Cloud Security and Mobile Application Security
SBA Research & Vienna University of Technology
Edgar R. Weippl
Target Audience
Graduate students in computer science
• Some knowledge in security but no focus on information security
• Interest in Privacy and Security
Trust
• Humans interact with humans.
• Computer and communication security as a mechanism to implement trust.
Bruce Schneier, Liars and Outliers: Enabling the Trust that Society Needs to Thrive, John Wiley & Sons, 2012.
Empirical Research
• Dropbox Martin Mulazzani, Sebastian Schrittwieser, Manuel Leithner, Markus Huber, and Edgar R. Weippl. Dark clouds on the horizon: Using cloud storage as attack vector and online slack space. USENIX Security, 8/2011.
• WhatsApp Sebastian Schrittwieser, Peter Fruehwirt, Peter Kieseberg, Manuel Leithner, Martin Mulazzani, Markus Huber, and Edgar R. Weippl. Guess who is texting you? evaluating the security of smartphone messaging applications. In Network and Distributed System Security Symposium (NDSS 2012), 2 2012.
• Facebook Markus Huber, Sebastian Schrittwieser, Martin Mulazzani, and Edgar Weippl. Appinspect: Large-scale evaluation of social networking apps. In ACM Conference on Online Social Networks (COSN 2013), 2013.
• Amazon Amir Herzberg and Haya Shulman and Johanna Ullrich and Edgar R. Weippl, Cloudoscopy: Services Discovery and Topology Mapping, in Proceedings of the ACM Cloud Computing Security Workshop (CCSW) at ACM CCS 2013, 2013.
Cloudoscopy
Amir Herzberg and Haya Shulman
Computer Science Dept. Bar-Ilan University
- and -
Johanna Ullrich and Edgar Weippl
SBA Research, Wien
Cloud Computing / IaaS
Infrastructure for on-demand IT services
Rent storage, cycles, infrastructure, data hosting, outsource expertise and maintenance
Some popular providers
Amazon EC2, Microsoft Azure, Google, Rackspace
Resource sharing between a number of VMs
CPU
Memory
Bandwidth
New Threats
• Malicious cloud tenants, e.g., conflicting interests: resource sharing can be exploited for attacks by malicious tenants on other tenants, e.g., cross-VM attacks
• Malicious cloud operator, e.g., may cheat to save resources:
– Placement of instances on same physical region, same host…
– Charges the subscriber not proportionally to service provided
– Rerouting traffic inefficiently
– Selling the list of its clients to data hoarders
Cloud Computing Security
• Isolation to prevent attacks by other tenants: network and host isolation
• Cloud service verification to establish trust in cloud
– Known (traditional) services verification: storage and computation. Extensively studied
– New (infrastructure) services verification: placement and communication
Cloud Computing Security
• Verify placement and communication
– To prevent single point of failure
– To reduce latency and guarantee quality of service
– To avoid snooping on traffic by attackers
• Efficient placement of instances and communication
– To prevent cross-VM attacks, e.g., memory side channel attacks
• Cloud security is difficult to measure: need tools to enable clients to verify cloud services
Cloudoscopy
1. IP address deanonymisation: Expose the internal IP address of a victim instance
2. Hop-count measuring: measure its hop-count distance from adversarial cloud instances
3. Co-residence testing: test to find a specific instance which is close enough to the victim (e.g., co-resident) to allow (denial of service or side-channel) attacks.
IP Address Deanonymisation
Expose the internal IP address of a victim instance, then
• Simple: tracert, ping
• New approach: interrupt-overloading side-channel – general and not protocol specific
• New approach: server-bounce scan – in some protocols, e.g., SMTP, servers open a connection using a domain name from an incoming connection.
Hop-count measuring
Once IP is found, find path to victim
Cloud platforms block ICMP errors/ control messages
Our idea: Scan with incrementing TTL
Use timing side-channel to count hosts
Co-residence Testing
Place prober on same host as victim
Check if TTL scan to victim is 0
Check patterns to prober via interrupt-based side-channel
If both pass – attacker is co-resident with victim
Co-residence Testing
• Legitimate use:
– Ensure location (EU vs. US laws)
– Ensure separation of locations (redundancy)
• Attacks based on
– tenant-to-tenant and tenant-provider communication
– Blocking is not the solution, because 1/3 of communication would be less efficient
Apps, Mobile Devices, Cloud Services
• So many new opportunities
• Building on experience of previous decades
• Things can only get better
• Really?
Martin Mulazzani, Sebastian Schrittwieser, Manuel Leithner, Markus Huber, and Edgar R. Weippl. Dark clouds on the horizon: Using cloud storage as attack vector and online slack space. USENIX Security, 8/2011.
Data Deduplication
• At the server
– Same file only stored once
– Save storage space at server
• At the client
– Calculate hash or other digest
– Reduce communication
Attacks
• Hash manipulation
• Stolen Host ID
• Direct Up-/Download
– Uploading without linking
– Simple HTTPS request https://dl-clientXX.dropbox.com/store
Evaluation
Time until (hidden) chunks get deleted:
• Random data in multiple files
• Hidden upload: at least 4 weeks
• Regular upload: unlimited, undelete possible (> 6 months)
Popular files on Dropbox:
• thepiratebay.org Top 100 Torrent files
• Downloaded copyright-free content (.sfv, .nfo, ...)
• 97 % (n = 368) were retrievable
• 20 % of torrents were less than 24 hours old
Interpretation:
• At least one of the seeders uses Dropbox
Solutions
• Aftermath – Dropbox fixed the flaws
– HTTPS Up-/Download Attack
– Host ID is now encrypted
– No more client-side deduplication
• Proof of ownership
• Take down notice
Attack flow (diagram): Victim using Dropbox → Attacker's PC
1. Steal hashes
2. Send hashes to attacker
3. Link hashes with fake client
4. Download all files of the victim
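As an added example (a constructed toy model, not Dropbox's code and not from the paper), the following contrasts the client-side deduplication the slides describe, where sending a known hash is enough to link a file to an account, with the proof-of-ownership check listed under Solutions. The `DedupServer` class, the `prove` callback and the sample content are assumptions made for this illustration; a real proof-of-ownership scheme would use a stronger challenge than a few random byte ranges.

```python
import hashlib
import secrets


class DedupServer:
    """Toy model (constructed for this example) of a storage service that
    deduplicates files by their hash. Not Dropbox's implementation."""

    def __init__(self):
        self.blobs = {}    # sha256 hex digest -> file content
        self.owners = {}   # sha256 hex digest -> accounts linked to that file

    def upload(self, account, data):
        digest = hashlib.sha256(data).hexdigest()
        self.blobs.setdefault(digest, data)          # stored once, whoever uploads it
        self.owners.setdefault(digest, set()).add(account)
        return digest

    def link_by_hash(self, account, digest):
        """Client-side deduplication as the slides describe it: the client sends
        only the digest and the server links the existing file to the account.
        Knowing the hash is then as good as owning the file (the slide's
        "hash manipulation" attack)."""
        if digest not in self.blobs:
            return False
        self.owners[digest].add(account)
        return True

    def link_with_proof(self, account, digest, prove, rounds=3, window=64):
        """Proof of ownership (the mitigation named on the Solutions slide):
        before linking, challenge the client for the bytes at server-chosen
        random offsets. `prove(start, length)` is the client's callback; it
        can only answer correctly if it holds the content, not just the hash."""
        if digest not in self.blobs:
            return False
        data = self.blobs[digest]
        for _ in range(rounds if data else 0):   # an empty file needs no proof
            start = secrets.randbelow(len(data))
            length = min(window, len(data) - start)
            if prove(start, length) != data[start:start + length]:
                return False
        self.owners[digest].add(account)
        return True

    def download(self, account, digest):
        if account not in self.owners.get(digest, set()):
            raise PermissionError("file is not linked to this account")
        return self.blobs[digest]


def demo():
    """Constructed scenario: returns (weak_scheme_links, proof_without_content,
    proof_with_content) so the three outcomes can be checked."""
    server = DedupServer()
    content = bytes(range(256)) * 8                      # 2 KiB of varied sample content
    digest = server.upload("owner", content)

    # Weak scheme: a second account that has only the digest obtains the file.
    weak = (server.link_by_hash("other", digest)
            and server.download("other", digest) == content)

    # Proof of ownership: a digest-only client cannot answer the challenge...
    server2 = DedupServer()
    digest2 = server2.upload("owner", content)
    without = server2.link_with_proof("other", digest2, lambda s, n: b"\x00" * n)
    # ...but a client that really holds the file can.
    with_content = server2.link_with_proof("other", digest2, lambda s, n: content[s:s + n])
    return weak, without, with_content
```

The design point is the one the Aftermath bullets make: removing client-side deduplication or demanding a proof of ownership both break the link between "knows the hash" and "may download the file"; the hash alone must never act as a bearer credential.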
Access Control Structures
• Requirements on access control structures:
– The access control structure should help to express your desired access control policy.
– You should be able to check that your policy has been captured correctly.
• Access rights can be defined individually for each combination of subject and object.
• For large numbers of subjects and objects, such structures are cumbersome to manage. Intermediate levels of control are preferable.
Access Control Matrix
• Notation
– S … set of subjects
– O … set of objects
– A … set of access operations
• Access control matrix: M = (M_{s,o})_{s ∈ S, o ∈ O}, with M_{s,o} ⊆ A.
• The entry M_{s,o} specifies the operations subject s may perform on object o.
        bill.doc       edit.exe   fun.com
Alice   -              {exec}     {exec,read}
Bob     {read,write}   {exec}     {exec,read,write}
Access Control Matrix ctd.
• The access control matrix is
– an abstract concept
– not very suitable for direct implementation
– not very convenient for managing security
• How do you answer the question: Has your security policy been implemented correctly?
• Bell LaPadula (and Orange Book): access control matrix defines discretionary access control (DAC).
Capabilities
• Focus on the subject
– access rights are stored with the subject
– capabilities correspond to the rows of the access control matrix
• Subjects may grant rights to other subjects. Subjects may grant the right to grant rights.
• Problems:
– How to check who may access a specific object?
– How to revoke a capability?
• Distributed system security has created renewed interest in capabilities.
Capability list of Alice: edit.exe: {exec}; fun.com: {exec,read}
Access Control Lists (ACLs)
• Focus on the object
– access rights are stored with the object
– ACLs correspond to the columns of the access control matrix
• Access rights are often defined for groups of users.
– Unix: owner, group, others
– VMS: owner, group, world, system
• Problem: How to check access rights of a specific subject?
• ACLs are typical for secure operating systems of Orange Book class C2.
ACL of fun.com: Alice: {exec}; Bill: {exec,read,write}
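The three slides above (matrix, capabilities, ACLs) are easiest to compare in code. The following is an added example, not from the lecture: it holds the slide's matrix M, derives a subject's capability list (a row) and an object's ACL (a column) from it, and implements the two management questions the slides raise, "who may access this object?" and "has the policy been captured correctly?". The helper names (`capabilities`, `acl`, `who_can`, `grant`, `revoke`, `policy_check`) are assumptions for this illustration.

```python
import copy

# Subjects S, objects O and operation set A from the slide's example
SUBJECTS = ["Alice", "Bob"]
OBJECTS = ["bill.doc", "edit.exe", "fun.com"]
OPERATIONS = {"read", "write", "exec"}

# MATRIX[s][o] = M_{s,o}: operations subject s may perform on object o (slide values)
MATRIX = {
    "Alice": {"bill.doc": set(), "edit.exe": {"exec"}, "fun.com": {"exec", "read"}},
    "Bob":   {"bill.doc": {"read", "write"}, "edit.exe": {"exec"}, "fun.com": {"exec", "read", "write"}},
}


def fresh_matrix():
    """A private copy of the slide's matrix, so mutations do not leak between runs."""
    return copy.deepcopy(MATRIX)


def is_well_formed(matrix, subjects, objects, operations):
    """Every (s, o) pair has an entry and each entry satisfies M_{s,o} ⊆ A."""
    return (set(matrix) == set(subjects)
            and all(set(row) == set(objects) for row in matrix.values())
            and all(ops <= operations for row in matrix.values() for ops in row.values()))


def capabilities(matrix, subject):
    """One row of the matrix: what this subject may do, stored with the subject."""
    return {o: set(ops) for o, ops in matrix[subject].items() if ops}


def acl(matrix, obj):
    """One column of the matrix: who may do what to this object, stored with the object."""
    return {s: set(row[obj]) for s, row in matrix.items() if row[obj]}


def allowed(matrix, subject, op, obj):
    """The access check itself: is op in M_{subject,obj}?"""
    return op in matrix.get(subject, {}).get(obj, set())


def who_can(matrix, op, obj):
    """'Who may access this object?': one ACL answers it directly; in a
    capability system every subject's list must be scanned (the slide's problem)."""
    return {s for s in matrix if op in matrix[s].get(obj, set())}


def grant(matrix, grantor, grantee, op, obj):
    """Capability-style delegation: a subject may pass on a right it holds."""
    if not allowed(matrix, grantor, op, obj):
        raise PermissionError(f"{grantor} does not hold {op} on {obj}")
    matrix.setdefault(grantee, {o: set() for o in matrix[grantor]})[obj].add(op)


def revoke(matrix, subject, op, obj):
    """In the matrix revocation edits one entry; in a capability system the
    issued capability, and any copies handed on, must be found and invalidated."""
    matrix[subject][obj].discard(op)


def policy_check(matrix, policy):
    """'Has the policy been implemented correctly?': compare the matrix with a
    list of (subject, op, obj, expected) statements and return the mismatches."""
    return [(s, op, o) for s, op, o, expected in policy if allowed(matrix, s, op, o) != expected]
```

Note how `who_can` must walk every subject while `acl` reads a single column: this asymmetry, and its mirror image for "what may this subject access?", is exactly why capabilities and ACLs each make one of the two questions cheap and the other expensive.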
Intermediate Controls
• Intermediate controls facilitate better security management.
• To deal with complexity, introduce more levels of indirection.
Diagram: users → roles → procedures → data types → objects
Groups and Negative Permissions
• Groups are an intermediate layer between users and objects.
• To deal with special cases, negative permissions withdraw rights.
Diagrams: users → groups → objects (two variants, the second with negative permissions)
Role Based Access Control (RBAC)
• Several intermediate concepts can be inserted between subjects and objects
– Roles: collection of procedures assigned to users; a user can have more than one role and more than one user can have the same role.
– Procedures: ‘high level’ access control methods with a more complex semantic than read or write; procedures can only be applied to objects of certain data types; example: funds transfer between bank accounts.
– Data types: each object is of a certain data type and can be accessed only through procedures defined for this data type.
RBAC continued
• RBAC itself does not have a generally accepted meaning, and it is used in different ways by different vendors and users.
• Controlling access to an object by restricting the procedures that may access this object is a general programming practice. It is a fundamental concept in the theory of abstract data types and object-oriented programming.
• Examples: user profiles in IBM’s OS/400; global groups and local groups in Windows NT.
RBAC
• NIST model of RBAC (shown in Sandhu et al., 2000) is organized into four levels of increasing functional capabilities
• flat RBAC
• hierarchical RBAC
• constrained RBAC
• symmetric RBAC.
Hierarchical RBAC
Class diagram:
• User *–* Role: membership
• Role *–* Permission: authorization
• User 1–* Session (User:Session = 1:n)
• Session *–* Role: activation
• Role +super-role 1 – +sub-role *: role hierarchy
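The RBAC slides above describe the model in prose; the following added example (constructed for this page, not the lecture's or any vendor's code) puts the pieces together: permissions are procedures bound to a data type, users hold roles, a session activates a subset of them, a super-role inherits its sub-roles' permissions (hierarchical RBAC), and a pair of mutually exclusive roles may not be active in one session (constrained RBAC). The bank roles, the `RBAC` class and its method names are assumptions for illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Procedure:
    name: str        # e.g. "funds_transfer"
    data_type: str   # the only data type this procedure may be applied to


@dataclass
class RBAC:
    role_procs: dict = field(default_factory=dict)   # role -> {Procedure}  (authorization)
    user_roles: dict = field(default_factory=dict)   # user -> {role}       (membership)
    sub_roles: dict = field(default_factory=dict)    # super-role -> {sub-role}
    objects: dict = field(default_factory=dict)      # object name -> data type
    exclusive: set = field(default_factory=set)      # frozensets of roles never active together
    sessions: dict = field(default_factory=dict)     # session id -> (user, active roles)

    def add_role(self, role, inherits=()):
        self.role_procs.setdefault(role, set())
        self.sub_roles.setdefault(role, set()).update(inherits)

    def authorize(self, role, proc):
        self.role_procs.setdefault(role, set()).add(proc)

    def assign(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def effective_roles(self, role):
        """A super-role inherits every permission of its sub-roles, transitively."""
        seen, todo = set(), [role]
        while todo:
            r = todo.pop()
            if r not in seen:
                seen.add(r)
                todo.extend(self.sub_roles.get(r, ()))
        return seen

    def open_session(self, sid, user, roles):
        """Activation: one user may have many sessions (1:n), each activating a
        subset of the user's roles; constrained RBAC rejects exclusive pairs."""
        roles = set(roles)
        if not roles <= self.user_roles.get(user, set()):
            raise PermissionError("role not assigned to user")
        for pair in self.exclusive:
            if pair <= roles:
                raise PermissionError("mutually exclusive roles activated together")
        self.sessions[sid] = (user, roles)

    def check(self, sid, proc_name, obj):
        """May this session apply procedure proc_name to obj? The procedure must
        be defined for the object's data type and reachable from an active role."""
        _user, active = self.sessions[sid]
        wanted = Procedure(proc_name, self.objects[obj])
        return any(wanted in self.role_procs.get(r, set())
                   for role in active for r in self.effective_roles(role))


def build_bank():
    """Constructed sample policy: roles, objects and users are illustrative only."""
    rbac = RBAC()
    rbac.add_role("teller")
    rbac.add_role("manager", inherits={"teller"})      # manager is a super-role of teller
    rbac.add_role("auditor")
    rbac.authorize("teller", Procedure("deposit", "account"))
    rbac.authorize("manager", Procedure("funds_transfer", "account"))
    rbac.authorize("auditor", Procedure("review", "account"))
    rbac.exclusive.add(frozenset({"manager", "auditor"}))   # separation of duty
    rbac.objects.update({"acct-1": "account", "ledger.pdf": "document"})
    for role in ("teller", "manager", "auditor"):
        rbac.assign("carol", role)
    return rbac
```

Two details worth noticing: `check` never asks "does Carol have the manager role?" but "is manager active in this session?", which is what lets a user with many roles work with least privilege most of the time; and because permissions are procedures on data types, a funds transfer against a document object is refused even for a manager, which is the object-oriented point the "RBAC continued" slide makes.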
Sebastian Schrittwieser, Peter Fruehwirt, Peter Kieseberg, Manuel Leithner, Martin Mulazzani, Markus Huber, and Edgar R. Weippl. Guess who is texting you? evaluating the security of smartphone messaging applications. In Network and Distributed System Security Symposium (NDSS 2012), 2 2012.
• https://s.whatsapp.net/client/iphone/u.php?cc=countrycode&me=phonenumber&s=statusmessage
• Status messages shown on the slide:
– On vacation
– Sleeping
– at work but not doing shit
– Nicaragua in 4 days!!
– Heartbroken
– Missing my love!
– At work ... Bleh.
– On my way to Ireland!
– I’m never drinking again
Summary
• Authentication protocols: 6 out of 9 similar applications had the same problems
• Unintended use (reverse hash in Dropbox)
• Trust in client application
• Missing input validation
• Everything you should learn in Security 101
• Software Obfuscation as possible temporary solution
Questions?
DBSec 2013 – March 1
ARES 2014 Submission Deadline – March 1 http://www.ares-conference.eu/conf/
IPICS Summerschool – contact me personally (new Website not yet available)
What can you do?
• Analyze communication protocols
• Reverse engineering of applications
• Make guesses on how something could have been implemented and try to confirm / refute it