i heard it through the firewall exploiting cloud
play

I Heard It through the Firewall: Exploiting Cloud Management - PowerPoint PPT Presentation

Jan 31, 2024 •371 likes •874 views

I Heard It through the Firewall: Exploiting Cloud Management Services as an Information Leakage Channel Hyunwook Baek , Eric Eide, Robert Ricci, Jacobus Van der Merwe University of Utah 1 Motivation Information leakage in cloud has

  1. I Heard It through the Firewall: Exploiting Cloud Management Services as an Information Leakage Channel Hyunwook Baek , Eric Eide, Robert Ricci, Jacobus Van der Merwe University of Utah 1

  2. Motivation ▪ Information leakage in cloud has concerned cloud users from the beginning of cloud computing. ▪ Existing cloud information leakage channels: – Cache [Ristenpart et al. 2009, Liu et al. 2015] – Memory [Zhang et al. 2011, Meltdown, Spectre] – Network device [Bates et al. 2012] → Hardware-level Shared Resources ▪ How about Software-level Shared Resources? 2

  3. Motivation User1 User2 3

  4. Motivation The two users’ requests shared: Processes - - Threads - Variables - Queues - Execution paths - ... 4

  5. Goal ▪ Demonstrating exploitability of software-level shared resources as an information leakage channel ▪ Especially, focusing on Shared Execution Paths (i.e., cross-tenant batch-processing) ▪ Using OpenStack Network Management Service (similar mechanism can be applied to other systems) 5

  6. Background: polling_interval def rpc_loop(self): while True: start = now() # update OVS changes # update Iptables changes # update conntrack changes elapsed = now() – start # job_done if elapsed < polling_interval: sleep(polling_interval – elapsed) 6

  7. Background: polling_interval polling_interval (2 sec) rpc_loop() rpc_loop() rpc_loop() elapsed sleep() #job_done #job_done 7

  8. Basic Idea ▪ The rpc_loop() polling_interval (2 sec) is shared by requests of VMs running in the host. rpc_loop() rpc_loop() rpc_loop() ▪ The total size of elapsed sleep() the load of requests ∝ elapsed . x #job_done loop_count_and_wait() 8

  9. Basic Idea ▪ Observing elapsed times to distinguish infrastructure level events – Side Channel loop_count_and_wait() 9

  10. Basic Idea ▪ Manipulating elapsed times to send messages – Covert Channel loop_count_and_wait() 10

  11. Problem ▪ Cloud users (and VMs) cannot directly observe the elapsed times X ▪ Something ≈ elapsed and observable by users? → Virtual Firewall Epoch loop_count_and_wait() 11

  12. Epoch rpc_loop() rpc_loop() rpc_loop() Epoch Epoch iptables_restore iptables_restore iptables_restore 12

  13. Epoch elapsed elapsed rpc_loop() rpc_loop() rpc_loop() Epoch Epoch iptables_restore iptables_restore iptables_restore ▪ Epoch ≈ max(elapsed, polling_interval) 13

  14. Epoch No security group is changed, so this loop does not execute iptables_restore a rpc_loop() rpc_loop() rpc_loop() Epoch iptables_restore ▪ Epoch ≠ elapsed iptables_restore if there is no change on the iptables. 14

  15. Solution ▪ Observing Epochs to distinguish infrastructure level events – Side Channel Epochs loop_count_and_wait() 15

  16. Solution ▪ Manipulating Epochs to send messages – Covert Channel Epochs loop_count_and_wait() 16

  17. Epoch ▪ To monitor Epochs: 1. The virtual firewall should be updated in every RPC loop iteration so that the Iptables is also updated. 2. The update result should be observable by the attacker. 3. The update request should have small impact on the elapsed to minimize noise. 17

  18. Epoch ▪ To manipulate Epochs: x 1. There should be a request that can make a clearly distinguishable impact on elapsed . 2. The request should be processed at the targeted RPC loop iteration. 18

  19. Impact of Requests: One-time Impact ▪ Property 0) Some requests bring the same result but their load sizes are different 19

  20. Impact of Requests: One-time Impact ▪ Property 1) Some requests introduce nearly no additional load ▪ Useful for monitoring Epochs 20

  21. Impact of Requests: One-time Impact ▪ Property 1) Some requests introduce nearly no additional load ▪ Useful for monitoring Epochs 21

  22. Impact of Requests: One-time Impact ▪ Property 2) Some other requests introduce clearly distinguishable additional load ▪ Useful for manipulating Epochs 22

  23. Impact of Requests: Long-term Impact ▪ Property 3) Some requests may permanently increase the loads of other requests . ▪ Useful for manipulating Epochs 23

  24. Epoch Patterns rpc_loop() rpc_loop() rpc_loop() Total Total Sleep elapsed elapsed Before After Before After Epoch Epoch iptables_restore iptables_restore iptables_restore 24

  25. Monitoring Epoch: U PDATE +P ROBE Update: add a new rule to its virtual firewall. E.g., Allow ICMP type:8 code:4 ingress Request Sender Probe Probe Monitor Sender 25

  26. Monitoring Epoch: U PDATE +P ROBE Request Sender Probe Probe Monitor Sender ICMP type:8 code:4 ingress Probe: generate a series of probe packets 26

  27. Monitoring Epoch: U PDATE +P ROBE 27

  28. Continuous Monitoring ▪ Iterative U PDATE +P ROBE method – Monitoring modules are independent ▪ Reactive U PDATE +P ROBE method – The number of requests: 1 / epoch ▪ n -Reactive U PDATE +P ROBE method – can dynamically adjust the number of requests 28

  29. Practical Epoch Monitor ▪ EpochMonitor – A stand-alone architecture for epoch monitoring. – Can easily support any of the previously introduced methods 29

  30. Deployment: Boomerang Packets • Layer 3 Boomerang with Single Interfaces srcMAC: VM-MAC dstMAC: Router-MAC srcIP: VM-IP dstIP: VM-IP srcMAC: Router-MAC dstMAC: VM-MAC srcIP: VM-IP 30 dstIP: VM-IP

  31. Single-node Covert Channel ▪ Covert Channel – Both VMs keep monitoring the epochs using EpochMonitor. – SVM also reactively send message to RVM by manipulating the duration of epochs. – E.g., to send 0 : do nothing …… to send 1 : attach/detach SG 31

  32. Single-node Covert Channel – Evaluation 0 1 1 0 1 0 0 0 0 1 1 0 0 1 0 1 0 1 1 0 1 1 0 0 0 1 1 0 1 1 0 0 0 1 1 0 1 1 1 1 H E L L O ▪ Error rate: 0 ▪ Bandwidth: 0.21 bps 32

  33. Multi-node Covert Channel ▪ Covert Channel – SVM send message by sending the same message for n seconds. – This can be done by manipulating the duration of epoch of medium VMs, using the long-term impacting requests. 33

  34. Multi-node Covert Channel – Evaluation 0 1 1 0 1 0 0 0 0 1 1 0 0 1 0 1 0 1 1 0 1 1 0 0 0 1 1 0 1 1 0 0 0 1 1 0 1 1 1 1 H E L L O ▪ Error rate: 0 ▪ Bandwidth: 0.1 bps 34

  35. Infrastructure Event Snooper ▪ Snooping on the host level events ▪ Any network-related requests can leave their mark on Epoch ▪ The attacker keep monitoring Epochs and extract event information 35

  36. Infrastructure Event Snooper C T C T C T C T C T C T C T C T 1 Interface 2 Interfaces 3 Interfaces 4 Interfaces ▪ VM creation / termination ▪ # of virtual interfaces per VM 36

  37. Infrastructure Event Snooper ▪ Continuously monitor Epochs ▪ Classify events using LSTM Model ▪ Output: – If any VM was created / terminated during an Epoch – The number of virtual NIC attached to the VM 37

  38. Infrastructure Event Snooper – Evaluation ▪ Training Data – Two types of Host Machines – Four types of VMs each of which has different # of virtual NIC – Two types of events: VM creation / VM termination – 100 data points for each class – 75% for training, 25% for validation 38

  39. Infrastructure Event Snooper – Evaluation ▪ Test Data – For each different type of Host Machine – Created and terminated 100 VMs in a random order – Each VM was configured to have random number of virtual NIC between 1 and 4 – 478 labeled data points 39

  40. Infrastructure Event Snooper – Evaluation ▪ Accuracy: 83.1% 40

  41. Infrastructure Event Snooper – Evaluation ▪ Accuracy: 83.1% ▪ Accuracy ignoring vNIC: 93.3% 41

  42. Evaluation – EpochMonitor ▪ Root Mean Square Error – 1.54 milliseconds ▪ Maximum Error – 25.5 milliseconds – Sufficient for distinguishing different requests (differences are larger than 100 milliseconds) 42

  43. Mitigation – Refactoring ▪ Don’t use Cross-tenant Batch ... req_batch = aggregate_requests () ... update_something ( req_batch ) # observable event ... 43

  44. Mitigation ▪ Increasing Polling Interval – Pros: simple and may work for some cases – Cons: increases the system delay by order of seconds ▪ Introducing Random Delay – The same as above... 44

  45. Mitigation ▪ Rate Limiting (Request Delaying) – Request pattern is different from Dos-style attack • e.g., 0.5 request per second – If combined with a tailored policy, may effectively mitigate the probing. • e.g., if avg(# of requests for VM1 per sec) > 1 and std(# of requests for VM1 per sec) < 0.1 : delay future requests by 5 seconds 45

  46. Conclusion ▪ Showed software-level shared resources can be exploited as an information leakage channel. ▪ Designed covert / side channels exploiting shared execution paths. ▪ Demonstrated attacks using OpenStack Network Management Service. 46

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Sophos XG Firewall IP Partners ICT Systems &amp; Services www.ippartners.gr XG Firewall

Sophos XG Firewall IP Partners ICT Systems &amp; Services www.ippartners.gr XG Firewall

Sophos XG Firewall IP Partners ICT Systems &amp; Services www.ippartners.gr XG Firewall Overview Todays top firewall problems What IT managers say about their existing firewall Firewall Satisfaction Survey (Spiceworks 2017) Top

548 views • 52 slides
Firewall and IDS/IPS What is a firewall? firewall = wall to protect against fire propagation

Firewall and IDS/IPS What is a firewall? firewall = wall to protect against fire propagation

Firewall and IDS/IPS What is a firewall? firewall = wall to protect against fire propagation controlled connection between networks at different security levels = boundary protection ( L1 &gt; L2 ) network at network at security

1.07k views • 67 slides
Exploiting Out-of-Order-Execution Processor Side Channels to Enable Cross VM Code Execution Sophia

Exploiting Out-of-Order-Execution Processor Side Channels to Enable Cross VM Code Execution Sophia

Exploiting Out-of-Order-Execution Processor Side Channels to Enable Cross VM Code Execution Sophia DAntoine REcon 2015 The Cloud 06/19/2015 Exploiting Out-of-Order-Execution 2/46 Cloud Computing (IaaS) Virtual instances Hypervisors

491 views • 46 slides
Firewalls in FreeBSD and OpenBSD What is firewall? firewall is a method of protecting hosts

Firewalls in FreeBSD and OpenBSD What is firewall? firewall is a method of protecting hosts

Firewalls in FreeBSD and OpenBSD What is firewall? firewall is a method of protecting hosts and networks connected to other hosts and networks against attacks from the outside and from the inside. a firewall is a network security system

440 views • 30 slides
Lane ESD Technology Services Core Firewall Overview Districts Behind Firewall Blachly

Lane ESD Technology Services Core Firewall Overview Districts Behind Firewall Blachly

Lane ESD Technology Services Core Firewall Overview Districts Behind Firewall Blachly Creswell Crow-Applegate-Lorane Fern Ridge Junction City Lowell Mapleton Screened, but exempt from policies Marcola

539 views • 15 slides
For personal use only Firstwave Cloud Technology Limited (FCT) FY19 Results FCTs Cloud

For personal use only Firstwave Cloud Technology Limited (FCT) FY19 Results FCTs Cloud

For personal use only Firstwave Cloud Technology Limited (FCT) FY19 Results FCTs Cloud Content Security Platform (CCSP) is a unique SaaS email, web &amp; firewall security services orchestration platform for Telco / Service Providers that

883 views • 25 slides
Firewall vs. Scrambling 2 1 Review of Firewall argument Review of Hayden-Preskill 4 3

Firewall vs. Scrambling 2 1 Review of Firewall argument Review of Hayden-Preskill 4 3

Firewall vs. Scrambling 2 1 Review of Firewall argument Review of Hayden-Preskill 4 3 State-independent interior operators Interior operator from HP recovery 6 5 Resolution of the puzzle Effect of infalling observer 7 Discussions Beni

1.61k views • 106 slides
Easiest Way Of Firewall www.berqnet.com Reached More Than 500 Partner In All Turkey. Launched

Easiest Way Of Firewall www.berqnet.com Reached More Than 500 Partner In All Turkey. Launched

Easiest Way Of Firewall www.berqnet.com Reached More Than 500 Partner In All Turkey. Launched Its First Product Cloud Based Partner Family Portal Launched. bq25 I bq50 I bq100 2013 2017 2019 2015 2018 The bq200 ve bq300 USOM Logo

453 views • 16 slides
FIREMAN: A Toolkit for FIREwall Modeling and ANalysis Michael Lin All about firewalls A

FIREMAN: A Toolkit for FIREwall Modeling and ANalysis Michael Lin All about firewalls A

FIREMAN: A Toolkit for FIREwall Modeling and ANalysis Michael Lin All about firewalls A firewall is only as good as its configuration Big deal, it should be easy to configure a firewall, right? Basically... no. A Quantitative

507 views • 14 slides
Solution Overview 2020 be seen be heard bAlert Personal Safety &amp; Mass Notification Solution

Solution Overview 2020 be seen be heard bAlert Personal Safety &amp; Mass Notification Solution

Solution Overview 2020 be seen be heard bAlert Personal Safety &amp; Mass Notification Solution Cloud Based Deployed with no additional hardware Accessed from any internet-enabled device be seen - be heard - bAlert Mobile Safety

315 views • 12 slides
Firewalls 1 Outline What are firewalls? Types of Firewalls Building a simple

Firewalls 1 Outline What are firewalls? Types of Firewalls Building a simple

Firewalls 1 Outline What are firewalls? Types of Firewalls Building a simple firewall using Netfilter Iptables firewall in Linux Stateful Firewall Application Firewall Evading Firewalls 2 Firewalls

811 views • 55 slides
So, What Actually is a Cloud? Dan Stanzione Deputy Director, TACC UT-Austin Originally from

So, What Actually is a Cloud? Dan Stanzione Deputy Director, TACC UT-Austin Originally from

So, What Actually is a Cloud? Dan Stanzione Deputy Director, TACC UT-Austin Originally from Arizona State Cloud Computing Course, Spring 2009 (Jointly taught by Stanzione, Santanam, and Sannier) 1 Youve heard about what clouds can *do*,

947 views • 75 slides
Overview Firewall Security Perimeter Security Devices H/W vs. S/W Packet Filtering vs.

Overview Firewall Security Perimeter Security Devices H/W vs. S/W Packet Filtering vs.

Overview Firewall Security Perimeter Security Devices H/W vs. S/W Packet Filtering vs. Stateful Inspection Firewall Topologies Chapter 8 Firewall Rulebases Lecturer: Pei-yih Ting 1 2 Perimeter Security Devices Routers

291 views • 7 slides
Java Card Applet Firewall Java Card Applet Firewall Exploration and Exploitation Exploration and

Java Card Applet Firewall Java Card Applet Firewall Exploration and Exploitation Exploration and

Java Card Applet Firewall Java Card Applet Firewall Exploration and Exploitation Exploration and Exploitation Wojciech Mostowski and Erik Poll Digital Security Radboud University Nijmegen The Netherlands http://www.cs.ru.nl/~{woj,erikpoll}/

818 views • 42 slides
Firewall What is it? Do we need one? Oxford Hills School District March 5, 2018 What is a

Firewall What is it? Do we need one? Oxford Hills School District March 5, 2018 What is a

Firewall What is it? Do we need one? Oxford Hills School District March 5, 2018 What is a firewall? Term first used in 1851 Henry Ford used them to protect passengers from engine fires, smoke and heat. Computer networks: a part of a

500 views • 21 slides
Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls?

Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls?

Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls? Network Address Translation Types of Firewalls Linux/Windows Firewalls pfSense Blue Team Activity Brief History Firewall

348 views • 30 slides
Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of

Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of

Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of achieving confiden5ality and integrity) Who can access What Objects : Subjects : Files/ Programs/ Sockets/ User/ process/ applica5on Hardware/

985 views • 46 slides
Information flow and policy In five minutes, you learn what the average college graduate

Information flow and policy In five minutes, you learn what the average college graduate

Information flow and policy In five minutes, you learn what the average college graduate remembers five years after he or she is out of school. If you want to know more about something... Ask me Man pages, manuals, papers, books

451 views • 18 slides
Cloud security CS642: Computer Security Professor Ristenpart

Cloud security CS642: Computer Security Professor Ristenpart

Cloud security CS642: Computer Security Professor Ristenpart h9p://www.cs.wisc.edu/~rist/ rist at cs dot wisc dot edu University of Wisconsin CS 642

567 views • 43 slides
Securing distributed systems with information flow control Nickolai Zeldovich Silas

Securing distributed systems with information flow control Nickolai Zeldovich Silas

Securing distributed systems with information flow control Nickolai Zeldovich Silas Boyd-Wickizer David Mazires Traditional web applications: lots of trusted (yellow) code HTTP User's Application User's browser front Database User's

1.16k views • 66 slides
The Bell-LaPadula Model CSM27 Computer Security Dr Hans Georg Schaathun University of Surrey

The Bell-LaPadula Model CSM27 Computer Security Dr Hans Georg Schaathun University of Surrey

The Bell-LaPadula Model CSM27 Computer Security Dr Hans Georg Schaathun University of Surrey Autumn 2008 Week 6 Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 Week 6 1 / 32 The session Outline The session 1 Finite

848 views • 49 slides
Anlisis y Desarrollo de un canal encubierto en una red de sensores ! Jose A. Onieva, Ruben Rios,

Anlisis y Desarrollo de un canal encubierto en una red de sensores ! Jose A. Onieva, Ruben Rios,

Anlisis y Desarrollo de un canal encubierto en una red de sensores ! Jose A. Onieva, Ruben Rios, Bernardo Palenciano* ! NICS Lab University of Mlaga ! http://www.nics.uma.es ! *Dpto. de Infraestructura de TTI ! ! RECSI 2014, Alicante,

618 views • 19 slides
Layered Encapsulation of Congestion Notification draft-briscoe-tsvwg-ecn-tunnel-00.txt Bob

Layered Encapsulation of Congestion Notification draft-briscoe-tsvwg-ecn-tunnel-00.txt Bob

Layered Encapsulation of Congestion Notification draft-briscoe-tsvwg-ecn-tunnel-00.txt Bob Briscoe , BT IETF-69 tsvwg Jul 2007 initial draft Layered Encapsulation of Congestion Notification initial draft:

350 views • 10 slides
Side Channels and Covert Channels Daniel Bosk Department of Information and Communication Systems

Side Channels and Covert Channels Daniel Bosk Department of Information and Communication Systems

Side Channels Covert Channels References Side Channels and Covert Channels Daniel Bosk Department of Information and Communication Systems (ICS), Mid Sweden University, Sundsvall. 1st May 2017 Daniel Bosk MIUN ICS Side Channels and Covert

689 views • 32 slides

More recommend