Module: Cloud Computing Security Professor Trent Jaeger Penn State - - PowerPoint PPT Presentation

module cloud computing security
SMART_READER_LITE
LIVE PREVIEW

Module: Cloud Computing Security Professor Trent Jaeger Penn State - - PowerPoint PPT Presentation

Oct 15, 2023 230 likes •899 views

slide-1
SLIDE 1

฀฀฀฀ ฀

  • ฀฀฀฀

฀฀฀฀฀ ฀฀฀฀฀฀

Systems and Internet Infrastructure Security Laboratory (SIIS) Page

Module: Cloud Computing Security

Professor Trent Jaeger Penn State University

1

1

slide-2
SLIDE 2

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Cloud Computing Is Here

2

2-1

slide-3
SLIDE 3

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Cloud Computing Is Here

2

2-2

slide-4
SLIDE 4

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Cloud Computing Is Here

2

2-3

slide-5
SLIDE 5

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Cloud Computing Is Here

2

2-4

slide-6
SLIDE 6

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Cloud Computing Is Here

2

2-5

slide-7
SLIDE 7

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Cloud Computing Is Here

2

2-6

slide-8
SLIDE 8

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Cloud Computing Is Here

2

2-7

slide-9
SLIDE 9

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Cloud Computing Is Here

2

2-8

slide-10
SLIDE 10

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Cloud Computing Is Here

2

2-9

slide-11
SLIDE 11

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Cloud Computing Is Here

2

2-10

slide-12
SLIDE 12

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Cloud Computing Is Here

2

Why not use it?

2-11

slide-13
SLIDE 13

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

What’s Happening in There?

3

3

slide-14
SLIDE 14

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

From Data Center to Cloud

4

4-1

slide-15
SLIDE 15

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

From Data Center to Cloud

4

4-2

slide-16
SLIDE 16

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

From Data Center to Cloud

4

4-3

slide-17
SLIDE 17

Systems and Internet Infrastructure Security Laboratory (SIIS) Page

Reasons to Doubt

  • History has shown they are vulnerable to attack
  • SLAs, audits, and armed guards offer few guarantees
  • Insiders can subvert even hardened systems

5

Data Loss Incidents ‘06 ‘07 ‘08 ‘09 ‘10 ‘11

903 678 695 986 770 641

Incident Attack Vector External 54%

Unknown 7%

Insider 16% Accidental 23%

Credit: The Open Security Foundation datalossdb.org

5

slide-18
SLIDE 18

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Cloudy Future

  • New problem or new solution?
  • New challenges brought on by the cloud (plus old ones)
  • Utility could provide a foundation for solving such challenges

6

6

slide-19
SLIDE 19

Systems and Internet Infrastructure Security Laboratory (SIIS) Page

What is Cloud Computing?

  • Cloud vendor provides managed computing

resources for rent by customers

  • What do you want to rent?
  • (Virtualized) Hosts (Infrastructure as a Service)
  • Rent cycles: Amazon EC2, Rackspace Cloud Servers, OpenStack
  • Environment (Platform as a Service)
  • Rent instances: Microsoft Azure, Google App Engine
  • Programs (Software as a Service)
  • Rent services: Salesforce, Google Docs
  • Other variations can be rented

7

7

slide-20
SLIDE 20

Systems and Internet Infrastructure Security Laboratory (SIIS) Page

What is Cloud Computing?

8

8

slide-21
SLIDE 21

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

IaaS Platform: OpenStack

9

Client

Scheduler Network Controller Cloud Database Message Queue Volume Store Image Store

Cloud API

Cloud Customer

Cloud Node

Instances

Cloud Vendor

9

slide-22
SLIDE 22

Systems and Internet Infrastructure Security Laboratory (SIIS) Page

How to Build an IaaS Cloud?

  • Vendors obtain hardware resources for
  • Various cloud services: API, Messages, Storage, Network, ...
  • Compute nodes for running customer workloads
  • Install your hardware
  • Need to choose software configurations specific for services

and compute nodes

  • Start your hosts
  • Join the cloud - services and available compute nodes
  • Now your cloud is running
  • Have fun! Customers are ready to use your services and nodes

10

10

slide-23
SLIDE 23

Systems and Internet Infrastructure Security Laboratory (SIIS) Page

How to Use an IaaS Cloud?

  • Customers choose an OS distribution
  • These are published by the cloud vendor and others
  • Obtain cloud storage necessary to store these and your data
  • Configure your instance (VM)
  • Prior to starting - enable you to login and others to access the

instance’s services

  • Start your instance
  • Boots the chosen OS distribution with the configurations
  • Now your instance is running
  • Have fun! Login via SSH or ready for your clients

11

11

slide-24
SLIDE 24

Systems and Internet Infrastructure Security Laboratory (SIIS) Page

Cloud Complexity

  • Cloud environment challenges
  • Opaque, Complex, Dynamic
  • Insiders, Instances, Co-hosting

12

Client

Service

12-1

slide-25
SLIDE 25

Systems and Internet Infrastructure Security Laboratory (SIIS) Page

Cloud Complexity

  • Cloud environment challenges
  • Opaque, Complex, Dynamic
  • Insiders, Instances, Co-hosting

12

Client Cloud Node Cloud Node Cloud Node Cloud Node

Cloud Platform

12-2

slide-26
SLIDE 26

Systems and Internet Infrastructure Security Laboratory (SIIS) Page

Cloud Complexity

  • Cloud environment challenges
  • Opaque, Complex, Dynamic
  • Insiders, Instances, Co-hosting

12

Client Cloud Node Cloud Node Cloud Node Cloud Node

12-3

slide-27
SLIDE 27

Systems and Internet Infrastructure Security Laboratory (SIIS) Page

Cloud Complexity

  • Cloud environment challenges
  • Opaque, Complex, Dynamic
  • Insiders, Instances, Co-hosting

12

Client Cloud Node Cloud Node Cloud Node Cloud Node

VM

12-4

slide-28
SLIDE 28

Systems and Internet Infrastructure Security Laboratory (SIIS) Page

Cloud Complexity

  • Cloud environment challenges
  • Opaque, Complex, Dynamic
  • Insiders, Instances, Co-hosting

12

Client Cloud Node Cloud Node Cloud Node Cloud Node

VM

12-5

slide-29
SLIDE 29

Systems and Internet Infrastructure Security Laboratory (SIIS) Page

VM

Cloud Complexity

  • Cloud environment challenges
  • Opaque, Complex, Dynamic
  • Insiders, Instances, Co-hosting

12

Client Cloud Node Cloud Node Cloud Node Cloud Node

VM

12-6

slide-30
SLIDE 30

Systems and Internet Infrastructure Security Laboratory (SIIS) Page

VM

Cloud Complexity

  • Cloud environment challenges
  • Opaque, Complex, Dynamic
  • Insiders, Instances, Co-hosting

12

Client Cloud Node Cloud Node Cloud Node Cloud Node

VM

12-7

slide-31
SLIDE 31

Systems and Internet Infrastructure Security Laboratory (SIIS) Page

VM

Cloud Complexity

  • Cloud environment challenges
  • Opaque, Complex, Dynamic
  • Insiders, Instances, Co-hosting

12

Client Cloud Node Cloud Node Cloud Node Cloud Node

VM VM VM

12-8

slide-32
SLIDE 32

Systems and Internet Infrastructure Security Laboratory (SIIS) Page

VM

Cloud Complexity

  • Cloud environment challenges
  • Opaque, Complex, Dynamic
  • Insiders, Instances, Co-hosting

12

Client Cloud Node Cloud Node Cloud Node Cloud Node

VM VM VM

12-9

slide-33
SLIDE 33

Systems and Internet Infrastructure Security Laboratory (SIIS) Page

What Could Go Wrong?

  • What do customers depend on from the cloud?
  • Trust Model
  • Are those parties worthy of our trust?
  • Who are potential adversaries in the cloud?
  • Threat Model
  • Are customers protected from their threats?
  • What would be ideal from a security standpoint?
  • Ideal Security Model
  • How many trusted parties and how many threats?

13

13

slide-34
SLIDE 34

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Published Instances

14

!"#$%&'((& )*#+,&

  • .&/#012$+,&

3.&405*6076*,& 8.&$5,& 9.&($:"45;& <.&405*6076*,&

!"#$%&'()* +,-&".()*

!),/%0()*

=05*60/,>3'?=>3& =05*60/,>-'?=>-& '?=>3& '?=>-&

Consumers use published instances Who do you trust? What are threats?

14

slide-35
SLIDE 35

Systems and Internet Infrastructure Security Laboratory (SIIS) Page

SSH Study [AmazonIA]

15

  • Publisher left an SSH user authentication key in

their AMI

  • Fortunately, Amazon agreed that this is a violation
  • Unfortunately, it was not an isolated problem
  • 30% of 1100 AMIs checked contained such a key
  • Also, pre-configured AMIs had SSH host keys
  • Thus, all instances use the same host key pair
  • Implications?

15

slide-36
SLIDE 36

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Security Configuration

  • Zillions of security-relevant configurations for instances
  • Do you have the right code and data installed?
  • Are you running the expected code?
  • Discretionary access control
  • Firewalls
  • Mandatory access control
  • SELinux, AppArmor, TrustedBSD, Trusted Solaris, MIC
  • Application policies (e.g., Database, Apache)
  • Pluggable Authentication Modules (PAM)
  • Application configuration files
  • Plus new configuration tasks for the cloud - e.g., storage

16

16

slide-37
SLIDE 37

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Cloud Service Vulnerabilities

  • Vulnerabilities have been found in cloud services
  • E.g., OpenStack identity service, web interface, and API service
  • Adversaries who compromise such services may launch

a variety of attacks

  • E.g., Key Injection Attack

17

API Service Compute Service Database API Service

nova keypair-add mykey nova boot --key-name mykey

mykey : ssh-rsa ABC mykey : ssh-rsa ABC ssh-rsa ABC ssh-rsa DEF

Step 1 Step 2

17

slide-38
SLIDE 38

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Insiders

  • Although the vendor may have a good reputation, not every

employee may

18

Trust me with your code & data Cloud Provider Client You have to trust us as well Cloud operators

18

slide-39
SLIDE 39

Systems and Internet Infrastructure Security Laboratory (SIIS) Page

Insider Threats

  • May trust the cloud vendor company
  • But, do you trust all its employees?
  • Insiders can control platform
  • Determine what software runs consumers’ code
  • Insiders can monitor execution
  • Log instance operation from remote
  • Insiders may have physical access
  • Can monitor hardware, access physical memory, and

tamper secure co-processors

19

19

slide-40
SLIDE 40

Systems and Internet Infrastructure Security Laboratory (SIIS) Page

Co-Hosting Threats

  • An instance co-hosted on the same physical

platform could launch attacks against your instance

  • Co-hosted instances share resources
  • Computer
  • CPU, Cache, Memory, Network, etc.
  • Shared resources may be used as side channels to

learn information about resource or impact its behavior

20

20

slide-41
SLIDE 41

Systems and Internet Infrastructure Security Laboratory (SIIS) Page

Resource Freeing Attacks

  • Setup
  • Victims
  • One or more VMs with public interface
  • Beneficiary
  • VM whose performance we want to

improve (contend over target resource)

  • Helper
  • Mounts attack using public interface

21

Helper& VM# VM# Vic&m# Beneficiary#

21

slide-42
SLIDE 42

Systems and Internet Infrastructure Security Laboratory (SIIS) Page

Resource Freeing Attacks

  • Resource contention over the CPU
  • Schedule beneficiary more frequently
  • Attack: shift resource usage via public interface
  • Helper can choose requests to send to victim
  • Approach lower scheduling priority
  • Make victim appear CPU-bound

22

RFA$intensi*es$–$*me$in$ms$per&second& 196%$slowdown$ 86%$slowdown$ 60%$ Performance$ Improvement$

22

slide-43
SLIDE 43

Systems and Internet Infrastructure Security Laboratory (SIIS) Page

Preventing Vulnerabilities

  • How would you prevent these threats?
  • Misconfigured instances
  • Compromised cloud services
  • Insiders
  • Side channels

23

23

slide-44
SLIDE 44

Systems and Internet Infrastructure Security Laboratory (SIIS) Page

Verifiable Computation

24

Service Client

24-1

slide-45
SLIDE 45

Systems and Internet Infrastructure Security Laboratory (SIIS) Page

Verifiable Computation

  • Your services are black boxes - to the cloud!

24

Service Client

24-2

slide-46
SLIDE 46

Systems and Internet Infrastructure Security Laboratory (SIIS) Page

Verifiable Computation

  • Your services are black boxes - to the cloud!
  • Send a program and encrypted data

24

Service Client

24-3

slide-47
SLIDE 47

Systems and Internet Infrastructure Security Laboratory (SIIS) Page

Verifiable Computation

  • Your services are black boxes - to the cloud!
  • Send a program and encrypted data
  • Program computes over encrypted data

24

Service Client

24-4

slide-48
SLIDE 48

Systems and Internet Infrastructure Security Laboratory (SIIS) Page

Verifiable Computation

  • Your services are black boxes - to the cloud!
  • Send a program and encrypted data
  • Program computes over encrypted data
  • Scheme: KeyGen (for Program), Compute (Program), Verify

24

Service Client

24-5

slide-49
SLIDE 49

Systems and Internet Infrastructure Security Laboratory (SIIS) Page

Verifiable Computation

  • Your services are black boxes - to the cloud!
  • Send a program and encrypted data
  • Program computes over encrypted data
  • Scheme: KeyGen (for Program), Compute (Program), Verify

24

Service

Data

Client

24-6

slide-50
SLIDE 50

Systems and Internet Infrastructure Security Laboratory (SIIS) Page

Verifiable Computation

  • Your services are black boxes - to the cloud!
  • Send a program and encrypted data
  • Program computes over encrypted data
  • Scheme: KeyGen (for Program), Compute (Program), Verify

24

Service

Data

Client

24-7

slide-51
SLIDE 51

Systems and Internet Infrastructure Security Laboratory (SIIS) Page

Verifiable Computation

  • Your services are black boxes - to the cloud!
  • Send a program and encrypted data
  • Program computes over encrypted data
  • Scheme: KeyGen (for Program), Compute (Program), Verify

24

Service Client

24-8

slide-52
SLIDE 52

Systems and Internet Infrastructure Security Laboratory (SIIS) Page

Verifiable Computation

  • Your services are black boxes - to the cloud!
  • Send a program and encrypted data
  • Program computes over encrypted data
  • Scheme: KeyGen (for Program), Compute (Program), Verify

24

Service Client

Depends on heavy crypto - homomorphic encryption

24-9

slide-53
SLIDE 53

Systems and Internet Infrastructure Security Laboratory (SIIS) Page

Pinocchio [Oakland 2013]

25

25-1

slide-54
SLIDE 54

Systems and Internet Infrastructure Security Laboratory (SIIS) Page

Pinocchio [Oakland 2013]

  • New cryptographic protocol for general-purpose public verifiable

computation with support for zero-knowledge arguments

25

25-2

slide-55
SLIDE 55

Systems and Internet Infrastructure Security Laboratory (SIIS) Page

Pinocchio [Oakland 2013]

  • New cryptographic protocol for general-purpose public verifiable

computation with support for zero-knowledge arguments

  • Big advance: Performance

25

25-3

slide-56
SLIDE 56

Systems and Internet Infrastructure Security Laboratory (SIIS) Page

Pinocchio [Oakland 2013]

  • New cryptographic protocol for general-purpose public verifiable

computation with support for zero-knowledge arguments

  • Big advance: Performance
  • History: PCP (2007) = 72 trillion years, GGP (2010) = 37

centuries, Pepper/Ginger (2012) = 6 oom improvement, Pinocchio = 7 oom improvement (often ~10ms for verification)

25

25-4

slide-57
SLIDE 57

Systems and Internet Infrastructure Security Laboratory (SIIS) Page

Pinocchio [Oakland 2013]

  • New cryptographic protocol for general-purpose public verifiable

computation with support for zero-knowledge arguments

  • Big advance: Performance
  • History: PCP (2007) = 72 trillion years, GGP (2010) = 37

centuries, Pepper/Ginger (2012) = 6 oom improvement, Pinocchio = 7 oom improvement (often ~10ms for verification)

  • Encoding in “quadratic programs”; signature depends only on

security constant

25

25-5

slide-58
SLIDE 58

Systems and Internet Infrastructure Security Laboratory (SIIS) Page

Pinocchio [Oakland 2013]

  • New cryptographic protocol for general-purpose public verifiable

computation with support for zero-knowledge arguments

  • Big advance: Performance
  • History: PCP (2007) = 72 trillion years, GGP (2010) = 37

centuries, Pepper/Ginger (2012) = 6 oom improvement, Pinocchio = 7 oom improvement (often ~10ms for verification)

  • Encoding in “quadratic programs”; signature depends only on

security constant

  • Idea behind quadratic arithmetic programs: each multiplication

gate is a “small expression”. Construct polynomials that encode the equations, such that if the evaluation is correct, then D(z) / P(z). Then the protocol just checks divisibility randomly

25

25-6

slide-59
SLIDE 59

Systems and Internet Infrastructure Security Laboratory (SIIS) Page

Pinocchio [Oakland 2013]

  • New cryptographic protocol for general-purpose public verifiable

computation with support for zero-knowledge arguments

  • Big advance: Performance
  • History: PCP (2007) = 72 trillion years, GGP (2010) = 37

centuries, Pepper/Ginger (2012) = 6 oom improvement, Pinocchio = 7 oom improvement (often ~10ms for verification)

  • Encoding in “quadratic programs”; signature depends only on

security constant

  • Idea behind quadratic arithmetic programs: each multiplication

gate is a “small expression”. Construct polynomials that encode the equations, such that if the evaluation is correct, then D(z) / P(z). Then the protocol just checks divisibility randomly

  • Beats local C execution (for verification)

25

25-7

slide-60
SLIDE 60

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Excalibur

  • Policy-sealed data [USENIX Sec 2012b]
  • Do not release my data to the cloud until that cloud satisfies

my requirements

  • Customer-chosen policy
  • How to ensure that only nodes that satisfy customer-

chosen policy get data?

  • Attribute-based encryption
  • Encrypt data using ABE description of load-time configuration
  • A verifiable monitor is trusted to delegate correct credentials

to nodes (using hardware-based attestations - e.g., via TPM)

26

26

slide-61
SLIDE 61

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Excalibur Approach

27

4/19/13 Nuno Santos 13

! Check node

configurations

! Monitor attests

nodes in background

! Scalable policy

enforcement

! CP-ABE

  • perations at

client-side lib

Monitor

Customer

Policy-Sealed Data

+

seal unseal attest & send credential Datacenter

From Nuno Santos’ slides

27

slide-62
SLIDE 62

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Runtime Monitoring

  • Excalibur does not address runtime issues with instance
  • Customers may want to ensure that clients of their services
  • nly receive communications from satisfactory instances
  • Customer may want to take remediative actions

28

28

slide-63
SLIDE 63

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Self-Service Clouds

  • Customizable cloud platform stack [CCS 2012]

29

Why do these problems arise?

Hardware Hypervisor

Management$ VM$(dom0)$

Work" VM" Work" VM" Work" VM"

Slides courtesy of Vinod Ganapathy

29

slide-64
SLIDE 64

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Self-Service Clouds

  • Customizable cloud platform stack [CCS 2012]

30

Hardware Hypervisor

Management$ VM$

Client’s$VMs$

30

slide-65
SLIDE 65

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Self-Service Clouds

  • Customizable cloud platform stack [CCS 2012]
  • UDom0 boots customer-defined Service VMs

31

Hardware SSC Hypervisor

SDom0$

Work$ VM$ Work$ VM$

UDom0$ Client’s$metaBdomain$

Service$ VM$

Equipped$with$a$Trusted$Plaiorm$Module$(TPM)$chip$

31

slide-66
SLIDE 66

Systems and Internet Infrastructure Security Laboratory (SIIS) Page

Take Away

  • Cloud computing is here to stay
  • In some form
  • May be a solution or a problem or both
  • Introduces new types of vulnerabilities into systems we

ran on data centers - which had vulnerabilities to begin with

  • Ultimately, have to improve service providers’ jobs
  • Make it easy to ensure that systems perform as expected
  • Two possible methods
  • Verifiable computation and instance monitoring

32

32