The document discusses the use of elastic SIEM for detecting side-channel attacks in cloud infrastructures, emphasizing the challenges posed by multi-tenancy in IaaS environments. It presents a solution combining co-residency checks and log analysis to enhance security and prevent information leakage from shared physical components. Additionally, it outlines the integration of its detection system with the OSSIM tool to monitor and correlate events effectively.

1. Elastic SIEM to detect
side-channel attacks in
Cloud Infrastructures
Pasquale Puzio
SecludIT & EURECOM
pasquale@secludit.com
Joint work with:
Refik Molva (EURECOM)
Sergio Loureiro (SecludIT)
University of Regensburg, Germany
September 4th

2. Agenda
• Cloud Computing and new security challenges
• Elasticity and Elastic Detector
• Multi-tenancy and side-channel attacks
• Co-residency checks
• Solution to detect side-channel attacks
• DEMO
2

3. Cloud Computing
• Not just virtualization
• On demand provisioning
• Pay-per-use
• Elasticity & Multi-tenancy
• Infrastructure as a Service
(IaaS):
virtual machines & storage
• Platform as a Service (PaaS):
IaaS + dev environment
• Software as a Service (SaaS):
on-demand software
3

4. IaaS: Infrastructure as a Service
• Users manage their own infrastructure
through a web browser or API
• IaaS cloud providers supply resources
from large data centers
• Virtual machines, storage, firewalls,
load balancers, IP addresses, VLANs,
software bundles, etc.
• Users install operating-system images
on the cloud infrastructure
4

5. New advantage of IaaS: Elasticity
5

6. Solution to Elasticity: Elastic Detector
• Security must be
global, automatic and constant:
ELASTIC
• Continuous analysis at every
level:
firewalls, servers, applications
and data
• Periodic analysis of servers by
isolating and analyzing clones
• EVA: Elastic Vulnerability
Assessment 6

7. 7

8. New security challenge of IaaS: Multi-tenancy
CLOUD PROVIDER
VIRTUAL MACHINES
VIRTUAL MACHINES
TENANT 1
TENANT 2
TENANT 3
8

9. Side-Channel Attacks in IaaS
• An attacker takes advantage of a
shared physical component in
order to steal information from
the victim
• Any co-resident user can
perpetrate a side-channel attack
• Hypervisors enforce logical
isolation, but it is not sufficient
9
CLOUD PROVIDER
VIRTUAL MACHINES
VICTIM
ATTACKER

10. Access-driven Side-channel Attacks
• The co-resident attacker observes the activity of the processor
cache to steal an ElGamal decryption key from a victim using the
libgcrypt library.
• How it works:
– PRIME: fill the processor cache;
– IDLE: wait for a pseudo-random interval.
During this interval the victim is supposed to access the cache
and change the content of some blocks;
– PROBE: resume the execution and refill the cache.
Measure the delay to learn the activity of the victim.
• Measurements will be analyzed to infer the encryption key.
• Measurements are converted to basic operations.
• The attacker obtains a relatively small set of encryption keys which
can be used to perform a brute-force attack.
Yinqian Zhang, Ari Juels, Michael K. Reiter, and Thomas Ristenpart. 2012. Cross-VM side channels and their use to extract
private keys. In Proceedings of the 2012 ACM conference on Computer and communications security (CCS '12). ACM, New York,
NY, USA, 305-316. DOI=10.1145/2382196.2382230 http://doi.acm.org/10.1145/2382196.2382230 10

11. Access-driven Side-channel Attacks
11
CLOUD PROVIDER
VIRTUAL MACHINES
VICTIM
ATTACKER
ATTACKER 1 FILL 2 WAIT 4 REFILL
VICTIM …
3
EXECUTE
…
1
4
3

12. Our Work: Side-channel Attack Detection
• We developed a Python script which uses AWS APIs in order to
launch and terminate a set of virtual machines in a given region
• This is exactly what an attacker would do
• We detect the attack before it is performed: best for security
12
Placement
Co-
residency
check
Side-
channel
Attack
Log
collection
Correlation

13. Our Work: Side-channel Attack Detection
13
Placement
Co-
residency
check
Side-
channel
Attack
Log
collection
Correlation

14. Co-residency Check on Amazon EC2
3 simple checks to determine co-residency:
• matching Dom0 IP address
• small packet round-trip times
• numerically close internal IP addresses (e.g. within 7).
The Dom0 IP co-residency check has an effective false positive
rate of zero.
TCP SYN traceroute to determine victim’s Dom0 IP.
Thomas Ristenpart, Eran Tromer, Hovav Shacham, and Stefan Savage. 2009. Hey, you, get off of my cloud: exploring
information leakage in third-party compute clouds. In Proceedings of the 16th ACM conference on Computer and
communications security (CCS '09). ACM, New York, NY, USA, 199-212. DOI=10.1145/1653662.1653687
http://doi.acm.org/10.1145/1653662.1653687
14

15. Co-residency Check on Amazon EC2
15

16. Solution Architecture
16

17. OSSIM
• Open source tool for SIEM by Alien Vault
• OSSIM provides several features such as event
collection, normalization, and correlation.
• Widely adopted (more than 195.000 users in 175 countries)
• Easily expandable with custom plugins
17

18. Integration between Elastic Detector and OSSIM
CLOUD PROVIDER
VIRTUAL MACHINES
VIRTUAL MACHINES
ATTACKER’S VMs
VICTIM’S VM
USERS’ VMs
Instance
created
…
Instance
terminated
18

19. Our Work: Side-channel Attack Detection
19
Placement
Co-
residency
check
Side-
channel
Attack
Log
collection
Correlation

20. Our Work: Side-channel Attack Detection
20
Placement
Co-
residency
check
Side-
channel
Attack
Log
collection
Correlation

21. Our Work: Plugin for Parsing Remote Logs
• Nagios logs forwarded to OSSIM need to be parsed and converted
to events
• Logs are filtered by defining a regular expression for each event
LOG:
Aug 19 15:51:32 debian-secludit nagios3: SERVICE NOTIFICATION:
event@551;72-us-east-1;722;notify-service-by-cloutomate;Found new
Instance: i-f0ad689c
REGULAR EXPRESSION:
^(?P<date>w{3}sd{1,2}sdd:dd:dd)sdebian-
secluditsnagios3:sSERVICEsNOTIFICATION:sevent@d{3};(?P<account>d
{2,3})-(?P<region>w{2}-w{4,9}-d);d{3};notify-service-by-
cloutomate;FoundsnewsInstance:s(?P<instanceid>i-[a-z,0-9]{8})$
21
Account
Region
Instance id

22. Our Work: Side-channel Attack Detection
22
Placement
Co-
residency
check
Side-
channel
Attack
Log
collection
Correlation

23. Our Work: Side-channel Attack Detection
• Logs have been delivered to OSSIM and converted to
events
• We now have to define a correlation rule to detect the
side-channel attack
23

24. Our Work: Results
24

25. DEMO
• 10 t1.micro virtual machines on Amazon EC2
• Virtual machines are launched in a very short
time
• All virtual machines are terminated after 5
minutes (after the co-residency check)
25

26. DEMO
Enjoy!

27. About SecludIT
• Founded by security experts together with EURECOM, a French
research institute in telecom and network security, SecludIT has
developed Elastic Security, a set of products and services
specifically designed to help cloud infrastructure providers and users
to safely migrate to the cloud.
• SecludIT has become a recognized industry player, one of the
Cloud Security Alliance founders and active member, co-author of
security best practices V2.1
https://cloudsecurityalliance.org/research/security-guidance/#_v2.
SecludIT is a technology partner of Amazon Web Services, HP
Cloud, VMware and Eucalyptus.
• Website: http://www.secludit.com
• Blog: http://www.elastic-security.com 27

28. THANK YOU
Questions?

29. OSSIM: Correlation directives
29