CCSW '12
Adam Bates, Benjamin Mood, Joe Pletcher, Hannah Pruse, Masoud Valafar, and Kevin Butler
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
University of Oregon, Eugene
Detecting Co-Residency with Active Traffic Analysis Techniques
Outline
1. Introduction
2. Cloud co-residency
3. Active traffic analysis
4. System design
5. Implementation
6. Evaluation
7. Analysis
8. Discussion
9. Related work
10. Conclusion
1. Introduction
New challenges to security
  sharing of a common physical platform
Co-residency determination
  alternatives that may be available
  focus on the network interface
  active traffic analysis
  create an outbound covert channel for data exfiltration
1. Introduction
Investigates virtualization side channels in physical hardware
Assesses severity of threat through extensive evaluation
Introduces proof-of-concept attacks for the network flow channel
2. Cloud co-residency
Victims
  legitimate cloud customers
Adversary
  wishes to discover valuable information about his target
  launches many instances, performs the co-residency check
3. Active traffic analysis
Network flow watermarking
  a type of network covert timing channel
  recently used as a method for detecting stepping stone relays
Blind schemes
  all necessary information is contained within the watermark
Non-blind schemes
  information is stored for access by the exit gateways
Exploits virtualization's dependence on traffic mixing
Does not require a corrupt network server
4. System design
Inject a target's network traffic with a persistent watermark
Due to the coarse-grained ability of a co-located VM to inject network delay:
  out-of-band communication
  overcome its limited ability to inject delay through network activity
4.1 Threat model
Motivation
  investigate the existence of hardware-level side channels
  the viability of isolation assurances for virtual machines
Assumptions
  naive timing channels are unavailable
  all local traffic is routed through a switch
  administrators proactively apply patches
  administrators do not interfere with the activities of customers
  the victim trusts the cloud infrastructure
  the victim's instances are available to the adversary over an open network
4.2 Co-resident watermarking
Relies on the pigeonhole principle
SERVER, CLIENT, FLOODERs
4.2 Co-resident watermarking
CLIENT initiates a web session with our target instance
CLIENT iterates through its list of registered FLOODERs
FLOODERs inject network activity into the outbound interface
If no watermark signature is detected, terminate all instances and launch a new set
If a signature is detected, use the co-resident FLOODER for a second phase of attack
4.3 Signal Encoding
The watermark embedding process
  T : length of the unwatermarked network flow
  n : number of intervals
  t_i : length of interval i
  p_i : a certain number of packet arrivals in interval i
  +d, -d : two different levels of packet delay
  w_i ∈ {+d, -d}
  +d : injecting a constant stream of UDP packets
  -d : taking no action for the length of the interval
4.4 Signal Decoding
Sort intervals into X+d and X-d
Poisson distribution
Kolmogorov-Smirnov (KS) test
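The encoding step of 4.3 and the decoding step of 4.4 as one added simulation; this is not the authors' code. It assumes the non-blind setting (CLIENT knows the interval schedule and bits), models unwatermarked arrivals as Poisson, and stands in for NIC contention during a +d interval with a constructed exponential extra delay on each inter-packet gap.

```python
import math
import random

def simulate_flow(rng, bits, pkts_per_interval, mean_gap, delay):
    """Constructed target flow as seen by CLIENT: a list of (interval, gap).
    Poisson arrivals give exponential gaps. In a +d interval (bit 1) the
    co-resident FLOODER floods the shared NIC, modelled as an extra
    exponential delay per gap; in a -d interval (bit 0) gaps are unchanged."""
    samples = []
    for i, bit in enumerate(bits):
        for _ in range(pkts_per_interval):
            gap = rng.expovariate(1.0 / mean_gap)
            if bit == 1 and delay > 0:
                gap += rng.expovariate(1.0 / delay)
            samples.append((i, gap))
    return samples

def ks_statistic(xs, ys):
    """Two-sample Kolmogorov-Smirnov statistic D = sup |F_xs - F_ys|."""
    xs, ys = sorted(xs), sorted(ys)
    i = j = 0
    d = 0.0
    while i < len(xs) and j < len(ys):
        if xs[i] < ys[j]:
            i += 1
        elif ys[j] < xs[i]:
            j += 1
        else:
            i, j = i + 1, j + 1
        d = max(d, abs(i / len(xs) - j / len(ys)))
    return d

def decode_watermark(samples, bits, c_alpha=1.36):
    """Sort gaps into X+d / X-d by interval bit, then KS-test the two sets.
    c_alpha=1.36 is the asymptotic two-sample critical coefficient at 5%."""
    x_plus = [g for i, g in samples if bits[i] == 1]
    x_minus = [g for i, g in samples if bits[i] == 0]
    d = ks_statistic(x_plus, x_minus)
    n, m = len(x_plus), len(x_minus)
    critical = c_alpha * math.sqrt((n + m) / (n * m))
    return d, critical, d > critical

def run_check(seed, delay):
    """Embed a 16-interval watermark and decode it. delay=0 models a FLOODER
    that is not co-resident, so the target's NIC is never affected."""
    rng = random.Random(seed)
    bits = [1, 0, 1, 1, 0, 0, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1]
    samples = simulate_flow(rng, bits, 100, 1.0, delay)
    return decode_watermark(samples, bits)
```

A detected signature (D above the critical value) means the FLOODER shares the target's NIC; the delay=0 run is the false-positive check a deployment would run before trusting the decoder.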