Ragib Hasan
University of Alabama at Birmingham
CS 491/691/791 Fall 2013
Lecture 3
09/03/2013

Goal:
– Examine attack surfaces in a cloud
– Learn about novel attacks on clouds
Recommended reading (no reviews)
Gruschka and Jensen, “Attack Surfaces: A Taxonomy for
Attacks on Cloud Services”, 3rd International Conference on Cloud Computing, 2010
9/3/2013 Ragib Hasan | UAB CIS | CS491/691/791 Fall 2013

• Review Assignment #1 will be posted to course website this afternoon
– Due: Tuesday, September 10, 12.29 pm
• Please send reviews to ragib AT cis.uab.edu
– Send review in plain text, in the email body (no attachments please)
• Review format: Summary (5-6 sentences), Pros (3 or more points), Cons (3 or more points), Ideas for improvement
9/3/2013 Ragib Hasan | UAB CIS | CS491/691/791 Fall 2013

Term Project
– Must be a project related to cloud security
– Form 2-member groups for the project
– Project kickstart meeting: 9/5/2013, 12.30 pm-
1.30 pm
• Some sample project ideas will be provided
• Feel free to come up with your own ideas
– Amazon has donated compute time on the EC2
Cloud for this course
9/3/2013 Ragib Hasan | UAB CIS | CS491/691/791 Fall 2013

• Project team formation: 9/5
• Project ideas: Due by 9/12
• Project progress meetings (Every 2 weeks,
Sep-Nov)
• Project demo: Early December
9/3/2013 Ragib Hasan | UAB CIS | CS491/691/791 Fall 2013

• Project Report:
– A brief, 10-12 page writeup on the project and experiments
• Project Demo:
– (If possible and relevant)
9/3/2013 Ragib Hasan | UAB CIS | CS491/691/791 Fall 2013

Traditional systems security vs
Cloud Computing Security
9/3/2013
Securing a traditional system
Securing a cloud
Ragib Hasan | UAB CIS | CS491/691/791 Fall 2013

Traditional systems security vs
Cloud Computing Security
Analogy
9/3/2013
Securing a house Securing a motel
Owner and user are often the same entity
Owner and users are almost invariably distinct entities
Ragib Hasan | UAB CIS | CS491/691/791 Fall 2013

Traditional systems security vs
Cloud Computing Security
9/3/2013
Securing a house Securing a motel
Biggest user concerns
Securing perimeter
Biggest user concern
Securing room against
Checking for intruders (the bad guy in next
Securing assets room | hotel owner)
Ragib Hasan | UAB CIS | CS491/691/791 Fall 2013

An attack surface is a vulnerability in a system that malicious users may utilize
9/3/2013 Ragib Hasan | UAB CIS | CS491/691/791 Fall 2013

• How?
– By requiring users to communicate with the cloud over a public / insecure network
– By sharing the infrastructure among multiple users
9/3/2013 Ragib Hasan | UAB CIS | CS491/691/791 Fall 2013

Analyzing Attack Surfaces in Clouds
Cloud attack surfaces can be modeled using a 3 entity model
(user, service, cloud)
Figure 1. The cloud computing triangle and the six attack surfaces
Figure from: Gruschka et al., Attack Surfaces: A Taxonomy for Attacks on Cloud
(API depending on the service model type, IaaS, PaaS, attacks, triggering the cloud provider to provide more
Services.
resources or end up in a Denial-of-Service, or attacks
In the same way, a service instance provides its service on the cloud system hypervisor (see Section 3.2).
to a user with a dedicated interface (e.g. website, SSH connection, Web Service, ...). Thus, with 3 participants, there are 6 such interfaces to consider (as shown in
Figure 1). For the remainder of this paper, we will
The other way around, the attack surface of a service instance against the cloud system (d) is a very sensitive one. It incorporates all kinds of attacks a cloud provider can perform against a service running on it.
refer to these interfaces as being the attack surfaces.
2.1. Attack Sur faces
This may start with availability reductions (i.e. shut down service instances), but may also cover privacyrelated attacks (scanning a service instance’s data in process) or even malicious interference (e.g. tampering data in process, injecting additional operations to ser-
The first and most prominent attack surface is that of a service instance towards a user (a). This is nothing else than the common server-to-client interface, thus enabling (and being vulnerable to) all kinds of attacks vice instance executions; everything a rootkit [5] can do). To the author’s consideration, this is by far the most critical kind of attack surface, as its exploitation is that are possible in common client-server-architectures as well. This involves things like buffer ov erflow attacks, SQL injection, or privilege escalation.
rather easy (once being the cloud provider) and attack impacts are tremendous.
In the same way, the attack surface the service user provides towards the service (b) is nothing else than
The fifth attack surface of interest is that of the cloud system towards the user (e). This is a little bit hard to define since both usually do not have a real touching point; in common scenarios there always the common environment a client program provides to a server, e.g. browser-based attacks for an HTMLbased service like SSL certificate spoofing [4], attacks on browser caches, or Phishing attacks on mail clients.
exists a service in between. However, the cloud system has to provide an interface for controlling its services.
That interface, which we call cloud control , provides
The interface between a service instance and a cloud system (c) is a little bit more complex. Here, the cloud customers with the ability to add new services, require more service instances, delete service instances etc. As this is not a service instance in the sense separation of service instance and cloud provider can be tricky, but in general the cloud system’s attack surface to the service instance covers all attacks that of Figure 1, it is discussed here as a separate attack surface, with attack threats being merely similar to the a service instance can run against its hosting cloud system. An example would be resource exhaustion ones a common cloud service has to face from a user.
The last attack surface is the one provided by
277

• Service interface exposed towards clients
• Possible attacks: Common attacks in clientserver architectures
– E.g., Buffer overflow, SQL injection, privilege escalation
9/3/2013 Ragib Hasan | UAB CIS | CS491/691/791 Fall 2013

• User exposed to the service
• Common attacks
– E.g., SSL certificate spoofing, phishing
9/3/2013 Ragib Hasan | UAB CIS | CS491/691/791 Fall 2013

• Cloud resources/interfaces exposed to service
• Attacks run by service on cloud infrastructure
– E.g., Resource exhaustion, DoS
9/3/2013 Ragib Hasan | UAB CIS | CS491/691/791 Fall 2013

• Service interface exposed to cloud
• Privacy attack
• Data integrity attack
• Data confidentiality attack
9/3/2013 Ragib Hasan | UAB CIS | CS491/691/791 Fall 2013

• Cloud interface exposed to users
• Attacks on cloud control
9/3/2013 Ragib Hasan | UAB CIS | CS491/691/791 Fall 2013

• User exposed to cloud
• How much the cloud can learn about a user?
9/3/2013 Ragib Hasan | UAB CIS | CS491/691/791 Fall 2013

Question:
Given enough resources, how would you attack a cloud?
9/3/2013 Ragib Hasan | UAB CIS | CS491/691/791 Fall 2013

Options:
– From outside
• Launch denial of service attacks
• Probe cloud from outside
– From inside
• Exhaust resources internally
• Probe cloud and/or other
9/3/2013 Ragib Hasan | UAB CIS | CS491/691/791 Fall 2013

• Question: Can you attack a cloud or other users, without violating any law?
• Answer: Yes!! By launching side channel attacks, while not violating Acceptable User
Policy.
9/3/2013 Ragib Hasan | UAB CIS | CS491/691/791 Fall 2013

• A Side Channel is a passive attack in which attacker gains information about target through indirect observations.
• Examples?
9/3/2013 Ragib Hasan | UAB CIS | CS491/691/791 Fall 2013

Further Reading
Gruschka and Jensen, “Attack Surfaces: A Taxonomy for Attacks on Cloud Services”, 3rd
International Conference on Cloud Computing, 2010
9/3/2013 Ragib Hasan | UAB CIS | CS491/691/791 Fall 2013