How to detect side channel attacks in cloud infrastructures

Nov 02, 2014

http://www.secludit.com

We integrated Elastic Detector, SecludIT's product, with OSSIM in order to detect side-channel attacks occurring in cloud infrastructures.
Elastic Detector handles the elasticity of the cloud, collects security-relevant logs and forwards them via rsyslog to OSSIM, where the correlation takes place thanks to our plugin.

Demo shown at the RaSIEM workshop (ARES conference) in Regensburg, Germany.

1. Elastic SIEM to detect side-channel attacks in Cloud Infrastructures
   Pasquale Puzio, SecludIT & EURECOM, [email protected]
   Joint work with: Refik Molva (EURECOM), Sergio Loureiro (SecludIT)
   University of Regensburg, Germany, September 4th

2. Agenda
   - Cloud Computing and new security challenges
   - Elasticity and Elastic Detector
   - Multi-tenancy and side-channel attacks
   - Co-residency checks
   - Solution to detect side-channel attacks
   - DEMO

3. Cloud Computing
   - Not just virtualization: on-demand provisioning, pay-per-use, elasticity and multi-tenancy
   - Infrastructure as a Service (IaaS): virtual machines and storage
   - Platform as a Service (PaaS): IaaS + development environment
   - Software as a Service (SaaS): on-demand software

4. IaaS: Infrastructure as a Service
   - Users manage their own infrastructure through a web browser or API
   - IaaS cloud providers supply resources from large data centers: virtual machines, storage, firewalls, load balancers, IP addresses, VLANs, software bundles, etc.
   - Users install operating-system images on the cloud infrastructure

5. New advantage of IaaS: Elasticity (figure)

6. Solution to Elasticity: Elastic Detector
   - Security must be global, automatic and constant: ELASTIC
   - Continuous analysis at every level: firewalls, servers, applications and data
   - Periodic analysis of servers by isolating and analyzing clones
   - EVA: Elastic Vulnerability Assessment

7. (figure)

8. New security challenge of IaaS: Multi-tenancy
   (diagram: one cloud provider hosting the virtual machines of Tenant 1, Tenant 2 and Tenant 3)

9. Side-Channel Attacks in IaaS
   - An attacker takes advantage of a shared physical component in order to steal information from the victim
   - Any co-resident user can perpetrate a side-channel attack
   - Hypervisors enforce logical isolation, but it is not sufficient
   (diagram: victim and attacker virtual machines hosted by the same cloud provider)

10. Access-driven Side-channel Attacks
   The co-resident attacker observes the activity of the processor cache to steal an ElGamal decryption key from a victim using the libgcrypt library.
   How it works:
   - PRIME: fill the processor cache;
   - IDLE: wait for a pseudo-random interval. During this interval the victim is supposed to access the cache and change the content of some blocks;
   - PROBE: resume the execution and refill the cache. Measure the delay to learn the activity of the victim.
   Measurements will be analyzed to infer the encryption key. Measurements are converted to basic operations. The attacker obtains a relatively small set of encryption keys which can be used to perform a brute-force attack.
   Reference: Yinqian Zhang, Ari Juels, Michael K. Reiter, and Thomas Ristenpart. 2012. Cross-VM side channels and their use to extract private keys. In Proceedings of the 2012 ACM conference on Computer and communications security (CCS '12). ACM, New York, NY, USA, 305-316. DOI=10.1145/2382196.2382230 http://doi.acm.org/10.1145/2382196.2382230

11. Access-driven Side-channel Attacks
   (diagram: attacker VM steps 1 FILL, 2 WAIT, 4 REFILL; victim VM step 3 EXECUTE)

12. Our Work: Side-channel Attack Detection
   - We developed a Python script which uses AWS APIs in order to launch and terminate a set of virtual machines in a given region
   - This is exactly what an attacker would do
   - We detect the attack before it is performed: best for security
   (pipeline diagram: Placement → Co-residency check → Side-channel Attack → Log collection → Correlation)

13. Our Work: Side-channel Attack Detection
   (pipeline diagram as on slide 12)

14. Co-residency Check on Amazon EC2
   3 simple checks to determine co-residency:
   - matching Dom0 IP address
   - small packet round-trip times
   - numerically close internal IP addresses (e.g. within 7)
   The Dom0 IP co-residency check has an effective false positive rate of zero. TCP SYN traceroute is used to determine the victim's Dom0 IP.
   Reference: Thomas Ristenpart, Eran Tromer, Hovav Shacham, and Stefan Savage. 2009. Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds. In Proceedings of the 16th ACM conference on Computer and communications security (CCS '09). ACM, New York, NY, USA, 199-212. DOI=10.1145/1653662.1653687 http://doi.acm.org/10.1145/1653662.1653687

15. Co-residency Check on Amazon EC2 (figure)

16. Solution Architecture (figure)

17. OSSIM
   - Open source tool for SIEM by AlienVault
   - OSSIM provides several features such as event collection, normalization, and correlation
   - Widely adopted (more than 195,000 users in 175 countries)
   - Easily expandable with custom plugins

18. Integration between Elastic Detector and OSSIM
   (diagram: cloud provider hosting attackers' VMs, victims' VMs and users' VMs; events "Instance created" and "Instance terminated" are forwarded to OSSIM)

19. Our Work: Side-channel Attack Detection
   (pipeline diagram as on slide 12)

20. Our Work: Side-channel Attack Detection
   (pipeline diagram as on slide 12)

21. Our Work: Plugin for Parsing Remote Logs
   - Nagios logs forwarded to OSSIM need to be parsed and converted to events
   - Logs are filtered by defining a regular expression for each event
   LOG:
       Aug 19 15:51:32 debian-secludit nagios3: SERVICE NOTIFICATION: [email protected];72-us-east-1;722;notify-service-by-cloutomate;Found new Instance: i-f0ad689c
   REGULAR EXPRESSION:
       ^(?P<date>\w{3}\s\d{1,2}\s\d\d:\d\d:\d\d)\sdebian-secludit\snagios3:\sSERVICE\sNOTIFICATION:\s[email protected]{3};(?P<account>\d{2,3})-(?P<region>\w{2}-\w{4,9}-\d);\d{3};notify-service-by-cloutomate;Found\snew\sInstance:\s(?P<instance_id>i-[a-z,0-9]{8})$
   The named groups capture the account, the region and the instance id.

22. Our Work: Side-channel Attack Detection
   (pipeline diagram as on slide 12)

23. Our Work: Side-channel Attack Detection
   - Logs have been delivered to OSSIM and converted to events
   - We now have to define a correlation rule to detect the side-channel attack

24. Our Work: Results (figure)

25. DEMO
   - 10 t1.micro virtual machines on Amazon EC2
   - Virtual machines are launched in a very short time
   - All virtual machines are terminated after 5 minutes (after the co-residency check)

26. DEMO: Enjoy!

27. About SecludIT
   Founded by security experts together with EURECOM, a French research institute in telecom and network security, SecludIT has developed Elastic Security, a set of products and services specifically designed to help cloud infrastructure providers and users safely migrate to the cloud. SecludIT has become a recognized industry player, one of the Cloud Security Alliance founders and an active member, and co-author of the security best practices V2.1 (https://cloudsecurityalliance.org/research/security-guidance/#_v2). SecludIT is a technology partner of Amazon Web Services, HP Cloud, VMware and Eucalyptus.
   Website: http://www.secludit.com
   Blog: http://www.elastic-security.com

28. THANK YOU. Questions?

29. OSSIM: Correlation directives (figure)
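As an added example (not code from the deck, from SecludIT's plugin or from OSSIM), the two detection steps of slides 21 and 23 in Python: a regex that turns the forwarded Nagios "Found new Instance" notification into an event carrying account, region and instance id, and a sliding-window correlation rule that raises an alert when one account launches a burst of instances in one region, the placement step the demo reproduces with 10 VMs. The group names, the contact-address pattern `\S+@\S+` and the sample log lines are assumptions of this example.

```python
import re
from datetime import datetime

# Pattern for the Nagios notification shown on slide 21. The group names and the
# contact-address part (\S+@\S+) are assumptions; the deck labels the last three groups.
NEW_INSTANCE_RE = re.compile(
    r"^(?P<date>\w{3}\s\d{1,2}\s\d\d:\d\d:\d\d)\sdebian-secludit\snagios3:\s"
    r"SERVICE\sNOTIFICATION:\s\S+@\S+;(?P<account>\d{2,3})-(?P<region>\w{2}-\w{4,9}-\d);"
    r"\d{3};notify-service-by-cloutomate;Found\snew\sInstance:\s(?P<instance>i-[a-z0-9]{8})$"
)

def parse_event(line, year=2014):
    """Turn one forwarded Nagios line into an event dict; None if the plugin ignores it."""
    m = NEW_INSTANCE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['date']}", "%Y %b %d %H:%M:%S")  # syslog has no year
    return {"ts": ts, "account": m["account"], "region": m["region"], "instance": m["instance"]}

def correlate(events, threshold=10, window_s=300):
    """Rule: alert when one account launches >= threshold instances in one region within window_s."""
    recent, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent.setdefault((ev["account"], ev["region"]), [])
        q.append(ev)
        while (ev["ts"] - q[0]["ts"]).total_seconds() > window_s:  # slide the window forward
            q.pop(0)
        if len(q) >= threshold:
            alerts.append({"account": ev["account"], "region": ev["region"],
                           "first": q[0]["ts"], "last": ev["ts"], "instances": [e["instance"] for e in q]})
            q.clear()  # one alert per burst
    return alerts

# Constructed sample (not from the deck): ten launches by account 72 in us-east-1 within
# one minute, one launch by account 80, and a host alert the plugin does not match.
SAMPLE_LOG = [
    f"Aug 19 15:50:{5 * i:02d} debian-secludit nagios3: SERVICE NOTIFICATION: nagios@example.com;"
    f"72-us-east-1;722;notify-service-by-cloutomate;Found new Instance: i-0000000{i}"
    for i in range(10)
] + [
    "Aug 19 15:52:10 debian-secludit nagios3: SERVICE NOTIFICATION: nagios@example.com;"
    "80-us-east-1;722;notify-service-by-cloutomate;Found new Instance: i-abcdef12",
    "Aug 19 15:52:11 debian-secludit nagios3: HOST ALERT: web01;UP;HARD;1;PING OK",
]

def run_sample():
    """Parse the constructed sample and apply the rule; returns (events, alerts)."""
    events = [e for e in map(parse_event, SAMPLE_LOG) if e]
    return events, correlate(events)
```

run_sample() yields 11 events and a single alert listing the 10 instances launched by account 72 in us-east-1; account 80's lone launch stays below the threshold.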