Published by Austin Reynolds. Modified over 9 years ago.
1
Ragib Hasan
University of Alabama at Birmingham
CS 491/691/791 Fall 2013
Lecture 3, 09/03/2013
Security and Privacy in Cloud Computing
2
Attacks and Attack Surfaces
Goal:
  – Examine attack surfaces in a cloud
  – Learn about novel attacks on clouds
Recommended reading (no reviews)
Gruschka and Jensen, “Attack Surfaces: A Taxonomy for Attacks on Cloud Services”, 3rd International Conference on Cloud Computing, 2010
9/3/2013 Ragib Hasan | UAB CIS | CS491/691/791 Fall 2013
3
Announcements
Review Assignment #1 will be posted to course website this afternoon
  – Due: Tuesday, September 10, 12.29 pm
Please send reviews to ragib AT cis.uab.edu
  – Send review in plain text, in the email body (no attachments please)
Review format: Summary (5-6 sentences), Pros (3 or more points), Cons (3 or more points), Ideas for improvement
4
Announcement
Term Project
  – Must be a project related to cloud security
  – Form 2-member groups for the project
  – Project kickstart meeting: 9/5/2013, 12.30 pm - 1.30 pm
      Some sample project ideas will be provided
      Feel free to come up with your own ideas
  – Amazon has donated compute time on the EC2 Cloud for this course
5
Due dates
Project team formation: 9/5
Project ideas: Due by 9/12
Project progress meetings (Every 2 weeks, Sep-Nov)
Project demo: Early December
6
Project Deliverables
Project Report:
  – A brief, 10-12 page writeup on the project and experiments
Project Demo:
  – (If possible and relevant)
7
Traditional systems security vs Cloud Computing Security
Securing a traditional system
Securing a cloud
8
Traditional systems security vs Cloud Computing Security
Analogy
Securing a house: Owner and user are often the same entity
Securing a motel: Owner and users are almost invariably distinct entities
9
Traditional systems security vs Cloud Computing Security
Securing a house
Biggest user concerns:
  – Securing perimeter
  – Checking for intruders
  – Securing assets
Securing a motel
Biggest user concern:
  – Securing room against (the bad guy in next room | hotel owner)
10
Attack Surfaces
An attack surface is a vulnerability in a system that malicious users may utilize
11
Clouds extend the attack surface
How?
  – By requiring users to communicate with the cloud over a public / insecure network
  – By sharing the infrastructure among multiple users
12
Analyzing Attack Surfaces in Clouds
Cloud attack surfaces can be modeled using a 3-entity model (user, service, cloud)
Figure from: Gruschka et al., Attack Surfaces: A Taxonomy for Attacks on Cloud Services.
13
Attack Surface: 1
Service interface exposed towards clients
Possible attacks: Common attacks in client-server architectures
  – E.g., Buffer overflow, SQL injection, privilege escalation
14
Attack Surface: 2
User exposed to the service
Common attacks
  – E.g., SSL certificate spoofing, phishing
15
Attack Surface: 3
Cloud resources/interfaces exposed to service
Attacks run by service on cloud infrastructure
  – E.g., Resource exhaustion, DoS
16
Attack Surface: 4
Service interface exposed to cloud
Privacy attack
Data integrity attack
Data confidentiality attack
17
Attack Surface: 5
Cloud interface exposed to users
Attacks on cloud control
18
Attack Surface: 6
User exposed to cloud
How much can the cloud learn about a user?
19
Attacking a cloud
Question: Given enough resources, how would you attack a cloud?
20
Attacking a cloud
Options:
  – From outside
      Launch denial of service attacks
      Probe cloud from outside
  – From inside
      Exhaust resources internally
      Probe cloud and/or other
21
Novel attacks on clouds
Question: Can you attack a cloud or other users, without violating any law?
Answer: Yes!! By launching side channel attacks, while not violating Acceptable User Policy.
22
Utilizing Side Channels
A Side Channel is a passive attack in which the attacker gains information about the target through indirect observations.
Examples?
23
Further Reading
Gruschka and Jensen, “Attack Surfaces: A Taxonomy for Attacks on Cloud Services”, 3rd International Conference on Cloud Computing, 2010