Security in Cloud


4 Dec 2013 (3 years and 9 months ago)


Srinivasan Narayanamurthy
Vineet Pandey

Security in Cloud

University Day Student Workshop
dt. March 07, 2013

Outline of the talk

- Cloud computing
- Problem with the deployment models
- Threats
- Attacks
- Recent news and techniques
- For the break-out session

Characteristics Service & Deployment Models

Service models (top to bottom):
- End Users
- Software as a Service (SaaS)
- Platform as a Service (PaaS)
- Infrastructure as a Service (IaaS)
- Physical Infrastructure

- Only basic OS-level protections
- Easily bypassed by a malware
- Tenants rent VMs
- Isolation provided by the Hypervisor

Deployment models: Private, Partner, Community, Hybrid, Public


Threats

Abuse & Nefarious use | Insecure APIs | Malicious Insiders | Shared Technology Vuln. | Data loss/leakage | Account, Service, Traffic Hijacking | Unknown Risk Profile

Abuse & Nefarious use
- Password and key cracking
- DDoS
- Launching dynamic attack points
- Hosting malicious data
- Botnet command and control
- Building rainbow tables
- CAPTCHA solving

Insecure APIs
- Could expose more functionality than intended
- Policy could be circumvented
- Credentials may need to be passed: is the interface secure?

Malicious Insiders
- Particularly poignant for cloud
- Little risk of detection
- System administrator qual. and vetting process differ

Shared Technology Vuln.
- Underlying architecture (CPU cache, GPU, etc.) not intended to offer strong isolation properties
- Virtualization hypervisor used to mediate access between guest OS and physical resources
- Exploits exist (Blue Pill, Red Pill)

Data loss/leakage
- Data is outside the owner's control
- Data can be deleted or decoupled (lost)
- Encryption keys can be lost
- Unauthorized parties may gain access
- Caused by:
  - Insufficient authN, authZ, and access controls
  - Persistence and remanence
  - Poor disposal procedures
  - Poor data center reliability

Account, Service, Traffic Hijacking
- Exploits phishing attacks, fraud, or software vulnerabilities
- Credential reuse

Unknown Risk Profile
- Is the cloud maintained? Companies do not disclose
- Is the infrastructure up to date (patches & firmware)?
- Does the combination of different service providers create previously unseen vulnerabilities?

Source: Cloud Security Alliance, 2010
https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf

Past Attacks

- Blue Pill, Red Pill (Joanna Rutkowska, Black Hat 2006)
  - Blue Pill: rootkit based on x86 virtualization
  - Red Pill: detect the presence of a virtual machine
- Cloudburst (2009-10)
  - Enables guest VM to attack its host
  - US-CERT VU#649219 (CloudBurst)
- SYSRET 64-bit operating system privilege escalation vulnerability on Intel CPU hardware
- Attacks demonstrated
  - MIT (Ristenpart et al.) demonstrated cross-tenant attacks* on Amazon EC2
    - Proof of attacker VM collocation
    - Side channels in shared hardware (L2 cache)
  - DoS
    - WordPress outage June 2010**: 100s of tenants (CNN, ...) down in multi-tenant environment; uncoordinated change in database
  - Amazon, Apple, T-Systems availability issues during 2012

* Ristenpart, T., Tromer, E., Shacham, H., and Savage, S. Hey, you, get off of my cloud: Exploring information leakage in third-party compute clouds. In Proceedings of the 16th ACM Conference on Computer and Communications Security (Chicago, Nov 9–13). ACM Press, New York, 2009, 199–212.

** http://smoothspan.wordpress.com/2010/06/11/wordpress-and-the-dark-side-of-multitenancy/


Threats

Abuse & Nefarious use | Insecure APIs | Malicious Insiders | Shared Technology Vuln. | Data loss/leakage | Account, Service, Traffic Hijacking | Unknown Risk Profile

- Beyond encryption (RSAConf 2013)
- Zeus botnet
- Secure REST API with OAuth & OIdentity
- CryptDB
- 35% IT Sabotage
- 18% theft of intellectual property
- 40% fraud
- TPM & vTPM
- Crypto shredding
- Federated identity management
- Key management by the tenant
- Side channels by Buffer Overflow
- Multiple cloud provisioning (Rightscale)

For the Break-out Session

Guarantees Required

- Security
  - Encryption (PDP)
  - Integrity checking (PoR)
  - Freshness guarantee
- Availability
  - Reliability & Correctness (PoW)
  - Beyond RAID-5 & RAID-6
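The possession/integrity/freshness checks listed under "Security" above, as an added example that is not part of the original deck: the tenant keeps only a secret key, a version counter and the block count, tags every block with an HMAC bound to its index and version, and spot-checks random blocks the cloud returns, so a corrupted block, a block served from the wrong position, or a stale version after an update fails verification. The class and function names, the block size and the constructed sample data are this example's own assumptions, not anything from the talk.

```python
import hashlib
import hmac
import secrets

BLOCK_SIZE = 16  # constructed: tiny blocks so the demo data stays small

def make_tag(key: bytes, index: int, version: int, block: bytes) -> bytes:
    # The tag binds each block to its position and to the file version, so a
    # block served from another index or from a stale copy fails verification.
    msg = index.to_bytes(8, "big") + version.to_bytes(8, "big") + block
    return hmac.new(key, msg, hashlib.sha256).digest()

class Tenant:
    # Tenant state is just key, version and block count; (block, tag) pairs live in the cloud.
    def __init__(self) -> None:
        self.key, self.version, self.count = secrets.token_bytes(32), 0, 0

    def prepare(self, data: bytes) -> list:
        # Tag a new version of the data before upload; older tags become invalid.
        self.version += 1
        blocks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
        self.count = len(blocks)
        return [(b, make_tag(self.key, i, self.version, b)) for i, b in enumerate(blocks)]

    def challenge(self, sample: int) -> list:
        # Unpredictable block indices, so the cloud cannot pre-compute answers.
        return secrets.SystemRandom().sample(range(self.count), min(sample, self.count))

    def verify(self, indices: list, proof: list) -> bool:
        if len(proof) != len(indices):
            return False
        ok = True
        for i, (block, tag) in zip(indices, proof):
            ok &= hmac.compare_digest(make_tag(self.key, i, self.version, block), tag)
        return ok

def cloud_respond(store: list, indices: list) -> list:
    # The cloud's side of the protocol: return the stored (block, tag) pairs it still has.
    return [store[i] for i in indices if i < len(store)]

def run_audit(data: bytes, corrupt: bool = False, rollback: bool = False) -> bool:
    # Audit round: an honest cloud passes; corruption, or serving version 1 after the
    # tenant moved to version 2 (rollback), fails the check.
    tenant = Tenant()
    store = tenant.prepare(data)          # upload to the cloud
    if corrupt:
        store = [(bytes(len(b)), t) for b, t in store]   # data silently zeroed
    if rollback:
        tenant.prepare(data + b"!")       # tenant re-tags version 2; cloud keeps 1
    idx = tenant.challenge(4)
    return tenant.verify(idx, cloud_respond(store, idx))
```

Returning whole blocks makes the proof as large as the sample, and a spot check only detects loss with a probability that grows with the sample size; PDP and PoR schemes proper use homomorphic tags or erasure coding to get compact proofs and recoverability.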

Cloud computing

Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Source: NIST (http://www.csrc.nist.gov/groups/SNS/cloud-computing/index.html)

Characteristics Service & Deployment Models

End Users

Software as a Service (SaaS)
- Application as a service
- Online CRM (Salesforce CRM), word processing (Google Docs), etc.

Platform as a Service (PaaS)
- Run-time environments
- Lifecycle management Software
- Google App Engine, Force.com, Azure

Infrastructure as a Service (IaaS)
- Compute resource as a service
- Hardware & OS abstractions
- Amazon EC2, S3

Physical Infrastructure

Deployment models: Private, Partner, Community, Hybrid, Public