Distributed System Lab.1 Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds Thomas Ristenpart ¤, Eran Tromer, Hovav.

Slides:

Advertisements

Similar presentations

An Improved TCP for transaction communications on Sensor Networks Tao Yu Tsinghua University 2/8/

Advertisements

Secure Virtual Machine Execution Under an Untrusted Management OS Chunxiao Li Anand Raghunathan Niraj K. Jha.

1 Peripheral Component Interconnect (PCI). 2 PCI based System.

IS 376 NOVEMBER 5, DATA BREACH INVESTIGATIONS REPORT By The Verizon RISK Team Research Investigations Solutions Knowledge.

The Platform as a Service Model for Networking Eric Keller, Jennifer Rexford Princeton University INM/WREN 2010.

AMES-Cloud: A Framework of Adaptive Mobile Video Streaming and Efficient Social Video Sharing in the Clouds 作者:Xiaofei Wang, MinChen, Ted Taekyoung Kwon,

1 Sizing the Streaming Media Cluster Solution for a Given Workload Lucy Cherkasova and Wenting Tang HPLabs.

Virtual Switching Without a Hypervisor for a More Secure Cloud Xin Jin Princeton University Joint work with Eric Keller(UPenn) and Jennifer Rexford(Princeton)

1 Network Address Translation (NAT) Relates to Lab 7. Module about private networks and NAT.

Rohit Kugaonkar CMSC 601 Spring 2011 May 9 th 2011

Executional Architecture

UNIX System Programming Installing OpenSolaris. 2/86 Contents How to setup a virtual machine guest How to install OpenSolaris as a guest How to update.

KAIST Computer Architecture Lab. The Effect of Multi-core on HPC Applications in Virtualized Systems Jaeung Han¹, Jeongseob Ahn¹, Changdae Kim¹, Youngjin.

Addition 1’s to 20.

Traversing symmetric NAT with predictable port allocation function SIN 2014 Dušan Klinec, Vashek Matyáš Faculty of Informatics, Masaryk University.

Lecture 5: Cloud Security: what’s new? Xiaowei Yang (Duke University)

Lecture 4: Cloud Computing Security: a first look Xiaowei Yang (Duke University)

Ragib Hasan Johns Hopkins University en Spring 2010 Lecture 3 02/15/2010 Security and Privacy in Cloud Computing.

Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds Yan Qiang,

5-Network Defenses Dr. John P. Abraham Professor UTPA.

Ragib Hasan Johns Hopkins University en Spring 2011 Lecture 11 04/25/2011 Security and Privacy in Cloud Computing.

Hey You, Get Off My Cloud: Exploring information Leakage in third party compute clouds T.Ristenpart, Eran Tromer, Hovav Shacham and Steven Savage ACM CCS.

Suneeta Chawla Web Security Presentation Topic : IP Spoofing Date : 03/24/04.

Hey, You, Get Off of My Cloud

ITP 457 Network Security Network Hacking 101. Hacking Methodology (review) 1. Gather target information 2. Identify services and ports open on the target.

By Christopher Moran, Nicoara Talpes 1.  Solution is addressed to VMs that are web servers  Web servers should not have confidential information anyway.

Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds by Thomas Ristenpart et al. defended by Ning Xia & Najim Yaqubie.

Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds By Thomas Ristenpart Eran Tromer Hovav Shacham Stefan Savage.

Authors: Thomas Ristenpart, et at.

Common forms and remedies Neeta Bhadane Raunaq Nilekani Sahasranshu.

IST 228\Ch3\IP Addressing1 TCP/IP and DoD Model (TCP/IP Model)

CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.

Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds Written by Thomas Ristenpart Eran Tromer Hovav Shacham Stehan.

Eliminating Fine Grained Timers in Xen Bhanu Vattikonda with Sambit Das and Hovav Shacham.

SECURITY IN CLOUD COMPUTING By Bina Bhaskar Anand Mukundan.

Web Server Administration Chapter 10 Securing the Web Environment.

Karlstad University Introduction to Vulnerability Assessment Labs Ge Zhang Dvg-C03.

Intrusion Prevention System. Module Objectives By the end of this module, participants will be able to: Use the FortiGate Intrusion Prevention System.

1 Semester 2 Module 10 Intermediate TCP/IP Yuda college of business James Chen

CIS 450 – Network Security Chapter 3 – Information Gathering.

Ragib Hasan University of Alabama at Birmingham CS 491/691/791 Fall 2012 Lecture 4 09/10/2013 Security and Privacy in Cloud Computing.

Transmission Control Protocol TCP. Transport layer function.

Fundamentals of Proxying. Proxy Server Fundamentals  Proxy simply means acting on someone other’s behalf  A Proxy acts on behalf of the client or user.

Thomas Ristenpart,Eran Tromer, Horav Shahcham and Stefan Savage

Distributed Denial of Service Attacks Shankar Saxena Veer Vivek Kaushik.

Cloud security Tom Ristenpart CS Software-as-a-service Infrastructure-as-a- service Cloud providers Cloud computing NIST: Cloud computing is a model.

HEY, YOU, GET OFF OF MY CLOUD: EXPLORING INFORMATION LEAKAGE IN THIRD-PARTY COMPUTE CLOUDS Eran Tromer MIT Hovav Shacham UCSD Stefan Savage UCSD ACM CCS.

Scanning & Enumeration Lab 3 Once attacker knows who to attack, and knows some of what is there (e.g. DNS servers, mail servers, etc.) the next step is.

1 Figure 4-1: Targeted System Penetration (Break-In Attacks) Host Scanning  Ping often is blocked by firewalls  Send TCP SYN/ACK to generate RST segments.

A paper by Thomas Ristenpart, Eran Tromer, Hovav Shacham, and Stefan Savage, Proceedings of the ACM Conference on Computer and Communications Security,

Securing the Network Infrastructure. Firewalls Typically used to filter packets Designed to prevent malicious packets from entering the network or its.

EC week Review. Rules of Engagement Teams selected by instructor Host will read the entire questions. Only after, a team may “buzz” by raise of.

Slammer Worm By : Varsha Gupta.P 08QR1A1216.

SEMINAR ON IP SPOOFING. IP spoofing is the creation of IP packets using forged (spoofed) source IP address. In the April 1989, AT & T Bell a lab was among.

References: “Hey, You, Get Off My Cloud: Exploring Information Leakage in Third-Party Compute Clouds” by Thomas Ristenpart, Eran Tromer – UC San Diego;

Hey, You, Get Off of My Cloud Thomas Ristenpart, Eran Tromer, Hovav Shacham, Stefan Savage Presented by Daniel De Graaf.

TCP/IP1 Address Resolution Protocol Internet uses IP address to recognize a computer. But IP address needs to be translated to physical address (NIC).

Chapter 11 – Cloud Application Development. Contents Motivation. Connecting clients to instances through firewalls. Cloud Computing: Theory and Practice.

Thomas Ristenpart , Eran Tromer, Hovav Shacham ,Stefan Savage CCS’09

Common System Exploits Tom Chothia Computer Security, Lecture 17.

Mapping/Topology attacks on Virtual Machines

An Introduction To ARP Spoofing & Other Attacks

Port Scanning James Tate II

Hey, You, Get Off of My Cloud

Written by : Thomas Ristenpart, Eran Tromer, Hovav Shacham,

Net 221D : Computer Networks Fundamentals

* Essential Network Security Book Slides.

Monkey See, Monkey Do A Tool for TCP Tracing and Replaying

SPEAKER: Yu-Shan Chou ADVISOR: DR. Kai-Wei Ke

Exploring Information Leakage in Third-Party Compute Clouds

Presentation transcript:

Distributed System Lab.1 Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds Thomas Ristenpart ¤, Eran Tromer, Hovav Shacham ¤, and Stefan Savage ¤ ¤ Dept. of Computer Science and Engineering University of California, San Diego, USA Computer Science and Artificial Intelligence Laboratory Massachusetts Institute of Technology, Cambridge, USA

Distributed System Lab.2 Outline Introduction Treat Model & EC2 Network Probing Cloud Cartography Determining Co-Residence Exploiting Placement EC2 Cross-VM Information Leakage Conclusion & Future References

Distributed System Lab.3 Introduction Third-party cloud computing represents the promise to out-sourcing as applied to computation. The use of virtualization allows third-party cloud providers to maximize the utilization by a shared physical infrastructure. New vulnerabilities: It is possible to map the internal cloud infrastructure. We explore how such placement can then be used to extract information.

Distributed System Lab.4 Threat Model We consider the provider and its infrastructure to be trusted. Adversaries are non-provider-affiliated malicious parties. Victims are users running confidentiality- requiring services in the cloud. Two kinds of attackers: Those who are interested in being able to attack some known hosted service. Those focused on attacking a particular victim service.

Distributed System Lab.5 The EC2 Service To run Linux, FreeBSD, OpenSolaris and Windows as guest operating system. Those VMs are provided by a version of the Xen hypervisor. EC2 does not appear to currently support live migration of instances. Each user account is limited to 20 concurrently running instances.

Distributed System Lab.6 Amazon s EC2 Two regions at U.S. and one at Europe. Three availability zones for each region. availability zones are meant to specify infrastructures with distinct and independent failure modes. There are five Linux instance types: m1.small, c1.medium, m1.large, m1.xlarge, and c1.xlarge. Each instance is given Internet connectivity: External IPv4 address and domain name. Internal RFC 1918 private address and domain name.

Distributed System Lab.7 Network Probing We use nmap to perform TCP connect probes To complete a 3-way hand-shake. We use hping to perform TCP SYN traceroutes. To send TCP SYN packets with increasing TTLs until no ACK is received. We only targeted ports 80 or 443. We used wget to retrieve web pages, but at most 1024 bytes. Two types of probes: External probes: It originates form a system outside EC2 to EC2 s instance. Internal probes: It originates from an EC2 instance to another. We use DNS resolution queries To determine the external name of an instance. To determine the internal IP address of an instance associated with some public IP address.

Distributed System Lab.8 Cloud Cartography (1) map the EC2 service to understand: Where potential targets are located in the cloud. The instance creation parameters needed to attempt establishing co-residence instance. The hypothesis: Different availability zones are likely to correspond to different internal IP address ranges. Two data sets: One created by enumerating public EC2-based web servers using external probes and translating responsive public IPs to internal IPs. Another created by launching a number of EC2 instances of varying types and surveying the resulting IP assigned.

Distributed System Lab.9 Cloud Cartography (2) Surveying public servers on EC2 We performed: a TCP connect probe on port 80, a follow-up wget on port 80, and a TCP port 443 scan. Via an appropriate DNS lookup from within EC2, we translated each public IP into an internal EC2 address. One of the goals is to enable identification of the instance type and availability zone of these potential targets. Instance placement parameters To launch instances by a single account, or two accounts. The samples from each zone are assigned IP addresses from disjoint portions of the internal address space. A fuller map of EC2

Distributed System Lab.10 Instance placement parameters

Distributed System Lab.11 Determining Co-Residence Instances are likely co-resident if they have Matching Dom0 IP address, Instance owner: the first hop on any route from it. Uncontrolled instance: the last hop of a TCP SYN tranceroute to it. Small packet round-trip times, The first reported RTT in any probes was almost an order of magnitude slower than subsequent probes. Numerically close internal IP addresses The same Dom0 IP will be shared by instances with a contiguous sequence of internal IP address. Veracity of the co-residence checks If two instances can successfully transmit via the covert channel then they are co-resident, otherwise not. A hard-disk-based covert channel (under our control). A TCP SYN traceroute to an open port on the target, and sees if there is only a single hop.

Distributed System Lab.12 Exploiting Placement in EC2 (1) To say the attacker is successful if he achieves good coverage (co-residence with a notable fraction of the target set) A single account was never seen to have two instances running on the same physical machine. Strong placement locality: Two instances run sequentially are often assigned to the same machine.

Distributed System Lab.13 Exploiting Placement in EC2 (2) Brute-forcing placement To run numerous instances over a long period of time and see how many targets are co-residence. Abusing placement locality We assume an attacker can launch instances soon after the launch of a target victim. The attacker engages in instance flooding. This suggests servers are often run on instances, terminated when not need, and later run again. Patching placement vulnerabilities Let users request placement of their VMs on machines that can only be populated by VMs from their accounts.

Distributed System Lab.14 Cross-VM Information Leakage (1) Measuring cache usage Load measurement: 1. Prime: Read BUFFER at offsets of cache line size. 2. Trigger: Busy-loop until CPU s cycle counter jumps by a large value. 3. Probe: Measure the time for reading BUFFER at offsets of cache line size. Cache-based covert channel Sender: To transmit 0 for idle, and frantically accesses memory for 1. Receiver: To access memory and observes the access latencies. High latencies = the sender is evicting the receiver s data form cache.

Distributed System Lab.15 Cross-VM Information Leakage (2) Load-based co-residence detection An adversary can actively cause load variation due to a publicly-accessible service on the target.

Distributed System Lab.16 Cross-VM Information Leakage (3) Estimating traffic rates Two m1.small instances 1000 cache load measurements in one instances 20 users (jmeter) Web page is 3 Mb

Distributed System Lab.17 Cross-VM Information Leakage (4) Keystroke timing attack The adversary s goal is to measure the time between keystrokes made by a victim typing a password. We utilize the Prime+Trigger+Probe load measurement technique to detect activity spikes in an otherwise idle machine. The same attack could be carried over to EC2, except that this technique applies only to VMs that timeshare a core.

Distributed System Lab.18 Conclusion & Future We argue that fundamental risks arise from sharing physical infrastructure between distrustful users. Future Cloud providers may obfuscate both the internal structure of their services and the placement policy. One may focus on the side-channel vulnerabilities and employ blinding techniques. We believe that the best solution is simply expose the risk and placement decisions directly to users.

Distributed System Lab.19 References [1] T. Ristenpart, E. Tromer, H. Shacham, and S. Savage, Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds. In CCS, 2009.

Distributed System Lab.20 Q & A Thank you!