Security of virtual machines in cloud environment - PowerPoint Presentation

Uploaded by marina-yarberry on 2016-07-13



Presentation Transcript


Security of virtual machines in cloud environment

Rohit Kugaonkar
CMSC 601, Spring 2011
May 9th 2011

http://res.sys-con.com/story/dec09/1225058/Cloud%20security%20226.jpg

Cloud Computing

“Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction”. - The NIST Definition of Cloud Computing

http://csrc.nist.gov/publications/drafts/800-145/Draft-SP-800-145_cloud-definition.pdf

Cloud framework and characteristics

On-demand service
Pay only for actual usage
Shared resources
Rapid elasticity

Virtualization

Advanced Security

"Cloud Security and Privacy", O'Reilly

Top security concerns in cloud computing

Insecure programming interfaces or APIs
Threat from inside employees
Data protection
Identity and access management

Shared technology issues
Hypervisor security

Cross-VM side channel attacks

Xen hypervisor architecture

http://vzxen.com/images/xen-hypervisor.png

Cross VM side channel attacks

Virtual machines share the physical memory, CPU cycles, network buffers and DRAM of the physical machine.
Attack on Amazon EC2 web services: researchers from MIT and the University of California explained it in their paper "Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds".

Cross VM side channel attacks continued…

The attack takes place in two steps:
1. Placement of the attacker's virtual machine on the same physical machine.
2. Exploiting the shared resources.

CPU cache leakage attack:
Measure the load of the other virtual web server.
Extract AES and RSA keys.

Keystroke timing analysis:
Extract user passwords from an SSH terminal.

Related work

D. A. Osvik, A. Shamir, and E. Tromer, "Cache attacks and countermeasures: the case of AES".

D. Page, "Theoretical use of cache memory as a cryptanalytic side-channel".

D. Page, "Defending against cache-based side-channel attacks".

D. Page, "Partitioned cache architecture as a side-channel defense mechanism".

E. Tromer, D. A. Osvik, and A. Shamir, "Efficient cache attacks on AES, and countermeasures".

Related work continued…

Dawn Xiaodong Song, David Wagner, Xuqing Tian, "Timing Analysis of Keystrokes and Timing Attacks on SSH".

Cloud service providers: "Securing Microsoft's Cloud Infrastructure", Microsoft Global Foundation Services.

"Amazon Web Services: Overview of Security Processes".


Proposed approach

Dividing the security mechanism into two components:
1. A customized operating system image.
2. A lightweight process running on each of the virtual machines.

Collect security logs or any malicious behaviour from each of the virtual machines and send them for analysis to a dedicated machine.

Proposed approach continued…

The analysis part will be performed at the dedicated machine(s):
Analysis of the security logs in real time, looking for the same cache memory access pattern!
Routing all the web server traffic through these dedicated machines.
Real-time fixing of any tampering on VMs.
Wiping out the cache only when an attack pattern is detected by the dedicated machine.
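The two proposed-approach slides sketch a loop of collect from each VM, analyse centrally, and act only on detection. The following is an added example written for this page, not code from the presentation or its author, that makes the loop concrete in a toy form: a per-VM agent is assumed to emit one telemetry line per sampling interval (the `ts=... vm=... llc_refs=... llc_misses=...` format, the thresholds, and the `flush_shared_cache` action name are all assumptions made here), and the analyser learns a per-VM baseline of the last-level-cache miss ratio and raises an alert only after a sustained deviation from that baseline, so that the costly cache wipe is triggered only when something has actually been detected.

```python
# Added example (not from the slides): a toy central analyser for the
# proposed approach. Each VM's lightweight agent is assumed to emit one
# telemetry line per sampling interval; the analyser learns a per-VM
# baseline of the last-level-cache (LLC) miss ratio and alerts only on a
# sustained deviation from that baseline. Log format, field names,
# thresholds and the response action name are all assumptions.
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import Dict, List, Optional

BASELINE_SAMPLES = 4   # samples used to learn each VM's normal miss ratio
SIGMA_FLOOR = 0.005    # minimum spread, so a flat baseline cannot over-trigger
Z_THRESHOLD = 3.0      # how far above baseline a sample must sit to count
STREAK_TO_ALERT = 3    # consecutive anomalous samples required before alerting

# Constructed agent telemetry (hypothetical format): per interval and VM,
# LLC references and misses. web-2 shows a sustained jump from ts=5 on.
SAMPLE_LOG = """\
ts=1 vm=web-1 llc_refs=100000 llc_misses=5100
ts=1 vm=web-2 llc_refs=98000 llc_misses=4900
ts=2 vm=web-1 llc_refs=101000 llc_misses=5050
ts=2 vm=web-2 llc_refs=99000 llc_misses=5000
ts=3 vm=web-1 llc_refs=99500 llc_misses=4950
ts=3 vm=web-2 llc_refs=97000 llc_misses=4850
ts=4 vm=web-1 llc_refs=100500 llc_misses=5000
ts=4 vm=web-2 llc_refs=98500 llc_misses=4950
ts=5 vm=web-1 llc_refs=100200 llc_misses=5020
ts=5 vm=web-2 llc_refs=120000 llc_misses=60000
ts=6 vm=web-1 llc_refs=99800 llc_misses=4990
ts=6 vm=web-2 llc_refs=121000 llc_misses=61000
ts=7 vm=web-1 llc_refs=100100 llc_misses=5010
ts=7 vm=web-2 llc_refs=119000 llc_misses=59500
"""


@dataclass
class Sample:
    ts: int
    vm: str
    miss_ratio: float


@dataclass
class Alert:
    vm: str
    ts: int
    miss_ratio: float
    baseline: float


@dataclass
class VMState:
    history: List[float] = field(default_factory=list)  # baseline ratios
    mean: Optional[float] = None
    sigma: Optional[float] = None
    streak: int = 0  # consecutive anomalous samples seen so far


def parse_line(line: str) -> Sample:
    """Parse one 'key=value ...' telemetry line into a Sample."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    refs = int(fields["llc_refs"])
    misses = int(fields["llc_misses"])
    if refs <= 0:
        raise ValueError("non-positive llc_refs in line: %r" % line)
    return Sample(int(fields["ts"]), fields["vm"], misses / refs)


def analyze(log_text: str) -> List[Alert]:
    """Run the telemetry through per-VM baselining; return the alerts raised."""
    states: Dict[str, VMState] = defaultdict(VMState)
    alerts: List[Alert] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        s = parse_line(raw)
        st = states[s.vm]
        if st.mean is None:
            # Still learning this VM's baseline.
            st.history.append(s.miss_ratio)
            if len(st.history) == BASELINE_SAMPLES:
                st.mean = mean(st.history)
                st.sigma = max(pstdev(st.history), SIGMA_FLOOR)
            continue
        z = (s.miss_ratio - st.mean) / st.sigma
        st.streak = st.streak + 1 if z > Z_THRESHOLD else 0
        if st.streak == STREAK_TO_ALERT:
            # Fire once per streak, at the sample that completes it.
            alerts.append(Alert(s.vm, s.ts, round(s.miss_ratio, 4), round(st.mean, 4)))
    return alerts


def plan_response(alerts: List[Alert]) -> Dict[str, str]:
    """Map alerted VMs to the response action; the action name is assumed."""
    return {a.vm: "flush_shared_cache" for a in alerts}


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for a in found:
        print("ALERT vm=%s ts=%d miss_ratio=%.3f baseline=%.3f"
              % (a.vm, a.ts, a.miss_ratio, a.baseline))
    print(plan_response(found))
```

Running the block on the constructed telemetry raises one alert, for web-2 at ts=7, and plans a flush for that VM only. A sustained miss-ratio deviation is a stand-in for the "same cache memory access pattern" the slide wants to match; a real detector would need an actual pattern signature, and a noisy but honest neighbour can produce the same statistic, which is why the streak requirement exists: flushing shared cache costs every tenant performance, so the alert should be corroborated (for example against the traffic routed through the dedicated machines) before the response is taken.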

Future work

Hypervisor security.
Security mechanism to protect against keystroke-based timing attacks.

http://blog.llnw.com/wp-content/uploads/2010/04/cloud-question.png

References

Thomas Ristenpart, Eran Tromer, Hovav Shacham and Stefan Savage, "Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds".

Tim Mather, Subra Kumaraswamy, Shahed Latif, "Cloud Security and Privacy", O'Reilly publication.

D. A. Osvik, A. Shamir, and E. Tromer, "Cache attacks and countermeasures: the case of AES".

D. Page, "Theoretical use of cache memory as a cryptanalytic side-channel".

D. Page, "Defending against cache-based side-channel attacks".

D. Page, "Partitioned cache architecture as a side-channel defense mechanism".

E. Tromer, D. A. Osvik, and A. Shamir, "Efficient cache attacks on AES, and countermeasures".

Dawn Xiaodong Song, David Wagner, Xuqing Tian, "Timing Analysis of Keystrokes and Timing Attacks on SSH".