Module: Cloud Computing Security Professor Trent Jaeger Penn State - - PowerPoint PPT Presentation



SLIDE 1

Systems and Internet Infrastructure Security Laboratory (SIIS) Page

Module: Cloud Computing Security

Professor Trent Jaeger Penn State University

SLIDE 2

Cloud Computing Is Here


Why not use it?

SLIDE 3

What’s Happening in There?

SLIDE 4

From Data Center to Cloud

SLIDE 5

Reasons to Doubt

  • History has shown they are vulnerable to attack
  • SLAs, audits, and armed guards offer few guarantees
  • Insiders can subvert even hardened systems

Data Loss Incidents

  Year:       ‘06   ‘07   ‘08   ‘09   ‘10   ‘11
  Incidents:  903   678   695   986   770   641

Incident Attack Vector

  External 54%, Accidental 23%, Insider 16%, Unknown 7%

Credit: The Open Security Foundation datalossdb.org

SLIDE 6

Cloudy Future

  • New problem or new solution?
  • New challenges brought on by the cloud (plus old ones)
  • Utility could provide a foundation for solving such challenges

SLIDE 7

What is Cloud Computing?

  • Cloud vendor provides managed computing resources for rent by customers
  • What do you want to rent?
    • (Virtualized) Hosts (Infrastructure as a Service)
      • Rent cycles: Amazon EC2, Rackspace Cloud Servers, OpenStack
    • Environment (Platform as a Service)
      • Rent instances: Microsoft Azure, Google App Engine
    • Programs (Software as a Service)
      • Rent services: Salesforce, Google Docs
    • Other variations can be rented

SLIDE 8

What is Cloud Computing?

SLIDE 9

IaaS Platform: OpenStack

Figure: OpenStack architecture. The Cloud Customer's Client talks to the Cloud API; behind it the Cloud Vendor runs the Scheduler, Network Controller, Cloud Database, Message Queue, Volume Store, Image Store, and the Cloud Nodes that host the Instances.

SLIDE 10

PaaS Platform: Google App

  • Platform for deploying language-specific apps
    • Java, Python, PHP, etc.
  • Vendor provides OS and middleware
    • E.g., Web server, interpreters
  • Customers deploy their customized apps
    • You focus on custom code
  • Clients use these apps
    • Analogously to IaaS

SLIDE 11

How to Build an IaaS Cloud?

  • Vendors obtain hardware resources for
    • Various cloud services: API, Messages, Storage, Network, ...
    • Compute nodes for running customer workloads
  • Install your hardware
    • Need to choose software configurations specific for services and compute nodes
  • Start your hosts
    • Join the cloud - services and available compute nodes
  • Now your cloud is running
    • Have fun! Customers are ready to use your services and nodes

SLIDE 12

How to Use an IaaS Cloud?

  • Customers choose an OS distribution
    • These are published by the cloud vendor and others
    • Obtain cloud storage necessary to store these and your data
  • Configure your instance (VM)
    • Prior to starting - enable you to login and others to access the instance’s services
  • Start your instance
    • Boots the chosen OS distribution with the configurations
  • Now your instance is running
    • Have fun! Login via SSH or ready for your clients

SLIDE 13

Cloud Complexity

  • Cloud environment challenges
    • Opaque, Complex, Dynamic
    • Insiders, Instances, Co-hosting

Figure: a Client and a Service running as VMs across several Cloud Nodes on the Cloud Platform

SLIDE 14

What Could Go Wrong?

  • What do customers depend on from the cloud?
    • Trust Model
    • Are those parties worthy of our trust?
  • Who are potential adversaries in the cloud?
    • Threat Model
    • Are customers protected from their threats?
  • What would be ideal from a security standpoint?
    • Ideal Security Model
    • How many trusted parties and how many threats?

SLIDE 15

Published Instances

Consumers use published instances. Who do you trust? What are the threats?

SLIDE 16

SSH Study [AmazonIA]

  • Publisher left an SSH user authentication key in their AMI
    • Fortunately, Amazon agreed that this is a violation
    • Unfortunately, it was not an isolated problem
    • 30% of 1100 AMIs checked contained such a key
  • Also, pre-configured AMIs had SSH host keys
    • Thus, all instances use the same host key pair
  • Implications?
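
An added example, not part of the lecture slides or of the AmazonIA study: a Python audit that walks an unpacked image root (for instance a mounted AMI filesystem) for the two defects the SSH study describes, leftover authorized_keys entries and baked-in SSH host keys, and additionally reports host keys that turn up in more than one image, which is what makes every instance booted from them share a host key pair. The directory layout and the key material are constructed for the demo; the base64 blobs are not real keys.

```python
import base64
import hashlib
import os
import tempfile
from collections import defaultdict


def fingerprint(pubkey_line):
    """OpenSSH-style SHA256 fingerprint of one 'type base64 [comment]' line."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def authorized_key_entries(root):
    """Yield (path, key line) for every non-empty, non-comment authorized_keys
    entry under /root/.ssh and /home/<user>/.ssh of the image rooted at `root`."""
    candidates = [os.path.join(root, "root", ".ssh", "authorized_keys")]
    home = os.path.join(root, "home")
    if os.path.isdir(home):
        for user in sorted(os.listdir(home)):
            candidates.append(os.path.join(home, user, ".ssh", "authorized_keys"))
    for path in candidates:
        if not os.path.isfile(path):
            continue
        with open(path) as fh:
            for line in fh:
                line = line.strip()
                if line and not line.startswith("#"):
                    yield path, line


def host_key_files(root):
    """Public host keys baked into the image instead of generated at first boot."""
    ssh_dir = os.path.join(root, "etc", "ssh")
    if not os.path.isdir(ssh_dir):
        return []
    return sorted(os.path.join(ssh_dir, f) for f in os.listdir(ssh_dir)
                  if f.startswith("ssh_host_") and f.endswith("_key.pub"))


def audit_image(root):
    """Findings for one image: leftover user keys (with fingerprints) and baked-in host keys."""
    return {
        "leftover_authorized_keys": [(p, fingerprint(k)) for p, k in authorized_key_entries(root)],
        "baked_host_keys": host_key_files(root),
    }


def shared_host_keys(image_roots):
    """Map host-key fingerprint -> image roots carrying it, keeping only keys seen in >1 image."""
    seen = defaultdict(set)
    for root in image_roots:
        for path in host_key_files(root):
            with open(path) as fh:
                seen[fingerprint(fh.read().strip())].add(root)
    return {fp: sorted(roots) for fp, roots in seen.items() if len(roots) > 1}


def _fake_key(label, comment):
    """Constructed key line for the demo; the blob is not real key material."""
    blob = base64.b64encode(b"constructed-key-material-" + label.encode()).decode()
    return f"ssh-rsa {blob} {comment}"


def build_demo_images():
    """Create three constructed image roots in a temp dir and return their paths."""
    base = tempfile.mkdtemp(prefix="ami-audit-")
    layout = {
        "image-a": {   # publisher's key left behind, host key baked in
            "root/.ssh/authorized_keys": "# publisher forgot this\n" + _fake_key("pub", "publisher@laptop") + "\n",
            "etc/ssh/ssh_host_rsa_key.pub": _fake_key("host1", "root@build-host") + "\n",
        },
        "image-b": {   # same baked-in host key as image-a
            "etc/ssh/ssh_host_rsa_key.pub": _fake_key("host1", "root@build-host") + "\n",
        },
        "image-c": {},  # clean image: no keys at all
    }
    roots = []
    for name, files in layout.items():
        root = os.path.join(base, name)
        os.makedirs(root)
        for rel, content in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(content)
        roots.append(root)
    return roots


if __name__ == "__main__":
    roots = build_demo_images()
    for root in roots:
        print(os.path.basename(root), audit_image(root))
    print("host keys shared across images:", shared_host_keys(roots))
```

Running the audit before publishing an image answers the "Implications?" question concretely: a non-empty leftover_authorized_keys list means the publisher can still log in to every instance launched from the image, and any entry in shared_host_keys means clients cannot distinguish one instance from another by host key.
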
SLIDE 17

Security Configuration

  • Zillions of security-relevant configurations for instances
    • Do you have the right code and data installed?
    • Are you running the expected code?
    • Discretionary access control
    • Firewalls
    • Mandatory access control
      • SELinux, AppArmor, TrustedBSD, Trusted Solaris, MIC
    • Application policies (e.g., Database, Apache)
    • Pluggable Authentication Modules (PAM)
    • Application configuration files
  • Plus new configuration tasks for the cloud - e.g., storage

SLIDE 18

Cloud Service Vulnerabilities

  • Vulnerabilities have been found in cloud services
    • E.g., OpenStack identity service, web interface, and API service
  • Adversaries who compromise such services may launch a variety of attacks
    • E.g., Key Injection Attack

Figure: Key Injection Attack, involving the API Service, the Compute Service and the Database.
  Step 1: "nova keypair-add mykey" registers "mykey : ssh-rsa ABC" through the API Service into the Database.
  Step 2: "nova boot --key-name mykey" has the Compute Service look up "mykey : ssh-rsa ABC" through the API Service for injection into the instance; the instance end of the figure shows "ssh-rsa ABC" next to "ssh-rsa DEF".
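An added example, not from the slides or from OpenStack: the check a customer can run on their own side against the key injection sketched in the figure. The client keeps the fingerprint of the key it uploaded at the keypair-add step and, after boot, compares every entry that actually landed in the instance's authorized_keys against that record; an entry with any other fingerprint is a key the customer never registered, whatever the cloud's database claims. The key lines are constructed, not real keys, and fetching authorized_keys from the instance is left to the caller.

```python
import base64
import hashlib


def fingerprint(pubkey_line):
    """OpenSSH-style SHA256 fingerprint of a 'type base64 [comment]' public key line."""
    blob = base64.b64decode(pubkey_line.split()[1])
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def register_keypair(name, pubkey_line):
    """Client side of `nova keypair-add`: keep a local record of what we uploaded
    so the later check does not depend on what the cloud's database says."""
    return {name: fingerprint(pubkey_line)}


def parse_authorized_keys(text):
    """Return the key lines of an authorized_keys file, ignoring blanks, comments
    and leading option fields such as no-pty,command="..."."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        for i, tok in enumerate(parts):          # key type starts the entry unless options precede it
            if tok.startswith(("ssh-", "ecdsa-", "sk-")):
                entries.append(" ".join(parts[i:]))
                break
    return entries


def verify_injected_keys(registered, authorized_keys_text, expected_name):
    """Compare what the instance received with the client's own record.
    Returns (ok, unexpected_fingerprints): ok only if the registered key is present
    and nothing else is."""
    want = registered[expected_name]
    got = [fingerprint(e) for e in parse_authorized_keys(authorized_keys_text)]
    unexpected = [fp for fp in got if fp != want]
    return (want in got and not unexpected), unexpected


def _fake_key(label, comment):
    """Constructed key line for the demo; the blob is not real key material."""
    blob = base64.b64encode(b"constructed-key-material-" + label.encode()).decode()
    return f"ssh-rsa {blob} {comment}"


# Constructed scenario mirroring the figure: the client registered key ABC, but the
# instance's authorized_keys ended up carrying DEF next to it.
MYKEY = _fake_key("ABC", "customer@workstation")
INJECTED = _fake_key("DEF", "unknown")
CLEAN_INSTANCE = MYKEY + "\n"
TAMPERED_INSTANCE = MYKEY + "\n" + INJECTED + "\n"


def demo():
    registered = register_keypair("mykey", MYKEY)
    return {
        "clean": verify_injected_keys(registered, CLEAN_INSTANCE, "mykey"),
        "tampered": verify_injected_keys(registered, TAMPERED_INSTANCE, "mykey"),
    }


if __name__ == "__main__":
    for label, (ok, extra) in demo().items():
        print(label, "OK" if ok else f"UNEXPECTED KEYS: {extra}")
```

The point of keeping the fingerprint locally is that the check is anchored in something the compromised service never touched; comparing the instance against the cloud's own keypair listing would only confirm whatever the attacker wrote there.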

SLIDE 19

Insiders

  • Although the vendor may have a good reputation, not every employee may

Figure: the Cloud Provider tells the Client "Trust me with your code & data"; the Cloud operators add "You have to trust us as well".

SLIDE 20

Insider Threats

  • May trust the cloud vendor company
    • But, do you trust all its employees?
  • Insiders can control platform
    • Determine what software runs consumers’ code
  • Insiders can monitor execution
    • Log instance operation from remote
  • Insiders may have physical access
    • Can monitor hardware, access physical memory, and tamper secure co-processors

SLIDE 21

Co-Hosting Threats

  • An instance co-hosted on the same physical platform could launch attacks against your instance
  • Co-hosted instances share resources
    • Computer
    • CPU, Cache, Memory, Network, etc.
  • Shared resources may be used as side channels to learn information about the resource or impact its behavior

SLIDE 22

Resource Freeing Attacks

  • Setup
    • Victims
      • One or more VMs with public interface
    • Beneficiary
      • VM whose performance we want to improve (contend over target resource)
    • Helper
      • Mounts attack using public interface

Figure: Helper VM, Victim VM and Beneficiary VM

SLIDE 23

Resource Freeing Attacks

  • Resource contention over the CPU
    • Schedule beneficiary more frequently
  • Attack: shift resource usage via public interface
    • Helper can choose requests to send to victim
    • Approach lower scheduling priority
    • Make victim appear CPU-bound

Figure: RFA intensities (time in ms per second); labels: 196% slowdown, 86% slowdown, 60% performance improvement

SLIDE 24

Preventing Vulnerabilities

  • How would you prevent these threats?
    • Misconfigured instances
    • Compromised cloud services
    • Insiders
    • Side channels

SLIDE 25

Verifiable Computation

  • Your services are black boxes - to the cloud!
    • Send a program and encrypted data
    • Program computes over encrypted data
  • Scheme: KeyGen (for Program), Compute (Program), Verify

Figure: the Client sends Data to the Service

Depends on heavy crypto - homomorphic encryption

SLIDE 26

Pinocchio [Oakland 2013]

  • New cryptographic protocol for general-purpose public verifiable computation with support for zero-knowledge arguments
  • Big advance: Performance
    • History: PCP (2007) = 72 trillion years, GGP (2010) = 37 centuries, Pepper/Ginger (2012) = 6 oom improvement, Pinocchio = 7 oom improvement (often ~10ms for verification)
  • Encoding in “quadratic programs”; signature depends only on security constant
  • Idea behind quadratic arithmetic programs: each multiplication gate is a “small expression”. Construct polynomials that encode the equations, such that if the evaluation is correct, then D(z) divides P(z). Then the protocol just checks divisibility randomly
  • Beats local C execution (for verification)
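
A worked example added here, not taken from the Pinocchio paper or the slides, of the quadratic arithmetic program idea in the bullet above, for the two-gate circuit out = (a * b) * d over a prime field. Each multiplication gate is assigned a root, the wire polynomials are interpolated so that at a gate's root they pick out exactly that gate's left input, right input and output, and the witness is correct if and only if the target polynomial t(x) = (x - 1)(x - 2) divides p(x); t plays the role of the slide's D and p of its P. The verifier-style check evaluates both sides at a single point, which is the "check divisibility randomly" step. The field modulus, gate layout and test point are this example's own choices, and the cryptographic wrapping of the real protocol (commitments, bilinear-group encoding) is deliberately omitted.

```python
"""Toy quadratic arithmetic program (QAP) for the circuit out = (a * b) * d.
Wires: 0 = constant one (unused), 1 = a, 2 = b, 3 = d, 4 = m, 5 = out.
Gate g is (left wire, right wire, output wire) and is assigned the root ROOTS[g]."""

P = 2**61 - 1                     # field modulus, chosen for the example
GATES = [(1, 2, 4), (4, 3, 5)]    # m = a * b ; out = m * d
ROOTS = [1, 2]                    # one distinct root per multiplication gate
NUM_WIRES = 6


def poly_add(f, g):
    n = max(len(f), len(g))
    f, g = f + [0] * (n - len(f)), g + [0] * (n - len(g))
    return [(x + y) % P for x, y in zip(f, g)]


def poly_scale(f, c):
    return [(c * x) % P for x in f]


def poly_mul(f, g):
    out = [0] * (len(f) + len(g) - 1)
    for i, x in enumerate(f):
        for j, y in enumerate(g):
            out[i + j] = (out[i + j] + x * y) % P
    return out


def poly_eval(f, s):
    acc = 0
    for coeff in reversed(f):      # Horner's rule
        acc = (acc * s + coeff) % P
    return acc


def poly_divmod(f, g):
    """Long division over F_p: returns (quotient, remainder) with f = q*g + r."""
    r = f[:]
    q = [0] * max(1, len(f) - len(g) + 1)
    inv_lead = pow(g[-1], P - 2, P)
    while len(r) >= len(g):
        shift = len(r) - len(g)
        coeff = (r[-1] * inv_lead) % P
        q[shift] = coeff
        for i, y in enumerate(g):
            r[shift + i] = (r[shift + i] - coeff * y) % P
        r.pop()                    # leading term is now zero
    return q, r


def lagrange(points):
    """Interpolate the polynomial through the (x_i, y_i) pairs over F_p."""
    result = [0]
    for i, (xi, yi) in enumerate(points):
        term = [yi % P]
        for j, (xj, _) in enumerate(points):
            if i != j:
                inv = pow((xi - xj) % P, P - 2, P)
                term = poly_mul(term, [(-xj * inv) % P, inv])   # times (x - xj)/(xi - xj)
        result = poly_add(result, term)
    return result


def build_qap():
    """Wire polynomials v_k, w_k, y_k: value 1 at a gate's root iff wire k is that gate's
    left input / right input / output. t(x) vanishes exactly at the gate roots."""
    V, W, Y = [], [], []
    for k in range(NUM_WIRES):
        V.append(lagrange([(r, int(GATES[g][0] == k)) for g, r in enumerate(ROOTS)]))
        W.append(lagrange([(r, int(GATES[g][1] == k)) for g, r in enumerate(ROOTS)]))
        Y.append(lagrange([(r, int(GATES[g][2] == k)) for g, r in enumerate(ROOTS)]))
    t = [1]
    for r in ROOTS:
        t = poly_mul(t, [(-r) % P, 1])
    return V, W, Y, t


def witness(a, b, d):
    """Honest wire assignment for inputs a, b, d."""
    m = (a * b) % P
    return [1, a % P, b % P, d % P, m, (m * d) % P]


def qap_polynomial(c, V, W, Y):
    """p(x) = (sum c_k v_k)(sum c_k w_k) - sum c_k y_k. At root r_g this equals
    left_g * right_g - out_g, so p(r_g) = 0 iff gate g was evaluated correctly."""
    vs, ws, ys = [0], [0], [0]
    for k, ck in enumerate(c):
        vs = poly_add(vs, poly_scale(V[k], ck))
        ws = poly_add(ws, poly_scale(W[k], ck))
        ys = poly_add(ys, poly_scale(Y[k], ck))
    return poly_add(poly_mul(vs, ws), poly_scale(ys, P - 1))


def divides(c):
    """Full check: t(x) divides p(x) iff every gate equation holds."""
    V, W, Y, t = build_qap()
    _, r = poly_divmod(qap_polynomial(c, V, W, Y), t)
    return all(x == 0 for x in r)


def check_at_point(c, s):
    """Verifier-style probabilistic check at one point s: p(s) == h(s) * t(s), where
    h = p / t is what the prover supplies. A wrong witness leaves a nonzero remainder
    of degree below deg t, so the check fails for all but a handful of points s."""
    V, W, Y, t = build_qap()
    p = qap_polynomial(c, V, W, Y)
    h, _ = poly_divmod(p, t)
    return poly_eval(p, s) == (poly_eval(h, s) * poly_eval(t, s)) % P


if __name__ == "__main__":
    good = witness(3, 4, 5)
    bad = witness(3, 4, 5)
    bad[5] = 99                    # claims the wrong output
    print("honest witness divisible:", divides(good), "point check:", check_at_point(good, 12345))
    print("forged witness divisible:", divides(bad), "point check:", check_at_point(bad, 12345))
```

The cost structure the slide is pointing at is visible here: the divisibility test depends only on the number of multiplication gates (the degree of t), and the single-point check costs the verifier a few field operations regardless of how the prover computed h, which is why verification can beat re-running the computation locally.
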

SLIDE 27

Integrity Monitor Concept

  • Integrity monitor similar to a reference monitor
    • Mediate access to service based on integrity criteria
  • Challenges
    • Where do we measure integrity-relevant events?
    • How do we verify ongoing integrity?
    • How can we deploy this in a cloud environment?

Figure: the Integrity Monitor mediates between the Client (with its Data) and the Service (with its Data)

SLIDE 28

Excalibur

  • Policy-sealed data [USENIX Sec 2012b]
    • Do not release my data to the cloud until that cloud satisfies my requirements
    • Customer-chosen policy
  • How to ensure that only nodes that satisfy customer-chosen policy get data?
    • Attribute-based encryption
    • Encrypt data using ABE description of load-time configuration
    • A verifiable monitor is trusted to delegate correct credentials to nodes (using hardware-based attestations - e.g., via TPM)

SLIDE 29

Excalibur Approach

  • Check node configurations
  • Monitor attests nodes in background
  • Scalable policy enforcement
  • CP-ABE operations at client-side lib

Figure: the Customer seals and unseals Policy-Sealed Data through the client-side library; the Monitor attests the Datacenter nodes and sends them credentials

From Nuno Santos’ slides

SLIDE 30

Runtime Monitoring

  • Excalibur does not address runtime issues with instance
  • Customers may want to ensure that clients of their services only receive communications from satisfactory instances
  • Customer may want to take remediative actions

SLIDE 31

Integrity Verification Proxy

Figure: the Client connects through the Channel Mediator of the Integrity Verification Proxy to a VM on a Cloud Node. Steps: (1) Register criteria, (2) Verify Monitor / Node, (3) Verify VM, (4) Connect, (5) Report Violation. The Measure framework and its Modules run in the Monitor VM.

  • Clients specify criteria to be enforced by a channel mediator [TRUST 2012]
  • Set of measurement modules verifies the criteria
    • Loadtime modules measure VM components
    • VM Introspection to examine runtime criteria
      • E.g., Binaries/data loaded, enforcement disabled, policy changes, kernel data (binary handler), etc.

SLIDE 32

Customer-Driven Monitoring

  • CV/IVP Limitation
    • IVP must be trusted by cloud vendor
    • Part of management VM
  • What if you need to perform monitoring that the cloud vendors will not support?

SLIDE 33

Self-Service Clouds

  • Customizable cloud platform stack [CCS 2012]

Why do these problems arise?

Figure: Hardware, Hypervisor, Management VM (dom0), and Work VMs

Slides courtesy of Vinod Ganapathy

SLIDE 34

Self-Service Clouds

  • Customizable cloud platform stack [CCS 2012]

Figure: Hardware, Hypervisor, Management VM, and the Client’s VMs

SLIDE 35

Self-Service Clouds

  • Customizable cloud platform stack [CCS 2012]
  • UDom0 boots customer-defined Service VMs

Figure: Hardware (equipped with a Trusted Platform Module (TPM) chip), SSC Hypervisor, SDom0, Work VMs, and the Client’s meta-domain containing UDom0 and a Service VM

SLIDE 36

Take Away

  • Cloud computing is here to stay
    • In some form
    • May be a solution or a problem or both
  • Introduces new types of vulnerabilities into systems we ran on data centers - which had vulnerabilities to begin with
  • Ultimately, have to improve service providers’ jobs
    • Make it easy to ensure that systems perform as expected
  • Two possible methods
    • Verifiable computation and instance monitoring