Hey, You, Get Off of My Cloud
Exploring Information Leakage in Third-Party Compute Clouds
By Thomas Ristenpart et al.
Edward Wu
Structure

High Level Picture/Motivation

Threat Model

Approach

Mitigations

Pros/Cons

What's New/Not New in Cloud Security?

Acknowledgement: slides/thoughts borrowed from
Prof. Ragib Hasan's lecture notes and UIUC Security
Reading Group's reviews
Conference & Authors



CCS 09
Influential, cited by 226 papers in 2 years (Google
Scholar)
Media coverage:
MIT Technology Review, Network World, Network World (2),
Computer World, Data Center Knowledge, IT Business
Edge, Cloudsecurity.org, Infoworld



First work on cloud cartography
Attack launched against a commercially available "real" cloud
(Amazon EC2)
Claims up to 40% success in co-residence with target VM
High Level Picture
Traditional system security mostly means keeping
bad guys out.

The attacker needs to either compromise the
auth/access control system, or impersonate existing
users.

But clouds allow co-tenancy:



Multiple independent users share the same physical
infrastructure.
An attacker can legitimately be in the same physical
machine as the target
Challenges for the attacker



How to find out WHERE the target is located
How to CO-LOCATE with the target in the same
physical machine
How to GATHER INFORMATION about the target
Approach




Map the cloud infrastructure to find where the target
is located
Use various heuristics to determine co-residence of
two VMs
Launch probe VMs that try to become co-resident with
target VMs
Exploit cross-VM leakage to gather information about
the target
Threat Model
Attacker Model


Cloud infrastructure provider is trustworthy

Cloud insiders are trustworthy

Attacker is a malicious third party who can
legitimately use cloud provider's service
Assets



Confidentiality-aware services running on the cloud
Availability of services running on the cloud
The Amazon EC2




Xen hypervisor, called Domain0, is used to manage guest
images, physical resource provisioning, and access
control rights.
Dom0 routes packets and reports itself as a first hop.
Consists of 2 regions (United States and Europe), each
with 3 availability zones, and 5 Linux instance types.
(outdated!)
Instances have a one-to-one mapping of internal IP
addresses and external IP addresses, which are static
Mapping the Cloud


Plot of internal IPs against zones
Result: Different availability zones correspond to different
statically defined internal IP address ranges.
Mapping the Cloud


Plot of internal IPs in Zone 3 against instance types
Result: Same instance types correspond loosely with
similar IP address range regions.
Determine Co-residence



Network-based co-resident checks: instances
are likely co-resident if they have:

matching Dom0 IP address

small packet round-trip times

numerically close internal IP addresses (within 7)
Verified via a hard-disk-based covert channel
Conclusion of test: Effective false positive rate
of ZERO for the co-resident checks.
Probe VM Placement

Strategy 1: Brute-forcing placement


a success rate of 8.4%
Strategy 2: Abusing Placement Locality




Attacker knows when the target instances will be
launched
Infer availability zone and instance type from
its IP
Instance flooding: launch many instances simultaneously,
immediately following the launch of the target instance.
Achieves a success rate of 40%
Information Leakage

Co-residency affords the ability to:

Cause denial of service

Estimate the victim's workload




Cache
Network Traffic
Extract cryptographic keys via cache-based side
channels.
Other cross-VM attacks
Mitigations
Mapping:



Use a randomized scheme to allocate IP
addresses
Block some scanning tools/activities
(nmap, traceroute)
Co-residence checks:


Prevent identification of dom0/hypervisor
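
Added example (not from the slides or the paper): a toy simulation a provider could use to gauge the randomized-IP mitigation, measuring how often "internal IPs within 7" really means a shared host under contiguous versus shuffled allocation. The 8 slots per host, the contiguous-block allocator and all function names are assumptions for illustration, not EC2's actual placement logic.

```python
import random

SLOTS_PER_HOST = 8  # assumption: toy host capacity, not an EC2 figure
NEAR = 7            # "numerically close" threshold from the co-residence check

def allocate(num_hosts, randomized, seed=0):
    """Return {internal_ip (as int): host_id} for a fully packed toy cloud."""
    ips = list(range(num_hosts * SLOTS_PER_HOST))
    if randomized:
        # Mitigation: shuffle so an address says nothing about the host.
        random.Random(seed).shuffle(ips)
    # Slot i sits on host i // SLOTS_PER_HOST; unshuffled, each host
    # owns one contiguous block of addresses (static allocation).
    return {ip: slot // SLOTS_PER_HOST for slot, ip in enumerate(ips)}

def heuristic_precision(placement):
    """Fraction of address pairs within NEAR that really share a host."""
    ordered = sorted(placement)
    near = hits = 0
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:i + 1 + NEAR]:
            if b - a <= NEAR:
                near += 1
                hits += placement[a] == placement[b]
    return hits / near if near else 0.0

def compare(num_hosts=64):
    """Precision of the proximity heuristic: (static, randomized)."""
    return (heuristic_precision(allocate(num_hosts, False)),
            heuristic_precision(allocate(num_hosts, True)))

if __name__ == "__main__":
    static, shuffled = compare()
    print(f"static allocation:     {static:.3f}")
    print(f"randomized allocation: {shuffled:.3f}")
```

With contiguous blocks, about half of all nearby address pairs share a host; after shuffling, the figure drops to roughly chance level, which is the property the mitigation is after.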
Mitigations
Co-location:


Do not allow co-residence at all:
Beneficial for cloud users

Not efficient for cloud providers

N-tier trust model?
Information leakage:



Prevent cache load attacks?
Amazon's response




Amazon downplays report highlighting vulnerabilities
in its cloud service
"The side channel techniques presented are based on
testing results from a carefully controlled lab
environment with configurations that do not match the
actual Amazon EC2 environment."
"As the researchers point out, there are a number of
factors that would make such an attack significantly
more difficult in practice."
http://www.techworld.com.au/article/324189/amazon_downplays_report_highlighting_vulnerabilities_its_cloud_service
Pros





Shows preliminary work in side channel attacks
in VMs.
Demonstrates the practicality of their attacks on
Amazon EC2.
Covers a precise attack model.
The attack is launched with simple tools that
are easily available to any attacker.
Covers potential measures to take to inhibit
such attacks.
Cons



Are the side channels really effective?
How much can an attacker leverage the
information leaked using this scheme?
If the target is on a full system, it is not
attackable using this scheme.
What is not New?



"What's New About Cloud Computing Security?"
by Yanpei Chen, Vern Paxson, Randy H. Katz
Argued that few cloud computing security
issues are fundamentally new or
fundamentally intractable.
Remember the good old time-sharing
systems such as Multics, National CCS?
What is not New?




Phishing, downtime, data loss, password
weaknesses, and compromised hosts
running botnets
Most research continues on web security,
data outsourcing and assurance, and virtual
machines
Servers in cloud computing currently operate
as (in)securely as servers in traditional
enterprise datacenters
Zeus running its C&C server on EC2 in 2009
What's New in Cloud Security?


Unexpected side channels (passively
observing information) and covert channels
Reputation fate-sharing: spam filter blacklist,
police raid, server crash
Novelties in the cloud threat model





Data and software are not the only assets worth
protecting, activity patterns also need to be
protected.
Need to accommodate a longer trust chain.
(incentives for companies to specialize)
Competitive businesses can operate within the
same cloud computing ecosystem.
Mutual auditability, between cloud users and
providers
Potentially inaccurate mental models of cloud
computing as an always-available service lead to
a false sense of security (EC2 Crash)