A Security Analysis of File Hosting and Virtual Images on ...gesbert/presentations/swiss... · Data...
Transcript of A Security Analysis of File Hosting and Virtual Images on ...gesbert/presentations/swiss... · Data...
AA S Security ecurity AAnalysis of nalysis of FFile ile HHosting and osting and
VVirtual irtual IImages on the mages on the CCloudloud Davide Balzarotti
Networking and Security
Post-doctoral fellows– Antonio Barbuzzi– Erik-Oliver Blass– Matteo Dell’Amico– Andrea Lanzi– Marco Milanesio– Melek Önen
Ph. D. Students– Francesco Albanese– Davide Canali– Jinbang Chen– Heng Cui– Marco Balduzzi– Leucio A. Cutillo– Kaoutar Elkhiyaoui– Aymen Hafsaoui– Sabir Idrees– Jelena Isacenkova– Paul Kaluvuri
Professors– Davide Balzarotti– Ernst Biersack – Marc Dacier *– Aurélien Francillon– Patrick Loiseau– Pietro Michiardi– Refik Molva– Yves Roudier– Marko Vukolic
Visiting Scientists– Damiano Carra– Yong-Quan Fu– Zhen Huang– Tobias Lauinger– Luciana Marconi– Sevil Sen– Yan-Qiang Sun
– Mehdi Khalfaoui– Changlin LIU– Chi Anh La – Thomas Mager– Mario Pastorelli – Giancarlo Pellegrino– Louis Plissonneau– Giuseppe Reina – Theodor Scholte – Hendrik Schweppe– Gabriel Serme– Xialoan Sha
Topics
System & Software Security
Malware Collection, Detection and Analysis
Web Security
System Security Aspects of Social Networks
Security of Critical Infrastructure
Smartphone Security
Security in Embedded Systems
Security Protocols and Applied Crypto
Networking
Distributed Systems
Topics
System & Software Security
Security Protocols and Applied Crypto
Trust and Privacy in Social Networks
Privacy and Usage Control
Security and Privacy for Cloud Computing
Security Protocols for Wireless Devices
Secure Software Design
Security in Automotive Systems
Networking
Distributed Systems
Topics
System & Software Security
Security Protocols and Applied Crypto
Networking
Peer-to-Peer Based Applications
Quality of User Experience and Internet Trouble shooting
Network Measurement and Stochastic Modeling
Game Theory and Network Economics
Distributed Systems
Topics
System & Software Security
Security Protocols and Applied Crypto
Networking
Distributed Systems
Scalable Algorithm Design
Parallel Processing Systems
Distributed Data Stores
The Cloud (from a System Security Perspective)
Security is one of the main barriers that threaten the adoption of cloud computing
From a research point of view, “the field primarily manifests as a blend of existing topics”*
Data outsourcing and protection, Web, Virtual machines, ...
Many cloud computing security problems are -not- new
but they often require new solutions in terms of specific mechanisms
User's data is located somewhere else, often giving a false sense of security
*”What’s New About Cloud Computing Security?”
Outline
Securing the Image against external attacksSecuring the Image against malicious image providersSanitizing the Image to protect the image provider's privacy
An Analysis of Cloud Virtual Images
Sequential and Predictable IdentifiersHoneyDocuments and real Exploitation
An Analysis of File Hosting Services
Outline
Securing the Image against external attacksSecuring the Image against malicious image providersSanitizing the Image to protect the image provider's privacy
An Analysis of Cloud Virtual Images
Sequential and Predictable IdentifiersHoneyDocuments and real Exploitation
An Analysis of File Hosting Services
A Security Analysis of Amazon’s EC2
General Goal: Explore the general security risks associated with the use of virtual server images from the public catalog of a cloud service provider
Specific Goal: Instantiate and test all the public images (Linux and Windows) available on Amazon Elastic Compute Cloud (EC2)
Amazon EC2
Infrastructure-as-a-Service cloud platform where users can rent virtualized servers (called instances) on an hourly base
Amazon offers an online catalog where users can choose between a large number of machine images (AMIs) that come pre-installed with common services
Some are provided by companies
Some are freely shared by single individuals,
and some are created by the Amazon team itself
Images run in 5 data centers US East, US West, Europe, Singapore, Tokio
Amazon EC2
The instance’s maintenance is completely under the responsibility of the user
Problem: pre-installed and pre-configured machines may communicate the wrong message:
Easy-to-use “shortcut” for users that do not have the skills or the time to configure and setup a complex server
In reality, we found that properly securing an image could be even more complex than setting it up in the first place
The Threats Landscape
1) Securing the Image against external attacks
2) Securing the Image against malicious image providers
3) Sanitizing the Image to protect the privacy of the image provider
Experiments
24 tests grouped in 4 categories General – system information, log files and data collection
Network – shared directories, open sockets, running servers
Privacy – history files, file-system analysis, forgotten data
Security – vulnerable applications, rootkit & malware detection, hidden processes
Analysis of the entire Amazon catalog (end of 2010) 8,448 Linux Images
1,202 Windows Images
Analysis completed for 5,303 AMIs
Software Vulnerabilities
Vulnerability analysis (limited to the Critical vulnerabilities) 98% of Windows and 58% of Linux AMIs affected
Leftover Credentials
Affect 21% of the AMIs Password-protected accounts that allow remote login
External SSH keys in the main user's authorized_keys file
84% of them provide access to superuser privileges (through sudo, password, or administrator accounts)
Probably left on the images by mistake, and without a malicious intent
The existence of these potential backdoors was first reported in April 2011
Privacy Risks
Leftover data 67 unprotected Amazon API Keys
can immediately be used to start images on the cloud at the expense of the key’s owner
56 private SSH keys used to login to other machines
54 of which where not protected with a passphrase ! IP of other machines available in the logs :)
74 credentials (usernames and passwords) retrieved from the bash history
Disk Analysis
Block-based bundling methods are vulnerable to file undelete
We randomly selected 1,100 Linux AMIs in 4 regions
We used the extundelete utility to analyze the filesystem
98% of the AMIs had undeleted files
Amazon AWS keys
SSH and PGP keys
Password files
Machine Fingerprinting
Problem: given a running image on Amazon EC2, how can you find the corresponding AMI ?
Perfect solution: SSH host key Should be regenerated upon instantiation by the cloud-init script But that is not always the case...
Approximate solutions: Service Banners and Webapps versions
We scanned with NMAP the entire Amazon IP space and collected info for 233K running images
Over 14K uniquely identified
Over 100K reduced to a set of 50 possible AMI candidates
Long Story Short
Prepare your own image :)
Otherwise: Immediately update the software (with the firewall up)
Regenerate the SSH host key
Delete any user, password, and ssh key
Check the configuration files of the services you plan to run
Check for suspicious connections
… did I tell you to prepare your own image?
If you plan to release a public image Use a file-based bundle mechanism (or shred all sensitive files)
Delete logs and history files
Outline
Securing the Image against external attacksSecuring the Image against malicious image providersSanitizing the Image to protect the image provider's privacy
An Analysis of Cloud Virtual Images
Sequential and Predictable IdentifiersHoneyDocuments and real Exploitation
An Analysis of File Hosting Services
File Hosting Services
Cloud-storage for the masses Share files with other users Security through obscurity access-control Sharing personal documents as well as pirated files
Lifecycle of a file
Alice decides to shares some files through a FHS
The FHS...
1. receives the file
2. stores it on its Cloud
3. generates a unique identifier
4. binds the identified to the uploaded file
5. returns to the user a URI to access the file:
http://www.easy-share.com/1916472551/noctambus.pdf
The URI is then shared by the user depending on the nature of the file
Our Research
We studied 100 popular FHSs We tested the way they generate unique “secret”
identifiers
Removed 12 that had search/browse capabilities
Random but short
Brute-force short random identifiers
Length Charset #Tries #Files Found
6 Numeric 617,169 728
6 Alphanumeric 526,650 586
8 Numeric 920,631 332
Status…
File hosting services are not privacy-aware Sequential identifiers Weak non-sequential identifiers Bugs in their source code
Do attackers know about this?
Honeyfiles experiment
Honeyfiles promising valuable contentPhished_paypal_details.html
Paypal_account_gen.exe
Sniffed_email1.doc
Each file connects back to our monitor server when opened
<img/> in HTML files embedded HTML in doc files TCP socket in executables Attempt to open page in pdf files
Carding forum
One of the decoy files contained valid credentials for our fake forum
card3rz_reg_details.html
Honeypot experiment: results
Monitoring all sequential FHSs for 30 days 275 honeyfiles accesses on 7 FHSs
4 of which did not have any official or unofficial search functionality
More than 80 unique IP addresses
Accesses from all around the world
93 login attempts to our card website
Login credential for our fake website found on Russian underground forums