Rohit Kugaonkar CMSC 601 Spring 2011 May 9 th 2011


2 "Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."
  - The NIST Definition of Cloud Computing

3
- On-demand service
- Pay only for actual usage
- Shared resources
- Rapid elasticity
- Virtualization
- Advanced security
  (Source: "Cloud Security and Privacy", O'Reilly)

4
- Insecure programming interfaces or APIs
- Threats from insider employees
- Data protection
- Identity and access management
- Shared-technology issues
- Hypervisor security
- Cross-VM side-channel attacks


6
- Virtual machines on the same host share its physical resources: CPU cycles, caches, physical memory (DRAM) and network buffers.
- Attack on Amazon EC2: researchers from MIT and the University of California, San Diego describe it in their paper "Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds".

7
- The attack takes place in two steps:
  1. Placement: get an attacker-controlled virtual machine onto the same physical machine as the victim.
  2. Exploitation of the shared resources.
- CPU cache leakage attack:
  - Measure the load of a co-resident virtual web server.
  - Extract AES and RSA keys.
- Keystroke timing analysis:
  - Recover information about passwords typed into an SSH session from the inter-keystroke timings.

8
- D. A. Osvik, A. Shamir and E. Tromer, "Cache Attacks and Countermeasures: The Case of AES".
- D. Page, "Theoretical Use of Cache Memory as a Cryptanalytic Side-Channel".
- D. Page, "Defending Against Cache-Based Side-Channel Attacks".
- D. Page, "Partitioned Cache Architecture as a Side-Channel Defense Mechanism".
- E. Tromer, D. A. Osvik and A. Shamir, "Efficient Cache Attacks on AES, and Countermeasures".

9
- Dawn Xiaodong Song, David Wagner and Xuqing Tian, "Timing Analysis of Keystrokes and Timing Attacks on SSH".
- Cloud service providers:
  - "Securing Microsoft's Cloud Infrastructure", Microsoft Global Foundation Services.
  - "Amazon Web Services: Overview of Security Processes".

10
- The security mechanism is divided into two components:
  - A customized operating system image.
  - A lightweight process running inside each virtual machine.
- The process collects security logs and any sign of malicious behaviour from each virtual machine and sends them to a dedicated machine for analysis.

11
- The analysis is performed on one or more dedicated machines.
- Security logs are analysed in real time.
- The analyser looks for the cache-memory access pattern that the attack produces.
- All web server traffic is routed through these dedicated machines.
- Any tampering with a VM is repaired in real time.
- The cache is wiped only when the dedicated machine detects the attack pattern.
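The following is an added example, not code from the presentation or from the cited papers. It models both halves of the story in one place: the cache-leakage attack of slide 7 (a synchronous Prime+Probe against AES first-round table lookups, in the style of Osvik, Shamir and Tromer cited on slide 8) and the agent-plus-analyser defence of slides 10 and 11 (the per-VM access records are the "security logs", the analyser looks for the attacker's access pattern, and the cache is flushed only on detection). Everything is a deliberate simplification and an assumption of this example: the cache geometry (16 sets, 2-way LRU, 64-byte lines), a single 4-byte-entry T-table, an attacker that knows the plaintexts (e.g. because it sends the requests the victim encrypts), the names `Cache`, `attacker_prime`, `attacker_probe`, `recover_key_high_nibbles` and `detect_prime_probe`, and the detection heuristic itself (a VM that repeatedly touches every set with near-equal counts is sweeping the cache rather than using it). The key is the FIPS-197 example key. A real attack measures access latency with a cycle counter and contends with noise and scheduling, and the placement step of slide 7 is not modelled at all; the simulation shows only why the leakage exists and what its access pattern looks like to an observer.

```python
import random
from collections import Counter, defaultdict

# Toy cache geometry, constructed for this example (not from the slides).
LINE, SETS, WAYS = 64, 16, 2      # 64-byte lines, 16 sets, 2-way LRU
T_BASE = 0x10000                  # victim's 1 KiB AES T-table: one line per set
ATTACKER_BASE = 0x80000           # attacker's eviction buffer, same alignment
NOISE_BASE = 0x20000              # unrelated victim memory (noise)
KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 example key

class Cache:
    """LRU cache shared by all VMs on the host. Every access is logged as
    (vm, set), the record the per-VM agent of slide 10 would forward."""
    def __init__(self):
        self.sets = [[] for _ in range(SETS)]   # per set: line numbers, MRU last
        self.log = []

    def access(self, vm, addr):
        """Touch addr; return True on a hit, False on a miss."""
        line = addr // LINE
        s = line % SETS
        self.log.append((vm, s))
        ways = self.sets[s]
        hit = line in ways
        if hit:
            ways.remove(line)
        elif len(ways) >= WAYS:
            ways.pop(0)                          # evict LRU
        ways.append(line)
        return hit

    def flush(self):                             # slide 11: wipe cache on detection
        self.sets = [[] for _ in range(SETS)]

def victim_first_round(cache, key, plaintext, rng):
    """AES first-round lookups T[p ^ k] in one 4-byte-entry table (simplified):
    16 entries share a line, so the set touched is (p ^ k) >> 4, which leaks the
    high nibble of k. One random extra access models the victim's other work."""
    for p, k in zip(plaintext, key):
        cache.access("victim", T_BASE + 4 * (p ^ k))
    cache.access("victim", NOISE_BASE + rng.randrange(SETS) * LINE)

def attacker_prime(cache):
    """Prime: fill every way of every set with attacker-owned lines."""
    for s in range(SETS):
        for w in range(WAYS):
            cache.access("attacker", ATTACKER_BASE + (w * SETS + s) * LINE)

def attacker_probe(cache):
    """Probe: re-touch the same lines; a miss means the victim used that set."""
    touched = set()
    for s in range(SETS):
        for w in range(WAYS):
            if not cache.access("attacker", ATTACKER_BASE + (w * SETS + s) * LINE):
                touched.add(s)
    return touched

def recover_key_high_nibbles(cache, key, samples=50, seed=1):
    """Prime+Probe around known-plaintext encryptions (assumes the attacker can
    submit requests to the victim). For byte i and candidate nibble c, count how
    often set c ^ (p_i >> 4) was touched; only the true nibble scores every time."""
    rng = random.Random(seed)
    scores = [Counter() for _ in range(16)]
    for _ in range(samples):
        pt = bytes(rng.randrange(256) for _ in range(16))
        attacker_prime(cache)
        victim_first_round(cache, key, pt, rng)
        touched = attacker_probe(cache)
        for i, p in enumerate(pt):
            for c in range(16):
                if (c ^ (p >> 4)) in touched:
                    scores[i][c] += 1
    return [max(range(16), key=lambda c, sc=scores[i]: sc[c]) for i in range(16)]

def detect_prime_probe(log, window=2 * SETS * WAYS, evenness=0.9):
    """Heuristic for the analysis host (an assumption, not the slides' design):
    a VM whose accesses in one prime/probe round cover every set with near-equal
    counts is sweeping the cache rather than using it. Returns flagged VM names."""
    per_vm = defaultdict(list)
    for vm, s in log:
        per_vm[vm].append(s)
    flagged = set()
    for vm, sets in per_vm.items():
        for start in range(0, len(sets) - window + 1, window):
            hist = Counter(sets[start:start + window])
            if len(hist) == SETS and min(hist.values()) / max(hist.values()) >= evenness:
                flagged.add(vm)
                break
    return flagged

if __name__ == "__main__":
    cache = Cache()
    print("recovered:", recover_key_high_nibbles(cache, KEY), "true:", [k >> 4 for k in KEY])
    flagged = detect_prime_probe(cache.log)
    print("flagged:", sorted(flagged))
    if flagged:
        cache.flush()
```

Run as a script, the attacker recovers the high nibble of all 16 key bytes from 50 encryptions, and the detector flags "attacker" but not "victim": the victim's 16 lookups per encryption land on sets chosen by the key and plaintext, while the attacker touches every set the same number of times each round. That regularity is the "cache memory access pattern" slide 11 proposes to look for; a real attacker can blur it (randomising probe order, probing a subset of sets, spreading rounds out), so a production analyser would combine it with timing and performance-counter signals rather than rely on set coverage alone.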

12
- Hypervisor security.
- A security mechanism to protect against keystroke-based timing attacks.


14
- Thomas Ristenpart, Eran Tromer, Hovav Shacham and Stefan Savage, "Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds".
- Tim Mather, Subra Kumaraswamy and Shahed Latif, "Cloud Security and Privacy", O'Reilly.
- D. A. Osvik, A. Shamir and E. Tromer, "Cache Attacks and Countermeasures: The Case of AES".
- D. Page, "Theoretical Use of Cache Memory as a Cryptanalytic Side-Channel".
- D. Page, "Defending Against Cache-Based Side-Channel Attacks".
- D. Page, "Partitioned Cache Architecture as a Side-Channel Defense Mechanism".
- E. Tromer, D. A. Osvik and A. Shamir, "Efficient Cache Attacks on AES, and Countermeasures".
- Dawn Xiaodong Song, David Wagner and Xuqing Tian, "Timing Analysis of Keystrokes and Timing Attacks on SSH".

