Transcript
Page 1: How to detect side channel attacks in cloud infrastructures

Elastic SIEM to detect side-channel attacks in Cloud Infrastructures

Pasquale Puzio, SecludIT & [email protected]

Joint work with: Refik Molva (EURECOM), Sergio Loureiro (SecludIT)

University of Regensburg, Germany, September 4th

Page 2

Agenda

• Cloud Computing and new security challenges

• Elasticity and Elastic Detector

• Multi-tenancy and side-channel attacks

• Co-residency checks

• Solution to detect side-channel attacks

• DEMO

Page 3

Cloud Computing

• Not just virtualization

• On demand provisioning

• Pay-per-use

• Elasticity & Multi-tenancy

• Infrastructure as a Service (IaaS): virtual machines & storage

• Platform as a Service (PaaS): IaaS + dev environment

• Software as a Service (SaaS): on-demand software

Page 4

IaaS: Infrastructure as a Service

• Users manage their own infrastructure through a web browser or API

• IaaS cloud providers supply resources from large data centers

• Virtual machines, storage, firewalls, load balancers, IP addresses, VLANs, software bundles, etc.

• Users install operating-system images on the cloud infrastructure

Page 5

New advantage of IaaS: Elasticity

Page 6

Solution to Elasticity: Elastic Detector

• Security must be global, automatic and constant: ELASTIC

• Continuous analysis at every level: firewalls, servers, applications and data

• Periodic analysis of servers by isolating and analyzing clones

• EVA: Elastic Vulnerability Assessment

Page 7

Page 8

New security challenge of IaaS: Multi-tenancy

[Figure: a cloud provider hosting the virtual machines of Tenant 1, Tenant 2 and Tenant 3 on shared infrastructure]

Page 9

Side-Channel Attacks in IaaS

• An attacker takes advantage of a shared physical component in order to steal information from the victim

• Any co-resident user can perpetrate a side-channel attack

• Hypervisors enforce logical isolation, but it is not sufficient

[Figure: a cloud provider hosting the victim's and the attacker's virtual machines side by side]

Page 10

Access-driven Side-channel Attacks

• The co-resident attacker observes the activity of the processor cache to steal an ElGamal decryption key from a victim using the libgcrypt library.

• How it works:

– PRIME: fill the processor cache;

– IDLE: wait for a pseudo-random interval. During this interval the victim is supposed to access the cache and change the content of some blocks;

– PROBE: resume the execution and refill the cache. Measure the delay to learn the activity of the victim.

• Measurements will be analyzed to infer the encryption key.

• Measurements are converted to basic operations.

• The attacker obtains a relatively small set of encryption keys which can be used to perform a brute-force attack.

Yinqian Zhang, Ari Juels, Michael K. Reiter, and Thomas Ristenpart. 2012. Cross-VM side channels and their use to extract private keys. In Proceedings of the 2012 ACM conference on Computer and communications security (CCS '12). ACM, New York, NY, USA, 305-316. DOI=10.1145/2382196.2382230 http://doi.acm.org/10.1145/2382196.2382230

Page 11

Access-driven Side-channel Attacks

[Figure: timeline of the prime-probe cycle between the co-resident VMs: ATTACKER 1 FILL, 2 WAIT, 4 REFILL; VICTIM ... 3 EXECUTE ...]

Page 12

Our Work: Side-channel Attack Detection

• We developed a Python script which uses AWS APIs in order to launch and terminate a set of virtual machines in a given region

• This is exactly what an attacker would do

• We detect the attack before it is performed: best for security

[Diagram: Placement → Co-residency check → Side-channel attack, with Log collection → Correlation underneath]

Page 13

Our Work: Side-channel Attack Detection

[Diagram: Placement → Co-residency check → Side-channel attack, with Log collection → Correlation underneath]

Page 14

Co-residency Check on Amazon EC2

3 simple checks to determine co-residency:

• matching Dom0 IP address

• small packet round-trip times

• numerically close internal IP addresses (e.g. within 7)

The Dom0 IP co-residency check has an effective false positive rate of zero. A TCP SYN traceroute is used to determine the victim's Dom0 IP.

Thomas Ristenpart, Eran Tromer, Hovav Shacham, and Stefan Savage. 2009. Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds. In Proceedings of the 16th ACM conference on Computer and communications security (CCS '09). ACM, New York, NY, USA, 199-212. DOI=10.1145/1653662.1653687 http://doi.acm.org/10.1145/1653662.1653687

Page 15

Co-residency Check on Amazon EC2

Page 16

Solution Architecture

Page 17

OSSIM

• Open source tool for SIEM by AlienVault

• OSSIM provides several features such as event collection, normalization, and correlation.

• Widely adopted (more than 195.000 users in 175 countries)

• Easily expandable with custom plugins

Page 18

Integration between Elastic Detector and OSSIM

[Figure: the cloud provider's virtual machines (attacker's VMs, victim's VM, users' VMs) and the "Instance created" ... "Instance terminated" events flowing from Elastic Detector to OSSIM]

Page 19

Our Work: Side-channel Attack Detection

[Diagram: Placement → Co-residency check → Side-channel attack, with Log collection → Correlation underneath]

Page 20

Our Work: Side-channel Attack Detection

[Diagram: Placement → Co-residency check → Side-channel attack, with Log collection → Correlation underneath]

Page 21

Our Work: Plugin for Parsing Remote Logs

• Nagios logs forwarded to OSSIM need to be parsed and converted to events

• Logs are filtered by defining a regular expression for each event

LOG:
Aug 19 15:51:32 debian-secludit nagios3: SERVICE NOTIFICATION: event@551;72-us-east-1;722;notify-service-by-cloutomate;Found new Instance: i-f0ad689c

REGULAR EXPRESSION:
^(?P<date>\w{3}\s\d{1,2}\s\d\d:\d\d:\d\d)\sdebian-secludit\snagios3:\sSERVICE\sNOTIFICATION:\sevent@\d{3}\;(?P<account>\d{2,3})-(?P<region>\w{2}-\w{4,9}-\d)\;\d{3}\;notify-service-by-cloutomate\;Found\snew\sInstance:\s(?P<instanceid>i-[a-z0-9]{8})$

Named groups extracted from the log line: account, region, instance id

Page 22

Our Work: Side-channel Attack Detection

[Diagram: Placement → Co-residency check → Side-channel attack, with Log collection → Correlation underneath]

Page 23

Our Work: Side-channel Attack Detection

• Logs have been delivered to OSSIM and converted to events

• We now have to define a correlation rule to detect the side-channel attack
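The two detection steps described on the plugin slide (page 21) and here, the regular-expression parsing of forwarded Nagios lines and the correlation rule over the resulting events, as one added Python example that is not part of the talk's own plugin or OSSIM directive. The burst threshold, the 120 s window, the assumed year for the year-less syslog timestamps, the `_line` helper and the sample log lines are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime
# Named-group regex from the slide; the stray comma in the instance-id class is dropped.
EVENT_RE = re.compile(
    r"^(?P<date>\w{3}\s\d{1,2}\s\d\d:\d\d:\d\d)\sdebian-secludit\snagios3:\s"
    r"SERVICE\sNOTIFICATION:\sevent@\d{3};(?P<account>\d{2,3})-"
    r"(?P<region>\w{2}-\w{4,9}-\d);\d{3};notify-service-by-cloutomate;"
    r"Found\snew\sInstance:\s(?P<instanceid>i-[a-z0-9]{8})$"
)

def parse_event(line, year=2013):
    """Turn one forwarded Nagios line into an event dict; None if it is not a new-instance notification."""
    m = EVENT_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    # syslog timestamps carry no year, so one is assumed (constructed for this example)
    ev["ts"] = datetime.strptime(f"{year} {ev['date']}", "%Y %b %d %H:%M:%S")
    return ev

def correlate(lines, threshold=5, window_s=120):
    """Raise one alert per burst of >= threshold launches by one account in one region within window_s."""
    recent, alerts = defaultdict(list), []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # unparsed lines never become events
        key = (ev["account"], ev["region"])
        bucket = recent[key]
        bucket.append(ev)
        bucket[:] = [e for e in bucket if (ev["ts"] - e["ts"]).total_seconds() <= window_s]
        if len(bucket) >= threshold:
            alerts.append((key, [e["instanceid"] for e in bucket]))
            bucket.clear()  # a burst is reported once
    return alerts

def _line(ts, acct, region, iid):  # helper that builds a log line in the slide's format
    return (f"{ts} debian-secludit nagios3: SERVICE NOTIFICATION: event@551;"
            f"{acct}-{region};722;notify-service-by-cloutomate;Found new Instance: {iid}")

LOG_LINES = [  # constructed sample input: five launches by account 72 within 73 seconds
    _line("Aug 19 15:51:32", "72", "us-east-1", "i-f0ad689c"),
    _line("Aug 19 15:51:40", "72", "us-east-1", "i-0a1b2c3d"),
    _line("Aug 19 15:51:55", "101", "eu-west-1", "i-9e8d7c6b"),  # unrelated tenant
    _line("Aug 19 15:52:01", "72", "us-east-1", "i-11223344"),
    _line("Aug 19 15:52:20", "72", "us-east-1", "i-55667788"),
    _line("Aug 19 15:52:45", "72", "us-east-1", "i-99aabbcc"),
    "Aug 19 15:53:00 debian-secludit nagios3: SERVICE NOTIFICATION: host up",  # ignored
]
```

The instance-id list in each alert is what a correlation directive would hand on to the co-residency check stage; raising the threshold to 6 on this input produces no alert.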

Page 24

Our Work: Results

Page 25

DEMO

• 10 t1.micro virtual machines on Amazon EC2

• Virtual machines are launched in a very short time

• All virtual machines are terminated after 5 minutes (after the co-residency check)

Page 26

DEMO

Enjoy!

Page 27

About SecludIT

• Founded by security experts together with EURECOM, a French research institute in telecom and network security, SecludIT has developed Elastic Security, a set of products and services specifically designed to help cloud infrastructure providers and users to safely migrate to the cloud.

• SecludIT has become a recognized industry player, one of the Cloud Security Alliance founders and active member, co-author of security best practices V2.1 https://cloudsecurityalliance.org/research/security-guidance/#_v2. SecludIT is a technology partner of Amazon Web Services, HP Cloud, VMware and Eucalyptus.

• Website: http://www.secludit.com

• Blog: http://www.elastic-security.com

Page 28

THANK YOU

Questions?

Page 29

OSSIM: Correlation directives

