Detecting virtual machine co residency in cloud computing with active traffic analysis
Download as pptx, pdf3 likes1,243 views
Summary description of research project involving a simple technique that can be used to detect virtual machines (VMs) that reside on the same physical host. Detection of co-resident VMs is one possible goal for an attacker conducting reconnaissance. If detected, an attacker could then attempt to gain access to VM memory andor other VM resources and possibly steal data or inject malware. Since cloud-based services utilize virtual infrastructures the ability to detect co-resident VMs has important implications for security in a virtual machine environment.
More Related Content
What's hot (20)
Similar to Detecting virtual machine co residency in cloud computing with active traffic analysis (20)
Recently uploaded (20)
Detecting virtual machine co residency in cloud computing with active traffic analysis
- 1. September 4, 2015 James A. Savage Tennessee State University Computer and Information Systems Engineering Advisor: Dr. Sachin Shetty AFRL Research Presentation
- 2. Agenda Virtualization and Cloud Computing Virtual Machines and Co-Residency Virtual Machine Side-Channel Vulnerability Watermarking network traffic Attempts to Reproduce Published Research Results Implications for Production Environments
- 3. What is Virtualization? A virtual machine is an instance of an operating system that runs in a software “container” that provides all of the hardware-related components the operating system expects, using software emulation for the machine’s instruction set. Virtual machine technology allows a single computer to host multiple virtual machines, each potentially running a different operating system. The hypervisor, or virtual machine monitor (VMM) is the only software running in kernel mode; it provides multiple copies of the actual hardware to the virtual machines. The operating system running in a virtual machine is called a “guest” operating system.
- 4. What is Virtualization? Image: http://software.intel.com/en-us/articles/creating-a-virtual-machine-on-vmware-tutorial
- 5. Virtualization is the Foundation of Cloud Computing Image: http://modelschoolscnyric.pbworks.com/w/page/39729119/Cloud%20Computing
- 6. Virtual Infrastructure in the Cloud Image: http://www.cisco.com/ DRS: Distributed Resource Scheduler HA: High Availability
- 7. Virtual Machine Co-Residency Image: http://www.cisco.com/c/en/us/products/collateral/interfaces-modules/ucs-m81kr-virtual-interface-card/white_paper_c11-618838.html
- 8. Problem: Side-Channel Attack Image: http://docs.openstack.org/security-guide/content/ch052_devices.html
- 9. References “Detecting Co-Residency” paper: A. Bates, B. Mood, J. Pletcher, H. Pruse, M. Valafar, and K. Butler, "Detecting Co-Residency with Active Traffic Analysis Techniques," in CCSW’12 (Cloud Computing Security Workshop), October 19, 2012, Raleigh, North Carolina, USA.
- 10. Co-Residency Attack Model Two colluding hosts: Client (e.g., a browser on the Internet) Flooder (injects UDP packets) A victim: Web Server Capture the network flow from the web server to client
- 11. Co-Residency Attack Model Client contacts server (e.g., web server) Requests web page (HTTP request) Server responds (HTTP response) Flooder injects UDP packets into network flow Network packet arrivals are captured and analyzed for co-location Image: http://www.oracle.com/technetwork/java/tutorial-138750.html
- 12. Co-Residency Attack Model Server and Flooder reside on the same virtual host and network “Active” traffic analysis Network Interface Card (NIC)
- 13. Packet Arrivals at the Client 0 50 100 150 200 250 0.000036637 0.000044260 0.000051883 0.000059506 0.000067129 0.000074752 0.000082375 0.000089998 0.000097621 0.000105244 0.000112867 0.000120490 0.000128113 0.000135736 0.000143359 0.000150982 0.000158605 0.000166228 0.000173851 0.000181474 0.000189097 0.000196720 0.000204343 0.000211966 0.000219589 0.000227212 0.000234835 0.000242458 0.000250081 0.000257704 0.000265327 0.000272950 0.000280573 0.000288196 0.000295819 0.000303442 0.000311065 0.000318688 0.000326311 0.000333934 0.000341557 0.000349180 0.000356803 0.000364426 0.000372049 0.000379672 0.000387295 0.000394918 Frequency – Approximate Poisson Distribution
- 14. Network Traffic Analysis Injected UDP packets create an intermittent delay in Server’s network traffic flow Delay creates an intermittent pattern resulting in two distinct packet distributions Distinct packet distributions act like a “beacon” to test for co-location
- 15. Flooding Creates “Watermark” Distinctive network traffic pattern from flooding creates a type of “watermark” – to easily identify co- residency Hypothesis test can be applied to identify flooding traffic (Kolmogorov-Smirnov – KS - test) Allows for detection of co-residency when KS test fails
- 16. Packet Arrivals at the Client
- 17. Packet Arrivals at the Client No Flooding (i.e., Normal Traffic) With Flooding (i.e., Co-Resident Traffic)
- 18. Packet Arrivals at the Client With Flooding No Flooding
- 19. Experimental Configuration VMware Workstation 9.0 host environment: Apache 2 httpd server VM (Server) Ubuntu 14.04 VM (Flooder), using Packit network injection Web application uses AJAX and JSON to request/return data from large file to client Windows 7 Professional – not a VM (Client) .NET 4.5 C# Forms application (Client application) PERL (Flooder socket application) and C (Flooder flooding application) All nodes are on the same network (subnet)
- 22. Why Weren’t Bates’ Results Reproduced? Network Interface Card (NIC) capacity: Greater capacity (1000 Mbps) may result in less latency All machines on same subnet (network): Locating client on a different subnet may increase latency Hypervisor differences: Xen versus VMware versus Hyper-V Dynamic nature of TCP/IP network traffic Congestion algorithm
- 23. Congestion Algorithm • The Congestion Algorithm dynamically manages network traffic flow • Graph shows data transferred per iteration • Traffic flow changes based on window size of client and server
- 24. Traditional Packet Management in Virtual Environment Image: PCI-SIG SR-IOV Primer (Intel)
- 25. Traditional Packet Management in Virtual Environment
- 26. Single Root I/O Virtualization (SR-IOV) Image: PCI-SIG SR-IOV Primer (Intel)
- 27. Benefits of Research Explore feasibility of simple co-residency detection techniques Demonstrate relative ease of attack deployment Demonstrate simplicity of co-residency detection technique Deployment in physical and cloud environments (data centers)
- 28. Implications for Production Environments Attack detection – internal and external environments Co-residency snooping from inside the organization – may be the largest threat Simple reconnaissance tool Detection of potential side-channel attack victims
- 29. Attack Detection Firewall detection of outbound UDP packet flooding (e.g. for cloud-based web server) Intrusion Prevention Systems (IPS) to detect UDP packet floods in data center traffic Machine Learning to sample network traffic for pattern identification (similar to email spam detection) Network sniffing of data center traffic to detect UDP packets with same data payload (could be randomized to avoid detection)
- 30. Future Work Introduce one or more subnets to separate client and server/flooder virtual machines (introduce router latency) Migrate the system to different virtual platforms (i.e., eliminate hypervisor differences) Analyze network flow for other statistical distribution characteristics that may support Bates’ results