DACSA: A Decoupled Architecture for Cloud Security Analysis

Similar documents

DACSA: A Decoupled Architecture for Cloud Security Analysis

HPSA Agent Characterization

CloudSim: A Toolkit for Modeling and Simulation of Cloud Computing Environments and Evaluation of Resource Provisioning Algorithms

Managing Security of Virtual Machine Images in a Cloud Environment

Virtual Machines and Security Paola Stone Martinez East Carolina University November, 2013.

An overwhelming majority of IaaS clouds leverage virtualization for their foundation.

Hyper-V vs ESX at the datacenter

Sheepdog: distributed storage system for QEMU

RCL: Software Prototype

CS 695 Topics in Virtualization and Cloud Computing. Introduction

CS 695 Topics in Virtualization and Cloud Computing and Storage Systems. Introduction

Stratusphere Solutions

Using Linux as Hypervisor with KVM

Red Hat enterprise virtualization 3.0 feature comparison

COS 318: Operating Systems. Virtual Machine Monitors

Enabling Technologies for Distributed and Cloud Computing

Enabling Technologies for Distributed Computing

Dell Virtualization Solution for Microsoft SQL Server 2012 using PowerEdge R820

Lecture 2 Cloud Computing & Virtualization. Cloud Application Development (SE808, School of Software, Sun Yat-Sen University) Yabo (Arber) Xu

Cloud n Service Presentation. NTT Communications Corporation Cloud Services

RED HAT ENTERPRISE VIRTUALIZATION

Monitoring Elastic Cloud Services

JUNIPER NETWORKS FIREFLY HOST FIREWALL PERFORMANCE

Vocera Voice 4.3 and 4.4 Server Sizing Matrix

Microsoft Exchange Solutions on VMware

Product: Order Delivery Tracking

On- Prem MongoDB- as- a- Service Powered by the CumuLogic DBaaS Platform

Nessus Agents. October 2015

A Hybrid Approach To Live Migration Of Virtual Machines

Cloud Sure - Virtual Machines

SERVER 101 COMPUTE MEMORY DISK NETWORK

Virtual Machine Synchronization for High Availability Clusters

Efficient Data Management Support for Virtualized Service Providers

McAfee MOVE AntiVirus Multi-Platform 3.5.0

The Benefits of Virtualizing

VMware vsphere: Install, Configure, Manage [V5.0]

VMware vsphere: [V5.5] Admin Training

Performance Testing of a Cloud Service

Load and Performance Testing

Redefining Microsoft SQL Server Data Management. PAS Specification

Maximizing SQL Server Virtualization Performance

Technology and Cost Considerations for Cloud Deployment: Amazon Elastic Compute Cloud (EC2) Case Study

Pricing Guide. Service Overview

Banker Malware Protection Test Report

PARALLELS CLOUD SERVER

How To Set Up A Shared Insight Cache Server On A Pc Or Macbook With A Virtual Environment On A Virtual Computer (For A Virtual) (For Pc Or Ipa) ( For Macbook) (Or Macbook). (For Macbook

Handling Multimedia Under Desktop Virtualization for Knowledge Workers

Panoramica su Cloud Computing targata Red Hat AIPSI Meeting 2010

Two Great Ways to Protect Your Virtual Machines From Malware

When Desktops Go Virtual

Cloud Server. Parallels. An Introduction to Operating System Virtualization and Parallels Cloud Server. White Paper.

ORACLE VIRTUAL DESKTOP INFRASTRUCTURE

Virtualization Guide. McAfee Vulnerability Manager Virtualization

Virtualization. Dr. Yingwu Zhu

Virtual Switching Without a Hypervisor for a More Secure Cloud

DNA. White Paper. DNA White paper Version: 1.08 Release Date: 1 st July, 2015 Expiry Date: 31 st December, Ian Silvester DNA Manager.

Network Virtualization Model - Planet Lab

RED HAT ENTERPRISE VIRTUALIZATION 3.0

StACC: St Andrews Cloud Computing Co laboratory. A Performance Comparison of Clouds. Amazon EC2 and Ubuntu Enterprise Cloud

Philips IntelliSpace Critical Care and Anesthesia on VMware vsphere 5.1

LESSON 13 VIRTUALIZATION AND CLOUD COMPUTING

Symantec AntiVirus Enterprise Edition

MaxDeploy Ready. Hyper- Converged Virtualization Solution. With SanDisk Fusion iomemory products

Top 5 Reasons to choose Microsoft Windows Server 2008 R2 SP1 Hyper-V over VMware vsphere 5

Intelligent Laptop Virtualization No compromises for IT or end users. VMware Mirage

Dell Compellent Storage Center SAN & VMware View 1,000 Desktop Reference Architecture. Dell Compellent Product Specialist Team

VDI Optimization Real World Learnings. Russ Fellows, Evaluator Group

Simplified Private Cloud Management

ACANO SOLUTION VIRTUALIZED DEPLOYMENTS. White Paper. Simon Evans, Acano Chief Scientist

SQL Server Virtualization

A Comparison of VMware and {Virtual Server}

Cloud Computing with xcat on z/vm 6.3

A cloud-based architecture to crowdsource mobile app privacy leaks

Public Cloud on Ubuntu OpenStack From POC to Production MAKE IT RAIN

Cloud&backed,Internet,of,Things, Security,and,Dependability,

RED HAT ENTERPRISE VIRTUALIZATION FOR SERVERS: COMPETITIVE FEATURES

SAN TECHNICAL - DETAILS/ SPECIFICATIONS

Cisco Intercloud Fabric for Business

Virtual Desktops Security Test Report

WHITE PAPER: BEST PRACTICES. Sizing and Scalability Recommendations for Symantec Endpoint Protection. Symantec Enterprise Security Solutions Group

DIABLO TECHNOLOGIES MEMORY CHANNEL STORAGE AND VMWARE VIRTUAL SAN : VDI ACCELERATION

IOmark-VM. DotHill AssuredSAN Pro Test Report: VM a Test Report Date: 16, August

PES. Batch virtualization and Cloud computing. Part 1: Batch virtualization. Batch virtualization and Cloud computing

IOS110. Virtualization 5/27/2014 1

The Art of Virtualization with Free Software

The first agentless Security, Virtual Firewall, Anti- Malware and Compliance Solution built for Windows Server 2012 Hyper-V

Contents UNIFIED COMPUTING DATA SHEET. Virtual Data Centre Support.

Mirroring Smartphones For Good: A Feasibility Study

VMware Software Defined Network. Dejan Grubić VMware Systems Engineer for Adriatic

IOmark- VDI. Nimbus Data Gemini Test Report: VDI a Test Report Date: 6, September

Paragon Protect & Restore

Module I-7410 Advanced Linux FS-11 Part1: Virtualization with KVM

Comparing Free Virtualization Products

Symantec Endpoint Protection Datasheet

Just EnCase. Presented By Larry Russell CalCPA State Technology Committee May 18, 2012

The Value of Physical Memory for Incident Response

Microsoft Private Cloud Fast Track

Table of Contents. Server Virtualization Peer Review cameron : modified, cameron

VMware Virtualization and Software Development

Virtual Machine Monitors. Dr. Marc E. Fiuczynski Research Scholar Princeton University

Transcription:

DACSA: A Decoupled Architecture for Cloud Security Analysis Jason Gionta, William Enck, Peng Ning NC State Ahmed Azab Samsung Ltd Xialoan Zhang Google Inc

Cloud Provider Landscape

Cloud Provider Landscape Steal Degrade Infect Degrade

Cloud Provider Landscape Steal Degrade How to ask security centric questions? Infect Degrade

Unique Features of Cloud Diverse Components and Applications Single Platform Owner Geographically Dispersed

Cloud Infrastructure as a Security Testbed Security Attributes

How to Create a Datasource? Network Monitoring Flow analysis Encrypted network data In-Guest VM Monitoring Virus Scanners / Security Software Application Firewalls Resource Intensive Software Management Host Based Out of VM Monitoring Peer into VM - VMWatcher Record and Replay - Revirt Scalability

How to Create a Datasource? Network Monitoring Flow analysis Encrypted network data In-Guest VM Monitoring Virus Scanners / Security Software Application Firewalls Resource Intensive Software Management Host Based Out of VM Monitoring Peer into VM - VMWatcher Record and Replay - Revirt Scalability Decouple analysis from attribute acquisition

Decoupled Architecture for Analysis Sensor Sensor Sensor Security Attributes

DACSA Sensor Context Acquisition Sensor Context Acquisition Sensor Context Acquisition Context Carver Security Attributes Analysis Tools DACSA Components

DACSA Goals Limit impact to client VMs and hosts Enable analysis on supporting infrastructure Transparent to clients Test for security violations ToS Bots/C&C Malicious software development

Context Acquisition Fast Memory Snapshots Logical memory copy of guest memory COW Limit impact to guest and host Reliable copies Pause guest Flush Asynchronous I/O

Carving Memory Apply memory forensic techniques Extract security centric information Open ports, registry keys, processes, API hooks Hashes of executable pages Forensic tools Volatility Work directly on memory Interpose file I/O

Analysis Clustering of system features Blacksheep Bianchi et al. Memory based virus scanning Memory only malware Security Audit PCI Requirements

Implementation Host Ubuntu 12.04 64-bit Guests Windows 7 SP1 64-bit KVM/QEMU Fork QEMU process Shared library for interposing File I/O Volatility Custom tool for parsing memory Analysis Window 7 GS register to walk internal data structures Scan viruses in memory

Evaluation Platform IBM System X server Xeon E5450 Quad-core Guests 1GB Ram Impact to Guest Impact to Host Correctly identify infected processes

Impact to Guest 1-15 VMs, snapshot VMs, carve process list Pause time Flush Async I/O, Fork QEMU Process, Resume VM ~.2112 seconds / standard deviation.07359 sec Reduction in system performance Run Novabench in snapshotted VM Measure CPU Ops/Sec and Memory Ops/Sec 0-6% CPU, 0-3% Memory

Impact to Host 1-15 VMs, snapshot VMs, carve process list Increased CPU and Memory Utilization ~3% CPU Negligible Memory overhead Write Working Set 100-300 MB per minute

Carving Process Memory Infected VM with Cerberus RAT iexplore.exe host process Carved process memory Scanned memory with ClamAV Identified infected process

Related Work Live VM Migration (Clark et al.) Migrations takes upwards of 90 seconds Performance degradation upto 20% Fast VM Cloning (Sun et al.) COW based by write protecting pages Technical challenges of cloning

Conclusion DACSA turns clouds into a platform for security analysis VMs lightweight sensors Minimal impact to VM and host operations Apply large scale analysis Future Work Deploy to Virtual Computing Lab at NC State Memory Scanning as a Service

Questions? Thanks Reviewers insightful comments Eric Eide for shepherding jjgionta@ncsu.edu