security on cloud storage and iaas
play

Security on cloud storage and IaaS at Taiwan-Japan Workshop - PowerPoint PPT Presentation

Jan 16, 2023 •113 likes •350 views

Resea earch I Institut ute e for or Se Secure Sy Systems Security on cloud storage and IaaS at Taiwan-Japan Workshop 2012/Nov/27 http://www.jst.go.jp/sicp/ws2012_nsc.html Kuniyasu Suzaki Research Institute for Secure Systems (RISEC)

  1. Resea earch I Institut ute e for or Se Secure Sy Systems Security on cloud storage and IaaS at Taiwan-Japan Workshop 2012/Nov/27 http://www.jst.go.jp/sicp/ws2012_nsc.html Kuniyasu Suzaki Research Institute for Secure Systems (RISEC) National Institute of Advanced Industrial Science and Technology (AIST)

  2. Overview of Security on Resea earch I Institut ute e IaaS Cloud Computing for or Se Secure Sy Systems Internet App1 App2 App3 (Secure communication) man in the middle attack OS1 OS2 OS3 Formal Verification To take high level EAL Client User (Evaluation Assurance • ID, Password, Secret Key Level) Mem Mem Mem management CPU CPU CPU • Software vulnerability Software Vulnerability Security update ・ Hypervisor Virtual Machine Monitor (hypervisor) ・ Management Host OS Memory CPU Vulnerable safe (un-mature) Security Guideline • CSA (Cloud Security Alliance) • Open Cloud Manifesto Auditing Standard • SAS70 Data Management • HIPAA • Information Leak Auditing • Information Loss • Digital Forensic • Information Erasure • Log

  3. My interests Resea earch I Institut ute e for or Se Secure Sy Systems • Sharing technologies (virtualization technologies) on IaaS are good for security? • Based on my papers [HotSec10], [EuroSec11], [EuroSec12] • Information leak / erase / loss on cloud storage • Funded by Strategic Information and Communications R&D Promotion Programme(SCOPE), Ministry of Internal Affairs and Communications (MIC).

  4. Sharing Technology Resea earch I Institut ute e for or Se Secure Sy Systems • Sharing is a key technology on Cloud computing, because it can reduce costs. It offers pseudo physical devices and shares same parts of devices. • Virtual Machine • VMware, Xen, KVM, etc. • Storage deduplication • Dropbox, EMC products, etc. • Memory deduplication

  5. Memory Deduplication Resea earch I Institut ute e for or Se Secure Sy Systems • Memory deduplication is a technique to share same contents page. • Mainly used for virtual machines. • Very effective when same guest OS runs on many virtual machines. • Most memory deduplication are included in virtual machine monitors with different implementations. • VMware, Xen, and KVM have own memory deduplication Guest Pseudo Memory VM1 VM2 VM(n) Real Physical Memory

  6. Is Memory Deduplication Resea earch I Institut ute e good or bad for security? for or Se Secure Sy Systems (1) Good • From logical sharing to physical sharing [HotSec10] (2) Bad • Cross-VM Side Channel Attack [EuroSec11] • Cause Information leak (3) Good or Bad • Affects to current security functions (Address Space Layout Randomization, Memory Sanitization, Page Cache Flushing) [EuroSec11]

  7. (1) Logical Sharing Resea earch I Institut ute e for or Se Secure Sy Systems • Current OSes use logical sharing technique to reduce consumption of memory. • “Dynamic-Link Shared Library” • Unfortunately, it includes vulnerabilities caused by dynamic management. • Search Path Replacement Attack • GOT (Global Offset Table) overwrite attack • Dependency Hell • Etc.

  8. (1) Solution, and further Resea earch I Institut ute e problem for or Se Secure Sy Systems • These vulnerabilities are solved by static-link in general, but it increase consumption of memory. • Fortunately, the increased consumption is mitigated by memory deduplication on IaaS. • It looks easy to solve the problem, but … • Current applications assume dynamic-link and are not re-compiled as static-link easily. • Dynamic-link is used for avoiding license contamination problems. The programs includes “ dlopen() ” to call dynamic link explicitly.

  9. (1) From Logical sharing Resea earch I Institut ute e to physical sharing for or Se Secure Sy Systems • Instead of static link, we proposed to use “self-contained binary translator” which integrates shared libraries into an ELF binary file. [HotSec’10] • The ELF binaries become fatter than static link, but the redundancy is shared by physical sharing (memory deduplication). • OSes on a cloud can increase security.

  10. (2) VM Side Channel Attack Resea earch I Institut ute e for or Se Secure Sy Systems • Memory deduplication is vulnerable for side channel attack. • The vulnerable is caused by Copy-On-Write of memory deduplication. • Copy-On-Write is a common technique to manage shared contents, but it became a Covert Channel for Information Leak.

  11. (2) Copy-On-Write (COW) Resea earch I Institut ute e for or Se Secure Sy Systems • When a write access is issued to a deduplicated page, a same contents page is created and accepts write access. This action is logically valid, but … • Write access time difference between deduplicated and non-deduplicated pages due to copying. Guest Pseudo Memory Attacker can guess VM1 VM2 VM1 VM2 Write Access existence of same (victim) (attacker) (victim) (attacker) contents on other VM. Real Physical Memory Re-created page cases access time difference

  12. (2) Attacking problem Resea earch I Institut ute e for or Se Secure Sy Systems • Cross VM side channel attack looks simple, but there are some problems. ① 4KB Alignment problem • Attacker must prepare exact same pages in order to guess victim’s contents. ② Self-reflection problem • Caused by redundant memory management on cache and heap. Attacker has a false-positive result. ③ Run time modification problem • Caused by swap-out, etc. Attacker has a false- negative result. • The attacking methods and countermeasure are mentioned in [EuroSec11].

  13. (3) Affects of OS Security functions on memory deduplication Resea earch I Institut ute e for or Se Secure Sy Systems • Modern OSes have security functions that modify memory contents dynamically. 1. Address Space Layout Randomization (ASLR) 2. Memory Sanitization • Pages are zero-cleared. Increase deduplication. 3. Page Cache Flushing • Useful to remove redundant pages. • These security functions are affected by memory deduplication.

  14. (3) Affects on Security Resea earch I Institut ute e Functions for or Se Secure Sy Systems • ASLR looks to be independent of memory deduplication because the contents are not changed on memory. However it increased consumption of memory, because It made different page tables. • Memory Sanitization and Page Cache Flushing increase zero-cleared pages and help memory deduplication. However, the costs are heavy and they decreased performance severely. The detail is written in my paper [EuroSec’12]

  15. Summary: Resea earch I Institut ute e OS on sharing technology for or Se Secure Sy Systems • Memory deduplication on cloud computing have a potential to change the structure of OS from the view of secuirty. • It will differ from OSes on devices (PC, Smartphone, etc), because OSes interact each other on IaaS. • The OS on IaaS should take care of security and performance on the environment which shares resources with others.

  16. Data management Problem Information Leak Resea earch I Institut ute e for or Se Secure Sy Systems • Information leak does not occur on network. • Secure communication (ssh, SSL/TLS, etc) is established between client and server, and it is not easy to attack. • Most information leaks on cloud storage occur on both edge machines (servers and clients) • On server Admin • Gmail Administrator read use’s contents (2010) • Dropbox had a bug to allow access with no Secure pass word (2011) Comm • On Client • P2P File sharing Mis-config • (Japanese “Winny”) (2003 ~ ) User Uploader

  17. Our proposal Resea earch I Institut ute e for or Se Secure Sy Systems • Virtual Jail Storage System (VJSS) • On Server: • Data are encrypted and cut a split tally. • It mean that whole content of file are not upload. Even if the all uploaded data are gathered, the full contents are not reconstructed. • Data are also coded by Reed-Solomon and uploaded on some servers. It works for fault tolerance. × • On Client: Admin • Original file is reconstructed with the split tally. • Files are under access-control. Files are × prohibited copying, printing, and screen cut&paste. Mis-config User Uploader

  18. Overview of VJSS Resea earch I Institut ute e for or Se Secure Sy Systems Original Sever Side × Provider A Provider B Provider C Provider D Encryption Crash × AONT: All or Nothing Transform Tally Encoding Read Solomon (3:4) Split tally Small part of Client Side Network encrypted file is cut Printer and stored in a client. Decoding Cut&Paste + Tally NonCopy Decryption VJSS (Jail Storage) Storage

  19. Deploying Plan Resea earch I Institut ute e (Against Disaster) for or Se Secure Sy Systems Hokkaido • Japan had a heavy natural disaster last (Sapporo) year. The deploying plan considers location against disaster. • Collaborate with Japanese providers. Tsukuba • Hokkaido Telecommunication Network • Tokyo - Hokkaido(Sapporo) 1,000km • Dream Arts Okinawa • Tokyo - Okinawa 1,500km • Severs for VJSS will be located at the southern and northern edges of Japan in order to prevent natural disasters. Okinawa Taiwan

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Cloud Security Today Presenter: Jason Sheffield Topics What are the issues today? What is the

Cloud Security Today Presenter: Jason Sheffield Topics What are the issues today? What is the

Cloud Security Today Presenter: Jason Sheffield Topics What are the issues today? What is the Cloud? How the Cloud is delivered: Iaas, PaaS and SaaS Cloud security challenges and risk Current Cloud security report Cloud security technology

302 views • 27 slides
Placement Security of New IaaS Cloud Providers SCSE01 Pan Yue Mentor: Dr. Ta Nguyen Binh Duong

Placement Security of New IaaS Cloud Providers SCSE01 Pan Yue Mentor: Dr. Ta Nguyen Binh Duong

A Method for Evaluating Placement Security of New IaaS Cloud Providers SCSE01 Pan Yue Mentor: Dr. Ta Nguyen Binh Duong Overview Introduction to Problem Background research Experimental methodology Results and analysis Future development

838 views • 29 slides
9th TF Storage Meeting in Athens Open discussion on IaaS and clouds 9th TF Storage (&

9th TF Storage Meeting in Athens Open discussion on IaaS and clouds 9th TF Storage (&

9th TF Storage Meeting in Athens Open discussion on IaaS and clouds 9th TF Storage (& cloud) Meeting in Athens TF Storage goes to clouds: TF Storage meeting @TNC conclusions: Participants expressed the need for

525 views • 13 slides
Outline Get Off of My Cloud 8271 discussion of cloud computing security (combined)

Outline Get Off of My Cloud 8271 discussion of cloud computing security (combined)

Outline Get Off of My Cloud 8271 discussion of cloud computing security (combined) Administrative discussions Stephen McCamant University of Minnesota Multi-Cloud Oblivious Storage Old and new topics in security Cloud threats, old and new

645 views • 8 slides
Security Monitoring and Enforcement for the Cloud Model Aryan TaheriMonfared

Security Monitoring and Enforcement for the Cloud Model Aryan TaheriMonfared

Infrastructure Architecture for a Cloud IaaS Provider Software Defined Networking and Network Virtualization Network Monitoring Security Enforcement Inter-Domain Routing for Virtualized Networks Security Monitoring and Enforcement for the

795 views • 42 slides
Research in an Open Cloud Exchange CLOUD COMPUTING IS HAVING A DRAMATIC IMPACT On-demand

Research in an Open Cloud Exchange CLOUD COMPUTING IS HAVING A DRAMATIC IMPACT On-demand

Research in an Open Cloud Exchange CLOUD COMPUTING IS HAVING A DRAMATIC IMPACT On-demand access Economies of scale All compute/storage will move to the cloud? Todays IaaS clouds One company responsible for implementing and

1.11k views • 65 slides
Introduction to PaaS and IaaS Cloud Computing Roberto Beraldi Models for Cloud Computing

Introduction to PaaS and IaaS Cloud Computing Roberto Beraldi Models for Cloud Computing

Introduction to PaaS and IaaS Cloud Computing Roberto Beraldi Models for Cloud Computing (SaaS)Software as a Service XaaS (PaaS) Platform as a Service (IaaS) Infrastructure as a Service Models for cloud computing CC in a nutshell Cloud

1.15k views • 83 slides
Role and Attribute Based Collaborative Administration of Intra-Tenant Cloud IaaS (Invited Paper)

Role and Attribute Based Collaborative Administration of Intra-Tenant Cloud IaaS (Invited Paper)

Institute for Cyber Security Role and Attribute Based Collaborative Administration of Intra-Tenant Cloud IaaS (Invited Paper) Xin Jin, Ram Krishnan and Ravi Sandhu Institute for Cyber Security University of Texas at San Antonio October

494 views • 23 slides
Security in the Age of Cloud Kaushik Narayan CTO, Cloud Business Unit CASB Connect MVISION

Security in the Age of Cloud Kaushik Narayan CTO, Cloud Business Unit CASB Connect MVISION

Security in the Age of Cloud Kaushik Narayan CTO, Cloud Business Unit CASB Connect MVISION Cloud Innovation Pre- and Post-Acquisition Acquisition announced Expansion to IaaS Skyhigh API control: Sanctioned Apps Networks Custom Apps

565 views • 30 slides
Verifiability for Cloud Storage and Computation Melek nen July 5th, 2016 Lorient Joint

Verifiability for Cloud Storage and Computation Melek nen July 5th, 2016 Lorient Joint

Verifiability for Cloud Storage and Computation Melek nen July 5th, 2016 Lorient Joint work with Monir Azraoui, Kaoutar Elkhiyaoui, Refik Molva Cloud Outsourcing Storage and Computation Data storage Data processing [Cloud Security

393 views • 23 slides
Chapter 9 Cloud Security Contents Security in an interconnected world, cloud security

Chapter 9 Cloud Security Contents Security in an interconnected world, cloud security

Chapter 9 Cloud Security Contents Security in an interconnected world, cloud security risks. Attacks in a cloud environment, top threats. Security, a major concern for cloud users. Privacy. Trust. Operating systems

661 views • 38 slides
Cloud Storage Nabil Abdennadher nabil.abdennadher@hesge.ch 1 Cloud storage Objective

Cloud Storage Nabil Abdennadher nabil.abdennadher@hesge.ch 1 Cloud storage Objective

Cloud Storage Nabil Abdennadher nabil.abdennadher@hesge.ch 1 Cloud storage Objective Provide logical storage pools that abstract a more complex distributed infrastructure made of commodity hardware Separate storage service

627 views • 15 slides
Revenue Maximization with Dynamic Auctions in IaaS Cloud Markets Wei Wang, Ben Liang, Baochun Li

Revenue Maximization with Dynamic Auctions in IaaS Cloud Markets Wei Wang, Ben Liang, Baochun Li

Revenue Maximization with Dynamic Auctions in IaaS Cloud Markets Wei Wang, Ben Liang, Baochun Li Department of Electrical and Computer Engineering University of Toronto June 3, 2013 Saturday, 29 June, 13 Prevalent Pricing Schemes for IaaS

587 views • 21 slides
Security and Privacy for Cloud Computing Refik Molva Cloud Computing Outsourcing

Security and Privacy for Cloud Computing Refik Molva Cloud Computing Outsourcing

Security and Privacy for Cloud Computing Refik Molva Cloud Computing Outsourcing Storage Computation High availability No maintenance Decreased Costs Elasticity & Flexibility Security and Privacy for Cloud

529 views • 36 slides
PICS: A Public IaaS Cloud Simulator In Kee Kim , Wei Wang, and Marty Humphrey Department of

PICS: A Public IaaS Cloud Simulator In Kee Kim , Wei Wang, and Marty Humphrey Department of

PICS: A Public IaaS Cloud Simulator In Kee Kim , Wei Wang, and Marty Humphrey Department of Computer Science University of Virginia 1 Motivation how best to use cloud Actual Deployment Based Evaluation . . . 1. Deploying small-scale test

578 views • 25 slides
Best Practices for Migrating MySQL to the Cloud Juan Pablo Arruti Percona Agenda IaaS vs

Best Practices for Migrating MySQL to the Cloud Juan Pablo Arruti Percona Agenda IaaS vs

Best Practices for Migrating MySQL to the Cloud Juan Pablo Arruti Percona Agenda IaaS vs DBaaS Migrating Data Replication between On-Premises and Cloud Testing Cloud Environments High Availability Monitoring

885 views • 59 slides
The Internet of Things and the DNS Jacques Latour / SSAC ICANN65 | June 2019 | 1 Introduction

The Internet of Things and the DNS Jacques Latour / SSAC ICANN65 | June 2019 | 1 Introduction

The Internet of Things and the DNS Jacques Latour / SSAC ICANN65 | June 2019 | 1 Introduction | 2 | 2 Security and Stability Advisory Committee (SSAC) Who We Are What We Do Role: Advise the ICANN community and 39 Members Board on

385 views • 15 slides
Characterisation and Estimation of the Key Rank Distribution in the Context of Side Channel

Characterisation and Estimation of the Key Rank Distribution in the Context of Side Channel

Characterisation and Estimation of the Key Rank Distribution in the Context of Side Channel Evaluations https://github.com/bristol-sca/labynkyr December 7, 2016 Daniel P. Martin, Luke Mather, Elisabeth Oswald, Martijn Stam Cryptography Group,

516 views • 34 slides
Open Source Developers are Securitys new front line A shifting landscape of attacks Ilkka

Open Source Developers are Securitys new front line A shifting landscape of attacks Ilkka

Open Source Developers are Securitys new front line A shifting landscape of attacks Ilkka Turunen Global Director, Sonatype @llkkaT 20XX: Software has eaten the world It used open source to chew it up Everyone has a software supply

1.25k views • 59 slides
Energy-Efficient ARM64 Cluster with Cryptanalytic Applications 80 Cores That Do Not Cost You an

Energy-Efficient ARM64 Cluster with Cryptanalytic Applications 80 Cores That Do Not Cost You an

Energy-Efficient ARM64 Cluster with Cryptanalytic Applications 80 Cores That Do Not Cost You an ARM and a Leg Latincrypt 2017, 21st September 2017 1/19 Thom Wiggers Outline Introduction Building a cheap cluster The Cortex-A53 Breaking ECC

741 views • 70 slides
Protection of cryptographic keys recodings against physical attacks Supervisor: Author: Simon

Protection of cryptographic keys recodings against physical attacks Supervisor: Author: Simon

Protection of cryptographic keys recodings against physical attacks Supervisor: Author: Simon RASTIKIAN Arnaud TISSERAND 2 = 3 PLAN Introduction Elliptic Curve Cryptography Side Channel Attacks

473 views • 33 slides
Missile External Aerodynamics Using Star-CCM+ Star European Conference 03/22-23/2011

Missile External Aerodynamics Using Star-CCM+ Star European Conference 03/22-23/2011

Missile External Aerodynamics Using Star-CCM+ Star European Conference 03/22-23/2011 StarCCM_StarEurope_2011 4/6/11 1 Overview 2 Role of CFD in Aerodynamic Analyses Classical aerodynamics / Semi-Empirical Bound the problem

334 views • 21 slides
Selecting the Best Team for Your Next Project NJASBO - Facilities Cracker Barrel Wyndham Garden,

Selecting the Best Team for Your Next Project NJASBO - Facilities Cracker Barrel Wyndham Garden,

Selecting the Best Team for Your Next Project NJASBO - Facilities Cracker Barrel Wyndham Garden, Mount Olive, NJ February 25, 2009 Holiday Inn, Runnemede, NJ March 03, 2009 Presenters Chuck Romanoli, CCM Chief Operating Officer

519 views • 24 slides
Kingsgate Kingsgate Consolidated Limited Consolidated Limited 2005/06 Full Year Financials

Kingsgate Kingsgate Consolidated Limited Consolidated Limited 2005/06 Full Year Financials

Kingsgate Kingsgate Consolidated Limited Consolidated Limited 2005/06 Full Year Financials 2005/06 Full Year Financials A Cracker Result A Cracker Result With Responsible Low Cost Growth With Responsible Low Cost Growth

251 views • 24 slides

More recommend