PPT - Computer Science at Rutgers

Download Report

Transcript PPT - Computer Science at Rutgers

CS419 – Computer Security
Cloud Computing and Virtual Machines
Everyone is moving to the
“cloud.” What is it?
Everyone is moving to the
“cloud.” What is it?
Cloud computing:
Applications delivered as services over the internet
Hardware and systems software in the data centers
By 2015, 90% of government agencies and large
companies will use the cloud [Gartner, “Market Trends:
Application Development Software, Worldwide, 2012-2016,” 2012]
Many new companies & services rely exclusively
on the cloud, e.g., Instagram, MIT/Harvard EdX
[NYTimes, “Active in Cloud, Amazon Reshapes Computing,” Aug 28, 2012]
SaaS, PaaS, and IaaS
Infrastructure as a Service
Infrastructure: server, storage, network,
data center…
User does not manage underlying cloud
infrastructure
User specify when to request and release
resources
Example: Amazon EC2
Software as a Service
Browser-initiated application software
User: no upfront investment in services or
software licensing
Provider: low costs
Example: Google Apps
Platform as a Service
Between IaaS and SaaS
Enables user to deploy user-built
applications onto a virtualized cloud
platform
Example: Windows Azure
Cloud Computing
Infrastructure
Local computing (left figure)
Cloud computing (right figure)
Cloud Computing
Infrastructure
Multiplexing VMs on the same physical
hardware (potential threat!)
Benefits and risks
Benefits
Economics of scale: huge data center
Low capital expenditure
Dynamic provisioning (under utilize or
saturation)
Benefits and risks
Risks
Inherited risk between client and cloud
provider
Stable? Trustworthy?
Implicit threat from other clients due to
shared physical resources
Key enabler: Virtualization
What is a virtual machine?
How does virtualization work?
What are the types of virtualization?
VM
Hosted virtualization: The
“familiar” model of virtualization
Guest Guest
app
app
Guest OS
Host
app
Host
app
Host
app
Host operating system
Hardware
Bare-metal virtualation
Guest Guest
app
app
Guest Guest
app
app
Guest OS
Guest OS
Guest
app
Guest
app
Guest
OS
Guest
OS
Hypervisor
Hypervisor
Hardware
14
Let us work with bare-metal
virtualization
• Virtual machine monitor (VMM), also called a
hypervisor virtualizes system resources
– Runs directly on hardware
– Provides interface to give each program running
on it the illusion that it is the only process on the
system and is running directly on hardware
– Provides illusion of contiguous memory beginning
at address 0, a CPU, and secondary storage to
each program
Privileged Instructions
1. VMM running operating system o, which is
running process p
– p tries to read—privileged operation traps to
hardware
2. VMM invoked, determines trap occurred in o
– VMM updates state of o to make it look like
hardware invoked o directly, so o tries to read,
causing trap
3. VMM does read
– Updates o to make it seem like o did read
– Transfers control to o
Privileged Instructions
4. o tries to switch context to p, causing
trap
5. VMM updates virtual machine of o to
make it appear o did context switch
successfully
– Transfers control to o, which (as o
apparently did a context switch to p) has
the effect of returning control to p
Privilege and VMs
• Sensitive instruction discloses or alters
state of processor privilege
• Sensitive data structure contains
information about state of processor
privilege
When Is VM Possible?
• Can virtualize an architecture when:
1. All sensitive instructions cause traps
when executed by processes at lower
levels of privilege
2. All references to sensitive data
structures cause traps when executed
by processes at lower levels of privilege
Multiple Levels of Privilege
• Hardware supports n levels of privilege
– VM must also support n levels
– VM monitor runs at highest level, so n–1
levels of privilege left!
• Solution: virtualize levels of privilege
– Called ring compression
Why does virtualization enable
cloud computing?
• Hypervisor isolates virtual machines
from each other.
• But are they really isolated? We will
see next.
• Administrative virtual machine (Dom0)
has a view of other virtual machines
• Enables host-based intrusion detection
with good isolation!
Cloud computing threats
Can the confidentiality of VMs within
compute clouds be compromised?
Who is the adversary?
• The cloud provider (Amazon/Microsoft)
• Co-resident cloud tenants
This slide was from Bo Sun for the ACM Conference on Computer and Communications Security 2009
22
Threats from cloud provider
Currently, not much we can do. Implicitly
trust the cloud provider.
Encrypt data in VMs, but need to bring it
“home” to decrypt and perform
computations on it. Defeats the purpose
of cloud computing.
BUT….
Now is a very exciting time in cloud computing
security research. Two major developments:
1. Homomorphic encryption and its variants.
•
Allows encrypted data to be directly
manipulated within the cloud
2. The Intel SGX chip, announced in
2013/2014. Expected to ship in 2016.
•
Allows clients to create “enclaves” that can
protect data from the cloud provider
Threats from co-resident VMs
Placement
Placing adversary’s VM on the physical machine
which hosts the victim’s VM
Attacker-Victim VM Co-residence Strategy
Proving Co-residence
Extraction
Extract confidential information
Via “Manipulation of shared physical resource”
“Information Leakage”
Side channel Attacks
Threat Model
Adversaries are non-provider-affiliated
malicious third party
Victims are running confidentiality-requiring
services in the cloud
Attackers who are either interested in
attacking some known hosted services or
attacking a particular victim service
Enabled by cloud computing relying on same
physical computing resources
Probing and Attacking
Strategy
Can one determine where in the cloud
infrastructure an instance is located?
Can one easily determine if two instances are
co-resident on the same physical machine?
Can an adversary launch instances that will be
co-resident with other user’s instances?
Can an adversary exploit cross-VM information
leakage once co-resident?
Amazon AWS and EC2
Best known as Amazon Web Service and
Elastic Cloud Computing
Flexibly rent computing resources (on
demand)
Ability to run VMs with guest OSs as
Linux/Ubuntu/FreeBSD/OpenSolaris/Windo
ws
Xen hypervisor and Domain0 (previlieged
VM) to manage guest images, resource
provisioning and access control
Amazon EC2
Register Amazon AWS account
Creates VM images with your choice of OS
Bring up one or more instances of VM
images
Amazon EC2
Three degrees of freedom in specifying
physical infrastructure where instances
should run
Regions (US, Europe, Asia, etc.)
Availability zones (Power/Network connectivity)
Instance type (micro, small, medium, large,
xlarge) 32/64bit with different computing
power/memory/storage capacity
VMs placed on available physical servers
shared by multiple instances
Amazon EC2
VMs have access to many network
probing tools
nmap, hping, wget
Arbitrary attack code which attacks other
guest OS (VM instances)
External vs. internal probes
Cloud Cartography
Map the EC2 service to understand where
potential targets are located in the cloud
Hypothesis – availability zones and
instant types respond to different
internal IP addresses
Methods
Surveying public servers on EC2
Launching various types of EC2
Fuller map of EC2
Public EC2 IP address: 14054 unique
internal IPs responsive to port 80/443
IPs from same /16 are of the same zone
/24 containing a Dom0 IP address
Cloud Cartography
Mapping Significance
• Showed that internal IPs were assigned
correlates with zone and VM type
• Adversary can infer zones and instances
types of the target
• Such patterns can be exploited to ensure
maximum likelihood of Co-residence
• Prevention of mapping
– Remove clustering based on zone & VM type
– Make it harder to map external/internal IPs
• VLANs and bridging
Co-residence Proof
Matching Dom0 IP address
Small packet round-trip times
Numerically close internal IP address
Co-residence Proof
Matching Dom0 IP
Special-privileged “first guest OS”, which
manages routing of traffic to other guest VMs
Using two traceroute to identify
First hop = attacker instance’s Dom0 IP
Last hop = victim instance’s Dom0 IP
Done on a different physical machine
31 out of 400 pairs of instances found that have
equal domain address
Co-residence Proof
Round trip times
Lower in
Co-resident
instances
Numerically close IPs within 7
Only 8 VM instances on a physical machine
Co-residency Obfuscation
Dom0 does not respond to traceroute
Randomly assign internal IP address
Isolate accounts
What to do with co-residence?
Side channels to learn information about coresident instances
Other channels: network access, CPU branch predictors
and instruction caches, DRAM memory bus, etc
Prime + Trigger + Probe measurement technique
Prime: Read B at s-byte offsets in order to ensure it is
cached
Trigger: Busy-loop until the CPU’s cycle counter jumps by
a large value
Probe: Measure the time it takes to again read B at s-byte
offsets.