
Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds


Presentation Transcript


  1. Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds By Thomas Ristenpart et al. Edward Wu

  2. Structure • High Level Picture/Motivation • Threat Model • Approach • Mitigations • Pros/Cons • What's New/Not New in Cloud Security? • Acknowledgement: slides/thoughts borrowed from Prof. Ragib Hasan's lecture notes and UIUC Security Reading Group's reviews

  3. Conference & Authors • CCS '09 • Influential, cited by 226 papers in 2 years (Google Scholar) • Media coverage: MIT Technology Review, Network World, Network World (2), Computer World, Data Center Knowledge, IT Business Edge, Cloudsecurity.org, Infoworld • First work on cloud cartography • Attack launched against a commercially available "real" cloud (Amazon EC2) • Claims up to 40% success in co-residence with target VM

  4. High Level Picture • Traditional system security mostly means keeping bad guys out. • The attacker needs to either compromise the auth/access control system, or impersonate existing users. • But clouds allow co-tenancy: • Multiple independent users share the same physical infrastructure. • An attacker can legitimately be in the same physical machine as the target

  5. Challenges for the attacker • How to find out WHERE the target is located • How to CO-LOCATE with the target in the same physical machine • How to GATHER INFORMATION about the target

  6. Approach • Map the cloud infrastructure to find where the target is located • Use various heuristics to determine co-residence of two VMs • Launch probe VMs trying to be co-resident with target VMs • Exploit cross-VM leakage to gather information about the target

  7. Threat Model • Attacker Model • Cloud infrastructure provider is trustworthy • Cloud insiders are trustworthy • Attacker is a malicious third party who can legitimately use cloud provider's service • Assets • Confidentiality aware services run on cloud • Availability of services run on cloud

  8. Threat Model • Attacker Model • Cloud infrastructure provider is trustworthy • Cloud insiders are trustworthy • Attacker is a malicious third party who can legitimately use cloud provider's service • Assets • Confidentiality aware services run on cloud • Availability of services run on cloud

  9. The Amazon EC2 • Xen hypervisor, called Domain0, is used to manage guest images, physical resource provisioning, and access control rights. • Dom0 routes packets and reports itself as a first hop. • Consists of 2 regions (United States and Europe), each with 3 availability zones, and 5 Linux instance types. (outdated!) • Instances have a one-to-one mapping of internal IP addresses and external IP addresses, which are static

  10. Mapping the Cloud • Plot of internal IPs against zones • Result: Different availability zones correspond to different statically defined internal IP address ranges.

  11. Mapping the Cloud • Plot of internal IPs in Zone 3 against instance types • Result: Same instance types correspond loosely with similar IP address range regions.

  12. Determine Co-residence • Network-based co-resident checks: instances are likely co-resident if they have: • matching Dom0 IP address • small packet round-trip times • numerically close internal IP addresses (within 7) • Verified via a hard-disk-based covert channel • Conclusion of test: Effective false positive rate of ZERO for the co-resident checks.

  13. Probe VM Placement • Strategy 1: Brute-forcing placement • A success rate of 8.4% • Strategy 2: Abusing Placement Locality • Attacker knows when the target instances will be launched • Infer availability zone and instance type from its IP • Instance flooding: launch many instances simultaneously, immediately following launch of the target instance. • Achieves a success rate of 40%

  14. Information Leakage • Co-residency affords the ability to: • Cause denial of service • Estimate victim's workload • Cache • Network Traffic • Extract cryptographic keys via cache-based side channels. • Other cross-VM attacks

  15. Mitigations • Mapping: • Use a randomized scheme to allocate IP addresses • Block some scanning tools/activities (nmap, traceroute) • Co-residence checks: • Prevent identification of dom0/hypervisor

  16. Mitigations • Co-location: • Not allow co-residence at all: • Beneficial for cloud users • Not efficient for cloud providers • N-tier trust model? • Information leakage: • Prevent cache load attacks?

  17. Amazon's response • Amazon downplays report highlighting vulnerabilities in its cloud service • "The side channel techniques presented are based on testing results from a carefully controlled lab environment with configurations that do not match the actual Amazon EC2 environment." • "As the researchers point out, there are a number of factors that would make such an attack significantly more difficult in practice." • http://www.techworld.com.au/article/324189/amazon_downplays_report_highlighting_vulnerabilities_its_cloud_service

  18. Pros • Shows preliminary work in side channel attacks in VMs. • Demonstrates the practicality of their attacks on Amazon EC2. • Covers precise attack model. • Simple tools are used to launch attack which are easily available to any attacker. • Covers potential measures to take to inhibit such attacks.

  19. Cons • Are the side channels really effective? • How much can an attacker leverage the information leaked using this scheme? • If the target is on a full system, it cannot be attacked using this scheme.

  20. What is not New? • "What's New About Cloud Computing Security?" by Yanpei Chen, Vern Paxson, Randy H. Katz • Argued that few cloud computing security issues are fundamentally new or fundamentally intractable. • Remember the good old time-sharing systems such as Multics, National CCS?

  21. What is not New? • Phishing, downtime, data loss, password weaknesses, and compromised hosts running botnets • Most research continues on web security, data outsourcing and assurance, and virtual machines • Servers in cloud computing currently operate as (in)securely as servers in traditional enterprise datacenters • Zeus running its C&C server on EC2 in 2009

  22. What's New in Cloud Security? • Unexpected side channels (passively observing information) and covert channels • Reputation fate-sharing: spam filter blacklist, police raid, server crash

  23. Novelties in the cloud threat model • Data and software are not the only assets worth protecting; activity patterns also need to be protected. • Need to accommodate a longer trust chain (incentives for companies to specialize). • Competitive businesses can operate within the same cloud computing ecosystem. • Mutual auditability between cloud users and providers • Potentially inaccurate mental models of cloud computing as an always-available service lead to a false sense of security (EC2 Crash)
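
Slides 10 and 15 together say that statically defined per-zone internal IP ranges make the cloud mappable and that randomized IP allocation is the mitigation. The following added example (not from the paper or the slides) lets a provider measure that difference on a simulated address plan; the zone names, the 10.0.0.0/16 pool and the /18 and /20 sizes are constructed assumptions, not EC2's real layout.

```python
import ipaddress
import random
from collections import Counter, defaultdict

# Constructed values for illustration; not EC2's real zones or address plan.
ZONES = ["zone-1", "zone-2", "zone-3"]
POOL = ipaddress.ip_network("10.0.0.0/16")

def static_allocation(n_per_zone, rng):
    """Leaky layout: every zone owns one contiguous /18 slice of the pool."""
    out = []
    for zone, block in zip(ZONES, POOL.subnets(new_prefix=18)):
        for host in rng.sample(range(1, block.num_addresses - 1), n_per_zone):
            out.append((block.network_address + host, zone))
    return out

def randomized_allocation(n_per_zone, rng):
    """Mitigation: addresses drawn from the whole pool, independent of zone."""
    hosts = rng.sample(range(1, POOL.num_addresses - 1), n_per_zone * len(ZONES))
    return [(POOL.network_address + h, ZONES[i % len(ZONES)])
            for i, h in enumerate(hosts)]

def zone_inference_accuracy(assignments, rng, prefix=20):
    """Share of held-out instances whose zone is guessed from the IP prefix alone.

    Models an observer who knows the zone of half the instances and labels
    the rest by majority vote within each /prefix bucket.
    """
    shuffled = assignments[:]
    rng.shuffle(shuffled)
    half = len(shuffled) // 2
    votes = defaultdict(Counter)
    for ip, zone in shuffled[:half]:
        votes[int(ip) >> (32 - prefix)][zone] += 1
    hits = 0
    for ip, zone in shuffled[half:]:
        seen = votes.get(int(ip) >> (32 - prefix))
        guess = seen.most_common(1)[0][0] if seen else ZONES[0]
        hits += guess == zone
    return hits / (len(shuffled) - half)

def compare(n_per_zone=300, seed=2009):
    rng = random.Random(seed)
    return {
        "static": zone_inference_accuracy(static_allocation(n_per_zone, rng), rng),
        "randomized": zone_inference_accuracy(randomized_allocation(n_per_zone, rng), rng),
    }

if __name__ == "__main__":
    for scheme, acc in compare().items():
        print(f"{scheme:>10}: zone guessed correctly for {acc:.0%} of held-out instances")
```

With three equally sized zones, a randomized plan should leave the observer near the one-in-three guessing baseline, while the static plan lets the prefix identify the zone almost every time.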
