Detecting Co-Residency with Active
    Traffic Analysis Techniques
                                  CCSW '12
   Adam Bates, Benjamin Mood, Joe Pletcher, Hannah Pruse, Masoud Valafar,
                               and Kevin Butler
   Oregon Systems Infrastructure Research and Information Security (OSIRIS)
                                     Lab
                        University of Oregon, Eugene
Outline
    1.    Introduction
    2.    Cloud co-residency
    3.    Active traffic analysis
    4.    System design
    5.    Implementation
    6.    Evaluation
    7.    Analysis
    8.    Discussion
    9.    Related work
    10.   Conclusion

1. Introduction
     New challenges to security
       sharing of a common physical platform with other tenants
     alternative ways an attacker could determine co-residency
       focus on the network interface
       active traffic analysis
       the same channel can carry an outbound covert channel for data exfiltration

1. Introduction
     Investigates virtualization side channels in physical
      hardware
     Assesses severity of threat through extensive
      evaluation
     Introduces proof-of-concept attacks for the network
      flow channel

2. Cloud co-residency
     Victims
       legitimate cloud customers
     Adversary
       wishes to discover valuable information about his target
       launches many instances and runs the co-residency check from each

3. Active traffic analysis
     Network flow watermarking
       a type of network covert timing channel
       recently used as a method for detecting stepping-stone relays
     Blind schemes
       all information needed to decode is contained within the
        watermark itself
     Non-blind schemes
       decoding information is stored for access by the exit gateways
     Co-resident watermarking exploits virtualization's dependence on traffic mixing
     Does not require a corrupt network server

4. System design
     Inject a persistent watermark into the target's network traffic
     Break hypervisor isolation guarantees
     On-off, interval-based packet arrival scheme
       chosen because a co-located VM can only inject network delay in a
        coarse-grained way
     Out-of-band communication
       overcomes the VM's limited ability to inject delay through its own
        network activity

4.1 Threat model
     Motivation
       investigate the existence of hardware-level side channels
       test the viability of isolation assurances for virtual machines
     Assumptions
       naive timing channels are unavailable
       all local traffic is routed through a switch
       administrators proactively apply patches
       administrators do not interfere with the activities of customers
       the victim trusts the cloud infrastructure
       the victim's instances are reachable by the adversary over an open
        network

4.2 Co-resident watermarking
     Relies on the pigeonhole principle: launch enough FLOODER instances
      and one of them will land on the target's physical host
     Three roles: SERVER (the target instance), CLIENT, FLOODERs

4.2 Co-resident watermarking
      CLIENT initiates a web session with our target instance
       (SERVER)
      CLIENT iterates through its list of registered
       FLOODERs
      each FLOODER in turn injects network activity into the outbound
       interface of its host, following the watermark schedule
      If no watermark signature is detected in the CLIENT's flow
        terminate all instances and launch a new set
      If a signature is detected
        use the co-resident FLOODER for a second phase of
         attack

4.3 Signal Encoding
      the watermark embedding process
      T : length of the unwatermarked network flow
      n : number of intervals the flow is divided into
      ti : length of interval i
      pi : number of packet arrivals observed in interval i
      +d, -d : two different levels of packet delay
      wi ∈ {+d, -d} : the watermark symbol assigned to interval i
      +d : FLOODER injects a constant stream of UDP packets for the interval
      -d : FLOODER takes no action for the length of the interval

4.4 Signal Decoding
      sort the observed pi into X+d and X-d according to wi
      packet counts within each set are modelled with a Poisson distribution
      compare X+d and X-d with the Kolmogorov-Smirnov (KS) test: a significant
       difference means the watermark, and hence co-residency, was detected
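The encoder of 4.3, the decoder of 4.4 and the scouting loop of 4.2, as an added example that is not code from the paper or from the OSIRIS lab: a Python simulation that derives the FLOODER's on/off schedule from wi, bins the CLIENT's packet arrivals into pi, splits them into X+d and X-d, and applies a two-sample Kolmogorov-Smirnov test. The traffic model (Poisson arrivals per interval whose rate halves while a co-resident FLOODER floods), the interval parameters, the balanced watermark and the large-sample KS critical-value formula are my assumptions for illustration, not the paper's measured rates or exact test procedure.

```python
import math
import random

# Symbols follow the slides: n intervals of length t_i, interval i carries
# w_i in {+d, -d}, p_i is its packet count.  All numbers below are constructed.
N_INTERVALS = 32      # n
INTERVAL_S = 0.5      # t_i, seconds
BASE_RATE = 200.0     # CLIENT<->SERVER packets/s while the FLOODER is idle (assumed)
FLOOD_FACTOR = 0.5    # share of that rate surviving a +d interval on a shared NIC (assumed)
PLUS_D, MINUS_D = +1, -1


def make_watermark(n, seed=7):
    """Balanced, shuffled w_1..w_n over {+d, -d}, known to CLIENT and FLOODER."""
    w = [PLUS_D] * (n // 2) + [MINUS_D] * (n - n // 2)
    random.Random(seed).shuffle(w)
    return w


def flooder_schedule(w, t_i=INTERVAL_S):
    """Encoder side: (start, stop) offsets in which the FLOODER blasts UDP; idle otherwise."""
    return [(i * t_i, (i + 1) * t_i) for i, w_i in enumerate(w) if w_i == PLUS_D]


def simulate_arrivals(w, co_resident, t_i=INTERVAL_S, seed=11):
    """Constructed timestamps of packets reaching the CLIENT: Poisson arrivals per
    interval; the rate drops in +d intervals only if the FLOODER shares the NIC."""
    rng = random.Random(seed)
    ts = []
    for i, w_i in enumerate(w):
        rate = BASE_RATE * (FLOOD_FACTOR if co_resident and w_i == PLUS_D else 1.0)
        t = i * t_i + rng.expovariate(rate)
        while t < (i + 1) * t_i:
            ts.append(t)
            t += rng.expovariate(rate)
    return ts


def count_per_interval(ts, n, t_i=INTERVAL_S):
    """Decoder step 1: p_i = number of arrivals falling in interval i."""
    p = [0] * n
    for t in ts:
        i = int(t // t_i)
        if 0 <= i < n:
            p[i] += 1
    return p


def split_samples(p, w):
    """Decoder step 2: sort the counts into X_{+d} and X_{-d} by w_i."""
    x_plus = [p_i for p_i, w_i in zip(p, w) if w_i == PLUS_D]
    x_minus = [p_i for p_i, w_i in zip(p, w) if w_i == MINUS_D]
    return x_plus, x_minus


def ks_statistic(a, b):
    """Two-sample KS statistic D = max |F_a(x) - F_b(x)|; ties advance both indices."""
    a, b = sorted(a), sorted(b)
    i = j = 0
    d = 0.0
    while i < len(a) and j < len(b):
        x = min(a[i], b[j])
        while i < len(a) and a[i] <= x:
            i += 1
        while j < len(b) and b[j] <= x:
            j += 1
        d = max(d, abs(i / len(a) - j / len(b)))
    return d


def ks_critical(n, m, alpha=0.05):
    """Large-sample critical value c(alpha)*sqrt((n+m)/(n*m)); approximate for small n, m."""
    c = {0.10: 1.22, 0.05: 1.36, 0.01: 1.63}[alpha]
    return c * math.sqrt((n + m) / (n * m))


def detect_coresidency(ts, w, t_i=INTERVAL_S, alpha=0.05):
    """Decoder step 3: True if X_{+d} and X_{-d} differ significantly, i.e. the
    watermark survived and the FLOODER shares the host.  Returns (verdict, D)."""
    x_plus, x_minus = split_samples(count_per_interval(ts, len(w), t_i), w)
    d = ks_statistic(x_plus, x_minus)
    return d > ks_critical(len(x_plus), len(x_minus), alpha), d


def scout(candidates, w):
    """Section 4.2 loop: try each registered FLOODER, return the index of the first
    whose watermark shows up, else None (tear down and launch a new set).
    `candidates` is constructed ground truth that only drives the simulation."""
    for k, shared in enumerate(candidates):
        verdict, _ = detect_coresidency(simulate_arrivals(w, shared, seed=100 + k), w)
        if verdict:
            return k
    return None


if __name__ == "__main__":
    w = make_watermark(N_INTERVALS)
    print("FLOODER on/off schedule (first 4):", flooder_schedule(w)[:4])
    for label, shared in (("co-resident", True), ("other host", False)):
        verdict, d = detect_coresidency(simulate_arrivals(w, shared), w)
        print(f"{label:>12}: D = {d:.3f}, watermark detected = {verdict}")
    print("first co-resident FLOODER:", scout([False, True, False], w))
```

The "other host" run is the false-positive check: at alpha = 0.05 roughly one seed in twenty still crosses the threshold even though the flow was never disturbed, which is why the scouting loop tears instances down and retries rather than trusting a single positive, and why section 6.6 measures neighbouring-instance false positives separately.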

5. Implementation
      SERVER
       Apache 2
       a script simulates background noise
      CLIENT
       continuously re-requests a 10 MB file
      FLOODER
       raw-socket injection binary
       creates outbound multi-threaded UDP streams

6. Evaluation
      Hardware
        2 × Dell workstations
        1 × Dell PowerEdge R610 server
          2 × 4-core Intel Xeon E5606 processors
          12 GB RAM
        Intel 82599 10 Gbps Ethernet controller
      Hypervisor
        VMWare ESXi 4.1
        Xenified Linux 2.6.40 kernel
      Virtual machine
        Linux 2.6.34 kernel
        1 vCPU
        1.7 GB memory

6.1 Xen hypervisor
      3200 total measurements
        13 minutes and 20 seconds, i.e. one measurement every 250 ms

6.2 VMWare ESXi hypervisor

6.3 system load

6.4 Network conditions
      Measure the resiliency of encoded watermarks
        traveling across longer network paths

6.5 Science clouds
      ACISS compute cloud service
      FutureGrid's Sierra cloud
      re-attempted the trial with multiple co-resident
       FLOODERs

6.5 Science clouds

6.6 Neighboring instance false
     positives
      This attack must avoid false positives from instances that are
       not co-resident but share a common network path with the target
      test: inject layer 2 packets that are forwarded by MAC address

6.6 Neighboring instance false
     positives

6.7 Virtualization-Aware hardware
      viability of hardware level defenses against co-resident
       watermarking
      Repeated original Xen trial on an SR-IOV-enabled
       NIC
      configured the driver to present two virtual functions
       (VFs) on a single outgoing port
      connected SERVER and FLOODER to one VF each
       on our Xen testbed

6.7 Virtualization-Aware hardware

7. Analysis
      co-resident watermarking
        bypasses VM isolation
        exploits underlying hardware configurations
      serves as a scouting mechanism for further co-resident attacks

7.1 Covert communication
      Transmit a secret such as a small key or message

7.2 Load measurement
      Discovering more accurate traffic information
      Monitoring the throughput of the undisturbed
       CLIENT-SERVER TCP session

8. Discussion
      Embedding a message into a network flow
        effectively multicasts it to all visitors to the server
        any visitor can retrieve the message while retaining plausible deniability

8.1 Invisibility
      FLOODER’s activity would arouse immediate suspicion
      Invisibility is extremely difficult to achieve

8.2 Defences
      Provide each virtual machine instance with a dedicated
         path out of its physical host
        Rate-limit instances relative to the network transmission speed of their
         physical host
        Provision networks so that tenants cannot take advantage of the "free"
         bandwidth
        Virtualization-aware hardware can address and close
         this side channel
        random scheduling mechanism

9. Related work
      9.1 Cloud side channels
      9.2 Hypervisor Security
      9.3 In-the-wild exploits

9.1 Cloud side channels
      Network timing side channel
        challenges fault-tolerance guarantees
        can be used to detect drive-failure vulnerabilities
      Cache-based side channel
        exploits the timing difference between the cache and main
        memory

9.2 Hypervisor Security
      Preventing cache-based side channels
        check whether organizations have any conflict with the
         SLA
        monitor how physical memory is used by applications
        change how caches assign memory to applications
      Reducing the role and size of the hypervisor
        proposals for the near elimination of the hypervisor

9.3 In-the-wild exploits
      A handful of privilege escalation exploits in Xen and
       VMWare
      An early version of Xen 3
        allowed users to craft a malicious grub.conf
        triggering a buffer overflow
      VMWare
        a bug in folder sharing allowed
        unprivileged user code to be executed by the vmx
         process

10. Conclusion
      determining co-residency of instances in cloud
       environments
        leveraged active traffic analysis techniques
      co-resident watermarking scheme
        determination of co-residency in 10 seconds
      the same channel can be used to interpose a covert channel
        or to perform passive attacks such as load measurement

End