“Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds” Written by : Thomas Ristenpart, Eran Tromer, Hovav Shacham, Stefan Savage Presented by: Ibrahim Elsayed
Overview What is the cloud? New threats in cloud computing Research questions Experiment Explore cloud infrastructure. Determine co-residency. Achieve co-residency. Exploit information. What can we do? Conclusion
Cloud Computing What is the cloud? The new infrastructure for hosting data and deploying software and services. Benefits Cost Savings Scalability Flexibility
Cloud Computing On-demand computing outsourcing Examples: Amazon’s EC2 (Elastic Compute Cloud) Microsoft’s Azure Service Platform Rackspace’s Mosso New Threats: Trust relationship between customer and cloud provider Multi-tenancy (security threat)
Multi-tenancy Your instance is placed on the same server with other customers
Research Motivation Explore the threats of multi-tenancy in cloud computing Provide experimental results of the impact of these threats using a real cloud service provider (Amazon EC2) as a case study
Research Questions Can one determine where in the cloud infrastructure an instance is located? Can one easily determine if two instances are co-resident on the same physical machine? Can an adversary launch instances that will be co-resident with other user’s instances? Can an adversary exploit cross-VM information leakage once co-resident?
AMAZON ELASTIC COMPUTE CLOUD - EC2 Scalable, pay-as-you-go compute capacity in the cloud Customers can run different operating systems within a virtual machine Different regions and availability zones
Attack The attack considered requires two main steps: 1- Placement Place a malicious VM on the same physical machine as that of the victim 2- Extraction extract confidential information from the victim via a side channel attack
Attacker Not affiliated with the provider (third-party user) Can run many instances at the same time Can create multiple accounts Up to 20 instances per account
Cloud Cartography Try to learn about how Amazon places instance in order to carry out the attack Each instance assigned internal and external IP address Review addresses assigned to a large number of launched instances
Determining Co-Residence Co-resident: instances running on same machine Network-based co-residence checks: Matching (host domain) Dom0 IP address Small packet round-trip times 10 RTTs 1st always slow Use last 9 Numerically close internal IP address (within 7)
Achieving co-residency Two main techniques are presented to become co-resident with another user: Brute Force launch many instances over a relatively long period of time. Abusing Placement Locality Target recently launched attacks.
Brute-Force Placement Launch many instances within a time frame If co-resident, successful placement Else, terminate probe instance Of 1686 target victims co-residence achieved with 141 victim servers ( 8.4% coverage of targets). Max 20 simultaneous instance for one account. Allows reasonable success rate when used to target large target sets
Placement Locality Recall that one of the main features of cloud computing is to only run servers when needed. This suggests that servers are often run on instances, terminated when not needed, and later run again. The key idea is to catch the time at which the victim turns on (relaunches) his instance.
EC2 Placement Policy Placement locality Sequential placement locality Two instance run sequentially are often assigned to the same machine (one starts after one terminated). Parallel placement locality Two instance from distinct accounts run roughly at the same time are often assigned to the same machine.
Placement Locality Attack recently launched instances (temporal locality). Monitor a server’s state (e.g., via network probing). Launch lots of instances right after the launch of victim’s instance. Experiment Single victim instance is launched Attacker launches 20 instances within 5 minutes (in appropriate zone and type) Perform co-residence check
Placement Locality Experiments achieved an 40% coverage of targets.
Exploiting co-residence CPU contains small and fast memory cache shared by all instances .
Exploiting co-residence CPU contains small and fast memory cache shared by all instances . If the attacker accesses the memory, it is served from the cache
Exploiting co-residence CPU contains small and fast memory cache shared by all instances . If the attacker accesses the memory, it is served from the cache if the victim accesses the memory, the cache fills up and the attacker notices a slow-down
Exploiting co-residence Time-shared cache allows an attacker to measure when other instances are experiencing computational load Web traffic monitoring
Exploiting co-residence Also, the attacker can deduce the memory access patterns of the victim Example: if the victim is performing RSA or AES decryption, the access patterns are determined by the secret key Attacker can steal AES secret key in 65 milliseconds
Keystroke timing attack Cache load measurements used to mount a keystroke attack The goal is to measure the time between keystrokes made by a victim typing a password Report a keystroke when the probing measurement is between 3.1 μs and 9 μs (upper threshold filters out unrelated activity) Inter-keystroke times if properly measures can be used to perform recovery of the password
Inhibiting Side-Channel Attacks Blinding techniques Cache wiping, random delay insertion, adjust machine’s perception of time But, are these effective? Usually, impractical and application specific May not be possible to PLUG all side-channels Only way: AVOID co-residence
Research Questions - Answered Can one determine where in the cloud infrastructure an instance is located? - Yes. Can one easily determine if two instances are co-resident on the same physical machine? Can an adversary launch instances that will be co-resident with other user’s instances? Can an adversary exploit cross-VM information leakage once co-resident? - Sort of.
Summary New risks from cloud computing exposed Shared physical infrastructure may and most likely will cause problems Practical attack performed Suggested countermeasure
Resources https://cse.sc.edu/~huangct/CSCE813F15/CCS09_cloudsec.pdf https://eprint.iacr.org/2005/271.pdf http://rump2009.cr.yp.to/8d9cebc9ad358331fcde611bf45f735d.pdf http://zoo.cs.yale.edu/classes/cs722/2011/esyta_cloud.pdf