Conference Paper

AmazonIA: When elasticity snaps back

Authors:
To read the full-text of this research, you can request a copy directly from the authors.

Abstract

Cloud Computing is an emerging technology promising new business opportunities and easy deployment of web services. Much has been written about the risks and benefits of cloud computing in the last years. The literature on clouds often points out security and privacy challenges as the main obstacles, and proposes solutions and guidelines to avoid them. However, most of these works deal with either malicious cloud providers or customers, but ignore the severe threats caused by unaware users. In this paper we consider security and privacy aspects of real-life cloud deployments, independently from malicious cloud providers or customers. We focus on the popular Amazon Elastic Compute Cloud (EC2) and give a detailed and systematic analysis of various crucial vulnerabilities in publicly available and widely used Amazon Machine Images (AMIs) and show how to eliminate them. Our Amazon Image Attacks (AmazonIA) deploy an automated tool that uses only publicly available interfaces and makes no assumptions on the underlying cloud infrastructure. We were able to extract highly sensitive information (including passwords, keys, and credentials) from a variety of publicly available AMIs. The extracted information allows to (i) start (botnet) instances worth thousands of dollars per day, (ii) provide backdoors into the running machines, (iii) launch impersonation attacks, or (iv) access the source code of the entire web service. Our attacks can be used to completely compromise several real web services offered by companies (including IT-security companies), e.g., for website statistics/user tracking, two-factor authentication, or price comparison. Further, we show mechanisms to identify the AMI of certain running instances. Following the maxim "security and privacy by design" we show how our automated tools together with changes to the user interface can be used to mitigate our attacks.

No full-text available

Request Full-text Paper PDF

To read the full-text of this research,
you can request a copy directly from the authors.

... Specifically, due to the open characteristic of public clouds, customers have the freedom to choose virtual machine images provided by anybody, including malicious providers. [2] points out a security vulnerability that Amazon EC2 suffers from: any member of the EC2 community can create and upload Amazon Machine Images (AMIs), which can be used by any EC2 user. If the AMIs are malicious and are widely used, Wang they could flood the whole EC2 community with malicious applications, including MapReduce. ...
... as an abstract presentation of equation (1) and (2). In other words, Λ(x 1 , . . . ...
... However, SecureMR cannot guarantee high integrity in an environment where malicious workers take the majority portion. For instance, equation (2) in [8] also showed that when the malicious worker fraction is 0.5 and the malicious cheat probability is 0.1, 40% of duplication rate can achieve only 25% of detection rate. The maximum detection rate SecureMR can achieve under this environment setting is 80%, with a duplication rate more than 500%. ...
Article
Full-text available
Big data applications have made significant impacts in recent years thanks to the fast growth of cloud computing and big data infrastructures. However, public cloud is still not widely accepted to perform big data computing, due to the concern with the public cloud’s security. Result integrity is one of the most significant security problems that exists in the cloud-based big data computing scenario. In this paper, we propose MtMR, a Merkle tree-based verification method that assures high result integrity of MapReduce jobs. MtMR overlays MapReduce on a hybrid cloud environment and applies two rounds of Merkle tree-based verifications on the pre-reduce phase (i.e., the map phase and the shuffle phase) and the reduce phase, respectively. In each round, MtMR samples a small portion of reduce task input/output records on the private cloud and performs Merkle tree-based verification on all the task input/output records. Based on the design of MtMR, we perform a series of theoretical studies to analyze its security and performance overhead. Our results indicate that MtMR is a promising method in terms of high result integrity and low performance overhead. For example, by setting the sampled record ratio as an optimal value, MtMR can guarantee no more than 10 incorrect records in each reduce task by sampling only 4% of records in that task.
... StealthDB offers a stronger leakage profile compared to the prior complete encrypted database systems. A snapshot adversary [5,8,16,23,50] learns only the "shape" of the database which includes the dimensions of the data structures maintained by the DBMS, along the recently collected query log information. An adversary with persistent access to memory and disk learns the inequalities (<, >, =) between the encrypted values in the indexes which are compared during the query execution, along with the query access pattern which includes the position of the result records in the database. ...
... A snapshot attack might be due to a memory dump or some cold-boot attack by a malicious cloud provider or by a co-located client running on the same cloud server as the victim process which gets occasional access to the memory of the entire system due to access control bugs. SQL injection attacks [16,17,31], VM attack leaks [5,8,23,50], disk theft and a "smash-and-grab" after a full system compromise [16] are some real-world examples of snapshot attacks [30]. ...
Preprint
Encrypted database systems provide a great method for protecting sensitive data in untrusted infrastructures. These systems are built using either special-purpose cryptographic algorithms that support operations over encrypted data, or by leveraging trusted computing co-processors. Strong cryptographic algorithms (e.g., public-key encryptions, garbled circuits) usually result in high performance overheads, while weaker algorithms (e.g., order-preserving encryption) result in large leakage profiles. On the other hand, some encrypted database systems (e.g., Cipherbase, TrustedDB) leverage non-standard trusted computing devices, and are designed to work around the architectural limitations of the specific devices used. In this work we build StealthDB - an encrypted database system from Intel SGX. Our system can run on any newer generation Intel CPU. StealthDB has a very small trusted computing base, scales to large transactional workloads, requires minor DBMS changes, and provides a relatively strong security guarantees at steady state and during query execution. Our prototype on top of Postgres supports the full TPC-C benchmark with a 30% decrease in the average throughput over an unmodified version of Postgres operating on a 2GB unencrypted dataset.
... For example, as deep learning based face recognition has become popular in access control and surveillance systems, the adversary may seek to modify the face classifier to bypass the access control or avoid being identified. Because a cloud environment is complex, involving a lot of entities and their interactions such as customers, network, cloud storage and ML applications, an adversary may exploit potential vulnerabilities in the network or storage protocols [46], [56], [16] to get accesses to the target model in transit or at rest, and then modify the parameters to meet his attack goals. Different types of model integrity attacks have been proposed: (1) in a DNN trojan attack [37], [29], [19], the adversary can slightly modify the target DNN model to make it mis-classify the inputs containing a trigger predefined by the adversary, while classifying inputs without the trigger correctly; (2) in an errorgeneric data poisoning attack [14], [43], [63], the adversary can intentionally degrade the model accuracy of one specific class or the overall accuracy, via model fine-tuning on malicious training samples; the same technique can also be used in an error-specific attack [47], where the model mis-classifies a target class as an adversary desired class. ...
... We do not make specific assumptions about how the model integrity is compromised, and to what extent the model is modified. We consider, but not limited to, the following attacks to compromise the model integrity hosted in the cloud: x An adversary can exploit the vulnerabilities of cloud network protocols or service interfaces [56] to tamper with the model when it is in transit between the customer and cloud provider; y An adversary can also exploit the cloud storage vulnerabilities (e.g., [46]) or OS images [16] to replace the model with a compromised one; z The adversary can be the dishonest cloud provider who violates the SLA for financial benefits. For example, he can compress the model to save storage and computational resources. ...
Preprint
Deep learning has become popular, and numerous cloud-based services are provided to help customers develop and deploy deep learning applications. Meanwhile, various attack techniques have also been discovered to stealthily compromise the model's integrity. When a cloud customer deploys a deep learning model in the cloud and serves it to end-users, it is important for him to be able to verify that the deployed model has not been tampered with, and the model's integrity is protected. We propose a new low-cost and self-served methodology for customers to verify that the model deployed in the cloud is intact, while having only black-box access (e.g., via APIs) to the deployed model. Customers can detect arbitrary changes to their deep learning models. Specifically, we define \texttt{Sensitive-Sample} fingerprints, which are a small set of transformed inputs that make the model outputs sensitive to the model's parameters. Even small weight changes can be clearly reflected in the model outputs, and observed by the customer. Our experiments on different types of model integrity attacks show that we can detect model integrity breaches with high accuracy (>>99\%) and low overhead (<<10 black-box model accesses).
... Monitoring system (Lombardi and Di Pietro, 2009) Managing VM images Imaging management systems (Wei et al., 2009) Sensitive information Architecture change (Bugiel et al., 2011) Memory disclosure attack on memory de-duplication Read-only page flag (Suzaki et al., 2011) Limitation of random number generator External sources (Ristenpart and Yilek, 2010) Virtualisation Virtual network Virtual network model (Wu et al., 2010) Sensitive data Additional security check, storing metadata information (Subashini and Kavitha, 2011) Data loss and leakage Security components (e.g., identity management, log service, access control), secure block storage (Vaquero et al., 2011;Deng et al., 2012) Data integrity MAC with Merkle tree-based structure (Juels and Oprea, 2013) Data relocation Constraint-based data geo-location (Gondree and Peterson, 2013) Data Big data processing Efficient security mechanism (HLA, E-PDP) (Liu et al., 2015) When considering PaaS security, we believe the problem is driven by virtualisation (and utilisation) encouraged multi-tenancy with the primary problem prevention tool being appropriate isolation of users, resources, and data. Table 1 provides an overview. ...
... These approach, conducted as the general countermeasures, can be used on any cloud, for example, Amazon elastic computer cloud (EC2), to protect sensitive information. In practice, Bugiel et al. (2011) could extract highly sensitive information (e.g., passwords, keys, and credentials) from publicly available Amazon machine images (AMIs) using an automated tool they developed. The tool discovers the sensitive information (i.e., private keys and credentials) usually in the home directory of users, the home directory of a super user (i.e., root), and common locations for programs and configuration files. ...
... Monitoring system (Lombardi and Di Pietro, 2009) Managing VM images Imaging management systems (Wei et al., 2009) Sensitive information Architecture change (Bugiel et al., 2011) Memory disclosure attack on memory de-duplication Read-only page flag (Suzaki et al., 2011) Limitation of random number generator External sources (Ristenpart and Yilek, 2010) Virtualisation Virtual network Virtual network model (Wu et al., 2010) Sensitive data Additional security check, storing metadata information (Subashini and Kavitha, 2011) Data loss and leakage Security components (e.g., identity management, log service, access control), secure block storage (Vaquero et al., 2011;Deng et al., 2012) Data integrity MAC with Merkle tree-based structure (Juels and Oprea, 2013) Data relocation Constraint-based data geo-location (Gondree and Peterson, 2013) Data Big data processing Efficient security mechanism (HLA, E-PDP) (Liu et al., 2015) When considering PaaS security, we believe the problem is driven by virtualisation (and utilisation) encouraged multi-tenancy with the primary problem prevention tool being appropriate isolation of users, resources, and data. Table 1 provides an overview. ...
... These approach, conducted as the general countermeasures, can be used on any cloud, for example, Amazon elastic computer cloud (EC2), to protect sensitive information. In practice, Bugiel et al. (2011) could extract highly sensitive information (e.g., passwords, keys, and credentials) from publicly available Amazon machine images (AMIs) using an automated tool they developed. The tool discovers the sensitive information (i.e., private keys and credentials) usually in the home directory of users, the home directory of a super user (i.e., root), and common locations for programs and configuration files. ...
... VMI sharing. [42] explores a variety of attacks that leverage the virtual machine image sharing in Amazon EC2. Researchers were able to extract highly sensitive information from publicly available VMIs. ...
... 3) The VMI layer mainly captures the stealthy bridges and corresponding attacks caused by VMI sharing. Since virtual machines in different enterprise networks may be instantiated from the same parent VMI, they could inherit the same security issues from parent image, such as software vulnerabilities, malware, or backdoors, etc. Bugiel et al. explores a number of attacks that take advantage of the VMI sharing in Amazon EC2 [42]. Evidence from [28] shows that 98% of Windows VMI and 58% of Linux VMIs in Amazon EC2 contain software with critical vulnerabilities. ...
Article
Full-text available
Cloud computing, with the paradigm of computing as a utility, has the potential to significantly tranform the IT industry. Attracted by the high efficiency, low cost, and great flexibility of cloud, enterprises began to migrate large parts of their networks into cloud. The cloud becomes a public space where multiple “tenants” reside. Except for some public services, the enterprise networks in cloud should be absolutely isolated from each other. However, some “stealthy bridges” could be established to break such isolation due to two features of the public cloud: virtual machine image sharing and virtual machine co-residency. This paper proposes to use cross-layer Bayesian networks to infer the stealthy bridges existing between enterprise network islands. Cloud-level attack graphs are firstly built to capture the potential attacks enabled by stealthy bridges and reveal hidden possible attack paths. Cross-layer Bayesian networks are then constructed to infer the probability of stealthy bridge existence. The experiment results show that the cross-layer Bayesian networks are capable of inferring the existence of stealthy bridges given supporting evidence from other intrusion steps in a multi-step attack.
... is not under the control of the user of the cloud resources. Research has already shown various side channels and other techniques that can be used to steal private data from cloud environments [15,4,21]. What is needed to address this is some way to isolate data from the physical platform so that side channels or a malicious or compromised cloud provider cannot access it. ...
... The authors also note that these risks have not slowed the use of cloud computing, and using NFV in the cloud will only appear as a risk to organizations that do not trust cloud computing in general. However, there has a large body of research into information leakage via side channels and vulnerabilities in the cloud, as the economy of scale used in cloud computing generally necessitates the sharing of resources between different customers (tenants) [15,4,21]. As mentioned above, malicious tenants can make use of these side channels to access private data from other tenants, such as sensitive data about an organization's network or traffic. ...
Conference Paper
Network Function Virtualization has received a large amount of research and recent efforts have been made to further leverage the cloud to enhance NFV. However, since there are privacy and security issues with using cloud computing, work has been done to allow for operating on encrypted data, which introduces a large amount of overhead in both computation and data, while only providing a limited set of operations, since these encryption schemes are not fully homomorphic. We propose using trusted computing to circumvent these limitations by having hardware enforce data privacy and provide guaranteed computation. Prior work has shown that Intel's Software Guard Extensions can be used to protect the state of network functions, but there are still questions about the usability of SGX in arbitrary NFV applications and the performance of SGX in these applications. We extend prior work to show how SGX can be used in network deployments by extending the Click modular router to perform secure packet processing with SGX. We also present a performance evaluation of SGX on real hardware to show that processing inside of SGX has a negligible performance impact, compared to performing the same processing outside of SGX.
... The actual number is often much smaller since Pileus will always try to schedule event handlers of the same cloud operation on the same cloud node. 8 In this case, a user's TCB at a given time becomes a composite of all cloud simulated cloud has 1,000 cloud nodes, and to simplify the discussion, we ignore the actual service deployment and assume each user operation takes five cloud nodes picked at random. We then investigate the effectiveness of different approaches by comparing the expected number of cloud nodes of a user's TCB (Y-axis in the figure). ...
... User → Public declassification allows a user to safely release a private resource to public. For images, the declassifier is motivated by the problem studied in Amazonia [8], where a careless user may publish her images with sensitive data such as API keys remained. We thus implemented the countermeasures suggested in Amazonia which parses the image and scans for any sensitive data. ...
Conference Paper
Cloud computing platforms are now constructed as distributed, modular systems of cloud services, which enable cloud users to manage their cloud resources. However, in current cloud platforms, cloud services fully trust each other, so a malicious user may exploit a vulnerability in a cloud service to obtain unauthorized access to another user's data. To date, over 150 vulnerabilities have been reported in cloud services in the OpenStack cloud. Research efforts in cloud security have focused primarily on attacks originating from user VMs or compromised operating systems rather than threats caused by the compromise of distributed cloud services, leaving cloud users open to attacks from these vulnerable cloud services. In this paper, we propose the Pileus cloud service architecture, which isolates each user's cloud operations to prevent vulnerabilities in cloud services from enabling malicious users to gain unauthorized access. Pileus deploys stateless cloud services "on demand" to service each user's cloud operations, limiting cloud services to the permissions of individual users. Pileus leverages the decentralized information flow control (DIFC) model for permission management, but the Pileus design addresses special challenges in the cloud environment to: (1) restrict how cloud services may be allowed to make security decisions; (2) select trustworthy nodes for access enforcement in a dynamic, distributed environment; and (3) limit the set of nodes a user must trust to service each operation. We have ported the OpenStack cloud platform to Pileus, finding that we can systematically prevent compromised cloud services from attacking other users' cloud operations with less than 3% additional latency for the operation. Application of the Pileus architecture to Open-Stack shows that confined cloud services can service users' cloud operations effectively for a modest overhead.
... However, there are very few efforts which incorporate security risks in VM placement strategies. In fact, security risk is one of the major factors influencing the acceptance for IaaS clouds in practical application domains, while prevalent known vulnerabilities are found to be common in public VM images that provisioned by IaaS providers [5,6]. By scanning a number of public VM images, Bugiel et al. [6] found out that image publishers may leave unwanted information (e.g. ...
... In fact, security risk is one of the major factors influencing the acceptance for IaaS clouds in practical application domains, while prevalent known vulnerabilities are found to be common in public VM images that provisioned by IaaS providers [5,6]. By scanning a number of public VM images, Bugiel et al. [6] found out that image publishers may leave unwanted information (e.g. passwords, keys, and other credentials) in their images. ...
... When the software will be used for virtualization services the viruses will damage the code. In Amazon EC2 the sidechannel attacks (-the data flowing between sender and receiver without interference‖) is discussed by [13]. In all cases that have been discussed the intruder gets control of the user's data and services by adding some bit in the data flow. ...
... Nonetheless, the notion of cloud is based on resource sharing abstraction, and cloud hardware and software resources are typically shared among different users or organizations through isolation techniques such as virtual machines or containers. The characteristics of resource sharing and the large size of cloud system software make the cloud vulnerable to different classes of attacks [3]- [8]. Scientific workflows running on clouds or virtualized data centers rely on the integrity of the OS and hypervisor code to operate correctly, which introduces a large trusted computing base (TCB). ...
Article
Full-text available
Big data workflow management systems (BDWMSs) have recently emerged as popular data analytics platforms to conduct large-scale data analytics in the cloud. However, the protection of data confidentiality and secure execution of workflow applications remains an important and challenging problem. Although a few data analytics systems, such as VC3 and Opaque, were developed to address security problems, they are limited to specific domains such as Map-Reduce-style and SQL query workflows. A generic secure framework for BDWMSs is still missing. In this paper, we propose SecDATAVIEW, a distributed BDWMS that employs heterogeneous workers, such as Intel SGX and AMD SEV, to protect both workflow and workflow data execution, addressing three major security challenges: (1) Reducing the TCB size of the big data workflow management system in the untrusted cloud by leveraging the hardware-assisted TEE and software attestation; (2) Supporting Java-written workflow tasks to overcome the limitation of SGX's lack of support for Java programs; and (3) Reducing the adverse impact of SGX enclave memory paging overhead through a ‘'Hybrid’' workflow task scheduling system that selectively deploys sensitive tasks to a mix of SGX and SEV worker nodes. Our experimental results show that SecDATAVIEW imposes moderate overhead on the workflow execution time.
... Each rule includes functions whose execution is dependent on matching of string patterns. We apply a string pattern-based matching strategy similar to prior work [33] [34], where we check if the value satisfies the necessary condition. Table 5 lists the functions and corresponding string patterns. ...
Preprint
Context: Security smells are coding patterns in source code that are indicative of security weaknesses. As infrastructure as code (IaC) scripts are used to provision cloud-based servers and systems at scale, security smells in IaC scripts could be used to enable malicious users to exploit vulnerabilities in the provisioned systems. Goal: The goal of this paper is to help practitioners avoid insecure coding practices while developing infrastructure as code (IaC) scripts through an empirical study of security smells in IaC scripts. Methodology: We apply qualitative analysis with 3,339 IaC scripts to identify security smells for IaC scripts written in three languages: Ansible, Chef, and Puppet. We construct a static analysis tool called Security Linter for Infrastructure as Code scripts (SLIC) to automatically identify security smells in 61,097 scripts collected from 1,093 open source software repositories. We also submit bug reports for 1,500 randomly-selected smell occurrences identified from the 61,097 scripts. Results: We identify nine security smells for IaC scripts. By applying SLIC on 61,097 IaC scripts we identify 64,356 occurrences of security smells that included 9,092 hard-coded passwords. We observe agreement for 130 of the responded 187 bug reports, which suggests the relevance of security smells for IaC scripts amongst practitioners. Conclusion: We observe security smells to be prevalent in IaC scripts. We recommend practitioners to rigorously inspect the presence of the identified security smells in IaC scripts using (i) code review, and (ii) static analysis tools.
... With DGAs we indicate a family of algorithms that given a seed, often shipped with the malware as a pre-shared secret, generate strings of domain names that can be queried and resolved for locating the active C&C server. In addition, these evasion characteristics are currently being enhanced by using the Cloud Computing environment [50,53], in which both bots and C&C servers can be provisioned dynamically and being moved from one location to another or even between providers within the cloud [17,27]. This fact makes botnets more difficult to trace and detect in real time [68]. ...
Article
Full-text available
Botnets are evolving, and their covert modus operandi, based on cloud technologies such as the virtualisation and the dynamic fast-flux addressing, has been proved challenging for classic intrusion detection systems and even the so-called next-generation firewalls. Moreover, dynamic addressing has been spotted in the wild in combination with pseudo-random domain names generation algorithm (DGA), ultimately leading to an extremely accurate and effective disguise technique. Although these concealing methods have been exposed and analysed to great extent in the past decade, the literature lacks some important conclusions and common-ground knowledge, especially when it comes to Machine Learning (ML) solutions. This research horizontally navigates the state of the art aiming to polish the feature discovery process, which is the single most time-consuming part of any ML approach. Results show that only a minor fraction of the defined features are indeed practical and informative, especially when considering 0-day botnet identification. The contributions described in this article will ease the detection process, ultimately enabling improved and more scalable solutions for DGA-based botnets detection.
... Malicious staff in the cloud can steal the privacy of traffic easily. Research has also shown various attacks that can steal private data from cloud environments [9,43,58]. Confronted with the untrustworthiness of cloud platforms, SGX-assisted privacy preserving NFV platforms [15,23,27,28,49,54] have been proposed to protect the privacy of traffic which goes through the outsourced NFV platforms. ...
Preprint
Full-text available
Intel has introduced a trusted computing technology, Intel Software Guard Extension (SGX), which provides an isolated and secure execution environment called enclave for a user program without trusting any privilege software (e.g., an operating system or a hypervisor) or firmware. Nevertheless, SGX is vulnerable to several side channel attacks (e.g. page-fault-based attack and cache-based attack). In this paper, we explore a new, yet critical side channel attack in SGX, interface-based side channel attack, which can infer the information of the enclave input data. The root cause of the interface-based side channel attack is the input dependent interface invocation information (e.g., interface information and invocation patterns) which can be observed by the untrusted privilege software can reveal the control flow in the enclave. We study the methodology which can be used to conduct the interface-based side channel attack. To illustrate the effectiveness of the interface-based side-channel attacks, we use our methodology to infer whether tracked web pages have been processed by the SGX-assisted NFV platforms and achieve the accuracy of 87.6% and recall of 76.6%. We also identify the packets which belong to the tracked web pages, with the accuracy of 67.9%and recall of 71.1%. We finally propose some countermeasures to defense the interface-based side channel attack in SGX-assisted applications.
... Mais ils permettent également aux utilisateurs d'être des administrateurs de leurs machines virtuelles, ou de télécharger et de partager leurs images VM personnalisées avec d'autres utilisateurs. Bien que les fournisseurs de Cloud fournissent des directives de sécurité sur la façon de préparer une image avant de la libérer sur un marché, les recherches actuelles de Balduzzi [85], Bugiel [86] et Meer [87] montrent que les images du marché sont très précaires. Les utilisateurs de ces marketplaces sont généralement plus ou moins anonymes. ...
Thesis
Le Cloud Computing a connu une forte croissance au cours des dernières années et est devenu très populaire dans le paysage informatique actuel. Les fournisseurs des services Cloud promettent « une évolutivité infinie et des ressources illimitées» combinées à l’accès à la demande partout. Cela permet aux utilisateurs du Cloud d’oublier rapidement qu’il existe toujours une infrastructure informatique derrière un Cloud. En raison de la virtualisation et de la multi-tenancy, la complexité de ces infrastructures est encore plus accrue par rapport aux centres de données traditionnels, alors qu’elle est transparente à l’utilisateur et hors de son contrôle. Cela rend la gestion des services, en particulier de la sécurité, plus compliquée. En raison des caractéristiques attractives du Cloud Computing, de nombreuses organisations utilisent le service du stockage en Cloud pour stocker leurs données critiques. Les données peuvent être stockées à distance dans le Cloud par les utilisateurs et peuvent être consultées à l’aide de clients légers en cas et temps de besoin. L’un des problèmes majeurs dans le Cloud Computing aujourd’hui est la sécurité des données. Le stockage des données dans le Cloud peut être risqué en raison d’utilisation d’Internet par des services basés sur le Cloud, ce qui signifie moins de contrôle sur les données stockées. L’une des principales préoccupations du Cloud est de savoir comment exploiter tous les avantages du Cloud, tout en maintenant les contrôles de sécurité sur les biens des organisations. Dans cette thèse, nous proposons deux approches novatrices pour sécuriser le stockage de données en nuage par pSSS et mrSSS respectivement. Les schémas de partage de secret fragmentent et diffusent des données sur plusieurs fournisseurs de services en nuage, ce qui permet d’atteindre une meilleur confidentialité et disponibilité des données. pSSS et mrSSS corrigent trois lacunes dans les approches existantes de partage de secret. La première étant la sécurité à long terme des données à vie longue; la seconde, la supposition que la corruption de données se produit uniquement au moment de la récupération, après que la distribution des parts a été correctement effectuée ; et la troisième, la dégradation de la performance de calcul dans le cas des données volumineuses. Pour évaluer nos approches, nous étudions théoriquement les facteurs qui influent nos approches en matière de sécurité et de complexité. En outre, nous validons également la pertinence de nos approches expérimentalement et démontrons leur supériorité par rapport aux méthodes existantes.
... Another security risk comes from the use of preset virtual machine images. Although Cloud providers provide security guidelines on how to prepare an image before releasing it to a market, current research by Balduzzi [9], Bugiel [10] and Meer [11] shows that market images are very precarious. ...
Preprint
Cloud computing has grown strongly in recent years and has become very popular in today's IT landscape. Cloud service providers promise "infi-nite scalability and unlimited resources" combined with on-demand access everywhere. This allows cloud users to quickly forget that there is always a computing infrastructure behind a cloud. Due to virtualization and multi-tenancy, the complexity of these infrastructures is even greater compared to traditional data centers, while it is transparent to the user and beyond his control. This makes management of services, especially security , more complicated. Because of the attractive features of Cloud Computing, many organizations use the cloud storage service to store their critical data. Data can be stored remotely in the cloud by users and can be accessed using thin clients in case and time of need. One of the major problems in Cloud Computing today is data security. Storing data in the cloud can be risky because of the use of the Internet by cloud-based services , which means less control over the stored data. One of the main concerns of the cloud is how to exploit all the advantages of the Cloud, while maintaining the security controls on the assets of the organizations. In this article, we propose an innovative secret sharing based approach to secure the storage of data in cloud computing environment. Secret sharing schemes fragment and disseminate data across multiple cloud service providers, resulting in greater privacy and data availability. mrSSS corrects a significant limitation in existing approaches to secret sharing: the degradation of computational performance in the case of large data sets. To evaluate our approach, we theoretically study the factors that influence it in terms of security and complexity. In addition, we validate its relevance experimentally and demonstrate its superiority over existing methods.
... -Some vulnerabilities are not technical, but stem from human or organizational factors, e.g., lack of security training for personnel (e.g. the vulnerability described in [7] lies is the careless behaviour of users not cleaning their Amazone Machines Images of passwords before making them available for others). In contrast, risk patterns are appropriate for capturing forbidden socio-technical configurations that are at least partly technical in the way they expose data. ...
Conference Paper
Full-text available
Ensuring the protection of sensitive data is important for the adoption of cloud services. Cloud systems are becoming increasingly complex and dynamic, leading to various potential scenarios for attackers to get access to sensitive data. To handle such data protection risks, the concept of risk patterns was introduced previously. A risk pattern models a structural fragment of cloud systems that should not appear in the running system because it would lead to high data protection risks. At deployment and at run time, graph pattern matching and dynamic re-configuration methods can be used to ensure that the run-time model of the cloud system contains no instance of the risk patterns. The previous work left it open, however, how and to what extent real data protection vulnerabilities can be modeled in the form of risk patterns. Therefore, this paper focuses on the design of risk patterns based on vulnerabilities described in the literature. Based on an analysis of 87 papers, we determined 45 risk patterns. Our findings (i) demonstrate that risk patterns can indeed capture many of the vulnerabilities described in the cloud literature, (ii) give insight into the typical structure of risk patterns, and (iii) show the limits of the applicability of the risk pattern approach.
... For instance, the latest Xen hypervisor contains 586K lines of code [19]. Moreover, hypervisor vulnerabilities have been frequently reported [1,13,40,52,54,55,61]. Other issues with virtualization include performance slowdowns that are caused by a large amount of underlying processes, data traffic, and context switching between the host hypervisor and the guest VM environment. ...
Conference Paper
Hardware-assisted trusted execution environments are secure isolation technologies that have been engineered to serve as efficient defense mechanisms to provide a security boundary at the system level. Hardware vendors have introduced a variety of hardware-assisted trusted execution environments including ARM TrustZone, Intel Management Engine, and AMD Platform Security Processor. Recently, Intel Software Guard eXtensions (SGX) and AMD Memory Encryption Technology have been introduced. To the best of our knowledge, this paper presents the first comparison study between Intel SGX and AMD Memory Encryption Technology in terms of functionality, use scenarios, security, and performance implications. We summarize the pros and cons of these two approaches in comparison to each other.
... While the cloud vendors can be trusted and the cloud infrastructure (i.e., the virtualization layer) can be assumed to be secure, the virtual machines and the MapReduce applications installed in the virtual machines cannot be trusted to always return correct results. For instance, ( Balduzzi, Zaddach, Balzarotti, Kirda, & Loureiro, 2012) and ( Bugiel, Nürnberger, Pöppelmann, Sadeghi, & Schneider, 2011) point out a security vulnerability that Amazon EC2 suffers from: some members of the EC2 community can create and upload malicious Amazon Machine Images (AMIs), which, if widely used, could flood the EC2 cloud with virtual machine instances that contain malicious applications, including MapReduce. The above threat puts a MapReduce customer in a dilemma: using public clouds has economic advantage but incurs the risk of getting wrong computation results; on the other hand, avoiding the public cloud completely (i.e., running everything "in house" or in the private cloud) can guarantee result accuracy, but there will be less economic benefit. ...
... While the cloud vendors can be trusted and the cloud infrastructure (i.e., the virtualization layer) can be assumed to be secure, the virtual machines and the MapReduce applications installed in the virtual machines cannot be trusted to always return correct results. For instance, ( Balduzzi, Zaddach, Balzarotti, Kirda, & Loureiro, 2012) and ( Bugiel, Nürnberger, Pöppelmann, Sadeghi, & Schneider, 2011) point out a security vulnerability that Amazon EC2 suffers from: some members of the EC2 community can create and upload malicious Amazon Machine Images (AMIs), which, if widely used, could flood the EC2 cloud with virtual machine instances that contain malicious applications, including MapReduce. The above threat puts a MapReduce customer in a dilemma: using public clouds has economic advantage but incurs the risk of getting wrong computation results; on the other hand, avoiding the public cloud completely (i.e., running everything "in house" or in the private cloud) can guarantee result accuracy, but there will be less economic benefit. ...
... (see Section 6.1. 3) Compared to the program anomaly detection solutions [4] [5] [6] [7] [8], RIA can detect not only the control flow tampering, but also the data tampering. Compared to the task assignment-based solution [9] [10] [11], RIA does not have restrictions on the task number and is more general. ...
Article
Public cloud vendors have been offering varies big data computing services on their clouds. However runtime integrity is one of the major security concerns that hinder the wide adoption of those services. In this paper, we focus on MapReduce, a popular big data computing framework, and propose the runtime integrity audition (RIA), a solution that remotely verifies the runtime integrity of MapReduce applications. RIA records the runtime variable values of the MapReduce application on the public cloud and checks those values against the application’s code on the private cloud. By doing so, RIA protects the runtime integrity of MapReduce applications. Based on the idea of RIA, we developed a prototype system, called MR Auditor, and tested its applicability and performance with several Hadoop applications. Our experimental results showed that MR Auditor is a general tool that can efficiently audit the runtime integrity of all the MapReduce applications that we tested. In addition, MR Auditor incurs a moderate performance overhead. For example, when verifying the Word Count application, a proper parameter setting of MR Auditor incurs 1% of extra execution time on the public cloud and 14% of extra execution time on the private cloud. OAPA
... We found it as a new topic in the field of privacy and also a potential research area. At this level preserving privacy is based on few mature areas like "Amazon Elastic computer cloud [ec2]" "begiel et al" [27] present a type of "image attack focuses on extracting sensitive information while the user is actually unaware". Preserving privacy is a crucial one specially in the field of open source and developing platform for managing cloud. ...
... Audit may not be feasible for closed-source and proprietary implementations. Furthermore, libraries can be subverted, e.g., by compromising a code repository [37,71] or a VM image [6,14,73]. In this paper, we investigate potential consequences of using untrusted training algorithms on a trusted platform. ...
Conference Paper
Machine learning (ML) is becoming a commodity. Numerous ML frameworks and services are available to data holders who are not ML experts but want to train predictive models on their data. It is important that ML models trained on sensitive inputs (e.g., personal images or documents) not leak too much information about the training data. We consider a malicious ML provider who supplies model-training code to the data holder, does \emph{not} observe the training, but then obtains white- or black-box access to the resulting model. In this setting, we design and implement practical algorithms, some of them very similar to standard ML techniques such as regularization and data augmentation, that "memorize" information about the training dataset in the model\textemdash yet the model is as accurate and predictive as a conventionally trained model. We then explain how the adversary can extract memorized information from the model. We evaluate our techniques on standard ML tasks for image classification (CIFAR10), face recognition (LFW and FaceScrub), and text analysis (20 Newsgroups and IMDB). In all cases, we show how our algorithms create models that have high predictive power yet allow accurate extraction of subsets of their training data.
... Audit may not be feasible for closed-source and proprietary implementations. Furthermore, libraries can be subverted, e.g., by compromising a code repository [37,71] or a VM image [6,14,73]. In this paper, we investigate potential consequences of using untrusted training algorithms on a trusted platform. ...
Article
Machine learning (ML) is becoming a commodity. Numerous ML frameworks and services are available to data holders who are not ML experts but want to train predictive models on their data. It is important that ML models trained on sensitive inputs (e.g., personal images or documents) not leak too much information about the training data. We consider a malicious ML provider who supplies model-training code to the data holder, does not observe the training, but then obtains white- or black-box access to the resulting model. In this setting, we design and implement practical algorithms, some of them very similar to standard ML techniques such as regularization and data augmentation, that "memorize" information about the training dataset in the model yet the model is as accurate and predictive as a conventionally trained model. We then explain how the adversary can extract memorized information from the model. We evaluate our techniques on standard ML tasks for image classification (CIFAR10), face recognition (LFW and FaceScrub), and text analysis (20 Newsgroups and IMDB). In all cases, we show how our algorithms create models that have high predictive power yet allow accurate extraction of subsets of their training data.
... Their analysis focused on security issues over VM hopping and VM mobility. In [4], Bugiel et al., analyzed publicly available VM images in the Amazon EC2 repository. Their analysis focused on public interfaces to therein extract private information to launch attacks such as starting a botnet or launching an impersonation attack. ...
... DBMS's increasingly run on virtual machines (VMs), exposing them to the threat of VM image leaks [3,9,19,53]. Some VM snapshots only contain the persistent storage, whereas full-state snapshots also include the VM's memory and CPU registers. ...
Conference Paper
Encrypted databases, a popular approach to protecting data from compromised database management systems (DBMS's), use abstract threat models that capture neither realistic databases, nor realistic attack scenarios. In particular, the "snapshot attacker" model used to support the security claims for many encrypted databases does not reflect the information about past queries available in any snapshot attack on an actual DBMS. We demonstrate how this gap between theory and reality causes encrypted databases to fail to achieve their "provable security" guarantees.
... The successful attack gives various security issues, possible to check the resource usage, altered the configuration of the system and files or leak sensitive data. The author (Ristenpart et al., 2009) and (Bugiel et al., 2011) describes cross-VM side channel and covert-channel attacks in Amazon EC2. The side channel attack technique passively observes data flowing between sender to receiver without interfering. ...
Article
The cloud computing provides on demand services over the Internet with the help of a large amount of virtual storage. The main features of cloud computing is that the user does not have any setup of expensive computing infrastructure and the cost of its services is less. In the recent years, cloud computing integrates with the industry and many other areas, which has been encouraging the researcher to research on new related technologies. Due to the availability of its services & scalability for computing processes individual users and organizations transfer their application, data and services to the cloud storage server. Regardless of its advantages, the transformation of local computing to remote computing has brought many security issues and challenges for both consumer and provider. Many cloud services are provided by the trusted third party which arises new security threats. The cloud provider provides its services through the Internet and uses many web technologies that arise new security issues. This paper discussed about the basic features of the cloud computing, security issues, threats and their solutions. Additionally, the paper describes several key topics related to the cloud, namely cloud architecture framework, service and deployment model, cloud technologies, cloud security concepts, threats, and attacks. The paper also discusses a lot of open research issues related to the cloud security.
Article
Full-text available
One of the major goals of any organization or individual is to ensure the protection of their sensitive data and privacy against any form of attack. It is well known that some of the secured encryption standard has been hacked. It would be worthwhile to improve on them by developing a security mechanism to strengthen them. The aim of this study is to develop a customized encryption and decryption solution using Artificial Neural Network. This security solution can be used separately or in combination with the existing encryption standards. The design and implementation of the encryption and decryption system was computed using the linear activation function of Artificial Neural Network. The encryption and decryption of data was tested for several kind of text messages and the results were accurate with no error. The encryption and decryption algorithm performed excellently well as programmed. In addition, the solution when combined with MD5 (Message-Digest-5) encryption standards improved on the security of data. Finally the implementation used in this research could function as a model that can be used in conjunction with other data encryption standard to enhance data security.
Article
Container technology has become a popular development that can conveniently accelerate building, running, and sharing applications. However, a container image packaging a collection of software usually lurks various defects threatening consumer safety, such as embedded malware, software vulnerability, privacy leakage, etc. Moreover, developers and users share container images through a centralized, public, and massive repository (e.g., Docker Hub), which can magnify the impact of these security defects in a fast-spreading way. Unfortunately, existing detection methods cannot effectively or efficiently discover such hidden flaws among the numerous images. This paper proposes a novel method to effectively detect and measure container security flaws embedded in images. Based on the crucial insight that container images are constructed hierarchically, each image depends on layers of forwarding image and adds updated content in layers of itself. Our work mines a Global Relationship Tree (GRT) based on dependency among the images that contain common layers. Meanwhile, by traversing the GRT and leveraging content differential analysis, we can locate the changing content in an image corresponding to defects. Therefore, when checking flaws among numerous images, we make a layer-sensitive detection by reusing common layers’ detection results in iterative processes to boost detection and accurately measure the influence scope of defects. Finally, we summarize and develop a set of detection primitives for scaling our approach to handle various flaws that may lead to multiple risks in potential. Depending upon this method, we implemented SEAF, a Scalable, Efficient, and Application-independent Framework, and evaluated it on popular images of diverse applications in Docker Hub. The experiment result shows that SEAF can discover different security flaws fast. Compared to the state-of-the-art tool, Clair, SEAF is more efficient and can find significantly more types of defects.
Chapter
Deep learning training is often outsourced to clouds due to its high computation overhead. However, clouds may not perform model training correctly due to the potential violations on Service Level Agreement (SLA) and attacks, incurring low quality of outsourced training. It is challenging for customers to understand the quality of outsourced training on clouds. They cannot measure the quality by simply testing the trained models because the testing performance is impacted by various factors, e.g., the quality of training and testing data. In order to address these issues, in this paper, we propose a novel framework that allows customers to verify the quality of outsourced training without modifying the processes of model training. Particularly, our framework achieves black-box verification by utilizing an extra training task that can be learned by the model only after the model converges on the original training task. We construct well-designed extra training tasks according to the original tasks, and develop a training quality verification method to measure the model performance on the extra task with a hypothesis testing-based threshold. The experiment results show that the models passing the quality verification achieve at least 96% of their best performance with negligible accuracy loss, i.e., less than 0.25%. KeywordsOutsourced deep learning servicesVerification
Article
Containers have replaced virtual machines because of their superior performance and lower resource use. The largest problems they face arise when security issues, such as establishing an appropriate level of isolation, are neglected. Namespaces and groups are tools offered by the Linux kernel, present limitations in its implementation. The solution to mitigate them, on the other hand, involves the use of a heterogeneous and complex set of additional measures: control MAC access, privilege segregation using capabilities and call filtering to the core with scomp. These mechanisms, however, are complex and require detailed knowledge of the technology on which it is based. The suppliers of platform as a service (PaaS) have the advantage the economy of scale to meet these challenges. In this work we deal with security in different contexts, and try to determine if running containers in operation in an infrastructure of reduced size can maintain an acceptable level of security. We’ve done this by looking at container technology and excellent security procedures from a guidebook.
Article
Over the three industrial revolutions, man has achieved great achievements. But besides that great success will always go hand in hand with many problems that arise. Because the rate at which technology develops is directly proportional to the threats it poses. The emergence of new technology requires researchers and students to pay attention to discover new threats to make it reliable and user-friendly. In the meantime 4.0 cloud computing is a new technology model. Security issues in cloud computing are considered one of the biggest obstacles besides the broad benefits of cloud computing. New concepts introduced by the cloud create new challenges for the security community. Addressing these challenges requires, in addition to the ability to cultivate and adjust security measures developed for other systems, to propose new security policies, models and protocols to address optimal and effective cloud security challenges. In this article, we provide comprehensive research on cloud security including classification of known security threats and advanced practices in attempting to address these threats. The paper also provides classification dependency and provides solutions in the form of preventive action rather than proactive action.
Article
Data confidentiality is one of the biggest concerns that hinders enterprise customers from moving their workloads to the cloud. Thanks to the trusted execution environment (TEE), it is now feasible to build encrypted databases in the enclave that can process customers' data while keeping it confidential to the cloud. Though some enclave-based encrypted databases emerge recently, there remains a large unexplored area in between about how confidentiality can be achieved in different ways and what influences are implied by them. In this paper, we first provide a broad exploration of possible design choices in building encrypted database storage engines, rendering trade-offs in security, performance and functionality. We observe that choices on different dimensions can be independent and their combination determines the overall trade-off of the entire storage. We then propose Enclage , an encrypted storage engine that makes practical trade-offs. It adopts many enclave-native designs, such as page-level encryption, reduced enclave interaction, and hierarchical memory buffer, which offer high-level security guarantee and high performance at the same time. To make better use of the limited enclave memory, we derive the optimal page size in enclave and adopt delta decryption to access large data pages with low cost. Our experiments show that Enclage outperforms the baseline, a common storage design in many encrypted databases, by over 13x in throughput and about 5x in storage savings.
Article
Context: Security smells are recurring coding patterns that are indicative of security weakness and require further inspection. As infrastructure as code (IaC) scripts, such as Ansible and Chef scripts, are used to provision cloud-based servers and systems at scale, security smells in IaC scripts could be used to enable malicious users to exploit vulnerabilities in the provisioned systems. Goal: The goal of this article is to help practitioners avoid insecure coding practices while developing infrastructure as code scripts through an empirical study of security smells in Ansible and Chef scripts. Methodology: We conduct a replication study where we apply qualitative analysis with 1,956 IaC scripts to identify security smells for IaC scripts written in two languages: Ansible and Chef. We construct a static analysis tool called Security Linter for Ansible and Chef scripts (SLAC) to automatically identify security smells in 50,323 scripts collected from 813 open source software repositories. We also submit bug reports for 1,000 randomly selected smell occurrences. Results: We identify two security smells not reported in prior work: missing default in case statement and no integrity check. By applying SLAC we identify 46,600 occurrences of security smells that include 7,849 hard-coded passwords. We observe agreement for 65 of the responded 94 bug reports, which suggests the relevance of security smells for Ansible and Chef scripts amongst practitioners. Conclusion: We observe security smells to be prevalent in Ansible and Chef scripts, similarly to that of the Puppet scripts. We recommend practitioners to rigorously inspect the presence of the identified security smells in Ansible and Chef scripts using (i) code review, and (ii) static analysis tools.
Chapter
Docker has become increasingly popular because it provides efficient containers that are directly run by the host kernel. Docker Hub is one of the most popular Docker image repositories. Millions of images have been downloaded from Docker Hub billions of times. However, in the past several years, a number of high-profile attacks that exploit this key channel of image distribution have been reported. It is still unclear what security risks the new ecosystem brings. In this paper, we reveal, characterize, and understand the security issues with Docker Hub by performing the first large-scale analysis. First, we uncover multiple security-critical aspects of Docker images with an empirical but comprehensive analysis, covering sensitive parameters in run-commands, the executed programs in Docker images, and vulnerabilities in contained software. Second, we conduct a large-scale and in-depth security analysis against Docker images. We collect 2,227,244 Docker images and the associated meta-information from Docker Hub. This dataset enables us to discover many insightful findings. (1) run-commands with sensitive parameters expose disastrous harm to users and the host, such as the leakage of host files and display, and denial-of-service attacks to the host. (2) We uncover 42 malicious images that can cause attacks such as remote code execution and malicious cryptomining. (3) Vulnerability patching of software in Docker images is significantly delayed or even ignored. We believe that our measurement and analysis serves as an important first-step study on the security issues with Docker Hub, which calls for future efforts on the protection of the new Docker ecosystem.
Chapter
Any software system is exposed to potential attack. The recent and continuous appearance of vulnerabilities in software systems makes security a vital issue if these systems are to succeed. The detection of potential vulnerabilities thus signifies that a set of policies can be established to minimize their impact. This therefore implies identifying the risks and data to be protected, and the design of an action plan with which to manage incidents and recovery. The purpose of this chapter is to provide an analysis of the most common vulnerabilities in recent years, focusing on those vulnerabilities which are specific to cloud computing. These specific vulnerabilities need to be identified in order to avoid them by providing prevention mechanisms, and the following questions have therefore been posed: What kinds of vulnerabilities are increasing? Has any kind of vulnerability been reduced in recent years? What is the evolution of their severity?
Conference Paper
Big data workflow management systems (BDWFMSs) have recently emerged as popular platforms to perform large-scale data analytics in the cloud. However, the protection of data confidentiality and secure execution of workflow applications remains an important and challenging problem. Although a few data analytics systems were developed to address this problem, they are limited to specific structures such as Map-Reduce-style workflows and SQL queries. This paper proposes SecDATAVIEW, a BDWFMS that leverages Intel Software Guard eXtensions (SGX) and AMD Secure Encrypted Virtualization (SEV) to develop a heterogeneous trusted execution environment for workflows. SecDATAVIEW aims to (1) provide the confidentiality and integrity of code and data for workflows running on public untrusted clouds, (2) minimize the TCB size for a BDWFMS, (3) enable the trade-off between security and performance for workflows, and (4) support the execution of Java-based workflow tasks in SGX. Our experimental results show that SecDATAVIEW imposes 1.69x to 2.62x overhead on workflow execution time on SGX worker nodes, 1.04x to 1.29x overhead on SEV worker nodes, and 1.20x to 1.43x overhead on a heterogeneous setting in which both SGX and SEV worker nodes are used.
Article
In this paper, we consider the SQL Selection-GroupBy-Aggregation (SGA) query evaluation on an untrusted MapReduce system in which mappers and reducers may return incorrect results. We design {\sl CorrectMR} , a system that supports efficient verification of result correctness for both intermediate and final results of SGA queries. {\sl CorrectMR} includes the design of Pedersen Merkle R-tree (PMR-tree), a new authenticated data structure (ADS). To enable efficient verification, {\sl CorrectMR} includes a distributed ADS construction mechanism that allows mappers/reducers to construct PMR-trees in parallel without a centralized party. {\sl CorrectMR} provides the following verification functionality: (1) correctness verification of PMR-trees by replication; (2) correctness verification of intermediate (final, resp.) query results by constructing local ( global , resp.) PMR-trees and verification objects. Our experimental results demonstrate the efficiency and effectiveness of {\sl CorrectMR} .
Chapter
Information Technology (IT) services and infrastructures significantly depend on auditing in order to reduce security, privacy, trust and forensics issues. Auditing is even more vital and complex in cloud computing environments due to non‐transparent architectures, multi‐tenancy, rapid elasticity, forensics challenges, and missing security, privacy and trust. Researchers have demonstrated that traditional IT auditing solutions are not yet flexible enough and ready to solve cloud‐based security issues, leading to immense problems for Cloud Service Providers (CSPs) in offering secure and trusted services. CSPs must meet national and international IT compliance regulations, which are even more challenging in cloud infrastructures. This chapter discusses the current security and privacy challenges in cloud computing, how cloud‐auditing methodologies can help alleviate some of these issues, and how cloud auditing is evolving. It also covers the current cloud compliance regulations, and describes how global organizations are working together to develop compliance regulations specifically for cloud computing.
Article
Full-text available
Encrypted database systems provide a great method for protecting sensitive data in untrusted infrastructures. These systems are built using either special-purpose cryptographic algorithms that support operations over encrypted data, or by leveraging trusted computing co-processors. Strong cryptographic algorithms (e.g., public-key encryptions, garbled circuits) usually result in high performance overheads, while weaker algorithms (e.g., order-preserving encryption) result in large leakage profiles. On the other hand, some encrypted database systems (e.g., Cipherbase, TrustedDB) leverage non-standard trusted computing devices, and are designed to work around the architectural limitations of the specific devices used. In this work we build StealthDB – an encrypted database system from Intel SGX. Our system can run on any newer generation Intel CPU. StealthDB has a very small trusted computing base, scales to large transactional workloads, requires minor DBMS changes, and provides a relatively strong security guarantees at steady state and during query execution. Our prototype on top of Postgres supports the full TPC-C benchmark with a 30% decrease in the average throughput over an unmodified version of Postgres operating on a 2GB unencrypted dataset.
Chapter
In this chapter we described the concept of multicloud architecture in which locally distributed clouds are combined to provide combined services of locally distributed clouds to the users. We started with basic of cloud computing and reached to multicloud through single cloud. In this chapter have described four architectural models for multicloud. Architecture models are Repetition of applications, Partition of System architecture into layers, Partition of Security features into segments and Distributing of data into fragments with these models security of the data resides in the datacenters of the cloud computing must be increased which leads to reliability in data storing of data.
Conference Paper
Docker containers have recently become a popular approach to provision multiple applications over shared physical hosts in a more lightweight fashion than traditional virtual machines. This popularity has led to the creation of the Docker Hub registry, which distributes a large number of official and community images. In this paper, we study the state of security vulnerabilities in Docker Hub images. We create a scalable Docker image vulnerability analysis (DIVA) framework that automatically discovers, downloads, and analyzes both official and community images on Docker Hub. Using our framework, we have studied 356,218 images and made the following findings: (1) both official and community images contain more than 180 vulnerabilities on average when considering all versions; (2) many images have not been updated for hundreds of days; and (3) vulnerabilities commonly propagate from parent images to child images. These findings demonstrate a strong need for more automated and systematic methods of applying security updates to Docker images and our current Docker image analysis framework provides a good foundation for such automatic security update. This article is summarized in: the morning paper an interesting/influential/important paper from the world of CS every weekday morning, as selected by Adrian Colyer
Article
The cloud concept promises computing as a utility. More and more functions are moved to cloud environments. But this transition comes at a cost: Security and privacy solutions have to be adapted to new challenges in cloud environments. We investigate secret communication possibilities – data transmission concealing its mere existence or some of its characteristics – in clouds. The ability to establish such secret communication provides a powerful instrument to adversaries and can be used to gather information for attack preparation, to conceal the coordination of malicious instances or to leak sensitive data.
Conference Paper
Public cloud vendors have been offering varies big data computing services. However, runtime integrity is one of the major concerns that hinders the adoption of those services. In this paper, we focus on MapReduce, a popular big data computing framework, propose the runtime integrity audition (RIA), a solution to verify the runtime integrity of MapReduce applications. Based on the idea of RIA, we developed a prototype system, called MR Auditor, and tested its applicability and the performance with multiple Hadoop applications. Our experimental results showed that MR Auditor is an efficient tool to detect runtime integrity violation and incurs a moderate performance overhead.
Conference Paper
Cloud computing is playing an ever larger role in the IT infrastructure. The migration into the cloud means that we must rethink and adapt our security measures. Ultimately, both the cloud provider and the customer have to accept responsibilities to ensure security best practices are followed. Firewalls are one of the most critical security features. Most IaaS providers make firewalls available to their customers. In most cases, the customer assumes a best-case working scenario which is often not assured. In this paper, we studied the filtering behavior of firewalls provided by five different cloud providers. We found that three providers have firewalls available within their infrastructure. Based on our findings, we developed an open-ended firewall monitoring tool which can be used by cloud customers to understand the firewall's filtering behavior. This information can then be efficiently used for risk management and further security considerations. Measuring today's firewalls has shown that they perform well for the basics, although may not be fully featured considering fragmentation or stateful behavior.
Conference Paper
Full-text available
Google hacking is a term to describe the search queries that find out security and privacy flaws. Finding vulnerable servers and web applications, server fingerprinting, accessing to admin and user login pages and revealing username-passwords are all possible in Google with a single click. Google can also reveal secrets of cryptography applications, i.e., clear text and hashed passwords, secret and private keys, encrypted messages, signed messages etc. In this paper, advanced search techniques in Google and the search queries that reveal cryptographic secrets are explained with examples in details.
Article
Full-text available
As more and more organizations consider moving their applications and data from dedicated hosting infrastructure, which they own and operate, to shared infrastructure leased from 'the cloud', security remains a key sticking point. Tenants of cloud hosting providers have substantially less control over the construction, operation, and auditing of infrastructure they lease than infrastructure they own. Because cloud-hosted infrastructure is shared, attackers can exploit the proximity that comes from becoming a tenant of the same cloud hosting provider. As a result, some have argued that that cloud-hosted infrastructure is inherently less secure than the self-hosted infrastructure, and that it will never be appropriate for high-stakes applications such as health care or financial transaction processing. We strive to present a more balanced treatment of the potential security impacts of transitioning to cloud-hosted infrastructure, surveying both the security costs and security benefits of doing so. The costs include exposure to new threats, some of which are technological, but many others of which are contractual, jurisdictional, and organizational. We also survey potential countermeasures to address these threats, which are also as likely to be contractual or procedural as technological. Transitioning to a cloud-hosted infrastructure may also have security benefits; some security measures have high up-front costs, may become affordable when amortized at cloud scale, and impact threats common to both cloud-and self-hosted infrastructures.
Article
Full-text available
The cloud computing paradigm is still evolving, but has recently gained tremendous momentum. However, security and privacy issues pose as the key roadblock to its fast adoption. In this article, the authors present security and privacy challenges that are exacerbated by the unique aspects of clouds and show how they're related to various delivery and deployment models. They discuss various approaches to address these challenges, existing solutions, and future work needed to provide a trustworthy cloud computing environment.
Conference Paper
Full-text available
We have developed a program called fiwalk which produces detailed XML describing all of the partitions and files on a hard drive or diskimage, as well as any extractable metadata from the document files themselves. We show how it is relatively simple to create automated disk forensic applications using a Python module we have written that reads fiwalk's XML files. Finally, we present three applications using this system: a program to generate maps of disk images; an image redaction program; and a data transfer kiosk which uses forensic tools to allow the migration of data from portable storage devices without risk of infection from hostile software that the portable device may contain.
Conference Paper
Full-text available
Cloud computing is revolutionizing how information technology resources and services are used and managed but the revolution comes with new security problems. Among these is the problem of securely managing the virtual-machine images that encapsulate each application of the cloud. These images must have high integrity because the initial state of every virtual machine in the cloud is determined by some image. However, as some of the enefits of the cloud depend on users employing images built by third parties, users must also be able to share images safely. This paper explains the new risks that face administrators and users (both image publishers and image retrievers) of a cloud's image repository. To address those risks, we propose an image management system that controls access to images, tracks the provenance of images, and provides users and administrators with efficient image filters and scanners that detect and repair security violations. Filters and scanners achieve efficiency by exploiting redundancy among images; an early implementation of the system shows that this approach scales better than a naive approach that treats each image independently.
Conference Paper
Full-text available
Patching is a critical security service that keeps computer systems up to date and defends against security threats. Existing patching systems all require running systems. With the increasing adoption of virtualization and cloud computing services, there is a growing number of dormant virtual machine (VM) images. Such VM images cannot benefit from existing patching systems, and thus are often left vulnerable to emerging security threats. It is possible to bring VM images online, apply patches, and capture the VMs back to dormant images. However, such approaches suffer from unpredictability, performance challenges, and high operational costs, particularly in large-scale compute clouds where there could be thousands of dormant VM images. This paper presents a novel tool named Nüwa that enables efficient and scalable offline patching of dormant VM images. Nüwa analyzes patches and, when possible, converts them into patches that can be applied offline by rewriting the patching scripts. Nüwa also leverages the VM image manipulation technologies offered by the Mirage image library to provide an efficient and scalable way to patch VM images in batch. Nüwa has been evaluated on freshly built images and on real-world images from the IBM Research Compute Cloud (RC2), a compute cloud used by IBM researchers worldwide. When applying security patches to a fresh installation of Ubuntu-8.04, Nüwa successfully applies 402 of 406 patches. It speeds up the patching process by more than 4 times compared to the online approach and by another 2--10 times when integrated with Mirage. Nüwa also successfully applies the 10 latest security updates to all VM images in RC2.
Conference Paper
Full-text available
The success of cloud computing can lead to large, centralized collections of virtual machine (VM) images. The ability to interactively search these VM images at a high semantic level emerges as an important capability. This paper examines the opportunities and challenges in creating such a search capability, and presents early evidence of its feasibility.
Conference Paper
Full-text available
Cloud computing has gained remarkable popularity in the recent years by a wide spectrum of consumers, ranging from small start-ups to governments. However, its benefits in terms of flexibility, scalability, and low upfront investments, are shadowed by security challenges which inhibit its adoption. Managed through a web-services interface, users can configure highly flexible but complex cloud computing environments. Furthermore, users misconfiguring such cloud services poses a severe security risk that can lead to security incidents, e.g., erroneous exposure of services due to faulty network security configurations. In this article we present a novel approach in the security assessment of the end-user configuration of multi-tier architectures deployed on infrastructure clouds such as Amazon EC2. In order to perform this assessment for the currently deployed configuration, we automated the process of extracting the configuration using the Amazon API. In the assessment we focused on the reachability and vulnerability of services in the virtual infrastructure, and presented a way for the visualization and automated analysis based on reachability and attack graphs. We proposed a query and policy language for the analysis which can be used to obtain insights into the configuration and to specify desired and undesired configurations. We have implemented the security assessment in a prototype and evaluated it for practical scenarios. Our approach effectively allows to remediate today's security concerns through validation of configurations of complex cloud infrastructures.
Conference Paper
Full-text available
In the last several years, identity theft has been on the rise. The Internet represents an appealing place for fraudsters to collect a host of personal and financial data related to many innocent users. Using the collected data they can impersonate the users and commit different fraudulent activities including application fraud. Mining Internet data for fraudulent purposes is commonly referred to as (black hat) Google hacking. We discuss in this paper the impact of Google hacking on identity fraud, with an emphasis on fraudulent applications for identity certificates such as credit cards, passports, and so on. The discussion is based on the results of an experiment performed over the Internet by conducting some (white hat) Google hacking and collecting sensitive identity information for living as well as dead persons. We also outline the architecture of a security tool for detecting application fraud that is currently under development.
Article
Full-text available
The disk sanitization practices are studied. Computer systems used by people with varying authorization levels typically employ authentication, access control lists, and a privileged operating system to maintain information privacy. The study indicates that the secondary hard-disk market is almost certainly awash in information that is both sensitive and confidential. If sanitization practices are not significantly improved, it is only a matter of time before the confidential information on repurposed hard drives is exploited by individuals and organizations that would do us harm.
Conference Paper
Full-text available
Cryptographic algorithms have already become a basic technique used in many application areas, like confidentiality and content protection. However, the big question of key management still remains unanswered. As a part of it, to efficiently use public key cryptography, we require a good local storage system to guarantee the confidentiality and availability of keys and certificates. In this paper, we take a look at local key and certificate storage in JDK 1.3. We discuss the requirements for such systems, evaluate the standard JDK solution, KeyStore, and finally propose an improved solution that does not suffer from the many shortcomings of KeyStore.
Article
Zusammenfassung Heutzutage ist es als Betreiber eines Server außerst wichtig flexibel au Anderungen zu reagieren. Zum Beispiel kann man im heutigen Internet heute auf einer Seite einen Besucher haben, aber morgen schon eine Millionen. Genau auf diesem Aspekt antwortet Amazon EC2, eines der bekanntesten Cloud-Dienste von Amazon. Aus-gerüstet mit Hochverfügbarkeit, modernster Hardware und Funktionen bietet es einen elastischen, skalierbaren und dynamischen Infrastruktur-Dienst an. Dieser Dienst stellt einë außerst attraktive Alternative zu den bisherigen Arten einen Server zu betreiben dar. Amazon EC2 ist eines der vielen Cloud-Dienste von Amazon, das darauf setzt elastische Infrastrukturen in Form von virtuellen Maschinen anzubieten. Es be-steht hier die Möglichkeit Rechenzeit pro Stunde zu erwerben.
Article
The popularity of "Trust-on-first-use" (Tofu) authentica- tion, used by SSH and HTTPS with self-signed certificates, demonstrates significant demand for host authentication that is low-cost and simple to deploy. While Tofu-based applications are a clear improvement over completely inse- cure protocols, they can leave users vulnerable to even simple network attacks. Our system, PERSPECTIVES, thwarts many of these attacks by using a collection of "no- tary" hosts that observes a server's public key via multiple network vantage points (detecting localized attacks) and keeps a record of the server's key over time (recognizing short-lived attacks). Clients can download these records on-demand and compare them against an unauthenticated key, detecting many common attacks. PERSPECTIVES ex- plores a promising part of the host authentication design space: Trust-on-first-use applications gain significant at- tack robustness without sacrificing their ease-of-use. We also analyze the security provided by PERSPECTIVES and describe our experience building and deploying a publicly available implementation.
Conference Paper
Random number generators (RNGs) are consistently a weak link in the secure use of cryptography. Routine cryp- tographic operations such as encryption and signing can fail spectacularly given predictable or repeated random- ness, even when using good long-lived key material. This has proved problematic in prior settings when RNG imple- mentation bugs, poor design, or low-entropy sources have resulted in predictable randomness. We investigate a new way in which RNGs fail due to reuse of virtual machine (VM) snapshots. We exhibit such VM reset vulnerabilities in widely-used TLS clients and servers: the attacker takes advantage of (or forces) snapshot replay to compromise sessions or even expose a server's DSA signing key. Our next contribution is a backwards-compatible framework for hedging routine cryptographic operations against bad ran- domness, thereby mitigating the damage due to randomness failures. We apply our framework to the OpenSSL library and experimentally confirm that it has little overhead.
Conference Paper
A virtual computing utility hosts guest virtual machines on server provider sites. Each VM is an instantiation of some image or virtual appliance, which might be supplied by the VM owner or a third-party image provider. This paper ad- dresses the problem of establishing a secure channel between a VM and an automated controller running on behalf of the VM's authorized owner. A secure channel is an essential toehold for post-install actions by the controller to adapt the VM to its local environment, join it to an application service, and/or monitor and control its execution. A simple and practical solution is to modify an image for a particular site or owner, e.g., by pre-installing keys or tokens onto the image. That approach compromises the portability of images, and could interfere with image sharing, use of new operating systems on image appliances, or endorsement of standard images by image providers. This paper presents an alternative solution that preserves the portability of images. The solution employs a stan- dard keymaster service on the images. The keymaster and controller conduct a one-round binding protocol for mutual authentication and key exchange, seeded by secure tokens passed from the utility boot authority. The binding proto- col relies only on security mechanisms at the transport layer and above, so it is suitable for use with remote controllers.
Conference Paper
As virtual machines become pervasive users will be able to create, modify and distribute new "machines" with unprecedented ease. This flexibility provides tremendous benefits for users. Unfortunately, it can also undermine many assumptions that today's relatively static security architectures rely on about the number of hosts in a system, their mobility, connectivity, patch cycle, etc. We examine a variety of security problems virtual computing environments give rise to. We then discuss potential directions for changing security architectures to adapt to these demands.
Conference Paper
Virtual-machine images are currently distributed as disk-image files, which are files that mirror the content of physical disks. This format is convenient for the virtual machine monitors that exe- cute these images. However, it is not well-suited for administering images because storing images as disk-image files forces adminis- trators to maintain the software on images with the same tools that they use to maintain the software on physical machines. Already, these tools cannot cope with "physical server sprawl"; in the future, because images can be snapshotted and cloned easily, enterprises that migrate from physical machines to images will need tools that scale to cope with the larger problem of "virtual-machine image sprawl". To address this problem, this paper proposes the Mirage image format (MIF), a new storage format that exposes the rich semantic information currently buried in disk-image files. Disk-image files contain a mapping from file name to file content (and file metadata). MIF decouples this mapping into a manifest that maps file names to content descriptors (and file metadata) and a store that holds the content. Each image has its own manifest and a store may contain content for many images. As with disk-image files, images in MIF fully encapsulate application state including all software dependences. In addition, conversion between MIF and traditional disk-image formats is easy. This paper shows, through examples, that MIF makes some typ- ical software management tasks—inventory control, customized deployment, and image update—faster and easier. The general technique is to operate on manifests instead of on content when- ever possible. These tasks can be performed without starting im- ages and, because manifests are simpler and orders of magnitude smaller than disk-image files, without accessing large amounts of data.
Conference Paper
Third-party cloud computing represents the promise of out- sourcing as applied to computation. Services, such as Mi- crosoft's Azure and Amazon's EC2, allow users to instanti- ate virtual machines (VMs) on demand and thus purchase precisely the capacity they require when they require it. In turn, the use of virtualization allows third-party cloud providers to maximize the utilization of their sunk capital costs by multiplexing many customer VMs across a shared physical infrastructure. However, in this paper, we show that this approach can also introduce new vulnerabilities. Using the Amazon EC2 service as a case study, we show that it is possible to map the internal cloud infrastructure, iden- tify where a particular target VM is likely to reside, and then instantiate new VMs until one is placed co-resident with the target. We explore how such placement can then be used to mount cross-VM side-channel attacks to extract information from a target VM on the same machine.
Conference Paper
Recently the use of public key encryption to provide secure network communication has received considerable attention. Such public key systems are usually effective against passive eavesdroppers, who merely tap the lines and try to decipher the message. It has been pointed out, however, that an improperly designed protocol could be vulnerable to an active saboteur, one who may impersonate another user or alter the message being transmitted. Several models are formulated in which the security of protocols can be discussed precisely. Algorithms and characterizations that can be used to determine protocol security in these models are given.
Article
Experiments conducted to investigate the trade-off in a population of password users and their results are discussed. Various advices provided by experts to the users for memorizing passwords which are easy to remember and difficult to crack are presented. It is recommended that organizations should provide instruction and training on how to construct usable and secure passwords. It is suggested to use the output from a random password generator and to select a random string that can be pronounced and is easy to remember. The results confirm that users have difficulty remembring random passwords and that passwords based on mnemonic phrases are harder to guess.
Clobbering the Cloud!
  • N Arvantis
  • M Slaviero
  • H Meer
N. Arvantis, M. Slaviero, and H. Meer. Clobbering the Cloud!, 2009. http://www.sensepost.com/labs/ conferences/clobbering_the_cloud.
The Secure Shell (SSH) Protocol Architecture. RFC 4251 (Proposed Standard)
  • T Ylonen
  • C Lonvick
T. Ylonen and C. Lonvick. The Secure Shell (SSH) Protocol Architecture. RFC 4251 (Proposed Standard), January 2006.
Architecting for the cloud: Best practices
  • J Varia
J. Varia. Architecting for the cloud: Best practices, January 2011. http://media.amazonwebservices. com/AWS_Cloud_Best_Practices.pdf.
How to Keep Your AWS Credentials on an EC2 Instance Securely
  • S Swidler
S. Swidler. How to Keep Your AWS Credentials on an EC2 Instance Securely, August 2009. http://shlomoswidler.com/2009/08/ how-to-keep-your-aws-credentials-on-ec2.html.
SSH Host Key Protection
  • B Hatch
B. Hatch. SSH Host Key Protection, Oct 2004. http://www.symantec.com/connect/articles/ ssh-host-key-protection.
Symbian OS Platform Security
  • C Heath
C. Heath. Symbian OS Platform Security. John Wiley & Sons, 2006.
The NIST Definition of Cloud Computing (Draft)
NIST. The NIST Definition of Cloud Computing (Draft). 2011. Special Publication 800-145 (Draft).
Programming amazon web services
  • James Murty