230 likes | 689 Vues
Security and Privacy in Cloud Computing. Ragib Hasan University of Alabama at Birmingham CS 491/691/791 Fall 2013. Lecture 3 09/03/2013. Attacks and Attack Surfaces. Goal: Examine attack surfaces in a cloud Learn about novel attacks on clouds Recommended reading (no reviews)
E N D
Security and Privacy in Cloud Computing Ragib HasanUniversity of Alabama at BirminghamCS 491/691/791 Fall 2013 Lecture 3 09/03/2013
Attacks and Attack Surfaces Goal: • Examine attack surfaces in a cloud • Learn about novel attacks on clouds Recommended reading (no reviews) Gruschka and Jensen, “Attack Surfaces: A Taxonomy for Attacks on Cloud Services”, 3rd International Conference on Cloud Computing, 2010 Ragib Hasan | UAB CIS | CS491/691/791 Fall 2013
Announcements • Review Assignment #1 will be posted to course website this afternoon • Due: Tuesday, September 10, 12.29 pm • Please send reviews to ragib AT cis.uab.edu • Send review in plain text, in the email body (no attachments please) • Review format: Summary (5-6 sentences), Pros (3 or more points), Cons (3 or more points), Ideas for improvement Ragib Hasan | UAB CIS | CS491/691/791 Fall 2013
Announcement Term Project • Must be a project related to cloud security • Form 2-member groups for the project • Project kickstart meeting: 9/5/2013, 12.30 pm-1.30 pm • Some sample project ideas will be provided • Feel free to come up with your own ideas • Amazon has donated compute time on the EC2 Cloud for this course Ragib Hasan | UAB CIS | CS491/691/791 Fall 2013
Due dates • Project team formation: 9/5 • Project ideas: Due by 9/12 • Project progress meetings (Every 2 weeks, Sep-Nov) • Project demo: Early December Ragib Hasan | UAB CIS | CS491/691/791 Fall 2013
Project Deliverables • Project Report: • A brief, 10-12 page writeup on the project and experiments • Project Demo: • (If possible and relevant) Ragib Hasan | UAB CIS | CS491/691/791 Fall 2013
Traditional systems security vsCloud Computing Security Securing a cloud Securing a traditional system Ragib Hasan | UAB CIS | CS491/691/791 Fall 2013
Traditional systems security vsCloud Computing Security Analogy Securing a motel Securing a house Owner and user are often the same entity Owner and users are almost invariably distinct entities Ragib Hasan | UAB CIS | CS491/691/791 Fall 2013
Traditional systems security vsCloud Computing Security Securing a motel Securing a house Biggest user concerns Securing perimeter Checking for intruders Securing assets Biggest user concern Securing room against (the bad guy in next room | hotel owner) Ragib Hasan | UAB CIS | CS491/691/791 Fall 2013
Attack Surfaces An attack surface is a vulnerability in a system that malicious users may utilize Ragib Hasan | UAB CIS | CS491/691/791 Fall 2013
Clouds extend the attack surface • How? • By requiring users to communicate with the cloud over a public / insecure network • By sharing the infrastructure among multiple users Ragib Hasan | UAB CIS | CS491/691/791 Fall 2013
Analyzing Attack Surfaces in Clouds Cloud attack surfaces can be modeled using a 3 entity model (user, service, cloud) Figure from: Gruschka et al., Attack Surfaces: A Taxonomy for Attacks on Cloud Services. Ragib Hasan | UAB CIS | CS491/691/791 Fall 2013
Attack Surface: 1 • Service interface exposed towards clients • Possible attacks: Common attacks in client-server architectures • E.g., Buffer overflow, SQL injection, privilege escalation Ragib Hasan | UAB CIS | CS491/691/791 Fall 2013
Attack Surface: 2 • User exposed to the service • Common attacks • E.g., SSL certificate spoofing, phishing Ragib Hasan | UAB CIS | CS491/691/791 Fall 2013
Attack Surface: 3 • Cloud resources/interfaces exposed to service • Attacks run by service on cloud infrastructure • E.g., Resource exhaustion, DoS Ragib Hasan | UAB CIS | CS491/691/791 Fall 2013
Attack Surface: 4 • Service interface exposed to cloud • Privacy attack • Data integrity attack • Data confidentiality attack Ragib Hasan | UAB CIS | CS491/691/791 Fall 2013
Attack Surface: 5 • Cloud interface exposed to users • Attacks on cloud control Ragib Hasan | UAB CIS | CS491/691/791 Fall 2013
Attack Surface: 6 • User exposed to cloud • How much the cloud can learn about a user? Ragib Hasan | UAB CIS | CS491/691/791 Fall 2013
Attacking a cloud Question: Given enough resources, how would you attack a cloud? Ragib Hasan | UAB CIS | CS491/691/791 Fall 2013
Attacking a cloud Options: • From outside • Launch denial of service attacks • Probe cloud from outside • From inside • Exhaust resources internally • Probe cloud and/or other Ragib Hasan | UAB CIS | CS491/691/791 Fall 2013
Novel attacks on clouds • Question: Can you attack a cloud or other users, without violating any law? • Answer: Yes!! By launching side channel attacks, while not violating Acceptable User Policy. Ragib Hasan | UAB CIS | CS491/691/791 Fall 2013
Utilizing Side Channels • A Side Channel is a passive attack in which attacker gains information about target through indirect observations. • Examples? Ragib Hasan | UAB CIS | CS491/691/791 Fall 2013
Further Reading • Gruschka and Jensen, “Attack Surfaces: A Taxonomy for Attacks on Cloud Services”, 3rd International Conference on Cloud Computing, 2010 Ragib Hasan | UAB CIS | CS491/691/791 Fall 2013