1. Rohit Kugaonkar CMSC 601 Spring 2011 May 9 th 2011 http://res.sys-con.com/story/dec09/1225058/Cloud%20security%20226.jpg

2.  “Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction”. - The NIST Definition of Cloud Computing http://csrc.nist.gov/publications/drafts/800-145/Draft-SP-800-145_cloud-definition.pdf

3.  On-Demand service  Pay only for actual usage  Shared resources  Rapid elasticity  Virtualization  Advanced Security "Cloud Security and Privacy'',O'Reilly

4.  Insecure programming interfaces or APIs  Threat from inside employees  Data Protection  Identity and access management  Shared Technology issues  Hypervisor security  Cross-side channel attacks between VMs

5. http://vzxen.com/images/xen-hypervisor.png

6.  Virtual machines share the physical memory, CPU cycles, network buffers, DRAM of the physical machine  Attack on Amazon EC2 web services: Researchers from MIT and University of California explained in their paper “Hey,You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds”

7.  Attacks takes place in two steps: 1. Placement of attacker virtual machine on the same physical machine. 2. Exploiting the shared resources.  CPU cache leakage attack  Measure load of the other virtual web server  Extract AES and RSA keys.  Keystrokes timing analysis  Extract user passwords from SSH terminal.

8.  D. A. Osvik, A. Shamir, and E. Tromer, “Cache attacks and countermeasures: the case of AES”.  D. Page, “Theoretical use of cache memory as a cryptanalytic side-channel”.  D. Page, “Defending against cache-based side- channel attacks”.  D. Page, “Partitioned cache architecture as a side-channel defense mechanism”.  E. Tromer, D. A. Osvik, and A. Shamir, "Efficient cache attacks on AES, and countermeasures

9.  Dawn Xiaodong Song, David Wagner, Xuqing Tian, ``Timing Analysis of Keystrokes and Timing Attacks on SSH'‘.  Cloud service providers: “Securing Microsoft's Cloud Infrastructure", Microsoft Global Foundation Services. “Amazon Web Services: Overview of Security Processes"

10.  Dividing the security mechanism in 2 components.  Customized operating system image.  A light weight process running on each of the virtual machines.  Collect security logs or any malicious behavior from each of the virtual machines and send it for analysis to dedicated machine.

11.  Analysis part will be performed at dedicated machine/s.  Analysis of the security logs in real time.  Looking for the same cache memory access pattern!  Routing all the web server traffic through these dedicated machines.  Real time fixing of any tampering on VMs.  Wiping out cache only when attack pattern is detected by the dedicated machine.

12.  Hypervisor security.  Security mechanism to protect against keystroke based timing attacks.

13. http://blog.llnw.com/wp-content/uploads/2010/04/cloud-question.png

14.  Thomas Ristenpart, Eran Tromer, Hovav Shacham and Stefan Savage ``Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds’’.  Tim Mather, Subra Kumaraswamy, Shahed Latif, ``Cloud Security and Privacy'',O'Reilly publication.  D. A. Osvik, A. Shamir, and E. Tromer, “Cache attacks and countermeasures: the case of AES”,  D. Page, “Theoretical use of cache memory as a cryptanalytic side-channel”,  D. Page, “Defending against cache-based side-channel attacks.  D. Page, “Partitioned cache architecture as a side-channel defense mechanism”.  E. Tromer, D. A. Osvik, and A. Shamir, "Efficient cache attacks on AES, and countermeasures“.  Dawn Xiaodong Song, David Wagner, Xuqing Tian, ``Timing Analysis of Keystrokes and Timing Attacks on SSH”.