Hey, You, Get Off of My Cloud: Exploring Information Leakage in

advertisement
Hey, You, Get Off of My Cloud:
Exploring Information Leakage in
Third-Party Compute Clouds
Written by
Thomas Ristenpart
Eran Tromer
Hovav Shacham
Stehan Savage
Presented by
Jeremy Weinstein
Outline
Introduction
Motivation
System specifications
Experiments




Explore cloud infrastructure.
Determine co-residency.
Achieve co-residency.
Exploit information.
Legal, Ethical, and Contractual implications
Conclusion
Contributions
Weaknesses
References
Questions?
Introduction
Cloud computing is an networked
computing system in which hardware with
extra resources can be used by other
users.
Resource examples:


Clock cycles
Disk space
Introduction
Sample Architecture
Introduction
Who is this useful for?
Consumers


Need more computing resources than they have
available.
Temporary need which does not justify purchasing
hardware.
Seller


Has more resources than they need.
Can make revenue selling or renting to clients.
Motivation
Computing systems such as this have
many well documented security flaws.
New infrastructure “expands the attack
surface of the victim.”
One client can access information from
another if they are on the same physical
machine.
System specifications
Experiments were preformed on Amazon’s EC2 (Elastic
Compute Cloud).
Client space was purchased.

This took the form of one or more Virtual Machines (VM).
Most experiments were done on m1.small instance type.
The following specifications were split across all active
clients on this particular cloud.





32-bit architecture
Single virtual core equivalent to 1.0-1.2 GHz 2007 Opteron
processor.
1.7 GB memory
160 GB disk space.
$0.10 per hour fee.
Experiments
The goal is to determine the viability of
attaining restricted data from another
client.
Targeted ports 80 and 443 only (http and
https).
The experiments use network probing to
attain relevant information.
Probes
External Probe:

Probe originates outside the EC2 server and
targets a user in the EC2 server.
Internal Probe:

Probe originates inside the EC2 server and
targets a user in the EC2 server.
External probing is contractually illegal by
Amazon’s Terms of Use Policy.
Exploring the cloud infrastructure
Clients on the EC2 server were assigned
an IP address with 16-24 prefix bits shared
with other clients’ IPs, depending on
instance type.
Probing other addresses with WHOIS
determined which areas of the network
were being utilized by users.
Cloud Cartography
Determining co-residency
To be co-resident you need:



Matching dom0 addresses (same hardware)
Small round-trip packet time or
Similar IP addresses
Using multiple accounts in arbitrary locations,
they checked these factors to determine coresidency.
Having the actual values of one’s own account
determined a nil false positive rate.
Achieving co-residency
Two techniques are presented to become coresident with another user
Brute Force


Arbitrarily probe a target zone over a long period of
time.
Experiments achieved an 8.4% coverage of targets.
Placement Locality


Attack recently launched instances (temporal locality).
Reports achieving co-residence 40% of the time.
Achieving co-residency
Exploiting information
Knowing about the cloud your account is
on gives you key information about other
users

E.G. computational load.
The slower your memory access, the more
resources a co-resident user is using.
One proposed method of using this
information is as a pseudo key logger,
determining the time between keystrokes.
Extracting information
1) Allocate memory
2) Sleep briefly to rank high on the scheduler
3) Prime: Read the memory to be sure its fully
cached
4) Trigger: Loop until CPU’s cycle increases by
a large amount (indicates other user access)
5) Probe: Analyze differences between reads.
Legal, Ethical, and Contractual
implications
Project was government funded.
Computer Fraud and Abuse Act
Probes checked public ports only
Skirted around definitions such as
“access” and “authorization”
A malicious hacker would not be
constrained by these issues
Prevention
A hacker can be slowed or stopped by
trying to prevent internal probing, or
reducing the information a client has.
Doing so would limit vulnerability of clients.
Hackers would be prevented from seeing
private information about the provider such
as server infrastructure.
Conclusion
Using these techniques a hacker can gain
access a cloud client.
As a client




Probe the network
Learn its mapping
Attempt to gain co-residence with another
client
Gain private information from the co-resident
Contributions
Thorough analysis of every step required
to exploit this technique.
Techniques yielded good results.

Indicated the importance of this work.
Made recommendations for further work.
Weaknesses
Omitted outlier results from their
conclusions.
Walked a fine line of unethical research.
Many graphs seemed busy and unhelpful.
One experiment implied a very low
number of test cases.
References
[1] Ristenpart T, Trhomer E, Scacham H,
Savage S. “Hey, You, Get Off of My
Cloud: Exploring Information Leakage in
Third-Party Compute Clouds.” 2009.
[2] Cloud Computing.
www.en.wikipedia.org/wiki/Cloud_Computi
ng. March 2010.
Questions?
Download