Hey, You, Get Off of My Cloud Exploring Information Leakage in Third-Party Compute Clouds By Thomas Ristenpart et al. Edward Wu
Structure High Level Picture/Motivation Thread Model Approach Mitigations Pros/Cons What's New/Not New in Cloud Security? Acknowledgement: slides/thoughts borrowed from Prof. Ragib Hasan's lecture notes and UIUC Security Reading Group's reviews
Conference & Authors CCS 09 Influential, cited by 226 papers in 2 years (Google Scholar) Media coverage: MIT Technology Review, Network World, Network World (2), Computer World, Data Center Knowledge, IT Business Edge, Cloudsecurity.org, Infoworld First work on cloud cartography Attack launched against commercially available ”real” cloud (Amazon EC2) Claims up to 40% success in co-residence with target VM
High Level Picture Traditional system security mostly means keeping bad guys out. The attacker needs to either compromise the auth/access control system, or impersonate existing users. But clouds allow co-tenancy: Multiple independent users share the same physical infrastructure. An attacker can legitimately be in the same physical machine as the target
Challenges for the attacker How to find out WHERE the target is located How to CO-LOCATE with the target in the same physical machine How to GATHER INFORMATION about the target
Approach Map the cloud infrastructure to find where the target is located Use various heuristics to determine co-residence of two VMs Launch probe VMs trying to be co-residence with target VMs Exploit cross-VM leakage to gather information about the target
Threat Model Attacker Model Cloud infrastructure provider is trustworthy Cloud insiders are trustworthy Attacker is a malicious third party who can legitimately use cloud provider's service Assets Confidentiality aware services run on cloud Availability of services run on cloud
Threat Model Attacker Model Cloud infrastructure provider is trustworthy Cloud insiders are trustworthy Attacker is a malicious third party who can legitimately use cloud provider's service Assets Confidentiality aware services run on cloud Availability of services run on clou
The Amazon EC2 Xen hypervisor, called Domain0, is used to manage guest images, physical resource provisioning, and access control rights. Dom0 routes packages and reports itself as a first hop. Consists of 2 regions (United States and Europe), each have 3 availability zones, 5 Linux instance types. (outdated!) Instances have a one-to-one mapping of internal IP addresses and external IP addresses, which are static
Mapping the Cloud Plot of internal IPs against zones Result: Different availability zones correspond to different statically defined internal IP address ranges.
Mapping the Cloud Plot of internal IPs in Zone 3 against instance types Result: Same instance types correspond loosely with similar IP address range regions.
Determine Co-residence Network-based co-resident checks: instances are likely co-resident if they have: matching Dom0 IP address small packet round-trip times numerically close internal IP addresses (within 7) Verified via a hard-disk-based covert channel Conclusion of test: Effective false positive rate of ZERO for the co-resident checks.
Probe VM Placement Strategy 1: Brute-forcing placement a success rate of 8.4% Strategy 2: Abusing Placement Locality Attacker knows when the target instances will be launched Inference avaliability zone and instance type from its IP Instance flooding immediately following launch of instance by launch many instances simultaneously. Achieves a success rate of 40%
Information Leakage Co-Residency affords the ability to: Denial of Service Estimate victim's work load Cache Network Traffic Extract cryptographic keys via cache-based side channels. Other cross-VM attacks
Mitigations Mapping: Use a randomized scheme to allocate IP addresses Block some scanning tools/activities (nmap,traceroute) Co-residence checks: Prevent identification of dom0/hypervisor
Mitigations Co-location: Not allow co-residence at all: Beneficial for cloud users Not efficient for cloud providers N-tier trust model? Information leakage: Prevent cache load attacks?
Amazon's response Amazon downplays report highlighting vulnerabilities in its cloud service "The side channel techniques presented are based on testing results from a carefully controlled lab environment with configurations that do not match the actual Amazon EC2 environment." "As the researchers point out, there are a number of factors that would make such an attack significantly more difficult in practice." http://www.techworld.com.au/article/324189/amazon_ downplays_report_highlighting_vulnerabilities_its_clo ud_service
Pros Shows preliminary work in side channel attacks in VMs. Demonstrates the practicality of their attacks on Amazon EC2. Covers precise attack model. Simple tools are used to launch attack which are easily available to any attacker. Covers potential measures to take to inhibit such attacks.
Cons Are the side channels really effective? How much an attacker can leverage the information leaked out using this scheme. If the target is on a full system it is not attackable by using this scheme.
What is not New? What’s New About Cloud Computing Security?Yanpei Chen, Vern Paxson, Randy H. Katz Argued that few cloud computing security issues are fundamentally new or fundamentally intractable. Remember the good old time-sharing systems such as Multics, National CCS?
What is not New? Phishing, downtime, data loss, password weaknesses, and compromised hosts running botnets Most research continues on web security, data outsourcing and assurance, and virtual machines Servers in cloud computing currently operate as (in)securely as servers in traditional enterprise datacenters Zeus running its C&C server on EC2 in 2009
What's New in Cloud Security? Unexpected side channels (passively observing information) and covert channels Reputation fate-sharing: spam filter blacklist, police raid, server crash
Novelties in the cloud threat model Data and software are not the only assets worth protecting, activity patterns also need to be protected. Need to accommodate a longer trust chain. (incentives for companies to specialize) Competitive businesses can operate within the same cloud computing ecosystem. Mutual auditability, between cloud users and providers Potentially inaccurate mental models of cloud computing as an always-available service, leads to false sense of security (EC2 Crash)