Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds, by Thomas Ristenpart, Eran Tromer, Hovav Shacham, Stefan Savage.


Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds
By Thomas Ristenpart, Eran Tromer, Hovav Shacham, Stefan Savage
Presented by Clint Sbisa, Ionut Trestian

Amazon specific
- Only shows that the mapping, etc. works on Amazon EC2, and says that it generalizes to Azure, etc., but does not show this
- Example (Google Cloud Service)
  - Single process, no long running queries, no local file access, no network access
  - The delivery vehicle is the web browser. The data that is created goes right into Bigtable.

Amazon specific
- The attacks depend on Amazon offering services
- Determining the internal IP address associated to a service: traceroute not so precise
- How does the accuracy of mapping change with an increase in the number of zones?
- Can attack only 'small' instances as shown in paper

Amazon specific
- Provider can implement better monitoring and scaling mechanisms
- Cloud provider can monitor CPU/network usage of collocated VMs and make sure a single one doesn't hog a resource
- Many different types of applications run on EC2; paper focuses only on web services/applications

Error-prone
- Co-residency checks (over covert channels) rely entirely on only two active VMs, which might lead to errors with more than two
- Many other methods outlined in the paper are also very vulnerable to noise

Targeting methods
- Paper assumes VMs are running web services, etc.; focused attack methods (based on recently launched VMs) will not work on services they cannot access easily (or at all)

Cost
- Shows nothing about the cost of running such attacks
- Running so many instances of VMs with hourly billing, network usage, etc. might add up in price
- Low accuracy of method makes for a higher price; simple changes by Amazon (acknowledged in the paper) can increase the price even higher

Attacks - exaggerated
- Estimating traffic rates
  - Requesting 3-megabyte text files: what web pages are that big?
  - Web sites are usually much more complex, not single large files
- Keystroke timing attack
  - Completely idle?
  - Demonstration not on EC2 instances
  - When do you know when someone is using SSH?

Thank you!