Transcript Document
Hey, You, Get Off of My Cloud:
Exploring Information Leakage in
Third-Party Compute Clouds
Authors: Thomas Ristenpart, et at.
Defended by Vaibhav Rastogi and Yi Yang
Introduction
• Introduction
• EC2 Service, Network Probing
• Attacking Steps
– Cloud Cartography
– Placement
– Extraction
• Discussion
Traditional system security mostly
means keeping bad guys out.
The attacker needs to either
compromise the auth/access control
system, or impersonate existing
users
But clouds allow co-tenancy :
Multiple independent users
share the same physical
infrastructure
So, an attacker can legitimately
be in the same physical machine
as the target.
How to find out where the
target is located
How to be co-located with
the target in the same
(physical) machine
How to gather information
about the target
Exploring Information Leakage in
Third-Party Compute Clouds
• First work on cloud cartography
• Attack launched against commercially
available “real” cloud (Amazon EC2)
• Up to 40% success in co-residence with target
VM
• Cloud infrastructure provider is trustworthy
• Cloud insiders are trustworthy
• Attacker is a malicious third party who can
legitimately the cloud provider as a client
Threat: An attacker’s instances can run on the same
physical hardware as potential victims. Therefore, the
attacker might manipulate shared physical resources
(eg. CPU caches, network queues, etc) to learn
otherwise confidential information.
Attack Tasks
• Map the cloud infrastructure to find where the
target is located
• Use various heuristics to determine co-residency
of two VMs
• Launch probe VMs trying to be co-resident with
target VMs
• Exploit cross-VM leakage to gather information
about target
The EC2 Service
• The EC2 service enables users to flexibly rent
computational resources for use by their applications.
• A privileged virtual machine, called Domain0, is
configured to route packets for its guest images and
reports itself as a hop in traceroutes.
• 2 Regions, 3 Availability zones, 5 instance types.
• Each instance has one internal IP and one external IP.
Both are static. For example:
– External IP: 75.101.210.100
– Internal IP: 10.252.146.52
[Figures from Xen Wiki]
Network Probing
• Nmap, hping, wget for network probing
• Nmap is a security scanner used to discover hosts and
services on a computer network, thus creating a "map" of
the network.
• hping is a packet generator and analyzer for the TCP/IP
protocol.
• Wget is a computer program that retrieves content from
web servers.
By using such tools, we can understand VM
placement in the EC2 system and provide
evidence of co-residence.
Finding: Different availability zones correspond
to different internal IP address ranges;
Finding: same instance type within the same zone
= similar IP regions
Task 2: Determining co-residence
• Check to determine if a given VM is placed in the
same physical machine as another VM
• Instances are likely co-resident if they have
(1) matching Dom0 IP address,
(2) small packet round-trip times, or
(3) numerically close internal IP addresses (e.g.
within 7).
Task #3: Making a probe VM co-resident with target
VM
Brute force scheme
– Idea: figure out target’s availability zone and type
– Launch many probe instances in the same area
– Success rate: 8.4%, but on large target set
14
Task #3: Making a probe VM co-resident with
target VM
Smarter strategy: utilize locality
– Idea: VM instances launched right after target are
likely to be co-resident with the target
– Success rate: 40%!
15
Task #3: Making a probe VM co-resident with
target VM
Window of opportunity is quite large, measured in
days
16
Task #4: Gather leaked information
Now that the VM is co-resident with target, what can
it do?
– Gather information via side channels
– Perform DoS
17
Task 4.1: Gathering information
• Measure latency of cache loads
• Use that to determine
– Co-residence
– Traffic rates
– Keystroke timing
18
Credits
Slides based on work of
Ragib Hasan
Johns Hopkins University
19
Mitigation strategies #1: Mapping
• Use a randomized scheme to allocate IP addresses
• Block some tools (nmap, traceroute)
20
Mitigation strategies #2: Co-residence checks
• Prevent traceroute (i.e., prevent identification of
dom0)
21
Mitigation strategies #3: Co-location
• Not allow co-residence at all
– Beneficial for cloud user
– Not efficient for cloud provider
22
Mitigation strategies #4: Information leakage
• Prevent cache load attacks?
23
Discussion
• How is the problem different from other attacks?
• What’s so special about clouds?
24