SLIDE 1

Systems and Internet Infrastructure Security Laboratory (SIIS) Page

CSE543 Computer and Network Security Module: Cloud Computing

Professor Trent Jaeger

Friday, November 30, 12

SLIDE 2

Cloud Computing Is Here

Why not use it?

SLIDE 13

What’s Happening in There?

SLIDE 14

From Data Center to Cloud

SLIDE 17

Reasons to Doubt

  • History has shown they are vulnerable to attack
  • SLAs, audits, and armed guards offer few guarantees
  • Insiders can subvert even hardened systems

Data Loss Incidents

  Year       ‘06  ‘07  ‘08  ‘09  ‘10  ‘11
  Incidents  903  678  695  986  770  641

Incident Attack Vector

  External 54%, Accidental 23%, Insider 16%, Unknown 7%

Credit: The Open Security Foundation datalossdb.org

SLIDE 18

What is Cloud Computing?

  • Cloud vendor provides computing resources for rent by customers
  • What do you want to rent?
    • Hosts (Infrastructure as a Service)
      • Rent cycles: Amazon EC2, Rackspace Cloud Servers
    • Environment (Platform as a Service)
      • Rent instances: Microsoft Azure, Google App Engine
    • Programs (Software as a Service)
      • Rent services: Salesforce, Google Docs
    • Other variations can be rented

SLIDE 19

What is Cloud Computing?

SLIDE 20

IaaS Cloud Example

Diagram labels: Client, Cloud Customer, Cloud API, Scheduler, Network Controller, Cloud Database, Message Queue, Volume Store, Image Store, Cloud Node, Instances

SLIDE 21

Multiple Stakeholders

Diagram labels:
  • Layers: Cloud Node, Cloud Instance (VM), Client Data
  • Stakeholders: Clients, Service Providers, Cloud Administrators
  • Questions: Is my platform secure? Are my services running correctly? Are my data protected?

SLIDE 22

Cloud Complexity

  • Cloud environment challenges
    • Opaque, Complex, Dynamic
    • Insiders, Instances, Co-hosting

Diagram labels (animation builds): Client, Service, Cloud Platform, four Cloud Nodes, VMs

SLIDE 31

Insider Threats

  • May trust the cloud vendor company
    • But, do you trust all its employees?
  • Insiders can control platform
    • Determine what software runs consumers’ code
  • Insiders can monitor execution
    • Log instance operation remotely
  • Insiders may have physical access
    • Can monitor hardware, access physical memory, and tamper with secure co-processors

SLIDE 32

Insider’s Physical Access

SLIDE 33

Cloud Nodes

  • Cloud manages node provisioning
    • Administers PKI for machine identities
    • Network installs a master disk image and customizes it
  • Node is essentially a static hosting utility
    • Should not require persistent changes at runtime
    • Should only allow inputs to well-protected interfaces

Diagram labels (animation builds): Server, PKI, Cloud Node

SLIDE 42

Root of Trust for Installation

  • Root of Trust for Installation (ROTI) [ACSAC 2007]
    • Binds the filesystem to a known installer (origin)
    • Prevent persistent changes across reboots
    • Detect system reboot and reverify

Diagram labels (animation builds): Quote(Installer, Image, FS, AIK); ROTI Proof

SLIDE 48

netROTI [IEEE S&P 2011]

  • Need to measure entire installation process
  • Network installation receives untrusted inputs
  • Bootstrap installation from a measured launch environment

Installation phases (figure): Preinstall, Gather, Bootstrap, Download, Configure, Proof

Steps shown in the figure, in order:
  • Configure boot options
  • Initialize RTM
  • Gather installer client
  • Initialize installer environment
  • Measure installer
  • Download disk image
  • Measure disk image
  • Customize disk image
  • Measure filesystem
  • Generate ROTI Proof

netROTI Proof: Sig(MLE, Installer, Image, FS, AIK)
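
Added example (not from the original slides or the ROTI/netROTI authors): a small Python model of the proof named on the ROTI and netROTI slides, Sig(MLE, Installer, Image, FS, AIK), showing how a verifier checks the measured installation chain and reverifies the filesystem after a reboot. Assumptions: SHA-256 measurements, an HMAC standing in for the TPM's AIK signature, a verifier that holds known-good hashes for the MLE, installer and image only, and illustrative function names and sample inputs.

```python
import hashlib
import hmac

STAGES = ("MLE", "Installer", "Image", "FS")  # order taken from the proof on the slide

def measure(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def replay(log) -> bytes:
    """Fold measurements into one register, TPM-extend style: r = H(r || m)."""
    register = bytes(32)
    for _name, m in log:
        register = hashlib.sha256(register + m).digest()
    return register

def make_proof(components: dict, aik_key: bytes) -> dict:
    """Installer side: measure every stage in order, then sign the result."""
    log = [(name, measure(components[name])) for name in STAGES]
    # Assumption: HMAC stands in for the TPM's AIK signature (stdlib only).
    sig = hmac.new(aik_key, replay(log), hashlib.sha256).digest()
    return {"log": log, "sig": sig}

def verify_proof(proof: dict, known_good: dict, aik_key: bytes) -> list:
    """Verifier side: return the list of failed checks (empty list = accept)."""
    expected = hmac.new(aik_key, replay(proof["log"]), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, proof["sig"]):
        return ["signature"]
    if [name for name, _m in proof["log"]] != list(STAGES):
        return ["log-structure"]
    # FS is per-node, so it is trusted through the installer and image that made it.
    return [n for n, m in proof["log"] if n in known_good and known_good[n] != m]

def fs_unchanged(proof: dict, current_fs: bytes) -> bool:
    """Reverify after a reboot: the filesystem must still match the proof."""
    return hmac.compare_digest(dict(proof["log"])["FS"], measure(current_fs))

# Constructed sample inputs; real ones are binaries and disk images.
SAMPLE = {
    "MLE": b"measured-launch-environment-v1",
    "Installer": b"installer-client-v1",
    "Image": b"master-disk-image-v1",
    "FS": b"customized-filesystem-node07",
}
AIK_KEY = b"constructed-demo-key"
KNOWN_GOOD = {n: measure(SAMPLE[n]) for n in ("MLE", "Installer", "Image")}

if __name__ == "__main__":
    proof = make_proof(SAMPLE, AIK_KEY)
    print("clean install:", verify_proof(proof, KNOWN_GOOD, AIK_KEY))
    rogue = make_proof(dict(SAMPLE, Installer=b"installer-client-modified"), AIK_KEY)
    print("modified installer:", verify_proof(rogue, KNOWN_GOOD, AIK_KEY))
    print("fs intact after reboot:", fs_unchanged(proof, SAMPLE["FS"] + b"+persistent-change"))
```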

SLIDE 51

Evaluation

  • netROTI installed 10 Eucalyptus node controllers

SLIDE 56

Instance Threats

  • Publisher of a pre-configured instance (AMI) may be malicious or error-prone
  • Publishers determine the software
    • Instance could contain malware
  • Publishers may configure security policies
    • Could be insufficient to block adversaries
  • Publishers may run scans to detect problems
    • Malware detection may not find all malware, even presuming the scanners are used correctly

SLIDE 57

Instance Initialization

Figure 2: VM instantiation in Amazon AWS. The Consumer chooses the image (AMI-ID), resources (Type), and availability zone (Region) for her VM on the Web Interface of the AWS Cloud App Store. Depending on the type of the AMI, the VM is instantiated (Instance-ID_AMI-ID) either as (A) EBS-backed or (B) S3-backed.

SLIDE 58

SSH Study

  • Publisher left an SSH user authentication key in their AMI
    • Fortunately, Amazon agreed that this is a violation
  • Unfortunately, it was not an isolated problem
    • 30% of 1100 AMIs checked contained such a key
  • Also, pre-configured AMIs had SSH public host keys
    • Thus, all instances use the same host key pair
  • Implications?
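
Added example (not from the original slides): a pre-publication audit for the two problems on the SSH Study slide, leftover `authorized_keys` entries and host keys generated before the image was published, plus a check that groups running instances by the host key they present. Assumptions: the image is unpacked or mounted at a directory, host keys live under `etc/ssh/` with the usual `ssh_host_*_key` names, and the function names, sample tree and instance names are constructed for illustration.

```python
import os
import tempfile

def audit_image(root: str) -> list:
    """Walk a mounted image and list SSH material a publisher left behind."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        for name in files:
            relpath = os.path.normpath(os.path.join(rel, name))
            if name in ("authorized_keys", "authorized_keys2"):
                with open(os.path.join(dirpath, name), errors="replace") as fh:
                    entries = [ln for ln in fh if ln.strip() and not ln.lstrip().startswith("#")]
                if entries:  # login credential for whoever holds the private key
                    findings.append(("authorized-key", relpath, len(entries)))
            elif (rel == os.path.join("etc", "ssh") and name.startswith("ssh_host_")
                  and name.endswith(("_key", "_key.pub"))):
                # host key created before publishing: every instance inherits it
                findings.append(("baked-in-host-key", relpath, 1))
    return sorted(findings)

def shared_host_keys(observed: dict) -> dict:
    """Group instances by presented host public key; keep keys seen on more than one."""
    by_key = {}
    for instance, pubkey in observed.items():
        by_key.setdefault(pubkey, []).append(instance)
    return {key: sorted(ids) for key, ids in by_key.items() if len(ids) > 1}

def build_sample_image(root: str) -> None:
    """Constructed sample tree standing in for a mounted image (placeholder key text)."""
    files = {
        "root/.ssh/authorized_keys": "# publisher key\nssh-rsa AAAAEXAMPLE publisher@build\n",
        "home/app/.ssh/authorized_keys": "# intentionally empty\n",
        "etc/ssh/ssh_host_rsa_key": "PLACEHOLDER PRIVATE KEY\n",
        "etc/ssh/ssh_host_rsa_key.pub": "ssh-rsa AAAAHOSTEXAMPLE root@build\n",
        "etc/ssh/sshd_config": "PermitRootLogin no\n",
    }
    for rel, text in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)

def demo() -> list:
    with tempfile.TemporaryDirectory() as root:
        build_sample_image(root)
        return audit_image(root)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
    print(shared_host_keys({"i-a": "AAAAHOSTEXAMPLE", "i-b": "AAAAHOSTEXAMPLE", "i-c": "AAAAOTHER"}))
```

An image that passes has no findings; host keys should then be generated on first boot so that each instance presents its own key pair.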

SLIDE 59

Co-Hosting Threats

  • An instance co-hosted on the same physical platform could launch attacks against your instance
  • Co-hosted instances share resources
    • Computer
      • CPU, Cache, Memory, Network, etc.
  • Shared resources may be used as side channels to learn information about resource or impact its behavior

SLIDE 60

Side Channels

  • Watch use of shared resource to learn secret value
    • Common case is the processor caches
  • Approach
    • Adversary tries to evict victim’s instructions/data from the cache
      • To learn which instructions/data victim is using
    • Adversary has some means to observe a delay in the victim’s processing
  • This works surprisingly well
  • Power usage is another useful side channel

SLIDE 61

Resource Freeing Attacks

  • Setup
    • Victims
      • One or more VMs with public interface
    • Beneficiary
      • VM whose performance we want to improve (contend over target resource)
    • Helper
      • Mounts attack using interface

Diagram labels: Helper, VM, VM, Victim, Beneficiary

SLIDE 62

Resource Freeing Attacks

  • Side Channel is Cache
  • Suppose victim hosts static and dynamic web pages
  • Attack: shift resource usage via public interface
  • Normally, victim is scheduled and pollutes the cache
  • Approach lower scheduling priority
  • Make more CPU-bound

Chart labels: RFA intensities – time in ms per second; 196% slowdown; 86% slowdown; 60% Performance Improvement

SLIDE 63

Take Away

  • Cloud computing is established
    • In several manifestations -- IaaS, PaaS, SaaS, ...
  • Running your jobs in a cloud introduces some security challenges
    • Beware of insiders
    • Beware of pre-configured instances
    • Beware of co-hosted instances
  • We are just beginning to understand the issues