CSE543 Computer and Network Security Module: Cloud Computing

CSE543 Computer and Network Security
Module: Cloud Computing
Professor Trent Jaeger
Systems and Internet Infrastructure Security (SIIS) Laboratory

Cloud Computing Is Here
- Why not use it?

What's Happening in There?

From Data Center to Cloud

Reasons to Doubt
- History has shown they are vulnerable to attack
- SLAs, audits, and armed guards offer few guarantees
- Insiders can subvert even hardened systems
[Chart: Data Loss Incidents per year, 2006-2011 (counts as extracted: 986, 903, 770, 695, 641, 678); Attack Vector: External 54%, Accidental 23%, Insider 16%, Unknown 7%. Credit: The Open Security Foundation, datalossdb.org]

What is Cloud Computing?
- Cloud vendor provides computing resources for rent by customers
- What do you want to rent?
  - Hosts (Infrastructure as a Service): rent cycles: Amazon EC2, Rackspace Cloud Servers
  - Environment (Platform as a Service): rent instances: Microsoft Azure, Google App Engine
  - Programs (Software as a Service): rent services: Salesforce, Google Docs
- Other variations can be rented

What is Cloud Computing? (diagram slide)

IaaS Example (architecture diagram): Customer, Client API, Database, Instances, Message Queue, Network Controller, Scheduler, Image Store, Volume Store

Multiple Stakeholders
- Clients: Are my data protected? (client data)
- Service Providers: Are my services running correctly? (instance / VM)
- Administrators: Is my platform secure? (cloud platform)

Complexity
- Cloud environment challenges: opaque, complex, dynamic
- Insiders, instances, co-hosting
[Diagram: client, cloud service, cloud platform, and a growing set of VMs sharing the platform]

Insider Threats
- You may trust the cloud vendor company, but do you trust all its employees?
- Insiders can control the platform: they determine what software runs consumers' code
- Insiders can monitor execution: log instance operation remotely
- Insiders may have physical access: can monitor hardware, access physical memory, and tamper with secure co-processors

Insider's Physical Access (figure slide)

Cloud's Server
- The cloud manages node provisioning
- Administers a PKI for machine identities
- Network-installs a master disk image and customizes it
- The cloud's server is essentially a static hosting utility
  - Should not require persistent changes at runtime
  - Should only allow inputs to well-protected interfaces

Root of Trust for Installation
- Root of Trust for Installation (ROTI) [ACSAC 2007]
- Binds the filesystem to a known installer (origin)
- Prevents persistent changes across reboots
- Detects system reboot and reverifies
- ROTI Proof: Quote(Installer, Image, FS, AIK)

netroti [IEEE S&P 2011]
- Need to measure the entire installation process
- Network installation receives untrusted inputs
- Bootstrap installation from a measured launch environment
- Phases: Preinstall (configure boot options), Gather (gather installer client), Bootstrap (initialize installer environment), Download (download disk image), Configure (customize disk image), Proof (generate ROTI proof)
- Measurement steps along the way: initialize RTM, measure installer, measure disk image, measure filesystem
- netroti Proof: Sig(MLE, Installer, Image, FS, AIK)
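The ROTI and netroti slides above describe a proof that chains a measured launch environment, the installer, the disk image and the resulting filesystem into one signed statement, and a reverification step that catches persistent changes after a reboot. The following is an added example, not code from the lecture or from the ROTI/netroti papers: it simulates that flow in Python with a TPM-style extend register, an HMAC under a constructed key standing in for the AIK signature (an assumption made to keep it self-contained), and an in-memory image written into a temporary directory. The verifier replays the measurement log, checks MLE/installer/image digests against known-good values, and the reboot check compares the live filesystem against the FS digest bound into the proof.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    # TPM-style extend: the register only accumulates, so an earlier
    # measurement cannot be swapped without changing every later value.
    return sha256(pcr + sha256(measurement))


def image_digest(image: dict) -> bytes:
    # Canonical digest of a constructed {relative path: bytes} disk image.
    return sha256(b"".join(k.encode() + b"\0" + v + b"\0" for k, v in sorted(image.items())))


def measure_filesystem(root: Path) -> bytes:
    # Hash (relative path, content hash) pairs in sorted order so the
    # result does not depend on traversal order.
    h = hashlib.sha256()
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix().encode()
            h.update(rel + b"\0" + sha256(p.read_bytes()))
    return h.digest()


def netroti_install(root: Path, mle: bytes, installer: bytes, image: dict, aik_key: bytes) -> dict:
    """Measured installation producing Sig(MLE, Installer, Image, FS, AIK).
    The HMAC under aik_key stands in for the AIK signature (assumption)."""
    pcr = bytes(32)                       # Preinstall: RTM starts from a known value
    log = []
    for label, blob in (("MLE", mle), ("Installer", installer)):
        digest = sha256(blob)             # Gather phase: measure the installer before running it
        pcr = extend(pcr, digest)
        log.append((label, digest))
    digest = image_digest(image)          # Download phase: measure the image before using it
    pcr = extend(pcr, digest)
    log.append(("Image", digest))
    for rel, contents in image.items():   # Configure phase: lay down the filesystem
        dest = root / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes(contents)
    fs_digest = measure_filesystem(root)  # Proof phase: bind the installed filesystem
    pcr = extend(pcr, fs_digest)
    log.append(("FS", fs_digest))
    return {"log": log, "pcr": pcr, "sig": hmac.new(aik_key, pcr, "sha256").digest()}


def verify_proof(proof: dict, expected: dict, aik_key: bytes) -> bool:
    """Replay the log, check it reaches the signed register value, and compare the
    MLE/Installer/Image measurements with known-good digests (FS is bound, not predicted)."""
    pcr = bytes(32)
    for label, digest in proof["log"]:
        if label in expected and digest != expected[label]:
            return False
        pcr = extend(pcr, digest)
    if pcr != proof["pcr"]:
        return False
    return hmac.compare_digest(hmac.new(aik_key, pcr, "sha256").digest(), proof["sig"])


def reverify_after_reboot(root: Path, proof: dict) -> bool:
    """ROTI reverification: the filesystem must still match the FS digest in the proof."""
    return hmac.compare_digest(measure_filesystem(root), dict(proof["log"])["FS"])


def demo() -> dict:
    # Constructed stand-ins for the launch environment, installer client and image.
    mle, installer = b"measured-launch-env v1", b"installer-client v1"
    image = {"etc/ssh/sshd_config": b"PermitRootLogin no\n",
             "usr/sbin/node-controller": b"\x7fELF constructed stub"}
    aik_key = b"constructed-aik-key"
    expected = {"MLE": sha256(mle), "Installer": sha256(installer), "Image": image_digest(image)}
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        proof = netroti_install(root, mle, installer, image, aik_key)
        results = {"fresh": verify_proof(proof, expected, aik_key),
                   "reboot": reverify_after_reboot(root, proof),
                   "wrong_aik": verify_proof(proof, expected, b"some-other-key")}
        # An insider persists a change on the node; the next reverification catches it.
        (root / "etc/ssh/sshd_config").write_bytes(b"PermitRootLogin yes\n")
        results["tampered"] = reverify_after_reboot(root, proof)
        # A trojaned installer yields a well-formed proof, but its measurement
        # does not match the known-good installer digest.
        forged = netroti_install(root, mle, b"trojaned installer", image, aik_key)
        results["forged"] = verify_proof(forged, expected, aik_key)
    return results


if __name__ == "__main__":
    print(demo())
```

The split between "expected" and "bound" values is the point of the scheme: the verifier must know good digests for the launch environment, installer and image ahead of time, while the filesystem digest is whatever the measured installer produced, which is enough to detect any later persistent change.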

Evaluation
- netroti installed 10 Eucalyptus node controllers

Instance Threats
- The publisher of a pre-configured instance (AMI) may be malicious or error-prone
- Publishers determine the software: the instance could contain malware
- Publishers may configure security policies: these could be insufficient to block adversaries
- Publishers may run scans to detect problems: malware detection may not find all malware, presuming the scanners are used correctly

Instance Initialization
[Figure 2: VM instantiation in Amazon AWS. The Consumer chooses the image (AMI-ID), resources (Type), and availability zone (Region) for her VM on the Web Interface of the AWS App Store. Depending on the type of the AMI, the VM is instantiated (Instance-ID, AMI-ID) either as (A) EBS-backed or (B) S3-backed.]
The slide reproduces the figure and the surrounding text from an external paper; "Fig. 1" and "[7]" below refer to that paper.
"... directly by Amazon or by third party publishers. Users can take these public AMIs to create their own AMIs, which are either kept for themselves (private AMIs), made accessible to a group of users (shared AMIs), or made publicly available for every user of EC2 (public AMIs), as shown in Fig. 1. AMIs are further distinguished by the storage type they are based on, either S3 or EBS, as described next."
"S3-backed AMIs. S3-backed AMIs are stored on the highly available Simple Storage Service (S3) [7]. As shown in Fig. 2, S3-backed AMIs are instantiated by first copying"
"... the instance is assigned an external IPv4 address for Internet connectivity and an internal address for communication with other EC2 instances. The user is only charged for data traffic with the Internet over the external address."
"3.2 Authentication in AWS. AWS uses different authentication mechanisms to provide authenticated access to the AWS account and to running instances, as described next."

SSH Study
- A publisher left an SSH user authentication key in their AMI
- Fortunately, Amazon agreed that this is a violation
- Unfortunately, it was not an isolated problem: 30% of the 1100 AMIs checked contained such a key
- Also, pre-configured AMIs had SSH public host keys; thus, all instances use the same host key pair
- Implications?
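The two leftovers the SSH study found, publisher authorized_keys entries and baked-in host keys, are both things an image publisher can check for before publishing. The following is an added example, not code from the lecture or from the study it cites: a Python audit over an image's root filesystem using the OpenSSH default paths (an assumption about the image's layout), run here against a constructed sample tree in a temporary directory. The scrub step deletes host keys rather than replacing them, which assumes the image's boot scripts or cloud-init regenerate them on first boot, as stock OpenSSH packaging does; the customer's own key is injected at launch, so the publisher's entries are not needed.

```python
import tempfile
from pathlib import Path

# OpenSSH default locations, relative to the image's root filesystem (assumed layout).
HOST_KEY_GLOB = "etc/ssh/ssh_host_*_key*"          # private keys and their .pub halves
AUTHORIZED_KEYS_GLOBS = ("root/.ssh/authorized_keys", "home/*/.ssh/authorized_keys")
KEY_TYPE_PREFIXES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-")


def is_key_entry(line: str) -> bool:
    """True for an authorized_keys line that actually grants access (not blank or comment).
    An entry may begin with an options field, so look for a key-type token anywhere."""
    line = line.strip()
    if not line or line.startswith("#"):
        return False
    return any(tok.startswith(KEY_TYPE_PREFIXES) for tok in line.split())


def audit_image(root: Path) -> list:
    """Findings, sorted by path: leftover user keys (with entry counts) and baked-in host keys."""
    findings = []
    for pattern in AUTHORIZED_KEYS_GLOBS:
        for f in root.glob(pattern):
            n = sum(1 for ln in f.read_text().splitlines() if is_key_entry(ln))
            if n:
                findings.append({"kind": "authorized_key",
                                 "path": f.relative_to(root).as_posix(), "entries": n})
    for f in root.glob(HOST_KEY_GLOB):
        findings.append({"kind": "host_key", "path": f.relative_to(root).as_posix()})
    return sorted(findings, key=lambda x: x["path"])


def scrub_image(root: Path) -> int:
    """Delete every flagged file; returns how many were removed.
    Host keys are regenerated per instance on first boot (assumed); authorized
    keys come from launch-time injection, so the publisher's copies go away."""
    removed = 0
    for finding in audit_image(root):
        (root / finding["path"]).unlink()
        removed += 1
    return removed


def build_sample_image(root: Path) -> None:
    """Constructed sample tree standing in for an AMI root filesystem."""
    files = {
        "root/.ssh/authorized_keys":
            "# publisher's laptop\nssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA publisher@laptop\n",
        "home/ubuntu/.ssh/authorized_keys":
            'ssh-rsa AAAAB3NzaC1yc2E build@ci\n'
            'command="/bin/true" ssh-rsa AAAAB3NzaC1yc2E restricted\n',
        "home/alice/.ssh/authorized_keys": "# empty on purpose\n",
        "etc/ssh/ssh_host_rsa_key":
            "-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n-----END OPENSSH PRIVATE KEY-----\n",
        "etc/ssh/ssh_host_rsa_key.pub": "ssh-rsa AAAAB3NzaC1yc2E root@build-host\n",
        "etc/ssh/sshd_config": "PermitRootLogin prohibit-password\n",
    }
    for rel, text in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)


def demo() -> tuple:
    """Audit the sample image, scrub it, and audit again."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample_image(root)
        before = audit_image(root)
        removed = scrub_image(root)
        after = audit_image(root)
    return before, removed, after


if __name__ == "__main__":
    before, removed, after = demo()
    for f in before:
        print(f)
    print("removed:", removed, "remaining findings:", len(after))
```

Mount the candidate image read-write and point `audit_image` at its mount point; an entry count above zero for a user, or any `ssh_host_*_key` file, is a finding. The shared-host-key case is the one customers cannot see from the outside: every instance presents the same fingerprint, so a client that has accepted it once would accept an impostor too, which is why the host keys must leave the image before it is published.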

Co-Hosting Threats
- An instance co-hosted on the same physical platform could launch attacks against your instance
- Co-hosted instances share resources: computer CPU, cache, memory, network, etc.
- Shared resources may be used as side channels to learn information about the resource or to impact its behavior

Side Channels
- Watch use of a shared resource to learn a secret value
- The common case is the processor caches
- Approach: the adversary tries to evict the victim's instructions/data from the cache, to learn which instructions/data the victim is using; the adversary has some means to observe a delay in the victim's processing
- This works surprisingly well
- Power usage is another useful side channel

Resource Freeing Attacks
- Setup
  - Victims: one or more VMs with a public interface
  - Beneficiary: the VM whose performance we want to improve (contends with the victim over the target resource)
  - Helper: mounts the attack using the victim's public interface
[Diagram: Victim VM, Beneficiary VM, Helper]

Resource Freeing Attacks
- Side channel is the cache
- Suppose the victim hosts static and dynamic web pages
- Attack: shift resource usage via the public interface
  - Normally, the victim is scheduled and pollutes the cache
  - Approach: lower its scheduling priority by making it more CPU-bound
[Chart: as the RFA intensifies (time in ms per second), 60% performance improvement for the beneficiary; 196% slowdown and 86% slowdown shown for the victim]

Take Away
- Cloud computing is established, in several manifestations: IaaS, PaaS, SaaS, ...
- Running your jobs in a cloud introduces some security challenges
  - Beware of insiders
  - Beware of pre-configured instances
  - Beware of co-hosted instances
- We are just beginning to understand the issues