4 Third-party cloud computing On-demand computing outsouring, share third-party infrastructure Amanzon s EC2 Microsoft s Azure Rackspace s Mosso
5 risk from cloud provider new trust realtionship customers must trust their cloud provider to respect the privacy of their data and the integrity of their computations.
6 threat from VM placement Threat multiplex the virtual machines of different customer upon the same physical hardware.
7 threat from VM placement Threat multiplex the virtual machines of different customer upon the same physical hardware. The adversary may be able to place the malicious instance on the same physical machine where the victim instance reside through legal process. Then lunch certain cross-vm attacks
8 steps Two steps Placement: adversary arranging to place their malicious VM on the same physical machine as that of a target customer
9 steps Two steps Placement: adversary arranging to place their malicious VM on the same physical machine as that of a target customer extraction: extract confidential information via a cross-vm attack.
10 Terminology terminology Instance: a running os image co-resident: instances that are running on the same physical machine
11 Research questions Qeuestions where an instance is located? how to determine if two instances are co-resident how to launch instance that will be co-resident with other user s instance how to exploit cross-vm information leakage once co-resident.
13 Amazon EC2 service Virtual machine monitor:xen run linux, freebsd, opensolaris and Windows as guest A privileged virtual machine call Dom0 is configured to route packets for guest images and report itself as a hop in trceroutes Credit:[Figure from Thomas s pape, CCS 2009]
14 more about Amazon EC2 service configuration parameter contain 3 availability zones" with separate power and network connectivity 5 instance type:m1.small, c1.medium, m1.large, m1.xlarge, c1.xlarge.
15 more about Amazon EC2 service Instance information external ipv4 address and domain name, internal address and domain name. within the cloud, both domain names resolved to internal IP address.
16 Goal Goal understand where potential target are located in the cloud and the instance creation parameters need to attempt establishing co-residence of an adversarial instance.
17 Cloud Cartography Hypothesis different availability zones likely to correspond to different internal IP address ranges and may be true for instance types as well. Thus mapping the use of the EC2 internal address allows an adversary to determine which IP address correspond to which creation parameters.
18 Empirical measurement study Two Data sets launching a number of EC2 instance of varying types and surveying the resulting IP address assigned. enumerating public EC2-based web servers and translate public IP to internal IP
19 Instance placement parameters Experiment 1 iteratively launching 20 instances for each of the 15 availability zone/instance type pairs.
20 Instance placement parameters Experiment 1 iteratively launching 20 instances for each of the 15 availability zone/instance type pairs. Credit:[Figure from Thomas s pape, CCS 2009]
21 Instance placement parameters Experiment 1 iteratively launching 20 instances for each of the 15 availability zone/instance type pairs. Credit:[Figure from Thomas s pape, CCS 2009] different availability zones use different IP regions.
22 Instance placement parameters Experiment 2 launching 100 instances(20 of each type) in zone 3 for two account A and B.
23 Instance placement parameters Experiment 2 launching 100 instances(20 of each type) in zone 3 for two account A and B. Credit:[Figure from Thomas s pape, CCS 2009]
24 Instance placement parameters Experiment 2 launching 100 instances(20 of each type) in zone 3 for two account A and B. Credit:[Figure from Thomas s pape, CCS 2009] The same instance type within the same zone use similar IP regions even for different accounts
25 Enumerate public EC2-based web servers Experiment 1 utilize WHOIS queries, identify 4 distinct IP address prefix associate with EC2 2 perform a tcp connect probe on port 80, result in responsive IPs. 3 perform a tcp port 443 scan, result in 8375 responsive IPs. 4 translate the public address into an internal EC2 address, result in potential target.
26 map of EC2-based web server Goal map the potential target into a instance type and availability zone. The data we have? 4499 sample instances, which has 997 unique internal IPs and 611 unique Dom0 IPs associated with these instances.
27 map of EC2-based web server mapping algorithms All IP from a /16 are from the same availability zone. A /24 inherit any included sampled instance type. A /24 containing a Dom0 IP address, we associate this /24 address the type of the Dom0 s associated instance All /24 s between consecutive Dom0 /24 s inherit the former s associated type.
29 Dectecting co-residence co-residence checking algorithms Internal IP address are close.(within 7)
30 Dectecting co-residence co-residence checking algorithms Internal IP address are close.(within 7) obtain and compare xen Dom0 address. sending TCP SYN and set TTL small: VM->Dom0->VM
31 Dectecting co-residence co-residence checking algorithms Internal IP address are close.(within 7) obtain and compare xen Dom0 address. sending TCP SYN and set TTL small: VM->Dom0->VM network latency: small packet round-trip times.
32 Observations On EC2, VMs can be co-resident only if they have identical creation parameters(region, availability zone, instance type) cloud-internal IP address assigned to VMs are strongly correlated with their creation parameters. use EC2 s DNS service to map public IP address to private internal address.
33 Achieving co-residence Overall strategy Derive target s creation parameters Create similar VMs unitl co-residence is detected.
34 Achieving co-residence Improvement exploiting EC2 s sequential assignment strategy trigger new creation of new VMs by the victim by inducing load(eg. RightScale)
35 Experiment probing 1 A single victim instance was launched 2 20 probe instances were launched by another account 3 co-residence checks were performed.
36 Result Credit:[Figure from Thomas s pape, CCS 2009]
38 What is side-channel attack side-channel attack cross-vm information leakage due to sharing of physical resources.like cpu s data caches, memory bus, network access.
39 cache attacks example cpu contains small, fast memory cache shared by all applications.
40 cache attacks example cpu contains small, fast memory cache shared by all applications. if only attacker access memory, it is served from the fast cache.
41 cache attacks example cpu contains small, fast memory cache shared by all applications. if only attacker access memory, it is served from the fast cache. if victim also access memory, the cache fills up and attacker notices a slow-down.
42 cache attacks example cpu contains small, fast memory cache shared by all applications. if only attacker access memory, it is served from the fast cache. if victim also access memory, the cache fills up and attacker notices a slow-down. from this, attacker can deduce the memory access pattens of victim
43 Measuring cache usage Prime+Trigger+Probe techinque allocate buffer B, enough to fill significant portion of caches Prime: Read B at cache line size to ensure it is cache Trigger: busy loops until the cpu s cycle increase by a large value. Probe: Measure the time it take to read B.
44 Estimating traffic rates performance cache load measurement, and sent http requests at different rates. Credit:[Figure from Thomas s pape, CCS 2009]
Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds (T. Ristenpart, Eran Tromer, Hovav Schacham and Stefan Savage CCS 2009) Evripidis Paraskevas (ECE Dept. UMD) 04/09/2014
HEY, YOU, GET OFF OF MY CLOUD: EXPLORING INFORMATION LEAKAGE IN THIRD-PARTY COMPUTE CLOUDS T. Ristenpart, H. Shacham, S. Savage UC San Diego E. Tromer MIT CPCS 722: Advanced Systems Seminar Ewa Syta GET
Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds Thomas Ristenpart Eran Tromer Hovav Shacham Stefan Savage Dept. of Computer Science and Engineering University
Cloud security CS642: Computer Security Professor Ristenpart h9p://www.cs.wisc.edu/~rist/ rist at cs dot wisc dot edu University of Wisconsin CS 642 Announcements Take- home final versus in- class Homework
royal holloway The Threat of Coexisting With an Unknown Tenant in a Public Cloud An examination of the vulnerabilities of the cloud, with a focus on the issues of attackers ability to load malicious programs
Cloud security CS642: Computer Security Professor Ristenpart h9p://www.cs.wisc.edu/~rist/ rist at cs dot wisc dot edu University of Wisconsin CS 642 Announcements No office hour today Extra TA office hour
About PaaS Security Donghoon Kim Henry E. Schaffer Mladen A. Vouk North Carolina State University, USA May 21, 2015 @ ICACON 2015 Outline Introduction Background Contribution PaaS Vulnerabilities and Countermeasures
Network performance in virtual infrastructures A closer look at Amazon EC2 Alexandru-Dorin GIURGIU University of Amsterdam System and Network Engineering Master 03 February 2010 Coordinators: Paola Grosso
A Measurement Study on Co-residence Threat inside the Cloud Zhang Xu, College of William and Mary; Haining Wang, University of Delaware; Zhenyu Wu, NEC Laboratories America https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/xu
Creating Value Delivering Solutions Technology and Cost Considerations for Cloud Deployment: Amazon Elastic Compute Cloud (EC2) Case Study Chris Zajac, NJDOT Bud Luo, Ph.D., Michael Baker Jr., Inc. Overview
Chapter 11 Cloud Application Development Contents Motivation. Connecting clients to instances through firewalls. Chapter 10 2 Motivation Some of the questions of interest to application developers: How
Cloud Computing Adam Barker 1 Overview Introduction to Cloud computing Enabling technologies Different types of cloud: IaaS, PaaS and SaaS Cloud terminology Interacting with a cloud: management consoles
ing Without a for a More Secure Cloud Xin Jin Princeton University Joint work with Eric Keller(UPenn) and Jennifer Rexford(Princeton) 1 Public Cloud Infrastructure Cloud providers offer computing resources
Secure Cloud Computing with a Virtualized Network Infrastructure Fang Hao, T.V. Lakshman, Sarit Mukherjee, Haoyu Song Bell Labs Cloud Security: All or Nothing? Amazon EC2 Government Cloud Shared computing,
Full and Para Virtualization Dr. Sanjay P. Ahuja, Ph.D. 2010-14 FIS Distinguished Professor of Computer Science School of Computing, UNF x86 Hardware Virtualization The x86 architecture offers four levels
CSE543 Computer and Network Security Module: Computing Professor Trent Jaeger 1 Computing Is Here Systems and Internet Infrastructure Security (SIIS) Laboratory 2 Computing Is Here Systems and Internet
Sorce: Security of IO Resources in Cloud Storage Environment for Third Party Services P.Murugesan 1, A.Vegi Fernando 2, J.Raj Thilak 3 1 (PG scholar, department of CSE, SCAD college of engg and tech,cheranmahadevi..)
WINDOWS AZURE NETWORKING The easiest way to connect to Windows Azure applications and data is through an ordinary Internet connection. But this simple solution isn t always the best approach. Windows Azure
On the Prevention of Cache-Based Side-Channel Attacks in a Cloud Environment by Michael Godfrey A thesis submitted to the School of Computing in conformity with the requirements for the degree of Master
IBM Tivoli Composite Application Manager for Microsoft Applications: Microsoft Hyper-V Server Agent Version 6.3.1 Fix Pack 2 Reference IBM Tivoli Composite Application Manager for Microsoft Applications:
Security and Privacy in Cloud Computing Ragib Hasan Johns Hopkins University en.600.412 Spring 2010 Lecture 2 02/01/2010 Threats, vulnerabilities, and enemies Goal Learn the cloud computing threat model
Cloud Infrastructure Using Opensource with Ubuntu Server 10.04 Enterprise Cloud (Eucalyptus) OSCON (Note: Special thanks to Jim Beasley, my lead Cloud Ninja, for putting this document together!) Introduction
Providing Flexible Security as a Service Model for Cloud Infrastructure Dr. M. Newlin Rajkumar, P. Banu Priya, Dr. V. Venkatesakumar Abstract Security-as-a-Service model for cloud systems enable application
Virtualization and Cloud Computing Zhenyu Wu, Zhang Xu, Haining Wang William and Mary Now affiliated with NEC Laboratories America Inc. Server Virtualization Consolidates workload Simplifies resource management
FIREWALL AND NAT Lecture 7a COMPSCI 726 Network Defence and Countermeasures Muhammad Rizwan Asghar August 3, 2015 Source of most of slides: University of Twente FIREWALL An integrated collection of security
Virtualization & Cloud Computing (2W-VnCC) DETAILS OF THE SYLLABUS: Basics of Networking Types of Networking Networking Tools Basics of IP Addressing Subnet Mask & Subnetting MAC Address Ports : Physical
Amazon Web Services Hands-On Virtual Private Computing 1 Overview Amazon s Virtual Private Cloud (VPC) allows you to launch AWS resources in a virtual network that you define. You can define an environment
A Generic Auto-Provisioning Framework for Cloud Databases Jennie Rogers 1, Olga Papaemmanouil 2 and Ugur Cetintemel 1 1 Brown University, 2 Brandeis University Instance Type Introduction Use Infrastructure-as-a-Service
DISTRIBUTED SYSTEMS [COMP9243] Lecture 9a: Cloud Computing Slide 1 Slide 3 A style of computing in which dynamically scalable and often virtualized resources are provided as a service over the Internet.
Improving Cloud Survivability through Dependency based Virtual Machine Placement Min Li, Yulong Zhang, Kun Bai 2, Wanyu Zang, Meng Yu, and Xubin He 3 Computer Science, Virginia Commonwealth University,
Smartronix Inc. Assured Services Commercial Price List Smartronix, Inc. 12120 Sunset Hills Road Suite #600, Reston, VA 20190 703-435-3322 firstname.lastname@example.org www.smartronix.com Table of Contents
Contents Scope of this Document... 2 Product Overview... 2 Virtual Data Centre and VDC Dedicated Infrastructure... 2 Service Levels... 3 Severity and Support Response Times... 4 On-boarding... 5 Incident
Small is Better: Avoiding Latency Traps in Virtualized DataCenters SOCC 2013 Yunjing Xu, Michael Bailey, Brian Noble, Farnam Jahanian University of Michigan 1 Outline Introduction Related Work Source of
Amazon Web Services Primer William Strickland COP 6938 Fall 2012 University of Central Florida AWS Overview Amazon Web Services (AWS) is a collection of varying remote computing provided by Amazon.com.
Networks and Security Lab Network Forensics Network Forensics - continued We start off from the previous week s exercises and analyze each trace file in detail. Tools needed: Wireshark and your favorite
How To - Configure Virtual Host using FQDN How To Configure Virtual Host using FQDN Applicable Version: 10.6.2 onwards Overview Virtual host implementation is based on the Destination NAT concept. Virtual
Security and Privacy in Public Clouds David Lie Department of Electrical and Computer Engineering University of Toronto 1 Cloud Computing Cloud computing can (and is) applied to almost everything today.
Cloud Computing and E-Commerce Cloud Computing turns Computing Power into a Virtual Good for E-Commerrce is Implementation Partner of 4FriendsOnly.com Internet Technologies AG VirtualGoods, Koblenz, September
Performance tuning Xen Roger Pau Monné email@example.com Madrid 8th of November, 2013 Xen Architecture Control Domain NetBSD or Linux device model (qemu) Hardware Drivers toolstack netback blkback Paravirtualized
Amazon Elastic Compute Cloud Getting Started Guide My experience Prepare Cell Phone Credit Card Register & Activate Pricing(Singapore) Region Amazon EC2 running Linux(SUSE Linux Windows Windows with SQL
Virtualization Technologies and Blackboard: The Future of Blackboard Software on Multi-Core Technologies Kurt Klemperer, Principal System Performance Engineer firstname.lastname@example.org Agenda Session Length:
Veeam Task Manager for Hyper-V Version 1.0 User Guide July, 2014 2014 Veeam Software. All rights reserved. All trademarks are the property of their respective owners. No part of this publication may be
Security Toolsets for ISP Defense Backbone Practices Authored by Timothy A Battles (AT&T IP Network Security) What s our goal? To provide protection against anomalous traffic for our network and it s customers.
EECS 489 Winter 2010 Midterm Exam Name: This is an open-book, open-resources exam. Explain or show your work for each question. Your grade will be severely deducted if you don t show your work, even if
Xen Live Migration Matúš Harvan Networks and Distributed Systems Seminar, 24 April 2006 Matúš Harvan Xen Live Migration 1 Outline 1 Xen Overview 2 Live migration General Memory, Network, Storage Migration
Xen and the Art of Virtualization Paul Barham, Boris Dragovic, Keir Fraser, Steven Hand, Tim Harris, Alex Ho, Rolf Neugebauery, Ian Pratt, Andrew Warfield University of Cambridge Computer Laboratory, SOSP
Hypervisor-Based Systems for Malware Detection and Prevention Yoshihiro Oyama ( 大 山 恵 弘 ) The University of Electro-Communications ( 電 気 通 信 大 学 ), Tokyo, Japan This Talk I introduce two hypervisor-based
StACC: St Andrews Cloud Computing Co laboratory A Performance Comparison of Clouds Amazon EC2 and Ubuntu Enterprise Cloud Jonathan S Ward StACC (pronounced like 'stack') is a research collaboration launched
Développement logiciel pour le Cloud (TLC) 7. Infrastructure-as-a-Service Guillaume Pierre Université de Rennes 1 Fall 2012 http://www.globule.org/~gpierre/ Développement logiciel pour le Cloud (TLC) 1
A SURVEY OF CLOUD COMPUTING: NETWORK BASED ISSUES PERFORMANCE AND ANALYSIS *Dr Umesh Sehgal, #Shalini Guleria *Associate Professor,ARNI School of Computer Science,Arni University,KathagarhUmeshsehgalind@gmail.com
Virtualization System Vulnerability Discovery Framework Speaker: Qinghao Tang Title:360 Marvel Team Leader 1 360 Marvel Team Established in May 2015, the first professional could computing and virtualization
Improving the Security of Commodity Hypervisors for Cloud Computing Anh Nguyen 1, Himanshu Raj, Shravan Rayanchu 2, Stefan Saroiu, and Alec Wolman 1 UIUC, 2 U. of Wisconsin, and MSR Today s cloud computing
VIEWABILL Cloud Security and Operational Architecture featuring RUBY ON RAILS VAB_CloudSecurity V1 : May 2014 Overview The Viewabill.com cloud is a highly-secure, scalable and redundant solution that enables
Privacy, Security and Cloud Giuseppe Di Luna July 2, 2012 Giuseppe Di Luna 2012 1 July 2, 2012 Giuseppe Di Luna 2012 2 July 2, 2012 Giuseppe Di Luna 2012 3 Security Concerns: Data leakage Data handling
Operating Systems Virtualization mechanisms René Serral-Gracià Xavier Martorell-Bofill 1 1 Universitat Politècnica de Catalunya (UPC) May 26, 2014 Contents 1 Introduction 2 Hardware Virtualization mechanisms
the Availability Digest Redundant Load Balancing for High Availability July 2013 A large data center can comprise hundreds or thousands of servers. These servers must not only be interconnected, but they
Denial Of Service The goal of a denial of service attack is to deny legitimate users access to a particular resource. An incident is considered an attack if a malicious user intentionally disrupts service
Fingerprinting Large Data Sets through Memory De-duplication Technique in Virtual Machines Rodney Owens Department of SIS UNC Charlotte Charlotte, NC 28223 Email: email@example.com Weichao Wang Department
Frequent Denial of Service Attacks Aditya Vutukuri Science Department University of Auckland E-mail:firstname.lastname@example.org Abstract Denial of Service is a well known term in network security world as
SPACK FIREWALL RESTRICTION WITH SECURITY IN CLOUD OVER THE VIRTUAL ENVIRONMENT V. Devi PG Scholar, Department of CSE, Indira Institute of Engineering & Technology, India. J. Chenni Kumaran Associate Professor,
Network Security Dr. Ihsan Ullah Department of Computer Science & IT University of Balochistan, Quetta Pakistan April 23, 2015 1 / 24 Secure networks Before the advent of modern telecommunication network,
Information Security Training Importance of Information Security Training There is only one way to keep your product plans safe and that is by having a trained, aware and a conscientious workforce. - Kevin
Network Performance Between Geo-Isolated Data Centers Testing Trans-Atlantic and Intra-European Network Performance between Cloud Service Providers Published on 4/1/2015 Network Performance Between Geo-Isolated
78 A Study on Detection of Hacking and Malware Codes in Bare Metal Hypervisor for Virtualized Internal Environment of Cloud Service Jung-oh Park Dept. of Information Communications, DONGYANG MIRAE University,
Public Cloud Offerings and Private Cloud Options Week 2 Lecture 4 M. Ali Babar Lecture Outline Public and private clouds Some key public cloud providers (More details in the lab) Private clouds Main Aspects
DEPLOYMENT GUIDE Version 1.1 DNS Traffic Management using the BIG-IP Local Traffic Manager Table of Contents Table of Contents Introducing DNS server traffic management with the BIG-IP LTM Prerequisites
Data Centers and Cloud Computing CS377 Guest Lecture Tian Guo 1 Data Centers and Cloud Computing Intro. to Data centers Virtualization Basics Intro. to Cloud Computing Case Study: Amazon EC2 2 Data Centers
Distributed System Monitoring and Failure Diagnosis using Cooperative Virtual Backdoors Benoit Boissinot E.N.S Lyon directed by Christine Morin IRISA/INRIA Rennes Liviu Iftode Rutgers University Phenix
5. Implementation Implementation of the trust model requires first preparing a test bed. It is a cloud computing environment that is required as the first step towards the implementation. Various tools
MS Exchange Server Acceleration Maximizing Users in a Virtualized Environment with Flash-Powered Consolidation Allon Cohen, PhD OCZ Technology Group Introduction Microsoft (MS) Exchange Server is one of
Presentation of Diagnosing performance overheads in the Xen virtual machine environment September 26, 2005 Framework Using to fix the Network Anomaly Xen Network Performance Test Using Outline 1 Introduction
Monitoring commercial cloud service providers July Author: Lassi Kojo Supervisor: Stefan Lüders CERN openlab Summer Student Report Abstract There is a growing tendency by individuals to sign-up for public
CIT 668: System Architecture Cloud Security Topics 1. The Same Old Security Problems 2. Virtualization Security 3. New Security Issues and Threat Model 4. Data Security 5. Amazon Cloud Security Data Loss
Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls CS426 Fall 2010/Lecture 36 1 Announcements There will be a quiz on Wed There will be a guest lecture on Friday, by Prof. Chris Clifton
Volume 4, Issue 2, February 2014 ISSN: 2277 128X International Journal of Advanced Research in Computer Science and Software Engineering Research Paper Available online at: www.ijarcsse.com An Emerging
YOUR QUALITY PARTNER FOR SOFTWARE SOLUTIONS IT & COMMUNICATION MANAGED SERVICES CATALOGUE Server & Application Support Network Support Cloud & Virtualisation Communication System IT Support Server & Application
Virtualization for Cloud Computing Dr. Sanjay P. Ahuja, Ph.D. 2010-14 FIS Distinguished Professor of Computer Science School of Computing, UNF CLOUD COMPUTING On demand provision of computational resources
Tutorial: Using HortonWorks Sandbox 2.3 on Amazon Web Services Sayed Hadi Hashemi Last update: August 28, 2015 1 Overview Welcome Before diving into Cloud Applications, we need to set up the environment
1 3.1 IaaS Definition IaaS: Infrastructure as a Service Through the internet, provide IT server, storage, computing power and other infrastructure capacity to the end users and the service fee based on