security evaluation on amazon web services rest api
play

Security Evaluation on Amazon Web Services REST API Authentication - PowerPoint PPT Presentation

Nov 05, 2023 •373 likes •636 views

Security Evaluation on Amazon Web Services REST API Authentication Protocol Signature Version 4 Khanh Hoang Huynh Jason Kerssens Supervisors: Alex Stavroulakis (KPMG) Aristide Bouix (KPMG) Introduction AWS As of 2018, AWS has a

  1. Security Evaluation on Amazon Web Services’ REST API Authentication Protocol Signature Version 4 Khanh Hoang Huynh Jason Kerssens Supervisors: Alex Stavroulakis (KPMG) Aristide Bouix (KPMG)

  2. Introduction ● AWS As of 2018, AWS has a dominant share of 47.8% in the cloud service market 1 (IaaS, PaaS) ○ ● Signature Version 4 ○ Protocol used for authentication of HTTP API requests ○ Ensures data integrity, verification of the requesting user, and protection against reuse of signed requests ● Other protocols (different functionalities) do not provide end-to-end integrity ○ OAuth 1.0/2.0, SSL/TLS and HTTP Authentication 1 https://www.ciodive.com/news/iaas-Azure-AWS-Google-Cloud-Alibaba/559716/ 2

  3. Research question Does the Signature Version 4 protocol, used when sending a request to AWS REST API endpoints, provide data integrity, verification of the requesting user, and protection against reuse of signed requests? ● How does Signatures Version 4 Protocol ensure data integrity, verification of the requesting user, and protection against reuse of signed requests? ● What kind of attacks are able to undermine data integrity, verification of the requesting user, or protection against reuse of signed requests? 3

  4. Signature Version 4 ● Signing key is derived from the secret access key ● HMAC-SHA1 or HMAC-SHA256 ● The signature created is a string in hexadecimal and has a length of 64 4 Figure 1: Signature Version 4 signing procedure

  5. Experiments ● Signature Version 4 makes use of HMAC-SHA ○ Attacks on HMAC-SHA are not feasible ● Replay Attack, Modifying Request, HTTP smuggling, and Timing Attacks ● As we look at Signature Version 4, we ignore SSL/TLS ● Attacks were first performed on our local server ● Attacks were then performed on AWS IAM and S3 services 5

  6. Used Technologies ● Python ● Escher ● Burp Python Logo source: https://www.python.org/ Emarsys Logo (Escher Creator) source: https://www.emarsys.com/ Burp Suite logo source: https://portswigger.net/ 6

  7. Replay Attack ● Protection against reuse of signed requests ● Intercept request and resend ● For how long? ● What kind of requests? Figure 2: The setup of our replay attack 7

  8. Modifying the request ● Ensurance of data integrity ● Intercept request, modify it, and send it to intended destination ● What parts of the request can be modified? Figure 3: The setup of our modifying the request 8

  9. HTTP Smuggling ● Verification of the requesting user ● Discrepancy in front-end server and back-end server Figure 4: The request flow of modern website architecture. Source: https://portswigger.net/ 9 Figure 5: Example of a HTTP request smuggling attack. Source: https://portswigger.net/

  10. HTTP Smuggling Figure 6: The setup for HTTP smuggling attacks 10

  11. Probing Timing Attack ● Verification of the requesting user ● Side-channel attack on Signature of HTTP request ● Measure execution time of request and response ● Correlation between execution time and number of valid bits ● Implementation dependent Example: ‘aaaa’ != ‘aaaa’ ‘aaaa’ != ‘aabb’ Figure 7: The setup of our Probing Timing attack 11

  12. Probing Timing Attack Experiment in detail Figure 8: Flow of how we manipulated the signature Figure 9: An example of changing one bit of the correct signature 12

  13. Results (replay attack) ● Replaying of requests possible ● Default valid for 15 mins for IAM ● X-AMZ-Expires option for S3 ● Prevented by SSL/TLS 13

  14. 14 Figure 10: HTTP Request and response

  15. Figure 11: Replayed a HTTP Request and response 15

  16. Results (modifying requests) ● Signed parts cannot be changed ● S3 unsigned payload option ● Prevented by SSL/TLS 16

  17. Figure 12: HTTP request payload to be modified 17

  18. Figure 13: HTTP request payload changed and sent 18

  19. Figure 14: Successfully modified HTTP request and uploaded to AWS 19

  20. Results (HTTP Smuggling) ● Not successful, as AWS responds with HTTP Status Code 500 Figure 15: Result of executing the detecting if http smuggling is possible 20

  21. Results (Timing attack) ● Escher ● Correlation found? (between execution time and number of correct bits in signature) Figure 16: The results of seeing if a timing attack would be effective 21

  22. Results (Timing attack) Figure 17: Figure 15, but without the standard deviation plotted 22

  23. Conclusion How does Signature Version 4 ensure protection? ● Data integrity: Signature ● User verification: API KEY ID, and Secret Access Key ● Reuse of signed portions: Expiration of request What kind of attacks are possible? ● Replay attack: reuse of signed portions is possible for a limited time ● Modifying requests: signed portions of requests cannot be modified, unsigned portions can be modified ● HTTP Smuggling: not successful ● Timing attack: correlation found locally 23

  24. Conclusion Does the Signature Version 4 protocol, used when sending a request to AWS REST API endpoints, provide data integrity, verification of the requesting user, and protection against reuse of signed requests? ● Provides data integrity of signed portions ● Verifies that signed parts were indeed signed by user ● Does not fully provide protection of reuse of signed portions 24

  25. Future work ● Other services ● Timing attack on AWS servers ● Inspect the SSL/TLS from AWS API endpoint 25

  26. Conclusion Does the Signature Version 4 protocol, used when sending a request to AWS REST API endpoints, provide data integrity, verification of the requesting user, and protection against reuse of signed requests? ● Provides data integrity of signed portions ● Verifies that signed parts were indeed signed by user ● Does not fully provide protection of reuse of signed portions 26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Introduction to REST Web REST Web Services Characteristics Services Principle of REST Web

Introduction to REST Web REST Web Services Characteristics Services Principle of REST Web

Introduction to REST Web Services 2/14/2009 Agenda What is REST? Introduction to REST Web REST Web Services Characteristics Services Principle of REST Web Services Design Semantic of HTTP/1.1 Operations Asst. Prof. Dr. Kanda

522 views • 12 slides
RESTful Web Services Stefan Marr Agenda What is REST? The Bookmark Example Principles of REST

RESTful Web Services Stefan Marr Agenda What is REST? The Bookmark Example Principles of REST

RESTful Web Services Stefan Marr Agenda What is REST? The Bookmark Example Principles of REST Web Service Design Semantic of HTTP/1.1 Operations SOAP vs. REST Style Assets and Drawbacks Security Public Web Services HPI, Seminar Advanced

330 views • 10 slides
Amazon Confidential 7/11/2019 Amazon Confidential Security | Accurate Delivery | Cost Savings

Amazon Confidential 7/11/2019 Amazon Confidential Security | Accurate Delivery | Cost Savings

Amazon Confidential 7/11/2019 Amazon Confidential Security | Accurate Delivery | Cost Savings Increase Building Security Improperly delivered packages are at risk for theft. Drafting of residents through gates and doors cannot be

376 views • 13 slides
Amazon Web Services Amazon Web Services Thilina Gunarathne Salsa Group, Indiana University.

Amazon Web Services Amazon Web Services Thilina Gunarathne Salsa Group, Indiana University.

Introduction to Amazon Web Services Amazon Web Services Thilina Gunarathne Salsa Group, Indiana University. With contributions from Saliya Ekanayake. Introduction Fourth Paradigm Data intensive scientific discovery DNA Sequencing

649 views • 47 slides
Outline What is ReST ? Constraints in ReST REST Architecture Components Features of

Outline What is ReST ? Constraints in ReST REST Architecture Components Features of

Outline What is ReST ? Constraints in ReST REST Architecture Components Features of ReST applications Example of requests in REST & SOAP Complex REST request REST Server response Real REST examples REST Design

603 views • 34 slides
Introduction to Amazon Web Services Rob Amos - rob@salsadigital.com.au r.bok.im/5 @bok_

Introduction to Amazon Web Services Rob Amos - rob@salsadigital.com.au r.bok.im/5 @bok_

Introduction to Amazon Web Services Rob Amos - rob@salsadigital.com.au r.bok.im/5 @bok_ Owning the Stack Amazon Web Services Overview AWS SDK for iOS Alternative SDK The strategy today is simple: In order to move fast, build

821 views • 50 slides
Relational Document Time Series Amazon Aurora Amazon DocumentDB Amazon Timestream Graph

Relational Document Time Series Amazon Aurora Amazon DocumentDB Amazon Timestream Graph

Relational Document Time Series Amazon Aurora Amazon DocumentDB Amazon Timestream Graph Key-value Amazon RedShi Amazon Neptune Amazon DynamoDB Amazon RDS Ledger In-memory Amazon Quantum AWS Database Migration Amazon ElastiCache

612 views • 6 slides
IT Security Evaluation Why do we need security evaluation To provide a basis for specifying

IT Security Evaluation Why do we need security evaluation To provide a basis for specifying

IT Security Evaluation Why do we need security evaluation To provide a basis for specifying security expectations To verify that a computer product/system fulfills the requirements imposed on it To establish a metric for the degree

535 views • 19 slides
VMD & NAMD on Elastic Compute Cloud (EC2) instance of Amazon Web Services (AWS) Start VMD

VMD & NAMD on Elastic Compute Cloud (EC2) instance of Amazon Web Services (AWS) Start VMD

VMD & NAMD on Elastic Compute Cloud (EC2) instance of Amazon Web Services (AWS) Start VMD & NAMD AMI (once you have created your AWS account) AMI - Amazon Machine Image Amazon Marketplace - https://aws.amazon.com/marketplace/ Search for

709 views • 36 slides
More on Distributed Web Services: REST Architecture REST, or Representational State Transfer, is

More on Distributed Web Services: REST Architecture REST, or Representational State Transfer, is

Web Services REresentation State Transfer (REST) More on Distributed Web Services: REST Architecture REST, or Representational State Transfer, is a distributed communication architecture fast becoming the lingua franca for Cloud Computing. The

353 views • 17 slides
IN5320 RESTful Web Services Outline The REST Architectural Style HTTP - REST in practice

IN5320 RESTful Web Services Outline The REST Architectural Style HTTP - REST in practice

IN5320 RESTful Web Services Outline The REST Architectural Style HTTP - REST in practice RESTful web services RESTful web services compared to other web services and tools Why REST? Already worked with a RESTful API in the

838 views • 58 slides
REST API Security Jamie Wallace EBSCO LearningExpress Physics 25 Years in Software Director

REST API Security Jamie Wallace EBSCO LearningExpress Physics 25 Years in Software Director

REST API Security Jamie Wallace EBSCO LearningExpress Physics 25 Years in Software Director of Software Development What is REST? Security? Solutions Implementation What is REST? Security? Solutions Implementation What is REST?

908 views • 57 slides
Topics RPC vs. REST: What's the What makes an API truly REST best practices difference

Topics RPC vs. REST: What's the What makes an API truly REST best practices difference

Topics RPC vs. REST: What's the What makes an API truly REST best practices difference and why does it RESTful? (Constraints and (common problems and matter? interface) their solutions) Planning and developing Drupal services

632 views • 28 slides
1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

Course Overview Course Requirements EECS 498-7/8 Cryptography and Network Security: www.citi.umich.edu/u/honey/security Principles and Practice (Third Edition) Computer Security Monday & Friday, 9:00 10:30 William Stallings

670 views • 19 slides
Developing Checkpointing and Recovery Procedures with the Storage Services of Amazon Web Services

Developing Checkpointing and Recovery Procedures with the Storage Services of Amazon Web Services

Developing Checkpointing and Recovery Procedures with the Storage Services of Amazon Web Services Luan Teylo 1 , Rafaela C. Brum 1 , Luciana Arantes 2 , Pierre Sens 2 and Lcia M. A. Drummond 1 1 Federal Fluminense University - IC/UFF 2 Sorbonne

861 views • 28 slides
Filesystems for Cloud Services Amazon Holiday Traf fi c

Filesystems for Cloud Services Amazon Holiday Traf fi c

Filesystems for Cloud Services Amazon Holiday Traf fi c https://www.mediapost.com/publications/article/312409/from-cyber-monday-to-cyber-month-the-broadening-o.html Amazon Holiday Traf fi c This is only a 12-day outlook! The peak is likely much

695 views • 38 slides
New Generic Attacks on Hash-based MACs G. Leurent (Inria) New Generic Attacks on Hash-based MACs

New Generic Attacks on Hash-based MACs G. Leurent (Inria) New Generic Attacks on Hash-based MACs

Introduction New generic attacks HMAC-GOST key-recovery Conclusion New Generic Attacks on Hash-based MACs G. Leurent (Inria) New Generic Attacks on Hash-based MACs Asiacrypt 2013 1 / 22 . . . . . . . . . . . . . . . . . Gatan Leurent,

759 views • 52 slides
SSUSH19 H19 The e stu tudent dent will ill id identif entify y th the e origins, or

SSUSH19 H19 The e stu tudent dent will ill id identif entify y th the e origins, or

SSUSH19 H19 The e stu tudent dent will ill id identif entify y th the e origins, or gins, major or dev evelopments, elopments, and d th the e dom omes estic tic impa pact ct of of Wo World ld Wa War II, es especial

993 views • 42 slides
What do we do in GCSE History? YEAR 10 YEAR 11 Superpower relations and Crime and Punishment

What do we do in GCSE History? YEAR 10 YEAR 11 Superpower relations and Crime and Punishment

What do we do in GCSE History? YEAR 10 YEAR 11 Superpower relations and Crime and Punishment the Cold War 1941-1991 Main features of C&P in Britain from the Middle Ages through to the present day. It Early tensions between

308 views • 7 slides
SYMBOL OF NAZI PARTY THE NAZI WORLD VIEW

SYMBOL OF NAZI PARTY THE NAZI WORLD VIEW

SYMBOL OF NAZI PARTY THE NAZI WORLD VIEW

610 views • 24 slides
BIND, from ISC Name Server Round Table ccNSO, ICANN 50 23 June 2014 BIND use cases 2013 BIND

BIND, from ISC Name Server Round Table ccNSO, ICANN 50 23 June 2014 BIND use cases 2013 BIND

BIND, from ISC Name Server Round Table ccNSO, ICANN 50 23 June 2014 BIND use cases 2013 BIND support subscriptions BIND is the Swiss Army Education, knife of DNS software. 3% It is intended to work for TLD, 11% any use case

419 views • 6 slides
2019 SMP Packages 1-V Sira Guajardo, P.E. Mariya Kret, P.E. Pipelines Governmental Janie

2019 SMP Packages 1-V Sira Guajardo, P.E. Mariya Kret, P.E. Pipelines Governmental Janie

2019 SMP Packages 1-V Sira Guajardo, P.E. Mariya Kret, P.E. Pipelines Governmental Janie Powell Contract Administrator Jonathan Miranda, MSJP Contract Administrator Pre-Bid Meeting Monday, August 6, 2018 August 6, 2018 Page 2 Oral

638 views • 48 slides
Public Information Meeting Davis Pressure Plane Expansion Phase 1 Project No. WUOP16011 January

Public Information Meeting Davis Pressure Plane Expansion Phase 1 Project No. WUOP16011 January

Public Information Meeting Davis Pressure Plane Expansion Phase 1 Project No. WUOP16011 January 31, 2018 Ms. Lana Wolff City of Arlington City Council Member (District 5) (817) 459-6122 Keith Hamby City of Arlington Construction Inspector

248 views • 13 slides
Virtual Private Networks -Prekshu Ajmera Virtual Private Network Internet runs on public

Virtual Private Networks -Prekshu Ajmera Virtual Private Network Internet runs on public

Virtual Private Networks -Prekshu Ajmera Virtual Private Network Internet runs on public lines that are insecure Need to communicate securely Private lines : costly option VPN Secure private communications over public

671 views • 27 slides

More recommend