Upgrade to Pro — share decks privately, control downloads, hide ads and more …

About being the Tortoise or the Hare? Making Cl...

About being the Tortoise or the Hare? Making Cloud Applications too Fast and Furious for Attackers

Cloud applications expose - beside service endpoints - also potential or actual vulnerabilities. And attackers have several advantages on their side. They can select the weapons, the point of time and the point of attack.
Very often cloud application security engineering efforts focus to harden the fortress walls but seldom assume that attacks may be successful. So, cloud applications rely on their defensive walls but seldom attack intruders actively. Biological systems are different. They accept that defensive "walls" can be breached at several layers and therefore make use of an active and adaptive defense system to attack potential intruders - an immune system. This position paper proposes such an immune system inspired approach to ensure that even undetected intruders can be purged out of cloud applications. This makes it much harder for intruders to maintain a presence on victim systems. Evaluation experiments with popular cloud service infrastructures (Amazon Web Services, Google Compute Engine, Azure and OpenStack) showed that this could minimize the undetected acting period of intruders down to minutes.

Nane Kratzke

March 19, 2018
Tweet

More Decks by Nane Kratzke

Other Decks in Programming

Transcript

  1. 8th International Conference on Cloud Computing and Services Science (CLOSER

    2018); Funchal, Madeira, Portugal, 2018 About being the Tortoise or the Hare? A Position Paper on Making Cloud Applications too Fast and Furious for Attackers Nane Kratzke
  2. The next 15 minutes are about ... • Some scary

    considerations on zero- day exploits • Moving target defense • The idea to (permanently) jangle attackers nerves • Some evaluation results • Conclusions and open issues Prof. Dr. rer. nat. Nane Kratzke Computer Science and Business Information Systems 2 Paper URL Presentation URL Speaker Deck
  3. How to defense against unknown vulnerabilities? Prof. Dr. rer. nat.

    Nane Kratzke Computer Science and Business Information Systems 3 Reported in January 2018. Mainly x86 microprocessors with out-of-order execution and branch-prediction affected since 1995 (says Google). CVE-2017-5754 CVE-2017-5715 CVE-2017-5753
  4. Moving Target Defense (MTD) ACM Moving Target Defense Workshops 2014

    - 2017 Prof. Dr. rer. nat. Nane Kratzke Computer Science and Business Information Systems 4 • The static nature of current computing systems has made them easy to attack and harder to defend. • The idea of moving-target defense (MTD) is to impose the same asymmetric disadvantage on attackers by making systems dynamic (harder to explore and predict). • Moving target defense reduces the need for threat detection.
  5. We need a reactive component as well Biological systems are

    different. Defensive “walls” can be breached at several layers. An additional active defense system is needed to attack potential successful intruders - an immune system. Prof. Dr. rer. nat. Nane Kratzke Computer Science and Business Information Systems 5
  6. We build a transferability solution ... Prof. Dr. rer. nat.

    Nane Kratzke Praktische Informatik und betriebliche Informationssysteme 6 Operate application on current provider. Scale cluster into prospective provider. Shutdown nodes on current provider. Cluster reschedules lost container. Migration finished. Quint, P.-C., & Kratzke, N. (2016). Overcome Vendor Lock-In by Integrating Already Available Container Technologies - Towards Transferability in Cloud Computing for SMEs. In Proceedings of CLOUD COMPUTING 2016 (7th. International Conference on Cloud Computing, GRIDS and Virtualization). … mainly, to avoid Vendor Lock-In: • Make use of elastic container platforms to operate elastic services being deployable to any IaaS cloud infrastructure. • Transfer of these services from one private or public cloud infrastructure to another at runtime. Kratzke, N. (2017). Smuggling Multi-Cloud Support into Cloud-native Applications using Elastic Container Platforms. In Proceedings of the 7th Int. Conf. on Cloud Computing and Services Science (CLOSER 2017) (pp. 29–42).
  7. Most systems rely on their defence walls and just wait

    to be attacked Prof. Dr. rer. nat. Nane Kratzke Computer Science and Business Information Systems 7 Successfully breached node (lateral movement)
  8. How long can presence be maintained? Prof. Dr. rer. nat.

    Nane Kratzke Computer Science and Business Information Systems 8 Answer: Surprisingly long!
  9. Let us make the game more challenging for the attacker

    Prof. Dr. rer. nat. Nane Kratzke Computer Science and Business Information Systems 9 We can create a race between a manual (time-intensive) breach and a fully automatic (and fast) regeneration. Regenerated node (randomly chosen at some point in time) Successfully breached node (lateral movement)
  10. Runtime to regenerate one node Prof. Dr. rer. nat. Nane

    Kratzke Computer Science and Business Information Systems 10 Request a node Adjust Security Groups Join Node 0 100 200 300 400 500 600 700 AWS OpenStack GCE Azure Runtimes (median values in seconds) Creation Secgroup Joining Termination Adjust Security Group Terminate Node
  11. Conclusion, open issues and limitations • The presented approach means

    for attackers that their time being „undetected“ drops from months down to minutes . • Can we reduce regenerations without increasing own efforts? • What is about exploits/attacks that are adaptable to bio-inspired systems? • How to protect the regeneration mechanism against attackers? • Biology inspired solutions come with downsides like • fever (too many nodes in regeneration at the same time, system runs hot) • auto-immune disease (healthy nodes are attacked too often) Prof. Dr. rer. nat. Nane Kratzke Computer Science and Business Information Systems 11
  12. Acknowledgement • Rabbit, Tortoise: Pixabay (CC0 Public Domain) • Fortress:

    Pixabay (CC0 Public Domain) • Bowman: Pixabay (CC0 Public Domain) • Definition: Pixabay (CC0 Public Domain, PDPics) • Railway: Pixabay (CC0 Public Domain, Fotoworkshop4You) • Air Transport: Pixabay (CC0 Public Domain, WikiImages) Prof. Dr. rer. nat. Nane Kratzke Computer Science and Business Information Systems 12 Picture Reference This research is partly funded by German Federal Ministry of Education and Research (13FH021PX4). Paper URL Presentation URL Speaker Deck
  13. About Prof. Dr. rer. nat. Nane Kratzke Computer Science and

    Business Information Systems 13 Nane Kratzke CoSA: http://cosa.fh-luebeck.de/en/contact/people/n-kratzke Blog: http://www.nkode.io Twitter: @NaneKratzke GooglePlus: +NaneKratzke LinkedIn: https://de.linkedin.com/in/nanekratzke GitHub: https://github.com/nkratzke ResearchGate: https://www.researchgate.net/profile/Nane_Kratzke SlideShare: http://de.slideshare.net/i21aneka