Rohit Kugaonkar, CMSC 601, Spring 2011, May 9, 2011

Uploaded 3 Nov 2013


http://res.sys-con.com/story/dec09/1225058/Cloud%20security%20226.jpg


"Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."

- The NIST Definition of Cloud Computing, http://csrc.nist.gov/publications/drafts/800-145/Draft-SP-800-145_cloud-definition.pdf


On-demand service

Pay only for actual usage

Shared resources

Rapid elasticity

Virtualization

Advanced security

"Cloud Security and Privacy", O'Reilly


Insecure programming interfaces or APIs

Threat from inside employees

Data protection

Identity and access management

Shared technology issues

Hypervisor security

Cross-VM side-channel attacks (between VMs on the same host)

http://vzxen.com/images/xen-hypervisor.png


Virtual machines share the physical memory, CPU cycles, network buffers and DRAM of the physical machine.

Attack on Amazon EC2 web services: researchers from MIT and the University of California described it in their paper "Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds".

The attack takes place in two steps:

1. Placement of the attacker's virtual machine on the same physical machine.

2. Exploiting the shared resources.

CPU cache leakage attack: measure the load of the other virtual web server; extract AES and RSA keys.

Keystroke timing analysis: extract user passwords from an SSH terminal.

D. A. Osvik, A. Shamir, and E. Tromer, "Cache attacks and countermeasures: the case of AES".

D. Page, "Theoretical use of cache memory as a cryptanalytic side-channel".

D. Page, "Defending against cache-based side-channel attacks".

D. Page, "Partitioned cache architecture as a side-channel defense mechanism".

E. Tromer, D. A. Osvik, and A. Shamir, "Efficient cache attacks on AES, and countermeasures".

Dawn Xiaodong Song, David Wagner, Xuqing Tian, "Timing Analysis of Keystrokes and Timing Attacks on SSH".

Cloud service providers:

"Securing Microsoft's Cloud Infrastructure", Microsoft Global Foundation Services.

"Amazon Web Services: Overview of Security Processes".

Dividing the security mechanism into two components:

A customized operating system image.

A lightweight process running on each of the virtual machines.

This process collects security logs and any observed malicious behavior from each virtual machine and sends them to a dedicated machine for analysis.

The analysis part is performed at the dedicated machine(s):

Analysis of the security logs in real time.

Looking for the same cache memory access pattern.

Routing all the web server traffic through these dedicated machines.

Real-time fixing of any tampering on VMs.

Wiping out the cache only when an attack pattern is detected by the dedicated machine.
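As an added example (not part of the original slides, and not the author's own implementation), the following Python code sketches the dedicated-machine side of the mechanism above: it parses constructed per-VM cache-counter log lines of the kind the lightweight in-VM process could send, keeps a sliding window per VM, and triggers a cache wipe only when a sustained high last-level-cache miss ratio is seen for one VM, which is the "same cache memory access pattern" idea in a simple form. The log format, the field names, the thresholds and the `flush_cache` hook are all assumptions made for this example.

```python
import re
from collections import defaultdict, deque

# Assumed log format emitted by the lightweight per-VM process (constructed for
# this example; the slides do not specify a format). One sample per line:
#   ts=<seconds> vm=<id> llc_misses=<count> llc_refs=<count>
LOG_RE = re.compile(
    r"ts=(?P<ts>\d+(?:\.\d+)?) vm=(?P<vm>\S+) "
    r"llc_misses=(?P<misses>\d+) llc_refs=(?P<refs>\d+)"
)


def parse_line(line):
    """Parse one agent log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": float(m["ts"]),
        "vm": m["vm"],
        "misses": int(m["misses"]),
        "refs": int(m["refs"]),
    }


class CacheAnalyzer:
    """Sliding-window detector for a sustained high LLC miss ratio per VM.

    A cache-probing loop keeps evicting and re-touching cache sets, so the miss
    ratio of the VM running it stays high sample after sample, unlike the bursty
    ratios of an ordinary web server. All thresholds here are assumptions.
    """

    def __init__(self, window=8, miss_ratio_threshold=0.6, min_high_samples=6):
        self.window = window
        self.threshold = miss_ratio_threshold
        self.min_high = min_high_samples
        self.history = defaultdict(lambda: deque(maxlen=window))

    def observe(self, sample):
        """Feed one sample; return 'flush' when the pattern is detected, else 'ok'."""
        hist = self.history[sample["vm"]]
        ratio = sample["misses"] / sample["refs"] if sample["refs"] else 0.0
        hist.append(ratio)
        if len(hist) < self.window:
            return "ok"  # not enough evidence yet
        high = sum(1 for r in hist if r >= self.threshold)
        if high >= self.min_high:
            hist.clear()  # start over after acting: one pattern, one wipe
            return "flush"
        return "ok"


def flush_cache(vm, ts):
    """Placeholder for the real action (e.g. forcing a cache wipe on the host)."""
    return ("flush", vm, ts)


def analyze_log(lines, analyzer=None):
    """Run the detector over log lines; return the list of flush actions taken."""
    analyzer = analyzer or CacheAnalyzer()
    actions = []
    for line in lines:
        sample = parse_line(line)
        if sample is None:
            continue  # skip malformed lines instead of crashing the analyzer
        if analyzer.observe(sample) == "flush":
            actions.append(flush_cache(sample["vm"], sample["ts"]))
    return actions


def constructed_log():
    """Constructed sample: a benign web VM and a VM with a probing-like profile."""
    lines = []
    for i in range(10):
        t = 1.0 + i * 0.1
        # benign web server: mostly cache hits, ratio drifting between 0.10 and 0.15
        lines.append(f"ts={t:.1f} vm=web-1 llc_misses={100 + 5 * i} llc_refs=1000")
        # suspicious tenant: 80% misses in every sample
        lines.append(f"ts={t:.1f} vm=vm-x llc_misses=800 llc_refs=1000")
    lines.append("this line is garbage and must be ignored")
    return lines


if __name__ == "__main__":
    for action in analyze_log(constructed_log()):
        print(action)
```

On the constructed log the analyzer acts once, for `vm-x` at the eighth sample, and never for `web-1`; in a deployment the counters would come from hardware performance counters exposed by the hypervisor, and the window length and threshold would be tuned against the normal miss-ratio profile of the tenants' workloads to keep false wipes rare.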









Hypervisor security.

A security mechanism to protect against keystroke-based timing attacks.
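The keystroke timing attack listed earlier works because an interactive SSH session sends one packet per keystroke, so packet inter-arrival times mirror inter-keystroke times. As an added example for the countermeasure mentioned here (not from the slides, and not the author's design), the following Python code shows the constant-rate approach proposed in the cited Song, Wagner and Tian paper: on every clock tick exactly one packet leaves, carrying a real keystroke if one is queued and a dummy otherwise, so an observer sees only the fixed clock. The tick length, the function names and the constructed keystroke timestamps are assumptions.

```python
from collections import deque


def schedule_constant_rate(keystroke_times, tick=0.05):
    """Emit one packet per tick until every queued keystroke has been sent.

    keystroke_times: seconds at which keys were pressed (constructed input).
    Returns a list of (send_time, kind, key_time); kind is 'key' or 'pad'.
    Send times are n * tick, so the timing of the real keystrokes is hidden.
    """
    queue = deque(sorted(keystroke_times))
    packets = []
    n = 1
    while queue:
        t = round(n * tick, 6)
        if queue[0] <= t:
            packets.append((t, "key", queue.popleft()))
        else:
            packets.append((t, "pad", None))  # dummy packet keeps the rate constant
        n += 1
    return packets


def inter_packet_intervals(packets):
    """Distinct gaps between consecutive packets, as a network observer sees them."""
    times = [p[0] for p in packets]
    return {round(b - a, 6) for a, b in zip(times, times[1:])}


def unpadded_intervals(keystroke_times):
    """Intervals an observer would see without the countermeasure."""
    ts = sorted(keystroke_times)
    return [round(b - a, 6) for a, b in zip(ts, ts[1:])]


def added_latency(packets):
    """Largest delay a real keystroke suffered while waiting for its tick."""
    return max((t - kt for t, kind, kt in packets if kind == "key"), default=0.0)


# Constructed keystroke times for the demonstration (seconds since session start).
CONSTRUCTED_KEYSTROKES = [0.01, 0.03, 0.20, 0.27]

if __name__ == "__main__":
    print("raw intervals:", unpadded_intervals(CONSTRUCTED_KEYSTROKES))
    pk = schedule_constant_rate(CONSTRUCTED_KEYSTROKES)
    print("padded intervals:", inter_packet_intervals(pk))
    print("worst added latency:", round(added_latency(pk), 3))
```

The trade-off is visible in the numbers: the raw intervals (0.02, 0.17, 0.07 seconds) carry the timing information the attack needs, the padded stream shows a single interval of 0.05 seconds, and the price is a bounded extra latency below two ticks plus a constant stream of dummy packets while the session is active (the sketch stops once the queue drains; a real implementation keeps padding for the session's lifetime).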

http://blog.llnw.com/wp-content/uploads/2010/04/cloud-question.png


Thomas Ristenpart, Eran Tromer, Hovav Shacham and Stefan Savage, "Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds".

Tim Mather, Subra Kumaraswamy, Shahed Latif, "Cloud Security and Privacy", O'Reilly publication.

D. A. Osvik, A. Shamir, and E. Tromer, "Cache attacks and countermeasures: the case of AES".

D. Page, "Theoretical use of cache memory as a cryptanalytic side-channel".

D. Page, "Defending against cache-based side-channel attacks".

D. Page, "Partitioned cache architecture as a side-channel defense mechanism".

E. Tromer, D. A. Osvik, and A. Shamir, "Efficient cache attacks on AES, and countermeasures".

Dawn Xiaodong Song, David Wagner, Xuqing Tian, "Timing Analysis of Keystrokes and Timing Attacks on SSH".