Cloud computing related slides. this research paper was issued when there was a boom of cloud computing and the researcher found different ways to hack or leak the information based on the same assumptions and Amazon replied to this paper.

1. Hey, You, Get Off of My Cloud:
Exploring Information Leakage in
Third-Party Compute Clouds
Presented by:
Fahad

2. Problem Domain
This paper want to solve problem about side channel attack on
cloud computing security. Attacker might penetrate the VM
isolation and “listening” or harm confidentiality of other
customer through multi- tenancy VMs in the same physical
machine.
2

3. Amazon EC2 as case study
1. Amazon using Xen hypervisor (later called DomO)
2. DomO manage =>guest images, physical resource provisioning, and access
control rights.
3. Two regions, one located in the USA and one in Europe.
4. Each region contains three availability zones
5. Containing 5 Linux instance types.
6. Also each instance have one-to-one correlation of internal and external IP
address.
3

4. A simplified model of third-party cloud computing
Users run Virtual Machines (VMs) on cloud provider’s
infrastructure
Multitenancy (users share
physical resources):
➔ Virtual Machine Manager
(VMM) manages physical
server resources for VMs
➔ To the VM should look like
dedicated server
4

5. Trust Models in cloud computing
Users must trust third-party provider
to
➔ Not spy on running VMs / data
➔ Secure infrastructure from
internal/external attackers
5

6. A new threat Model
Attacker identifies one or more
victims VMs in cloud:
1. Achieve advantageous placement
1. Launch attacks using physical proximity
1. Attacker launches VMs
2. VMs each check for co-
residence on same
server as victim
Exploit VMM vulnerability
I.e. DoS, Side-channel attack
6

7. Threats
1. Cloud cartography (VM placement)
a. Map internal infrastructure of cloud
b. Map used to locate targets in cloud
2. Checking for co-residence
a. check that VM is on same server as target
i. Network-based co-residence checks
ii. Efficacy confirmed by covert channels
3. Achieving co-residence
a. Brute forcing placement
b. Instance flooding after target launches
4. Side-channel information leakage
a. coarse-grained cache-contention channels might leak
confidential information
7

8. (Simplified) EC2 instance networking
Our experiments indicate
that internal IPs are
statically assigned to
physical servers
Co-residence checking
via Dom0: only hop on
traceroute to co-resident
target
8

9. Task 1: Cloud cartography
(VM Placement)
➔ Author act like attacker, place the malicious process along with the
victim’s process on same physical machine with shared resources
(i.e. caches).
➔ Author is using network probing for discovery of cloud
cartography
➔ Collected data is then analyzed to get hints about the cloud map.
9

10. Cloud cartography ...continued
From “Account A”: launch 20 instances of each type in each availability zone
20 x 15 = 300 instances launched
From “Account B”: launch 20 instances of each type in Zone 3
20 x 5 = 100 instances launched
39 hours apart
55 of 100 Account B instances had IP address assigned to Account A instance
Most/24 associated to single instance type and zone
Seems that user account doesn’t impact placement
Associate each /24 with Zone & Type
10

11. Task 2: Co-Residence
Two instances are co-residence if:
1. Matching DomO IP address.
2. Small packet round-trip times (RTT).
3. Numerically close internal IP addresses.
4. Covert channel test:
a. If two instances communicate with the covert channel, then they
are co-residence
11

12. Task 3: Exploiting VM placement
Two Approaches:
1. Brute-forcing placement
2. Abusing placement locality
12

13. Achieving co-residence
Attacker launches many instances in parallel
near time of target launch
Experiment:
Repeat for 10 trials:
1. Launch 1 target VM (Account A)
2. 5 minutes later, launch 20 “attack” VMs (alternate
using Account B or C)
3. Determine if any co-resident with target
4 / 10 trials succeeded
In paper: parallel placement locality good for >56 hours
success against commercial accounts
13

14. Attacker has uncomfortably good chance at
achieving co-residence with your VM
What can the attacker then do?
14

15. Task 4: Exploiting information leakage
After the attacker places their instance in the same physical machine as target,
they might perform side channel attack:
➔ Extracting cryptographic keys via:
a. Cached-based
b. Denial of services (DOS)
➔ Attacker might learn information from:
a. Target cache workload
b. Network traffic
c. Keystroke timing
15

16. Cache-based load measurement to determine co-residence
➔ 3 pairs of instances, 2 pairs co-resident and 1 not
➔ 100 cache load measurements during HTTP gets (1024 byte page)and
with no HTTP gets
16

17. Cache-based load measurement ...Continued
Instances co-
resident
Instances co-
resident
Instances NOT co-resident
17

18. Mitigations
Mitigation 1: Preventing cloud cartography may accomplished by the
provider not using static local IP address again.
Mitigation 2: Preventing the attacker determines co-residence with the
provider should set DomO to not respond in traceroutes, then should randomly
assign internal IP addresses at the time of instance launch, and should use
virtual LANs to isolate accounts.
18

19. ...continued
Mitigation 3: Preventing VM placement exploit with offload choice to users.
So, authorized user only can change VM placement.
Mitigation 4: To preventing information leakage by side attack. The
provider should avoid co-residence in same physical machine.
19

20. Summarize
Attacks Possible countermeasures:
Cloud cartography (VM Placement) ➔ Not using static IP addresses, Random
Internal IP assignment
➔ Isolate each user’s view of internal address
space
Checking for co-residence ➔ Hide Dom0 from traceroutes
➔ Random Internal IP assignment
➔ Virtual LANs to isolate accounts
Exploiting VM Placement ➔ Allow users to opt out of multitenancy
➔ Authorize users can only change VM
placement
Exploiting Information leakage ➔ Avoid co-residence in same physical
machine for information leakage
20

21. Amazon’s response in 2009
Amazon downplays report highlighting vulnerabilities in its cloud service:
1. The side channel techniques presented are based on testing results from a
carefully controlled lab environment with configurations that do not match
the actual Amazon EC2 environment.
2. As the researchers point out, there are a number of factors that would make
such an attack significantly more difficult in practice.

22. Thanks