Hey You Get Off of My Cloud Exploring

“Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds” Written by : Thomas Ristenpart, Eran Tromer, Hovav Shacham, Stefan Savage Presented by: Ibrahim Elsayed

Overview ● ● What is the cloud? New threats in cloud computing Research questions Experiment ○ Explore cloud infrastructure. ○ Determine co-residency. ○ Achieve co-residency. ○ Exploit information. ● What can we do? ● Conclusion

Cloud Computing ● What is the cloud? The new infrastructure for hosting data and deploying software and services. ● Benefits ○ Cost Savings ○ Scalability ○ Flexibility

Cloud Computing ● On-demand computing outsourcing ● Examples: ○ Amazon’s EC 2 (Elastic Compute Cloud) ○ Microsoft’s Azure Service Platform ○ Rackspace’s Mosso ● New Threats: ○ Trust relationship between customer and cloud provider ○ Multi-tenancy (security threat)

Multi-tenancy ● Your instance is placed on the same server with other customers

Research Motivation ● Explore threats of multi-tenancy in cloud computing ● Provide experimental results of the impact of these threats using a real cloud service provider (Amazon EC 2) as a case study

Research Questions ● Can one determine where in the cloud infrastructure an instance is located? ● Can one easily determine if two instances are co-resident on the same physical machine? ● Can an adversary launch instances that will be co-resident with other user’s instances? ● Can an adversary exploit cross-VM information leakage once co-resident?

AMAZON ELASTIC COMPUTE CLOUD - EC 2 ● Scalable, pay-as-you-go compute capacity in the cloud ● Customers can run different operating systems within a virtual machine ● Different regions and availability zones

Attack ● The attack considered requires two main steps: 1 - Placement Place a malicious VM on the same physical machine as that of the victim 2 - Extraction extract confidential information from the victim via a side channel attack

Attacker ● Not affiliated with the provider (third-party user) ● Can run many instances at the same time o Can create multiple accounts o Up to 20 instances per account

Cloud Cartography ● Try to learn about how Amazon places instance in order to carry out the attack ● Each instance assigned internal and external IP address ● Review addresses assigned to a large number of launched instances

Determining Co-Residence ● Co-resident: instances running on same machine ● Network-based co-residence checks: ○ Matching (host domain) Dom 0 IP address ○ Small packet round-trip times ■ 10 RTTs ■ 1 st always slow ■ Use last 9 ○ Numerically close internal IP address (within 7)

Achieving co-residency ● Two main techniques are presented to become coresident with another user: - Brute Force launch many instances over a relatively long period of time. - Abusing Placement Locality Target recently launched attacks.

Brute-Force Placement ● Launch many instances within a time frame ○ If co-resident, successful placement ○ Else, terminate probe instance ● Of 1686 target victims co-residence achieved with 141 victim servers ( 8. 4% coverage of targets). ● Max 20 simultaneous instance for one account. ● Allows reasonable success rate when used to target large target sets

Placement Locality ● Recall that one of the main features of cloud computing is to only run servers when needed. ● This suggests that servers are often run on instances, terminated when not needed, and later run again. ● The key idea is to catch the time at which the victim turns on (relaunches) his instance.

EC 2 Placement Policy ● Placement locality ○ Sequential placement locality - Two instance run sequentially are often assigned to the same machine (one starts after one terminated). ○ Parallel placement locality - Two instance from distinct accounts run roughly at the same time are often assigned to the same machine.

Placement Locality ● Attack recently launched instances (temporal locality). ● Monitor a server’s state (e. g. , via network probing). Launch lots of instances right after the launch of victim’s instance. ● Experiment ○ Single victim instance is launched ○ Attacker launches 20 instances within 5 minutes (in appropriate zone and type) ○ Perform co-residence check

Placement Locality ● Experiments achieved an 40% coverage of targets.

Exploiting co-residence ● CPU contains small and fast memory cache shared by all instances.

Exploiting co-residence ● CPU contains small and fast memory cache shared by all instances. ● If the attacker accesses the memory, it is served from the cache

Exploiting co-residence ● CPU contains small and fast memory cache shared by all instances. ● If the attacker accesses the memory, it is served from the cache ● if the victim accesses the memory, the cache fills up and the attacker notices a slow-down

Exploiting co-residence ● Time-shared cache allows an attacker to measure when other instances are experiencing computational load ● Web traffic monitoring

Exploiting co-residence ● Also, the attacker can deduce the memory access patterns of the victim ● Example: if the victim is performing RSA or AES decryption, the access patterns are determined by the secret key ● Attacker can steal AES secret key in 65 milliseconds

Keystroke timing attack ● Cache load measurements used to mount a keystroke attack ● The goal is to measure the time between keystrokes made by a victim typing a password ● Report a keystroke when the probing measurement is between 3. 1 μs and 9 μs (upper threshold filters out unrelated activity) ● Inter-keystroke times if properly measures can be used to perform recovery of the password

Inhibiting Side-Channel Attacks ● Blinding techniques ○ Cache wiping, random delay insertion, adjust machine’s perception of time ● But, are these effective? ○ Usually, impractical and application specific ○ May not be possible to PLUG all side-channels ● Only way: AVOID co-residence

Research Questions - Answered ● Can one determine where in the cloud infrastructure an instance is located? - Yes. ● Can one easily determine if two instances are co-resident on the same physical machine? - Yes. ● Can an adversary launch instances that will be co-resident with other user’s instances? - Yes. ● Can an adversary exploit cross-VM information leakage once co-resident? - Sort of.

Summary ● New risks from cloud computing exposed ● Shared physical infrastructure may and most likely will cause problems ● Practical attack performed ● Suggested countermeasure

Resources ● https: //cse. sc. edu/~huangct/CSCE 813 F 15/CCS 09_clou dsec. pdf ● https: //eprint. iacr. org/2005/271. pdf ● http: //rump 2009. cr. yp. to/8 d 9 cebc 9 ad 358331 fcde 611 bf 4 5 f 735 d. pdf ● http: //zoo. cs. yale. edu/classes/cs 722/2011/esyta_cloud. pdf