Vulnerabilities in SaaS layer of cloud computing
Comments

  • Nice work. I just want to ask: if a university decides to move its email services to the cloud, what will be the role of a cloud provider if a student decides to use the university's email to send spam mails?

    Thanks
  • Software as a Service (SaaS): a distribution model in which applications are hosted by the vendor and made available to customers over a network, through either a web or a mobile interface.

Presentation Transcript

  • Vulnerabilities in SaaS Layer of Cloud Computing. Clinton D Souza, Rafael Santana, Arizona State University.
  • Overview Introduction Cloud Computing Overview Research Results Conclusion Discussion Future work Q&A
  • Introduction Research funded by Fulton Undergraduate Research Initiative (FURI). Co-Author: Dr. Partha Dasgupta. Purpose of research is bring to attention, existent vulnerabilities in Software as a Service layer of cloud computing.
  • Cloud Computing Overview
    Cloud computing architecture is divided into three layers:
       Infrastructure as a Service (IaaS)
       Platform as a Service (PaaS)
       Software as a Service (SaaS)
  • Cloud Computing Models
    The most common cloud computing models:
       Public cloud
       Private cloud
       Hybrid cloud
  • Simple Cloud Security Structure
  • Research Two main points of entry into SaaS layer:  User Point of Entry o Most common point of attack in a SaaS model  Provider Point of Entry An example query that exploits the vulnerability in most database servers like PostgresSQL and MySQL, which will grant the attacker administrator privileges could be: <?php // $uid: or uid like %admin% $query = "UPDATE usertable SET pwd=... WHERE uid= or uid like %a dmin%;"; // $pwd: hehehe, trusted=100, admin=yes $query = "UPDATE usertable SET pwd=hehehe, trusted=100, admin=yes WHERE ...;"; ?>
  • Research To connect to the uploaded SaaS application, user will have to use a client/user portal which uses a web service interface that is vulnerable to a variety of attacks, some of which include:  Buffer Overflow  Cross Site Scripting  SQL Injection  Denial of Service
  • Result w The most common •Denial of Service Availability •Account lockout attacks associated with •Buffer-over-flo SaaS model in a public •Cross-site scrip ng cloud infrastructure. Data Security •Access control weakness •Privilege escala on They are divided into the •Network Penetra on Network Security •Session Hijacking following four groups: •Data Packet Intercep on Iden ty Management •Authen ca on Weakness •Insecure Trust SaaS (Software as a Service) vulnerabilities
  • Discussion  Zero-Day Vulnerability Found in McAfee’s SaaS Products ( April 2011)  Attacker can execute arbitrary code by exploiting the flaw if victim visits a malicious page or open the file.  Common Vulnerability Scoring System score it to be 9 out of 10 maximum.  Method will accept commands that are passed to a function that simply executes them without authentication.  McAfee SaaS includes:  Email Protection (Protection against viruses and spam)  McAfee Integrated Suites (Protection against viruses, web threats, etc…)  Patch released in August 2011.http://news.softpedia.com/news/Zero-Day-Vulnerability-Found-in-McAfee-s-SaaS-Products-247051.shtml
  • Conclusion Two main points of entry into SaaS layer:  User Point of Entry o Most common point of attack in a SaaS model  Provider Point of Entry w •Denial of Service Availability •Account lockout •Buffer-over-flo •Cross-site scrip ng Data Security •Access control weakness •Privilege escala on •Network Penetra on Network Security •Session Hijacking •Data Packet Intercep on Iden ty Management •Authen ca on Weakness •Insecure Trust SaaS (Software as a Service) vulnerabilities
  • Future Work Next approach is to design test cases of a security breach common to the SaaS structure including the web-services involved. Propose a suitable solution for how to minimize the intensity of the penetration attack. Document resultant effects and extent of the exploit and compare with other research projects/paper results. Document and explore the extent to which data can be exploited.
  • Q&A
  • References
    [1] GoGrid Cloud Hosting, "Cloud Infrastructure", http://pyramid.gogrid.com/#/, 2010.
    [2] Tipton, Harold F.; Nozaki, Micki Krause, Information Security Management Handbook, 6th ed., USA: CRC Press, 2012.
    [3] Verizon Business, "2012 Data Breach Investigations Report", http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf, 2012.
    [4] The PHP Group, "SQL Injection", http://php.net/manual/en/security.database.sql-injection.php, 2001-2012.