CSE543 Computer and Network Security Module: Cloud Computing

Transcription

1 CSE543 Computer and Network Security Module: Computing Professor Trent Jaeger 1

2 Computing Is Here Systems and Internet Infrastructure Security (SIIS) Laboratory 2

3 Computing Is Here Systems and Internet Infrastructure Security (SIIS) Laboratory 2

4 Computing Is Here Systems and Internet Infrastructure Security (SIIS) Laboratory 2

5 Computing Is Here Systems and Internet Infrastructure Security (SIIS) Laboratory 2

6 Computing Is Here Systems and Internet Infrastructure Security (SIIS) Laboratory 2

7 Computing Is Here Systems and Internet Infrastructure Security (SIIS) Laboratory 2

8 Computing Is Here Systems and Internet Infrastructure Security (SIIS) Laboratory 2

9 Computing Is Here Systems and Internet Infrastructure Security (SIIS) Laboratory 2

10 Computing Is Here Systems and Internet Infrastructure Security (SIIS) Laboratory 2

11 Computing Is Here Systems and Internet Infrastructure Security (SIIS) Laboratory 2

12 Computing Is Here Why not use it? Systems and Internet Infrastructure Security (SIIS) Laboratory 2

13 What s Happening in There? Systems and Internet Infrastructure Security (SIIS) Laboratory 3

14 From Data Center to Systems and Internet Infrastructure Security (SIIS) Laboratory 4

15 From Data Center to Systems and Internet Infrastructure Security (SIIS) Laboratory 4

16 From Data Center to Systems and Internet Infrastructure Security (SIIS) Laboratory 4

17 Reasons to Doubt History has shown they are vulnerable to attack SLAs, audits, and armed guards offer few guarantees Insiders can subvert even hardened systems Data Loss Incidents Incident Attack Vector External 54% Accidental 23% Insider 16% Unknown 7% Credit: The Open Security Foundation datalossdb.org 5

18 What is Computing? vendor provides computing resources for rent by customers What do you want to rent? Hosts (Infrastructure as a Service) Rent cycles: Amazon EC2, Rackspace Servers Environment (Platform as a Service) Rent instances: Microsoft Azure, Google App Engine Programs (Software as a Service) Rent services: Salesforce, Google Docs Other variations can be rented 6

19 What is Computing? 7

20 IaaS Example Customer Client API Database Instances Message Queue Network Controller Scheduler Image Store Volume Store Systems and Internet Infrastructure Security (SIIS) Laboratory 8

21 Multiple Stakeholders Are my data protected? Client Data Clients Are my services running correctly? Service Providers Instance (VM) Is my platform secure? Administrators Systems and Internet Infrastructure Security (SIIS) Laboratory 9

22 Complexity environment challenges Opaque, Complex, Dynamic Insiders, Instances, Co-hosting Client Service 10

23 Complexity environment challenges Opaque, Complex, Dynamic Insiders, Instances, Co-hosting Client Platform 10

24 Complexity environment challenges Opaque, Complex, Dynamic Insiders, Instances, Co-hosting Client 10

25 Complexity environment challenges Opaque, Complex, Dynamic Insiders, Instances, Co-hosting Client VM 10

26 Complexity environment challenges Opaque, Complex, Dynamic Insiders, Instances, Co-hosting Client VM 10

27 Complexity environment challenges Opaque, Complex, Dynamic Insiders, Instances, Co-hosting Client VM VM 10

28 Complexity environment challenges Opaque, Complex, Dynamic Insiders, Instances, Co-hosting Client VM VM 10

29 Complexity environment challenges Opaque, Complex, Dynamic Insiders, Instances, Co-hosting VM VM VM Client VM 10

30 Complexity environment challenges Opaque, Complex, Dynamic Insiders, Instances, Co-hosting Client VM VM VM VM 10

31 Insider Threats May trust the cloud vendor company But, do you trust all its employees? Insiders can control platform Determine what software runs consumers code Insiders can monitor execution Log instance operation from remote Insiders may have physical access Can monitor hardware, access physical memory, and tamper secure co-processors 11

32 Insider s Physical Access 12

33 s Server 13

34 s s manages node provisioning Administers PKI for machine identities Network installs a master disk image and customizes Server 13

35 s s manages node provisioning Administers PKI for machine identities Network installs a master disk image and customizes PKI Server 13

36 s s manages node provisioning Administers PKI for machine identities Network installs a master disk image and customizes PKI Server 13

37 s s manages node provisioning Administers PKI for machine identities Network installs a master disk image and customizes Server 13

38 s s manages node provisioning Administers PKI for machine identities Network installs a master disk image and customizes Server 13

39 s s manages node provisioning Administers PKI for machine identities Network installs a master disk image and customizes Server 13

40 s s manages node provisioning Administers PKI for machine identities Network installs a master disk image and customizes Server 13

41 s s manages node provisioning Administers PKI for machine identities Network installs a master disk image and customizes is essentially a static hosting utility Should not require persistent changes at runtime Should only allow inputs to well protected interfaces Server 13

42 Root of Trust for Installation Root of Trust for Installation (ROTI) [ACSAC 2007] Binds the filesystem to a known installer (origin) Prevent persistent changes across reboots Detect system reboot and reverify 14

43 Root of Trust for Installation Root of Trust for Installation (ROTI) [ACSAC 2007] Binds the filesystem to a known installer (origin) Prevent persistent changes across reboots Detect system reboot and reverify 14

44 Root of Trust for Installation Root of Trust for Installation (ROTI) [ACSAC 2007] Binds the filesystem to a known installer (origin) Prevent persistent changes across reboots Detect system reboot and reverify 14

45 Root of Trust for Installation Root of Trust for Installation (ROTI) [ACSAC 2007] Binds the filesystem to a known installer (origin) Prevent persistent changes across reboots Detect system reboot and reverify 14

46 Root of Trust for Installation Root of Trust for Installation (ROTI) [ACSAC 2007] Binds the filesystem to a known installer (origin) Prevent persistent changes across reboots Detect system reboot and reverify Quote(Installer,Image,FS,AIK) 14

47 Root of Trust for Installation Root of Trust for Installation (ROTI) [ACSAC 2007] Binds the filesystem to a known installer (origin) Prevent persistent changes across reboots Detect system reboot and reverify ROTI Proof 14

48 netroti [IEEE S&P 2011] Need to measure entire installation process Network installation receives untrusted inputs Bootstrap installation from a measured launch environment 15

49 netroti [IEEE S&P 2011] Need to measure entire installation process Network installation receives untrusted inputs Bootstrap installation from a measured launch environment Preinstall Phase Gather Phase Bootstrap Phase Download Phase Configure Phase Proof Phase Configure boot options Gather installer client Initialize installer environment Download disk image Customize disk image Generate ROTI Proof Initialize RTM Measure installer Measure disk image Measure filesystem netroti Proof: Sig( MLE, Installer, Image, FS, AIK) 15

50 netroti [IEEE S&P 2011] Need to measure entire installation process Network installation receives untrusted inputs Bootstrap installation from a measured launch environment 15

51 Evaluation netroti installed 10 Eucalyptus node controllers 16

52 Evaluation netroti installed 10 Eucalyptus node controllers 16

53 Evaluation netroti installed 10 Eucalyptus node controllers 16

54 Evaluation netroti installed 10 Eucalyptus node controllers 16

55 Evaluation netroti installed 10 Eucalyptus node controllers 16

56 Instance Threats Publisher of a pre-configured instance (AMI) may be malicious or error-prone Publishers determine the software Instance could contain malware Publishers may configure security policies Could be insufficient to block adversaries Publishers may run scans to detect problems Malware detection may not find all malware, presuming they are used correctly 17

57 Instance Initialization *+,) :;5$<'*22'=&5>"' G"D',6&">H89"' -!.),/)!"#$"%&'(' A5;$B"':521' *+,-,.' 0C'=F-D89E"<! =F'=&5>83"'!"#$%&'(),6%&869"-,.! *+,-,.',6%&869"-,. *+,-,.' Figure 2: VM instantiation in Amazon AWS. The Consumer chooses the image (AMI-ID), resources (Type), and availability zone (Region) for her VM on the Web Interface of the AWS App Store. Depending on the type of the AMI, the VM is instantiated (Instance-ID AMI-ID ) either as (A) EBS-backed or (B) S3-backed. directly by Amazon or by third party publishers. Users can take these public AMIs to create their own AMIs which are either kept for themselves (private AMIs), made accessible to a group of users (shared AMIs), or made publicly available for every user of EC2 (public AMIs) as shown in Fig. 1. AMIs are further distinguished by the storage type they are based on either S3 or EBS as described next. S3-backed AMIs. S3-backed AMIs are stored on the highly available Simple Storage Service (S3) [7]. As shown in Fig. 2, S3-backed AMIs are instantiated by first copying the instance is assigned an external IPv4 address for Internet connectivity and an internal address for communication with other EC2 instances. The user is only charged for data tra c with the Internet over the external address. 3.2 Authentication in AWS AWS uses di erent authentication mechanisms to provide authenticated access to the AWS account and to running instances as described next. 18

58 SSH Study Publisher left an SSH user authentication key in their AMI Fortunately, Amazon agreed that this is a violation Unfortunately, it was not an isolated problem 30% of 1100 AMIs checked contained such a key Also, pre-configured AMIs had SSH public host keys Thus, all instances use the same host key pair Implications? 19

59 Co-Hosting Threats An instance co-hosted on the same physical platform could launch attacks against your instance Co-hosted instances share resources Computer CPU, Cache, Memory, Network, etc. Shared resources may be used as side channels to learn information about resource or impact its behavior 20

60 Side Channels Watch use of shared resource to learn secret value Common case is the processor caches Approach Adversary tries to evict victim s instructions/data from the cache To learn which instructions/data victim is using Adversary has some means to observe a delay in the victim s processing This works surprisingly well Power usage is another useful side channel 21

61 Resource Freeing Attacks Setup Victims One or more VMs with public interface Beneficiary VM whose performance we want to improve (contend over target resource) Vic&m# VM# VM# Beneficiary# Helper Mounts attack using interface Helper& 22

62 Resource Freeing Attacks Side Channel is Cache Suppose victim hosts static and dynamic web pages Attack: shift resource usage via public interface Normally, victim is scheduled and pollutes the cache Approach lower scheduling priority Make more CPU-bound RFA$intensi*es$ $*me$in$ms$per&second& 60%$ Performance$ Improvement$ 196%$slowdown$ 86%$slowdown$ 23

63 Take Away computing is established In several manifestations -- IaaS, PaaS, SaaS,... Running your jobs in a cloud introduces some security challenges Beware of insiders Beware of pre-configured instances Beware of co-hosted instances We are just beginning to understand the issues 24