Detecting Virtual Machine Co-Residency in Cloud Computing With Active Traffic Analysis
September 4, 2015
James A. Savage
Tennessee State University
Computer and Information Systems Engineering
Advisor: Dr. Sachin Shetty
AFRL Research Presentation
Agenda
Virtualization and Cloud Computing
Virtual Machines and Co-Residency
Virtual Machine Side-Channel Vulnerability
Watermarking network traffic
Attempts to Reproduce Published Research Results
Implications for Production Environments
What is Virtualization?
A virtual machine is an instance of an operating system that runs in a software container providing all of the hardware-related components the operating system expects, using software emulation for the machine's instruction set.
Virtual machine technology allows a single computer to host multiple virtual machines, each potentially running a different operating system.
The hypervisor, or virtual machine monitor (VMM), is the only software running in kernel mode; it presents the virtual machines with multiple copies of the actual hardware.
The operating system running in a virtual machine is called a guest operating system.
What is Virtualization?
Image: http://software.intel.com/en-us/articles/creating-a-virtual-machine-on-vmware-tutorial
Virtualization is the Foundation of Cloud Computing
Image: http://modelschoolscnyric.pbworks.com/w/page/39729119/Cloud%20Computing
Virtual Infrastructure in the Cloud
Image: http://www.cisco.com/
DRS: Distributed Resource Scheduler
HA: High Availability (form of redundancy)
Virtual Machine Co-Residency
Image: http://www.cisco.com/c/en/us/products/collateral/interfaces-modules/ucs-m81kr-virtual-interface-card/white_paper_c11-618838.html
Problem: Side-Channel Attack
Image: http://docs.openstack.org/security-guide/content/ch052_devices.html
References
Detecting Co-Residency paper:
A. Bates, B. Mood, J. Pletcher, H. Pruse, M. Valafar, and K. Butler, "Detecting Co-Residency with Active Traffic Analysis Techniques," in CCSW12 (Cloud Computing Security Workshop), October 19, 2012, Raleigh, North Carolina, USA.
Adam Bates, PhD student, and colleagues at CIS Dept, University of Oregon
Co-Residency Attack Model
Two colluding hosts:
Client (e.g., a browser on the Internet)
Flooder (injects UDP packets)
A victim: Web Server
Capture the network flow from the web server to client
UDP: User Datagram Protocol
TCP: Transmission Control Protocol
Co-Residency Attack Model
Client contacts server (e.g., web server)
Requests web page (HTTP request)
Server responds (HTTP response)
Flooder injects UDP packets into network flow
Network packet arrivals are captured and analyzed for co-location
Image: http://www.oracle.com/technetwork/java/tutorial-138750.html
Co-Residency Attack Model
Server and Flooder reside on the same virtual host and network
Active traffic analysis
Network Interface Card (NIC)
Packet Arrivals at the Client
Network Traffic Analysis
Injected UDP packets create an intermittent delay in the Server's network traffic flow
Delay creates an intermittent pattern resulting in two distinct packet distributions
Distinct packet distributions act like a beacon to test for co-location
Flooding Creates Watermark
Distinctive network traffic pattern from flooding creates a type of watermark to easily identify co-residency
A hypothesis test can be applied to identify flooding traffic (the Kolmogorov-Smirnov, or KS, test)
Allows for detection of co-residency when the KS test fails (i.e., rejects the hypothesis that flooded and unflooded packet arrivals come from the same distribution)
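The two-sample KS test referred to on the "Network Traffic Analysis" and "Flooding Creates Watermark" slides, worked through in code. This is an added example, not code from the talk or from the Bates et al. paper: it implements the textbook two-sample KS statistic directly (no SciPy), and the arrival timestamps are constructed, with a steady baseline stream and a stream that stalls every fourth packet standing in for the intermittent delay the slides describe. The critical-value constants are the standard asymptotic ones; the stall period and size are assumptions chosen to make the two distributions visibly distinct. The same test, run by an operator over a server's own outbound inter-arrival samples against a quiet baseline, is one way to notice that something is distorting packet timing.

```python
"""Two-sample Kolmogorov-Smirnov test on packet inter-arrival times.

Added example, not code from the talk or the Bates et al. paper.
Timestamps below are constructed; thresholds are textbook KS values.
"""
import math
import random


def inter_arrivals(timestamps):
    """Turn a sorted list of arrival times into inter-arrival gaps."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def ks_statistic(sample_a, sample_b):
    """Two-sample KS statistic D = max over x of |F_a(x) - F_b(x)|,
    computed by walking both sorted samples in one merged pass."""
    a, b = sorted(sample_a), sorted(sample_b)
    n, m = len(a), len(b)
    i = j = 0
    d = 0.0
    while i < n and j < m:
        x = min(a[i], b[j])
        while i < n and a[i] <= x:   # advance empirical CDF of a past x
            i += 1
        while j < m and b[j] <= x:   # advance empirical CDF of b past x
            j += 1
        d = max(d, abs(i / n - j / m))
    return d


def ks_critical(n, m, alpha=0.05):
    """Asymptotic critical value c(alpha) * sqrt((n + m) / (n * m))."""
    c = {0.10: 1.22, 0.05: 1.36, 0.01: 1.63}[alpha]
    return c * math.sqrt((n + m) / (n * m))


def distributions_differ(sample_a, sample_b, alpha=0.05):
    """True when D exceeds the critical value, i.e. the KS test rejects
    the hypothesis that both samples share one distribution."""
    return ks_statistic(sample_a, sample_b) > ks_critical(len(sample_a), len(sample_b), alpha)


def synth_arrivals(count, gap, jitter, stall_every=0, stall=0.0, seed=1):
    """Constructed arrival times: `gap` +/- uniform `jitter` per packet,
    optionally adding `stall` seconds every `stall_every` packets to mimic
    the intermittent delay attributed to a co-resident flooder."""
    rng = random.Random(seed)
    t = 0.0
    out = []
    for k in range(count):
        t += gap + rng.uniform(-jitter, jitter)
        if stall_every and k % stall_every == stall_every - 1:
            t += stall
        out.append(t)
    return out


# Constructed samples (assumed 1 ms nominal spacing, 0.2 ms jitter).
BASELINE = synth_arrivals(400, gap=0.001, jitter=0.0002, seed=1)
NORMAL = synth_arrivals(400, gap=0.001, jitter=0.0002, seed=2)
STALLED = synth_arrivals(400, gap=0.001, jitter=0.0002,
                         stall_every=4, stall=0.004, seed=3)

if __name__ == "__main__":
    base = inter_arrivals(BASELINE)
    for name, sample in (("normal", NORMAL), ("stalled", STALLED)):
        gaps = inter_arrivals(sample)
        print(f"{name}: D={ks_statistic(base, gaps):.3f} "
              f"critical={ks_critical(len(base), len(gaps)):.3f} "
              f"differ={distributions_differ(base, gaps)}")
```

With these inputs the stalled stream has a quarter of its gaps pushed out by 4 ms, so the empirical CDFs separate by about 0.25, well past the 0.05-level critical value of roughly 0.096 for 399 gaps per sample; the second unflooded stream stays under that value. Real traces carry TCP congestion-control effects and NIC batching, which is exactly why the slides that follow show distributions rather than single numbers.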
Packet Arrivals at the Client (graph)
Packet Arrivals at the Client
Graph panels: No Flooding (i.e., Normal Traffic); With Flooding (i.e., Co-Resident Traffic)
Packet Arrivals at the Client
Graph panels: With Flooding; No Flooding
Experimental Configuration
VMware Workstation 9.0 host environment:
Apache 2 httpd server VM (Server)
Ubuntu 14.04 VM (Flooder), using Packit network injection
Web application uses AJAX and JSON to request and return data from a large file to the client
Windows 7 Professional, not a VM (Client)
.NET 4.5 C# Forms application (Client application)
Perl (Flooder socket application) and C (Flooder flooding application)
All nodes are on the same network (subnet)
Why Weren't Bates' Results Reproduced?
Network Interface Card (NIC) capacity: Greater capacity (1000 Mbps) may result in less latency
All machines on same subnet (network): Locating the client on a different subnet may increase latency
Hypervisor differences: Xen versus VMware versus Hyper-V
Dynamic nature of TCP/IP network traffic: Congestion algorithm
Congestion Algorithm
The Congestion Algorithm dynamically manages network traffic flow
Graph shows data transferred per iteration
Traffic flow changes based on window size of client and server
Traditional Packet Management in Virtual Environment
Image: PCI-SIG SR-IOV Primer (Intel)
Traditional Packet Management in Virtual Environment
Single Root I/O Virtualization (SR-IOV)
Image: PCI-SIG SR-IOV Primer (Intel)
Benefits of Research
Explore feasibility of simple co-residency detection techniques
Demonstrate relative ease of attack deployment
Demonstrate simplicity of co-residency detection technique
Deployment in physical and cloud environments (data centers)
Implications for Production Environments
Attack detection in internal and external environments
Co-residency snooping from inside the organization may be the largest threat
Simple reconnaissance tool
Detection of potential side-channel attack victims
Attack Detection
Firewall detection of outbound UDP packet flooding (e.g., for a cloud-based web server)
Intrusion Prevention Systems (IPS) to detect UDP packet floods in data center traffic
Machine Learning to sample network traffic for pattern identification (similar to email spam detection)
Network sniffing of data center traffic to detect UDP packets with same data payload (could be randomized to avoid detection)
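Two of the detection options just listed, the UDP-rate check an IPS would apply and the identical-payload check from the sniffing item, as an added example rather than code from the talk. It runs over constructed packet records of the shape (timestamp, src, dst, proto, payload) that a sniffer or flow exporter might hand to an analyst; the rate and same-payload thresholds are assumptions, not values from the slides. The last constructed case covers the caveat on the slide: when the flooder randomizes its payload, the payload heuristic goes quiet and only the rate heuristic still fires.

```python
"""Flag UDP floods in packet records using two of the slide's heuristics.

Added example, not from the talk. Records and thresholds are constructed.
"""
import hashlib
from collections import defaultdict

RATE_THRESHOLD = 50        # UDP packets per source per 1-second window (assumed)
SAME_PAYLOAD_RATIO = 0.8   # share of a source's UDP packets with one payload (assumed)
MIN_PACKETS = 10           # ignore the payload heuristic below this count (assumed)


def detect_udp_floods(records, rate_threshold=RATE_THRESHOLD,
                      same_ratio=SAME_PAYLOAD_RATIO, min_packets=MIN_PACKETS):
    """Return {src: [reasons]} for sources whose UDP traffic looks like a flood.

    records: iterable of (timestamp_seconds, src, dst, proto, payload_bytes).
    """
    per_second = defaultdict(lambda: defaultdict(int))   # src -> second -> count
    per_payload = defaultdict(lambda: defaultdict(int))  # src -> sha256 -> count
    totals = defaultdict(int)
    for ts, src, _dst, proto, payload in records:
        if proto != "udp":
            continue
        per_second[src][int(ts)] += 1
        per_payload[src][hashlib.sha256(payload).hexdigest()] += 1
        totals[src] += 1

    findings = {}
    for src, total in totals.items():
        reasons = []
        peak = max(per_second[src].values())
        if peak >= rate_threshold:
            reasons.append(f"rate: {peak} UDP pkts/s")
        top = max(per_payload[src].values())
        if total >= min_packets and top / total >= same_ratio:
            reasons.append(f"payload: {top}/{total} identical")
        if reasons:
            findings[src] = reasons
    return findings


def constructed_records():
    """Constructed sample traffic: a DNS-like trickle from one host, a
    same-payload UDP burst from a second host, and TCP noise from a third."""
    recs = []
    for k in range(5):
        recs.append((100.0 + k * 0.2, "10.0.0.5", "10.0.0.53", "udp", f"query-{k}".encode()))
    for k in range(120):
        recs.append((100.0 + k * 0.005, "10.0.0.7", "10.0.0.9", "udp", b"X" * 64))
    for k in range(30):
        recs.append((100.0 + k * 0.01, "10.0.0.8", "10.0.0.9", "tcp", b"GET / HTTP/1.1"))
    return recs


if __name__ == "__main__":
    for src, reasons in detect_udp_floods(constructed_records()).items():
        print(src, "->", "; ".join(reasons))
```

A 1-second bucket keyed on int(ts) is deliberately crude; a production IPS would use a sliding window and a baseline per source, but the structure of the decision is the same. Hashing the payload rather than storing it keeps memory bounded on a busy data-center tap.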
Future Work
Introduce one or more subnets to separate client and server/flooder virtual machines (introduce router latency)
Migrate the system to different virtual platforms (i.e., eliminate hypervisor differences)
Analyze network flow for other statistical distribution characteristics that may support Bates' results
Questions
Image: http://www.cedar-rapids.org/government/departments/police/PublishingImages/Question-Mark.jpg