Vulnerabilities in SaaS Layer of Cloud Computing Clinton D Souza Rafael Santana Arizona State University

Upload: clinton-dsouza

Post on 09-Jun-2015


TRANSCRIPT

Page 1: Vulnerabilities in SaaS Layer of Cloud Computing

Clinton D Souza, Rafael Santana

Arizona State University

Page 2: Overview

Introduction
Cloud Computing Overview
Research
Results
Conclusion
Discussion
Future work
Q & A

Page 3: Introduction

Research funded by the Fulton Undergraduate Research Initiative (FURI).

Co-Author: Dr. Partha Dasgupta.

The purpose of this research is to bring attention to existing vulnerabilities in the Software as a Service layer of cloud computing.

Page 4: Cloud Computing Overview

Cloud computing architecture is divided into three layers:

Infrastructure as a Service (IaaS)
Platform as a Service (PaaS)
Software as a Service (SaaS)

[Figure: cloud delivery models, http://lh6.ggpht.com/-t0mXLnfOQnM/ThMyEzI34LI/AAAAAAAAALU/6OLqERfVAu8/cloud-delivery-models_thumb%25255B4%25255D.png]

Page 5: Cloud Computing Models

Most common cloud computing models:

Public Cloud
Private Cloud
Hybrid Cloud

Page 6: Simple Cloud Security Structure

Page 7: Research

Two main points of entry into the SaaS layer:

User Point of Entry
o Most common point of attack in a SaaS model

Provider Point of Entry

The example below, taken from the PHP manual [4], shows a query assembled by concatenating unsanitized user input. The weakness is in the application's query construction, not in the database server: it works the same way against PostgreSQL, MySQL or any other SQL database. The first payload (in $uid) rewrites the WHERE clause so that the administrator's password is reset; the second (in $pwd) smuggles extra SET assignments into the statement and grants the attacker's own account administrator privileges:

<?php

// $uid: ' or uid like '%admin%
// resulting statement: the WHERE clause now also matches every uid containing "admin"
$query = "UPDATE usertable SET pwd='...' WHERE uid='' or uid like '%admin%';";

// $pwd: hehehe', trusted=100, admin='yes
// resulting statement: the password value closes early and appends two more column assignments
$query = "UPDATE usertable SET pwd='hehehe', trusted=100, admin='yes' WHERE ...;";

?>
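As an added example (not part of the slides and not the PHP manual's code), the two payloads above replayed in Python against an in-memory SQLite table that stands in for MySQL or PostgreSQL. The table name and columns follow the snippet; the seed rows, the function names and the "attacker-chosen" password are constructed for the demo. The vulnerable function interpolates input into the statement the way the snippet does; the hardened function uses a parameterised query, which is the fix the PHP manual recommends.

```python
import sqlite3

# Constructed sample data for the demo: one administrator and one ordinary user.
SEED_ROWS = [
    ("admin", "s3cret", 100, "yes"),
    ("alice", "alicepw", 0, "no"),
]

# The two payloads from the PHP manual snippet, verbatim.
UID_PAYLOAD = "' or uid like '%admin%"
PWD_PAYLOAD = "hehehe', trusted=100, admin='yes"


def make_db() -> sqlite3.Connection:
    """Fresh in-memory database with the usertable schema used in the snippet."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE usertable (uid TEXT PRIMARY KEY, pwd TEXT, trusted INTEGER, admin TEXT)"
    )
    conn.executemany("INSERT INTO usertable VALUES (?, ?, ?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def change_password_vulnerable(conn: sqlite3.Connection, uid: str, pwd: str) -> str:
    """Builds the UPDATE by string interpolation, so user input becomes SQL syntax.

    Returns the statement that was actually executed so it can be inspected.
    """
    query = f"UPDATE usertable SET pwd='{pwd}' WHERE uid='{uid}'"
    conn.execute(query)
    conn.commit()
    return query


def change_password_hardened(conn: sqlite3.Connection, uid: str, pwd: str) -> int:
    """Parameterised UPDATE: the driver sends the values separately from the SQL
    text, so quotes inside the input are data, never syntax.

    Returns the number of rows affected.
    """
    cur = conn.execute("UPDATE usertable SET pwd=? WHERE uid=?", (pwd, uid))
    conn.commit()
    return cur.rowcount


def snapshot(conn: sqlite3.Connection) -> dict:
    """uid -> (pwd, trusted, admin) for every row, for before/after comparison."""
    rows = conn.execute("SELECT uid, pwd, trusted, admin FROM usertable")
    return {uid: (pwd, trusted, admin) for uid, pwd, trusted, admin in rows}


def run_demo() -> dict:
    """Replays both payloads against both implementations and returns the
    resulting table state for each scenario."""
    results = {}

    # Payload 1 in the uid field: the WHERE clause now matches the admin row,
    # so the administrator's password is overwritten.
    conn = make_db()
    change_password_vulnerable(conn, UID_PAYLOAD, "attacker-chosen")
    results["vulnerable_uid_payload"] = snapshot(conn)

    # Payload 2 in the pwd field: the extra SET assignments promote alice to admin.
    conn = make_db()
    change_password_vulnerable(conn, "alice", PWD_PAYLOAD)
    results["vulnerable_pwd_payload"] = snapshot(conn)

    # Same payloads against the parameterised statement: the uid payload matches
    # no row, and the pwd payload is stored as an ordinary (odd-looking) password.
    conn = make_db()
    change_password_hardened(conn, UID_PAYLOAD, "attacker-chosen")
    results["hardened_uid_payload"] = snapshot(conn)

    conn = make_db()
    change_password_hardened(conn, "alice", PWD_PAYLOAD)
    results["hardened_pwd_payload"] = snapshot(conn)

    return results


if __name__ == "__main__":
    for scenario, state in run_demo().items():
        print(scenario, state)
```

The check worth carrying over to a real service is the rowcount returned by the hardened function: a password change that touches zero or more than one row is a bug or an attack either way, and is cheap to assert on before committing.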

Page 8: Research

To use a SaaS application the user connects through a client/user portal. That portal is a web service interface, and it is exposed to a variety of attacks, including:

Buffer Overflow
SQL Injection
Cross Site Scripting
Denial of Service

Page 9: Result

The most common attacks associated with the SaaS model in a public cloud infrastructure are divided into the following four groups:

Page 10: Discussion

Zero-Day Vulnerability Found in McAfee's SaaS Products (April 2011)

An attacker can execute arbitrary code by exploiting the flaw if the victim visits a malicious page or opens a malicious file.

The Common Vulnerability Scoring System rates it 9 out of a maximum of 10.

The affected method accepts commands and passes them to a function that simply executes them, without any authentication.

McAfee SaaS includes:
Email Protection (protection against viruses and spam)
McAfee Integrated Suites (protection against viruses, web threats, etc.)

Patch released in August 2011.

http://news.softpedia.com/news/Zero-Day-Vulnerability-Found-in-McAfee-s-SaaS-Products-247051.shtml

Page 11: Conclusion

Two main points of entry into the SaaS layer:

User Point of Entry
o Most common point of attack in a SaaS model

Provider Point of Entry

Page 12: Future Work

The next step is to design test cases for security breaches common to the SaaS structure, including the web services involved.

Propose a suitable solution for minimizing the severity of a penetration attack.

Document the resultant effects and extent of the exploit and compare them with the results of other research projects and papers.

Document and explore the extent to which data can be exploited.

Page 13: Q & A

Page 14: References

[1] GoGrid Cloud Hosting, "Cloud Infrastructure", http://pyramid.gogrid.com/#/, 2010
[2] Tipton, Harold F.; Nozaki, Micki Krause, Information Security Management Handbook, 6th ed. USA: CRC Press, 2012
[3] Verizon Business, "2012 Data Breach Investigations Report", http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf, 2012
[4] The PHP Group, "SQL Injection", http://php.net/manual/en/security.database.sql-injection.php, 2001-2012