Hey, You, Get Off of My Cloud Exploring Information Leakage in Third-Party Compute Clouds By Thomas Ristenpart et al. Edward Wu
Structure • High Level Picture/Motivation • Threat Model • Approach • Mitigations • Pros/Cons • What's New/Not New in Cloud Security? • Acknowledgement: slides/thoughts borrowed from Prof. Ragib Hasan's lecture notes and UIUC Security Reading Group's reviews
Conference & Authors • CCS 09 • Influential, cited by 226 papers in 2 years (Google Scholar) • Media coverage: MIT Technology Review, Network World, Network World (2), Computer World, Data Center Knowledge, IT Business Edge, Cloudsecurity.org, Infoworld • First work on cloud cartography • Attack launched against a commercially available "real" cloud (Amazon EC2) • Claims up to 40% success in co-residence with target VM
High Level Picture • Traditional system security mostly means keeping bad guys out. • The attacker needs to either compromise the auth/access control system, or impersonate existing users. • But clouds allow co-tenancy: • Multiple independent users share the same physical infrastructure. • An attacker can legitimately be in the same physical machine as the target
Challenges for the attacker • How to find out WHERE the target is located • How to CO-LOCATE with the target in the same physical machine • How to GATHER INFORMATION about the target
Approach • Map the cloud infrastructure to find where the target is located • Use various heuristics to determine co-residence of two VMs • Launch probe VMs trying to be co-resident with target VMs • Exploit cross-VM leakage to gather information about the target
Threat Model • Attacker Model • Cloud infrastructure provider is trustworthy • Cloud insiders are trustworthy • Attacker is a malicious third party who can legitimately use cloud provider's service • Assets • Confidentiality-aware services run on cloud • Availability of services run on cloud
The Amazon EC2 • Xen hypervisor, called Domain0, is used to manage guest images, physical resource provisioning, and access control rights. • Dom0 routes packets and reports itself as a first hop. • Consists of 2 regions (United States and Europe), each with 3 availability zones, and 5 Linux instance types. (outdated!) • Instances have a one-to-one mapping of internal IP addresses and external IP addresses, which are static
Mapping the Cloud • Plot of internal IPs against zones • Result: Different availability zones correspond to different statically defined internal IP address ranges.
Mapping the Cloud • Plot of internal IPs in Zone 3 against instance types • Result: Same instance types correspond loosely with similar IP address range regions.
Determine Co-residence • Network-based co-resident checks: instances are likely co-resident if they have: • matching Dom0 IP address • small packet round-trip times • numerically close internal IP addresses (within 7) • Verified via a hard-disk-based covert channel • Conclusion of test: Effective false positive rate of ZERO for the co-resident checks.
Probe VM Placement • Strategy 1: Brute-forcing placement • a success rate of 8.4% • Strategy 2: Abusing Placement Locality • Attacker knows when the target instances will be launched • Infer availability zone and instance type from its IP • Instance flooding immediately following launch of instance by launching many instances simultaneously. • Achieves a success rate of 40%
Information Leakage • Co-residency affords the ability to: • Cause denial of service • Estimate victim's workload • Cache • Network traffic • Extract cryptographic keys via cache-based side channels. • Other cross-VM attacks
Mitigations • Mapping: • Use a randomized scheme to allocate IP addresses • Block some scanning tools/activities (nmap,traceroute) • Co-residence checks: • Prevent identification of dom0/hypervisor
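Why the randomized-allocation mitigation works, as an added example that is not from the paper or the slides: a toy cloud (constructed sizes, not EC2's real layout) is addressed once with static per-zone ranges and once with the same pool shuffled, and two leaks are scored, zone inference from the address prefix and the "numerically close IP (within 7)" co-residence hint.

```python
import random
from collections import Counter, defaultdict
from ipaddress import IPv4Address

ZONES, HOSTS_PER_ZONE, SLOTS = 3, 64, 8  # constructed toy cloud, not EC2's layout
BASE = int(IPv4Address("10.0.0.0"))

def allocate(randomized, rng):
    """Return (internal_ip, zone, host) for every VM slot."""
    slots = [(z, z * HOSTS_PER_ZONE + h) for z in range(ZONES)
             for h in range(HOSTS_PER_ZONE) for _ in range(SLOTS)]
    # Static scheme: zone z owns 10.z.0.0/16; each host gets 8 contiguous addresses.
    addrs = [BASE + (z << 16) + i % (HOSTS_PER_ZONE * SLOTS)
             for i, (z, _) in enumerate(slots)]
    if randomized:
        rng.shuffle(addrs)  # same pool, but an address no longer encodes placement
    return [(IPv4Address(a), z, h) for a, (z, h) in zip(addrs, slots)]

def zone_inference_accuracy(vms, rng, sample=60):
    """Learn a /16 -> zone map from a small sample and score it on the rest."""
    vms = vms[:]
    rng.shuffle(vms)
    votes = defaultdict(Counter)
    for ip, zone, _ in vms[:sample]:
        votes[int(ip) >> 16][zone] += 1
    guess = {prefix: c.most_common(1)[0][0] for prefix, c in votes.items()}
    rest = vms[sample:]
    return sum(guess.get(int(ip) >> 16) == zone for ip, zone, _ in rest) / len(rest)

def close_ip_precision(vms, window=7):
    """Share of neighbouring addresses within `window` that share a host."""
    ordered = sorted(vms)
    pairs = [(a, b) for a, b in zip(ordered, ordered[1:])
             if int(b[0]) - int(a[0]) <= window]
    return sum(a[2] == b[2] for a, b in pairs) / len(pairs)

def compare(seed=2009):
    """Score both leaks under static and randomized allocation."""
    rng = random.Random(seed)
    result = {}
    for name, randomized in (("static", False), ("randomized", True)):
        vms = allocate(randomized, rng)
        result[name] = (zone_inference_accuracy(vms, rng), close_ip_precision(vms))
    return result

if __name__ == "__main__":
    for scheme, (zone_acc, precision) in compare().items():
        print(f"{scheme:>10}: zone accuracy {zone_acc:.2f}, close-IP precision {precision:.2f}")
```

Under the static scheme the prefix identifies the zone every time and most close-address pairs share a host; after shuffling, zone inference falls to roughly chance and address proximity says almost nothing about placement.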
Mitigations • Co-location: • Do not allow co-residence at all: • Beneficial for cloud users • Not efficient for cloud providers • N-tier trust model? • Information leakage: • Prevent cache load attacks?
Amazon's response • Amazon downplays report highlighting vulnerabilities in its cloud service • "The side channel techniques presented are based on testing results from a carefully controlled lab environment with configurations that do not match the actual Amazon EC2 environment." • "As the researchers point out, there are a number of factors that would make such an attack significantly more difficult in practice." • http://www.techworld.com.au/article/324189/amazon_downplays_report_highlighting_vulnerabilities_its_cloud_service
Pros • Shows preliminary work in side channel attacks in VMs. • Demonstrates the practicality of their attacks on Amazon EC2. • Covers a precise attack model. • The attack is launched with simple tools that are easily available to any attacker. • Covers potential measures to take to inhibit such attacks.
Cons • Are the side channels really effective? • How much can an attacker leverage the information leaked using this scheme? • If the target is on a full system it is not attackable by using this scheme.
What is not New? • What's New About Cloud Computing Security? Yanpei Chen, Vern Paxson, Randy H. Katz • Argued that few cloud computing security issues are fundamentally new or fundamentally intractable. • Remember the good old time-sharing systems such as Multics, National CCS?
What is not New? • Phishing, downtime, data loss, password weaknesses, and compromised hosts running botnets • Most research continues on web security, data outsourcing and assurance, and virtual machines • Servers in cloud computing currently operate as (in)securely as servers in traditional enterprise datacenters • Zeus running its C&C server on EC2 in 2009
What's New in Cloud Security? • Unexpected side channels (passively observing information) and covert channels • Reputation fate-sharing: spam filter blacklist, police raid, server crash
Novelties in the cloud threat model • Data and software are not the only assets worth protecting; activity patterns also need to be protected. • Need to accommodate a longer trust chain. (incentives for companies to specialize) • Competitive businesses can operate within the same cloud computing ecosystem. • Mutual auditability between cloud users and providers • Potentially inaccurate mental models of cloud computing as an always-available service lead to a false sense of security (EC2 Crash)