Title: Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds
1. Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds
- Authors: Thomas Ristenpart, et al.
- Defended by Vaibhav Rastogi and Yi Yang
2. Introduction
- Introduction
- EC2 Service, Network Probing
- Attacking Steps
  - Cloud Cartography
  - Placement
  - Extraction
- Discussion
3. Traditional system security mostly means keeping the bad guys out. The attacker needs to either compromise the authentication/access control system or impersonate existing users.
4. But clouds allow co-tenancy: multiple independent users share the same physical infrastructure. So an attacker can legitimately be on the same physical machine as the target.
5.
- How to find out where the target is located?
- How to be co-located with the target on the same (physical) machine?
- How to gather information about the target?
6. Exploring Information Leakage in Third-Party Compute Clouds
- First work on cloud cartography
- Attack launched against a commercially available real cloud (Amazon EC2)
- Up to 40% success in achieving co-residence with the target VM
7.
- Cloud infrastructure provider is trustworthy
- Cloud insiders are trustworthy
- Attacker is a malicious third party who can legitimately use the cloud provider as a client
- Threat: an attacker's instances can run on the same physical hardware as potential victims. Therefore, the attacker might manipulate shared physical resources (e.g. CPU caches, network queues, etc.) to learn otherwise confidential information.
8. Attack Tasks
- Map the cloud infrastructure to find where the target is located
- Use various heuristics to determine co-residency of two VMs
- Launch probe VMs trying to be co-resident with target VMs
- Exploit cross-VM leakage to gather information about the target
9. The EC2 Service
- The EC2 service enables users to flexibly rent computational resources for use by their applications.
- A privileged virtual machine, called Domain0, is configured to route packets for its guest images and reports itself as a hop in traceroutes.
- 2 regions, 3 availability zones, 5 instance types.
- Each instance has one internal IP and one external IP. Both are static. For example:
  - External IP: 75.101.210.100
  - Internal IP: 10.252.146.52
(Figures from the Xen Wiki)
10. Network Probing
- Nmap, hping, wget for network probing
  - Nmap is a security scanner used to discover hosts and services on a computer network, thus creating a "map" of the network.
  - hping is a packet generator and analyzer for the TCP/IP protocol.
  - Wget is a computer program that retrieves content from web servers.
By using such tools, we can understand VM placement in the EC2 system and provide evidence of co-residence.
11.
- Finding: different availability zones correspond to different internal IP address ranges
12.
- Finding: within the same zone, instances of the same type fall in similar IP regions
13. Task 2: Determining co-residence
- Check to determine if a given VM is placed on the same physical machine as another VM
- Instances are likely co-resident if they have
  - (1) matching Dom0 IP address,
  - (2) small packet round-trip times, or
  - (3) numerically close internal IP addresses (e.g. within 7).
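As an added illustration of the three heuristics on this slide (example code, not from the paper or the presenters), the following Python audits a tenant's own fleet for instance pairs that look co-resident, which is how a defender would check whether their own workloads share hardware. The instance names, internal addresses, Dom0 hops and RTT values are constructed, and the 1 ms RTT cutoff is an assumption, since the slides only say "small"; the "within 7" address distance is the slide's own figure.

```python
import ipaddress
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Optional, Tuple

IP_DISTANCE_THRESHOLD = 7   # the slide's "numerically close ... within 7"
RTT_THRESHOLD_MS = 1.0      # assumed cutoff; the slide only says "small"


@dataclass
class Instance:
    name: str
    internal_ip: str                 # dotted quad, e.g. 10.252.146.52
    dom0_ip: Optional[str] = None    # Domain0 hop seen in a traceroute, if any


def internal_ip_distance(a: str, b: str) -> int:
    """Absolute numeric distance between two IPv4 addresses."""
    return abs(int(ipaddress.IPv4Address(a)) - int(ipaddress.IPv4Address(b)))


def co_residence_signals(x: Instance, y: Instance,
                         rtt_ms: Optional[float] = None) -> Dict[str, bool]:
    """Evaluate the three heuristics for one pair; rtt_ms is the measured x<->y round trip."""
    return {
        "dom0_match": x.dom0_ip is not None and x.dom0_ip == y.dom0_ip,
        "small_rtt": rtt_ms is not None and rtt_ms <= RTT_THRESHOLD_MS,
        "close_internal_ip": internal_ip_distance(x.internal_ip, y.internal_ip) <= IP_DISTANCE_THRESHOLD,
    }


def likely_co_resident(x: Instance, y: Instance, rtt_ms: Optional[float] = None) -> bool:
    """Any one heuristic firing is treated as evidence of co-residence, as on the slide."""
    return any(co_residence_signals(x, y, rtt_ms).values())


def audit_fleet(instances: List[Instance],
                rtts: Dict[Tuple[str, str], float]) -> List[Tuple[str, str, List[str]]]:
    """Report every pair of a tenant's own instances that the heuristics flag, with the firing signals."""
    flagged = []
    for x, y in combinations(instances, 2):
        rtt = rtts.get((x.name, y.name), rtts.get((y.name, x.name)))
        signals = co_residence_signals(x, y, rtt)
        if any(signals.values()):
            flagged.append((x.name, y.name, [k for k, v in signals.items() if v]))
    return flagged


# Constructed sample fleet: addresses, Dom0 hops and RTTs are invented for illustration.
SAMPLE_FLEET = [
    Instance("web-1", "10.252.146.52", dom0_ip="10.252.144.1"),
    Instance("web-2", "10.252.146.55", dom0_ip="10.252.144.1"),
    Instance("db-1", "10.251.3.20", dom0_ip="10.251.0.1"),
]
SAMPLE_RTTS = {("web-1", "web-2"): 0.4, ("web-1", "db-1"): 3.1, ("web-2", "db-1"): 2.9}

if __name__ == "__main__":
    for a, b, why in audit_fleet(SAMPLE_FLEET, SAMPLE_RTTS):
        print(f"{a} and {b} look co-resident: {', '.join(why)}")
```

A randomized internal-IP allocation scheme, as proposed on the mitigation slides, would leave only the Dom0 and RTT signals usable, which is easy to confirm by re-running the audit with shuffled addresses.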
14. Task 3: Making a probe VM co-resident with the target VM
- Brute force scheme
  - Idea: figure out the target's availability zone and instance type
  - Launch many probe instances in the same area
  - Success rate 8.4%, but on a large target set
15. Task 3: Making a probe VM co-resident with the target VM
- Smarter strategy: utilize locality
  - Idea: VM instances launched right after the target are likely to be co-resident with the target
  - Success rate 40%!
16. Task 3: Making a probe VM co-resident with the target VM
- The window of opportunity is quite large, measured in days
17. Task 4: Gather leaked information
- Now that the VM is co-resident with the target, what can it do?
  - Gather information via side channels
  - Perform DoS
18. Task 4.1: Gathering information
- Measure latency of cache loads
- Use that to determine
  - Co-residence
  - Traffic rates
  - Keystroke timing
19. Credits
- Ragib Hasan, Johns Hopkins University
20. Mitigation strategies 1: Mapping
- Use a randomized scheme to allocate IP addresses
- Block some tools (nmap, traceroute)
21. Mitigation strategies 2: Co-residence checks
- Prevent traceroute (i.e., prevent identification of Dom0)
22. Mitigation strategies 3: Co-location
- Do not allow co-residence at all
  - Beneficial for the cloud user
  - Not efficient for the cloud provider
23. Mitigation strategies 4: Information leakage
- Prevent cache load attacks?
24. Discussion
- How is the problem different from other attacks?
- What's so special about clouds?