Introdcution
An increasing number of companies are considering transfer their services or data to the ‘cloud’. However, there are numerous factors to think about before adopting this new technology, one of the most significant one is security. In this paper, I am going to mainly discuss the top 5 threats in cloud computing. They are VM related issues, data security, multi-tenancy isolation failure, web browser vulnerabilities (refer to the flaws in a system that allow an attack to be successful), and identity problems.
Before directly digging into details of those attacks, it is significant to understand what computational cloud is. The layout of this report is as follows: section 2 provides a necessary background about the basic concept of computational computing and its models. Section 3 illustrates an in-depth analysis of the potential threat of multi-tenancy and prevention solutions. Section 4 is similar to section3 but solely focuses on VM issues. Section 5 presents the attack of a web browser associated with SaaS application. Section 6 discussed data security in detail. Section 7 is a combination of identity and insider attack issues. A summary is presented in Section 8. This is followed by a reference in Sec 8.
Background
Briefly, cloud computing offers on-demand network access to a shared pool of configurable resources (network, servers, storage) with minimal management effort. To be specific, it is a combination of technologies such as virtualization, web services, distributed computing, and virtual network. With virtualization, physical servers can be configured into virtual machines (VM). This allows the resources of a physical computer, including processor, memory, storage and I/O channels, to be shared between concurrent VMs. When a client creates a VM, part of the resource the server is distributed. Web services make it possible for customers to get access to SaaS while distributed computing is significant for resource distribution. In the end, it is neccessary that servers would be needed to connect with the use of routing protocols. The figure is shown below:
Infrastructure as a Service (IaaS): basic computing resources such as network, storage, and CPU.
Platform as a Service (PaaS): cloud provider offers a computing platform including OS, database and webserver and customers can build their applications with provided platform
Software as a Service (SaaS): mostly access the service through a web browser. One crucial point is that these models are highly co-dependent, any attack on any cloud service layer can compromise the upper layer. There are trade-offs to each model between security and flexibility. In the layer of IaaS, customers have better control of their system and thus be responsible for managing the security issues. Private cloud is often designed for banks, government, police system or hospitals for better security. Small businesses or individual users would normally go for public cloud for the limited resources(service) they need.
Multi-tenancy threats and countermeasures
Multi-tenancy implies sharing of computational resources, storage, services and applications with other tenants. Physical servers are consolidated to multiple virtual machine instances on virtualized servers. Multi-tenancy has different modes which means that tenants may in the same instance or not. It is relatively safe than each tenant has a customized instance. To deliver secure multi-tenancy, isolation is the key factor and under no circumstance should any tenant gain any control of other tenants. Often in the case, the underlying components that make up this infrastructure (CPU caches, GPUs) are not designed to offer isolation features for a multi-tenant architecture. To address this, Virtual Machine Monitor or Hypervisor is designed. It provides the opportunity to run multiple OS in one single server and controls access between guest operating systems and the physical compute resource. The structure is displayed below:
However, the presence of a VMM does not necessarily make a system more secure. Instead, if an attacker has taken control of the hypervisor(high-privileged), he can invoke functions, such as for creating VMs, or managing I/O devices. This has been discussed in Joanna Rutkowska’s paper “Owning Xen Trilogy”. They modified the Xen’s hypervisor memory and planted hypervisor rootkits inside Xen to gain backdoor functionality. This attack can be stopped by proposing a solution which job is to detect hidden processes running in the victim VM. This abnormal process often is the indicator of a rootkit installed. To generally overcome the vulnerability of the hypervisor, virtual machine introspection has been proposed that we should create an Admin VM (function as “backup” hypervisor) to access the memory and virtual CPUs of the monitored VM to check the status of the system. It uses two distinct strategies: (i) integrity checking of illegal changes to kernel code and system call table; (ii) comparison from data as seen inside and outside to see if the malicious code affects the integrity of the data. Still, the presence of an Admin somehow creates a new threat. The attacker might access the Admin VM from a guest VM and perform a denial-of-service attack. Some people suggest remove the extra VM and enhance the hypervisor directly by automatically check the statue of the kernel by itself. In contrast to the attack described in the previous paragraph, whose goal is to launch an attack to achieve the authorization of the hypervisor. There is also another attack aiming at the tenant from the same host which is the second multi-tenancy mode called Cross-VM attack. It is possible that one customer’s VM (instance) could be assigned to the same server as their adversary (using vSwitch). A malicious VM can infer information about other VMs through shared resources without triggering hypervisor. In turn, create a new potential threat that attackers would try to defeat the isolation (via side-channels between VMs). Side-channel attacks are classified mainly because the hardware medium attackers exploit. Cache side-channel attack is one of the most common chosen by adversaries due to their interaction and sharing between multiple processes. Younis A talked about a well-known attack in this category called the Prime and Probe Attack. In this attack, an attacker uses a process to fill the cache. As a result, the process would distribute a specific time for the victim to access the cache. Since the attacker knows the predefined time, he can refill the same cache set and cause the victim’s data being evicted. The structure of multi-tenancy is shown below:
This attack aims at attacking co-resident VMs and retrieving information from them.
Thomas Ristenpart used the Amazon EC2 service as a case study. The attack has two steps: placement and extraction. They had to place their VMs in the same server as their adversary and extracted valuable information via a cross-VM attack. In the end, they found out that VMs from the same zone can share the same IP address prefixes such as 10.251.0.0/16. Also, they can ensure VMs are co-resident by checking Dom0 IP address. By the end of the paper, they utilized side channels to learn information about co-resident instances. It can be temporarily solved by periodic VM migrations to reduce the co-location possibility of the victim instance and the attacker’s VM. Tianwei Zhang proposed a more efficient way of triggering VM migration using CloudRadar.
The attacker then can utilize (time-shared) caches usage to measure if the victim instance is running and operates a denial-of-service attack. Speaking of side channels, most of the time, the attacker would take advantage of the CPU cache (single-core processor) or a shared last-level cache (multi-core system) to trace the execution path of the victim instance. This usually can be prevented by applications to detect any strange behavior on the CPU cache (similar to the Admin VM discussed before).
VM related issues
Virtual machine (VM) issues are mainly the responsibility of cloud providers in the layer of IaaS. IaaS vendors deliver their service in a scalable way by virtualization. Besides, VM image is one of the potential threats. It is a prepackaged software template that customers use to create VMs. Normally, a small private cloud image is stored in a hard drive and engineer needs to carry it to the local infrastructure to install it. On the contrary, public VM image can be compromised with the risk of malicious code. For example, an attacker can create an image containing a Trojan horse and upload it to an open-source site. Whoever downloads that image would be infected by this hidden malware. Data leakage by virtual machine replication which is the root for providing on-demand service.
Cloning can lead to machine secrets exposure: host keys. Once an attacker has the context of the keys, it is easy to eavesdrop the data in transit. More importantly, cryptography is frequently used to overcome data storage vulnerabilities and play a significant role in cloud data.
Network components are shared by different tenants. They may be in the same prefix Ip pool. Virtual networks are necessary for communication between VMs. This improves the chance of some attacks such as sniffing and spoofing packet. An attacker can easily create a VM in the same network and fake its way to connect to other VMs and once it takes control of one single VM inside, the whole virtual network is under attack. To solve this, VM must have its own access control policy to regulate the in-flow traffic. Others also suggest proper authentication and encryption techniques such as IPsec to ensure that they only communicate with the ones they are supposed to.
Other attacks like VM hogging in which an attack consumes most of the GPU and memory, leading to starving of resources for the remaining. In a VM escape attack, an attacker can break out from a compromised VM and take control of the hypervisor. For example, cloudburst is used for memory corruption and it would focus on memory-mapped I/O and port I/O to find a way to execute code on the host from the guest.
Sometimes, virtual machines needed to be migrated from one physical host to another new host. This happens a lot in real situations when the physical server reaches its peak (resource exhaustion). It would cause potential damage such as service unavailability (failure in certain scenarios that needs intensive CPU or Memory), Proper security policies must be employed immediately to avoid the risk of being attacked. Otherwise, as a result of the attack, the information of VM (applications, data and OS kernel) is leaked.
At last, sometimes, uncontrolled rollback could lead to reset vulnerabilities. This technique is originally used to restore the state of VMs when they are contaminated or mistakenly configured by customers. It happens occasionally when a system is automatically triggered by some bug and causes a rollback. All the patches disappear and need to be fixed instantly.
Web browser attacks under IaaS application
Web application is part of the SaaS. In other word, security holes in the web applications create vulnerabilities to the SaaS application. Example can be traditional stateless HTTP protocol which is vulnerable to attacks list below: Cross-Site Scripting attacks are one of the old school attacks. It is another injection attack where attacks can execute malicious scripts into a legitimate website and steal valuable information. It can be realized by inserting a string within the web page and treated as a valid code by the browser. Most of the time, attacker use it to gain control of normal user account.
Man in the middle attack (HITM) is another class of attacks which is also known as a passive attack. In such an attack, an entity tried to intrude in an ongoing connection between a client and a server by injecting false information. Most of the time, the motivation behind it is to have knowledge of the important data transferred between them. I am going to explain how it works in detail.
A concrete example would be when a client transmits a 48-bit credit-card number b1-b48 plus pin to the server. To ensure the process, all information is encrypted using the public key of the server. The attack is pretty simple, the attacker can generate ciphertext C by encrypting 0 using the public key of the server and send C’, C1, C2…C48. If the server accepts it and the attacker would know that the first digit is 0. By repeating the attack for 48 times, the whole card number is exposed. This can be stopped by randomly guessing the card number in which the number of messages would be 248.
Dos/DDos Attacks in computing is attempting to make a machine resource unavailable to its intended users. The attacker would usually generate thousands of unique IP addressed and try to connect to the server and interrupt services of a host connected to the internet.
Generally speaking, the security of web applications should be guaranteed and scanned by a web application scanner.
Data security
Data security is a common concern for any technology, especially when some company (bank, government or hospital) wants to store sensitive and critical data in the cloud as well as transit data in safety. There are three main problems around data. Firstly, organizational data is often processed in plaintext and stored in the cloud since it is convenient for data scientists to execute data pipelines such as data cleaning, formatting, extracting. If anyone steals the authentication (username and password) of the operator, he can easily get access to all the data. So, when data is not being used, data encryption can reduce the risk of data leakage.
Also, data backup is something crucial when it comes to data recovery. Any offering that does not replicate the data and application infrastructure across multiple sites is vulnerable to any attack. For example, if data got contaminated by viruses (Cloud consumer staff may also make mistakes like accidentally delete important data), it is still available to restore the data with the backup. In real life, the data usually has three copies on different servers.
Even the data is in the cloud, it still can be affected by traditional attacks: SQL injection attacks. The idea behind this is simple, the hacker’s data is misunderstood by the web-site as the legitimate user. The most commonly used one is # which comments the rest SQL input. This can be avoided by sanitizing input. Examples can be no semicolon allowed or the regulated input should be string without any strange symbols.
Data integrity is another issue. If A sends something to B, the content of the data should be intact. Most cloud providers would propose to secure data using a digital signature with the RSA algorithm while data is being transferred over the Internet.
Identity, authentication, authorization mechanisms, and inside attacker
Identity is the core of any security system. It consists of a set of information associated with a specific entity including personal information. In normal case, authentication is usually username and password and is insufficient to secure the communication.
Use multifactor authentication to reduce the risk of credential compromise. A new scheme is proposed for mutual authentication. It allows a user and a cloud server to authenticate each other anonymously and establish a channel between them. In terms of authorization, it is necessary to assign user access rights as well as plan a collection of roles to fill specific responsibilities. Developers should be constrained to assigned projects. System managers should be constrained to assigned resources.
It is true that the computational cloud can be infected by technical holes. There are some other vulnerabilities that are common to any organization and can easily be neglected.
Some of those are the lack of customer background checks and lack of security education. Most cloud providers do not check the background of customers, and anyone with a valid email address and credit card can open an account. Attacker can perform unlimited malicious activities without being identified.
Also, people are always a weak point in any security issues. They should be educated on how to correctly open an account and reasonably consume limited resources. Sometimes, a valid user would create 4GB/2Core VM and would not release it after using it. It wastes valuable resources as well as potential risk for unattended VM (normal user would not have any protection policy).
Another one is inside attack which means an authorized malicious insider will utilize the system in a way that benefits himself and not be authorized to perform. Besides, there is often little knowledge about how the provider grants access to physical and virtual assets and how they monitor their employees. It can be solved by giving specific authorization. However, in real situations, it is always a privileged account shared by deployment engineers as well as team members.
Summary
Cloud computing is a powerful technology to accomplish different activities with less budget. However, if it is not implemented properly, many threats may be yielded. In the report, I generally talk about threats that are common in real life and more likely to happen. I summarize the problems as follow: 1.multi-tenancy is the most significant threat containing a threat to co-exist tenants in the same instance or host.
2.VM related problem is underneath the technique of virtualization, the key component is hypervisor which ensures the smooth running of guest operate systems. It is hard to define the boundary of VMs since tenants are either share the same physical server or even the same instance.
3.Web vulnerability in the computational cloud is even more complex than traditional attacks
4.Data security issues happen whether data is safely stored or transferred. More often, it is very critical to deal with data loss 5.Unauthorized access to the VM or Stolen authentication both are dangerous to the security of cloud computing.
Reference
[1]Zhang, Y., Juels, A., Reiter, M.K., Ristenpart, T.: Cross-tenant side-channel attacks in PaaS clouds. In: CCS 2014 (2014) [2] https://blog.invisiblethings.org/2008/07/07/0wning-xen-in-vegas.html [3]CSA. (Top Threats to Cloud Computing v1.0) [4] Morsy, M.A., Grundy, J., Müller, I.: An analysis of the cloud computing security problem. In: Proceedings of Asia Pacific Software Engineering Conference Cloud Workshop, pp. 1–6. IEEE Computer Society, Washington, DC, USA (2010) [5] T. Ristenpart, E. Tromer, H. Shacham, S. SavageHey, you, get off of my cloud: exploring information leakage in third-party compute clouds 16th ACM conference on Computer and communications security 2009, ACM, Chicago, IL (2009) [6] B Grobauer, T Walloschek, E StockerUnderstanding cloud computing vulnerabilities Security & Privacy, IEEE, 9 (2011), pp. 50-57 [7] Meiko Jensen, Jörg Schwenk, Nils Gruschka and Luigi Lo Iacono, “On Technical Security Issues in Cloud Computing,” in IEEE ICCC, Bangalore 2009, pp. 109-116. [8] Zhang, T., Zhang, Y., Lee, R.B: Cloudradar: a real-time side-channel attack detection system in clouds. In: Proceedings of the 19th Symposium on Research in Attacks, Intrusions, and Defenses (RAID), Telecom SudParis, France (2016)