220 likes | 325 Views
Lecture 4 : Cloud Computing Security: a first look. Xiaowei Yang (Duke University). Cloud Computing: the good. Elasticity O n demand scaling The illustration of infinite resources Pay-as-you go No up-front cost Pay what you need: no risk for under or over provisioning.
E N D
Lecture 4: Cloud Computing Security: a first look Xiaowei Yang (Duke University)
Cloud Computing: the good • Elasticity • On demand scaling • The illustration of infinite resources • Pay-as-you go • No up-front cost • Pay what you need: no risk for under or over provisioning
Cloud Computing: the bad • Placing your valuable code/data on a third party infrastructure • A rogue cloud admin • How do you verify what you get? • Your VMs may co-reside in the same physical machines/network as your adversaries’ • Information leaking • Denial of service attacks • More discuss in the next lecture
Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds Thomas Ristenpart, EranTromer, HovavShacham, Stefan Savage
Overview of the attack • Placement • Placing eavesdropping VMs to co-reside with targeted VMs • Extraction • Extracting confidential information via cross-VM side channels • RSA or AES secret keys
Threat model • Trusted cloud provider • A requirement for using third-party resources for now • Attackers are non-provider-affiliated malicious cloud users • Victims are other cloud users that have sensitive information
Case study: EC2 • Three availability zones for fault tolerance • Geography • Hardware isolation • Five types of instances • m1.small, c1.medium, m1.large, m1.xlarge, c1.xlarge • a total of 15 combinations
IP addresses of instances • An instance may have a public IP • 75.101.210.100 • A public IP corresponds to a DNS name • ec2-75-101-210-100.compute-1.amazonaws.com • Internal DNS queries return an internal IP and DNS names • 10.252.146.52 • domU-12-31-38-00-8D-C6.compute-1.internal
Virtualization structure • Dom0 manages guest images, physical resource provisioning, and access control rights • EC2: Dom0 routes packets for guest images • Last hop in traceroute Guest1 Guest2 Dom0 Zen Hypervisor
Network probing • External probing from outside EC2 • Internal probing from an instance inside
Cloud Cartography • Hypothesis • Same availability zone shares IP prefixes • VMs on the same physical machines share IP prefixes • Evaluation • Mapping EC2 public service to internal IPs • Creating test instances
Determining placement parameters • Launch instances for each of the 15 availability/instance type combination • Obtain their internal IP addresses
Instance type and accounts • 100 instances for the same zone • From a different account • Stick to the same
Derive IP address allocation rules • Heuristics to label /24 prefixes with both availability zone and instance type: • All IPs from a /16 are from the same availability zone. • A /24 inherits any included sampled instance type. If there are multiple instances with distinct types, then we label the /24 with each distinct type (i.e., it is ambiguous). • A /24 containing a Dom0 IP address only contains Dom0 IP addresses. We associate to this /24 the type of the Dom0’s associated instance • All /24’s between two consecutive Dom0 /24’s inherit the former’s associated type.
Achieving Co-Residence • Bruce-force • Launching many instances • Co-residence with 141 victim servers out of 1686 targeted servers • Sets of 20 • Varied time intervals • 1785 probe instances
Abusing placement locality • Timing correlation • Instance flooding • Launch many instances soon after victim servers are launched • 40% success out of 20 probes
Question • How to determine when a victim instance is launched?
Extraction • Many low level techniques • Cache usage • Load-based co-residence detection • Estimating traffic rates • Keystroke time attack
Summary • A first look at cloud security problems • Co-residence can be harmful • Next: more case studies and overview of security problems