AA S Security ecurity AAnalysis of nalysis of FFile ile HHosting and osting and

VVirtual irtual IImages on the mages on the CCloudloud Davide Balzarotti

davide.balzarotti@eurecom.fr

Networking and Security

Post-doctoral fellows– Antonio Barbuzzi– Erik-Oliver Blass– Matteo Dell’Amico– Andrea Lanzi– Marco Milanesio– Melek Önen

Ph. D. Students– Francesco Albanese– Davide Canali– Jinbang Chen– Heng Cui– Marco Balduzzi– Leucio A. Cutillo– Kaoutar Elkhiyaoui– Aymen Hafsaoui– Sabir Idrees– Jelena Isacenkova– Paul Kaluvuri

Professors– Davide Balzarotti– Ernst Biersack – Marc Dacier *– Aurélien Francillon– Patrick Loiseau– Pietro Michiardi– Refik Molva– Yves Roudier– Marko Vukolic

Visiting Scientists– Damiano Carra– Yong-Quan Fu– Zhen Huang– Tobias Lauinger– Luciana Marconi– Sevil Sen– Yan-Qiang Sun

– Mehdi Khalfaoui– Changlin LIU– Chi Anh La – Thomas Mager– Mario Pastorelli – Giancarlo Pellegrino– Louis Plissonneau– Giuseppe Reina – Theodor Scholte – Hendrik Schweppe– Gabriel Serme– Xialoan Sha

Topics

System & Software Security

Malware Collection, Detection and Analysis

Web Security

System Security Aspects of Social Networks

Security of Critical Infrastructure

Smartphone Security

Security in Embedded Systems

Security Protocols and Applied Crypto

Networking

Distributed Systems

Topics

System & Software Security

Security Protocols and Applied Crypto

Trust and Privacy in Social Networks

Privacy and Usage Control

Security and Privacy for Cloud Computing

Security Protocols for Wireless Devices

Secure Software Design

Security in Automotive Systems

Networking

Distributed Systems

Topics

System & Software Security

Security Protocols and Applied Crypto

Networking

Peer-to-Peer Based Applications

Quality of User Experience and Internet Trouble shooting

Network Measurement and Stochastic Modeling

Game Theory and Network Economics

Distributed Systems

Topics

System & Software Security

Security Protocols and Applied Crypto

Networking

Distributed Systems

Scalable Algorithm Design

Parallel Processing Systems

Distributed Data Stores

The Cloud (from a System Security Perspective)

Security is one of the main barriers that threaten the adoption of cloud computing

From a research point of view, “the field primarily manifests as a blend of existing topics”*

Data outsourcing and protection, Web, Virtual machines, ...

Many cloud computing security problems are -not- new

but they often require new solutions in terms of specific mechanisms

User's data is located somewhere else, often giving a false sense of security

*”What’s New About Cloud Computing Security?”

Outline

Securing the Image against external attacksSecuring the Image against malicious image providersSanitizing the Image to protect the image provider's privacy

An Analysis of Cloud Virtual Images

Sequential and Predictable IdentifiersHoneyDocuments and real Exploitation

An Analysis of File Hosting Services

Outline

Securing the Image against external attacksSecuring the Image against malicious image providersSanitizing the Image to protect the image provider's privacy

An Analysis of Cloud Virtual Images

Sequential and Predictable IdentifiersHoneyDocuments and real Exploitation

An Analysis of File Hosting Services

A Security Analysis of Amazon’s EC2

General Goal: Explore the general security risks associated with the use of virtual server images from the public catalog of a cloud service provider

Specific Goal: Instantiate and test all the public images (Linux and Windows) available on Amazon Elastic Compute Cloud (EC2)

Amazon EC2

Infrastructure-as-a-Service cloud platform where users can rent virtualized servers (called instances) on an hourly base

Amazon offers an online catalog where users can choose between a large number of machine images (AMIs) that come pre-installed with common services

Some are provided by companies

Some are freely shared by single individuals,

and some are created by the Amazon team itself

Images run in 5 data centers US East, US West, Europe, Singapore, Tokio

Amazon EC2

The instance’s maintenance is completely under the responsibility of the user

Problem: pre-installed and pre-configured machines may communicate the wrong message:

Easy-to-use “shortcut” for users that do not have the skills or the time to configure and setup a complex server

In reality, we found that properly securing an image could be even more complex than setting it up in the first place

The Threats Landscape

1) Securing the Image against external attacks

2) Securing the Image against malicious image providers

3) Sanitizing the Image to protect the privacy of the image provider

Experiments

24 tests grouped in 4 categories General – system information, log files and data collection

Network – shared directories, open sockets, running servers

Privacy – history files, file-system analysis, forgotten data

Security – vulnerable applications, rootkit & malware detection, hidden processes

Analysis of the entire Amazon catalog (end of 2010) 8,448 Linux Images

1,202 Windows Images

Analysis completed for 5,303 AMIs

Software Vulnerabilities

Vulnerability analysis (limited to the Critical vulnerabilities) 98% of Windows and 58% of Linux AMIs affected

Leftover Credentials

Affect 21% of the AMIs Password-protected accounts that allow remote login

External SSH keys in the main user's authorized_keys file

84% of them provide access to superuser privileges (through sudo, password, or administrator accounts)

Probably left on the images by mistake, and without a malicious intent

The existence of these potential backdoors was first reported in April 2011

Privacy Risks

Leftover data 67 unprotected Amazon API Keys

can immediately be used to start images on the cloud at the expense of the key’s owner

56 private SSH keys used to login to other machines

54 of which where not protected with a passphrase ! IP of other machines available in the logs :)

74 credentials (usernames and passwords) retrieved from the bash history

Disk Analysis

Block-based bundling methods are vulnerable to file undelete

We randomly selected 1,100 Linux AMIs in 4 regions

We used the extundelete utility to analyze the filesystem

98% of the AMIs had undeleted files

Amazon AWS keys

SSH and PGP keys

Password files

Machine Fingerprinting

Problem: given a running image on Amazon EC2, how can you find the corresponding AMI ?

Perfect solution: SSH host key Should be regenerated upon instantiation by the cloud-init script But that is not always the case...

Approximate solutions: Service Banners and Webapps versions

We scanned with NMAP the entire Amazon IP space and collected info for 233K running images

Over 14K uniquely identified

Over 100K reduced to a set of 50 possible AMI candidates

Long Story Short

Prepare your own image :)

Otherwise: Immediately update the software (with the firewall up)

Regenerate the SSH host key

Delete any user, password, and ssh key

Check the configuration files of the services you plan to run

Check for suspicious connections

… did I tell you to prepare your own image?

If you plan to release a public image Use a file-based bundle mechanism (or shred all sensitive files)

Delete logs and history files

Outline

Securing the Image against external attacksSecuring the Image against malicious image providersSanitizing the Image to protect the image provider's privacy

An Analysis of Cloud Virtual Images

Sequential and Predictable IdentifiersHoneyDocuments and real Exploitation

An Analysis of File Hosting Services

File Hosting Services

Cloud-storage for the masses Share files with other users Security through obscurity access-control Sharing personal documents as well as pirated files

Lifecycle of a file

Alice decides to shares some files through a FHS

The FHS...

1. receives the file

2. stores it on its Cloud

3. generates a unique identifier

4. binds the identified to the uploaded file

5. returns to the user a URI to access the file:

http://www.easy-share.com/1916472551/noctambus.pdf

The URI is then shared by the user depending on the nature of the file

Our Research

We studied 100 popular FHSs We tested the way they generate unique “secret”

identifiers

Removed 12 that had search/browse capabilities

Non-Sequential IDs

54 FHSs adopt non-sequential identifiers

Non-Sequential IDs

54 FHSs adopt non-sequential identifiers

Random but short

Brute-force short random identifiers

Length Charset #Tries #Files Found

6 Numeric 617,169 728

6 Alphanumeric 526,650 586

8 Numeric 920,631 332

Status…

File hosting services are not privacy-aware Sequential identifiers Weak non-sequential identifiers Bugs in their source code

Do attackers know about this?

Honeyfiles experiment

Honeyfiles promising valuable contentPhished_paypal_details.html

Paypal_account_gen.exe

Sniffed_email1.doc

Each file connects back to our monitor server when opened

<img/> in HTML files embedded HTML in doc files TCP socket in executables Attempt to open page in pdf files

Carding forum

One of the decoy files contained valid credentials for our fake forum

card3rz_reg_details.html

Honeypot experiment: results

Monitoring all sequential FHSs for 30 days 275 honeyfiles accesses on 7 FHSs

4 of which did not have any official or unofficial search functionality

More than 80 unique IP addresses

Accesses from all around the world

93 login attempts to our card website

Login credential for our fake website found on Russian underground forums

Geo-location of the bad-guys