Understanding Information Leakage in Cloud Computing

Slide Note
Embed
Share

Explore the threats of multi-tenancy in cloud computing, focusing on determining instance location, co-residency, and potential information exploitation. Research questions investigate these aspects using Amazon EC2 as a case study.


Uploaded on Sep 22, 2024 | 0 Views


Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript


  1. Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds Written by : Thomas Ristenpart, Eran Tromer, Hovav Shacham, Stefan Savage Presented by: Ibrahim Elsayed

  2. Overview What is the cloud? New threats in cloud computing Research questions Experiment Explore cloud infrastructure. Determine co-residency. Achieve co-residency. Exploit information. What can we do? Conclusion

  3. Cloud Computing What is the cloud? The new infrastructure for hosting data and deploying software and services. Benefits Cost Savings Scalability Flexibility

  4. Cloud Computing On-demand computing outsourcing Examples: Amazon s EC2 (Elastic Compute Cloud) Microsoft s Azure Service Platform Rackspace s Mosso New Threats: Trust relationship between customer and cloud provider Multi-tenancy (security threat)

  5. Multi-tenancy Your instance is placed on the same server with other customers

  6. Research Motivation Explore the threats of multi-tenancy in cloud computing Provide experimental results of the impact of these threats using a real cloud service provider (Amazon EC2) as a case study

  7. Research Questions Can one determine where in the cloud infrastructure an instance is located? Can one easily determine if two instances are co-resident on the same physical machine? Can an adversary launch instances that will be co-resident with other user s instances? Can an adversary exploit cross-VM information leakage once co-resident?

  8. AMAZON ELASTIC COMPUTE CLOUD - EC2 Scalable, pay-as-you-go compute capacity in the cloud Customers can run different operating systems within a virtual machine Different regions and availability zones

  9. Attack The attack considered requires two main steps: 1- Placement Place a malicious VM on the same physical machine as that of the victim 2- Extraction extract confidential information from the victim via a side channel attack

  10. Attacker Not affiliated with the provider (third-party user) Can run many instances at the same time o Can create multiple accounts o Up to 20 instances per account

  11. Cloud Cartography Try to learn about how Amazon places instance in order to carry out the attack Each instance assigned internal and external IP address Review addresses assigned to a large number of launched instances

  12. Determining Co-Residence Co-resident: instances running on same machine Network-based co-residence checks: Matching (host domain) Dom0 IP address Small packet round-trip times 10 RTTs 1st always slow Use last 9 Numerically close internal IP address (within 7)

  13. Achieving co-residency Two main techniques are presented to become co- resident with another user: - Brute Force launch many instances over a relatively long period of time. - Abusing Placement Locality Target recently launched attacks.

  14. Brute-Force Placement Launch many instances within a time frame If co-resident, successful placement Else, terminate probe instance Of 1686 target victims co-residence achieved with 141 victim servers ( 8.4% coverage of targets). Max 20 simultaneous instance for one account. Allows reasonable success rate when used to target large target sets

  15. Placement Locality Recall that one of the main features of cloud computing is to only run servers when needed. This suggests that servers are often run on instances, terminated when not needed, and later run again. The key idea is to catch the time at which the victim turns on (relaunches) his instance.

  16. EC2 Placement Policy Placement locality Sequential placement locality - Two instance run sequentially are often assigned to the same machine (one starts after one terminated). Parallel placement locality - Two instance from distinct accounts run roughly at the same time are often assigned to the same machine.

  17. Placement Locality Attack recently launched instances (temporal locality). Monitor a server s state (e.g., via network probing). Launch lots of instances right after the launch of victim s instance. Experiment Single victim instance is launched Attacker launches 20 instances within 5 minutes (in appropriate zone and type) Perform co-residence check

  18. Placement Locality Experiments achieved an 40% coverage of targets.

  19. Exploiting co-residence CPU contains small and fast memory cache shared by all instances .

  20. Exploiting co-residence CPU contains small and fast memory cache shared by all instances . If the attacker accesses the memory, it is served from the cache

  21. Exploiting co-residence CPU contains small and fast memory cache shared by all instances . If the attacker accesses the memory, it is served from the cache if the victim accesses the memory, the cache fills up and the attacker notices a slow-down

  22. Exploiting co-residence Time-shared cache allows an attacker to measure when other instances are experiencing computational load Web traffic monitoring

  23. Exploiting co-residence Also, the attacker can deduce the memory access patterns of the victim Example: if the victim is performing RSA or AES decryption, the access patterns are determined by the secret key Attacker can steal AES secret key in 65 milliseconds

  24. Keystroke timing attack Cache load measurements used to mount a keystroke attack The goal is to measure the time between keystrokes made by a victim typing a password Report a keystroke when the probing measurement is between 3.1 s and 9 s (upper threshold filters out unrelated activity) Inter-keystroke times if properly measures can be used to perform recovery of the password

  25. Inhibiting Side-Channel Attacks Blinding techniques Cache wiping, random delay insertion, adjust machine s perception of time But, are these effective? Usually, impractical and application specific May not be possible to PLUG all side-channels Only way: AVOID co-residence

  26. Research Questions - Answered Can one determine where in the cloud infrastructure an instance is located? - Yes. Can one easily determine if two instances are co-resident on the same physical machine? - Yes. Can an adversary launch instances that will be co-resident with other user s instances? - Yes. Can an adversary exploit cross-VM information leakage once co-resident? - Sort of.

  27. Summary New risks from cloud computing exposed Shared physical infrastructure may and most likely will cause problems Practical attack performed Suggested countermeasure

  28. Resources https://cse.sc.edu/~huangct/CSCE813F15/CCS09_clou dsec.pdf https://eprint.iacr.org/2005/271.pdf http://rump2009.cr.yp.to/8d9cebc9ad358331fcde611bf4 5f735d.pdf http://zoo.cs.yale.edu/classes/cs722/2011/esyta_cloud. pdf

Related


More Related Content