Competitive businesses can operate within the
same cloud computing ecosystem.
Mutual auditability, between cloud users and
providers
Potentially inaccurate mental models of cloud
computing as an always-available service lead to
a false sense of security (EC2 Crash)