INFS 612 Spring 2013

Vulnerabilities in Cloud Computing

Zeshan Hussain
Akshay Gummadi
George Mason University

Table of Contents

0. Abstract
1. Introduction
2. Background on Cloud Computing
2.1. History of Cloud Computing
2.2. Cloud Computing Service Models
2.2.1. Infrastructure as a Service (IaaS)
2.2.2. Platform as a Service (PaaS)
2.2.3. Software as a Service (SaaS)
2.3. Importance of Virtual Machines in Cloud Computing
3. Security Risks that Exist in Cloud Computing
3.1. Vulnerabilities that Exist in Cloud Computing Caused by Virtual Machine Vulnerabilities
3.1.1. Hypervisor Vulnerabilities
3.1.2. Denial of Service Attacks
3.1.3. Data Leakage
3.1.4. VM Hopping
3.1.5. VM-Based Root Kits
3.2. Vulnerabilities that Exist in Virtual Machines
4. Path Traversal Vulnerability
4.1. Overview
4.2. Technical Details
4.3. Implication of Attack on a Cloud Computing Environment
5. Personal Related Works
6. Experiment
6.1. Lab Environment
6.1.1. Attacker Host
6.1.2. Victim Host
7. Solution
8. Conclusion
Works Cited

Table of Figures

Figure 1 Cloud Computing Example [Wikipedia]
Figure 2 Cloud Computing Service Models [Wikipedia]
Figure 3 Vulnerability Statistics

0. Abstract

Security vulnerabilities exist in most, if not all, systems and infrastructure in an organization, and the monetary repercussions of just one security incident can lead an organization into turmoil. What we intend to do in this research is to educate our readers about known Information System vulnerabilities in cloud environments and how easily they can be exploited by hackers using software bugs found within the software that makes up the cloud. Our focus is mostly on the virtual platforms that form the backbone of cloud computing and the software used to support virtual systems. The research includes education on Information System infrastructure being built on various cloud models. As companies move their data from in-house systems to cloud infrastructure, the security risks are gradually moving in that direction as well, and protection mechanisms are slow to be built. In our research we will analyze the flaws in the software that builds virtual environments and demonstrate how a vulnerability exploited with a simple technique can take over a host, which can then be used as a pivot point to compromise the entire farm of servers on the physical host. The specific technique we will illustrate is referred to as a "Buffer Overflow" vulnerability in VMware.
The demo will illustrate a buffer overflow compromise of one of the host machines that penetrates to a completely non-networked virtual machine on the same host and steals information. The lab environment will demonstrate the ability to technically expose virtual machines that are completely secured: just one flaw on a segregated host can lead to a data leak. The concept we will demonstrate is that one virtual machine successfully exploited in a particular farm in the cloud can lead to most, if not all, hosts on the same farm being compromised. The concept behind the cloud is to reduce cost; however, companies don't realize that by putting their data in a cloud they trust all others on the same cloud to have the same security posture as them, if not better.

1. Introduction

Since the evolution of cloud computing and the various service models it provides, more and more companies are turning to this solution as a way to increase efficiency at a reduced cost. However, an important factor that must not be forgotten when considering cloud computing as a solution is the security risks that may come with it. This paper will discuss the history of cloud computing as well as provide an overview of the various service models provided by cloud computing. In addition, this paper will provide an overview of the various vulnerabilities that exist in cloud computing; however, it will focus on one specific vulnerability brought on by the use of virtual machines to support the cloud computing architecture. The vulnerability will be reviewed from a technical point of view, and the steps taken to exploit the vulnerability in the underlying technology used to build the cloud, the virtual machine, will demonstrate a successful exploit and breach of data. This paper will also summarize an experiment performed in which one of the specific virtual machine vulnerabilities is exploited, and the implications this would have on a cloud computing environment.

2. Background on Cloud Computing

This section will provide an overview of cloud computing: how it began, the service models being provided today, and the importance of virtual machines within the cloud computing architecture.

2.1. History of Cloud Computing

Foster et al. define cloud computing as "a large-scale distributed computing paradigm that is driven by economies of scale, in which a pool of abstracted, virtualized, dynamically-scalable, managed computing power, storage, platforms, and services are delivered on demand to external customers over the Internet" [Foster et al., 2008]. However, this is just one of several definitions that can be found in various articles, books, the internet, etc. Although there are many variations of a definition for cloud computing, one common theme remains across all of them: cloud computing is services (e.g. applications, hardware) delivered as a service over the internet. "The services themselves have long been referred to as Software as a Service (SaaS)...The datacenter hardware and software is what we will call the cloud" [Armbrust et al., 2009]. Figure 1 below depicts an example of the types of services offered "in the cloud".

Figure 1 Cloud Computing Example [Wikipedia]

There is no one true "inventor" of cloud computing. The fundamental ideology behind cloud computing dates back to the 1960s. "In fact, back in 1961, computing pioneer John McCarthy predicted that 'computation may someday be organized as a public utility'—and went on to speculate how this might occur" [Foster et al., 2008]. Some scholars even say that the ideology dates back to the 1950s, when scientist "Herb Grosch (the author of Grosch's law) postulated that the entire world would operate on dumb terminals powered by about 15 large data centers" [Wikipedia].
In terms of vendors who played an integral role in commercializing "cloud computing", one that stands out above all the rest is Amazon. "Amazon played a key role in the development of cloud computing by modernizing their data centers...Having found that the new cloud architecture resulted in significant internal efficiency improvements...Amazon initiated a new product development effort to provide cloud computing to external customers, and launched Amazon Web Service (AWS) on a utility computing basis in 2006" [Wikipedia]. Today there are hundreds of vendors providing various cloud computing service models to meet their clients' needs.

2.2. Cloud Computing Service Models

Cloud computing providers now offer various services and variations of the three fundamental cloud computing service models; however, in this paper we will focus on providing an overview of the three fundamental models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). These models serve as the fundamental building blocks of cloud computing. There are various models in public use, but the standard one, globally accepted by cloud providers, ranges from thin-client cloud computing to infrastructure-service cloud computing. Figure 2 below provides a visual depiction of the Cloud Computing Service Models.

Figure 2 Cloud Computing Service Models [Wikipedia]

2.2.1. Infrastructure as a Service (IaaS)

In the "Infrastructure as a Service" ("IaaS") model, the service provider offers physical equipment or virtual machines to support operations, including storage, hardware, servers and networking components. "The service provider owns the equipment and is responsible for housing, running and maintaining it. The client typically pays on a per-use basis" [Rouse, 2010].
It is important to note that although the cloud service provider is offering the "infrastructure" to support an organization, the client organization is still responsible for patching and maintaining the operating systems and application software installed on that infrastructure.

2.2.2. Platform as a Service (PaaS)

In the "Platform as a Service" ("PaaS") model, the service provider offers a computing platform and/or solution stack. This typically includes an "operating system, programming language execution environment, database, and web server" [Wikipedia]. One of the benefits of PaaS is that most cloud providers will offer "the automatic scaling of the underlying computing and storage resources to match application demand" [Wikipedia]. It is also important to note that PaaS can be seen as "stacking" on top of IaaS, and, similar to IaaS, virtual machines can be used to support PaaS services as well. One well-known PaaS service provider that does this is Windows Azure; Windows Azure offers highly-available compute capacity that enables its clients to run application code in the cloud and quickly scale their applications up or down to meet their own individual needs. With Windows Azure, each compute instance is a virtual machine [Windows Azure 2013].

2.2.3. Software as a Service (SaaS)

In the "Software as a Service" ("SaaS") model, the service provider offers a software distribution model in which applications are hosted by the service provider and made available to customers over a network, typically the Internet [Rouse 2010]. One of the benefits of SaaS is allowing its clients greater elasticity with the cloud application. This elasticity can be achieved by having load balancers distribute the work over a set of virtual machines. In other words, tasks are cloned onto multiple virtual machines at run-time to meet the changing work demand [Wikipedia].

2.3. Importance of Virtual Machines in Cloud Computing

As discussed in section 2.2 above, virtual machines are a critical aspect of the IaaS cloud service model, can also be seen in the PaaS service model (as discussed with the Windows Azure example), and even in SaaS service models, in which the SaaS provider may be hosting the application across multiple virtual machines to improve load balancing. As such, virtual machines play an integral role in all cloud computing service models, the most well-known use of virtual machines being through the IaaS model.

3. Security Risks that Exist in Cloud Computing

While there are a number of benefits that come with cloud computing, such as scalability and cost, organizations also need to consider the risks and vulnerabilities associated with this type of service model. While overall governance of data and regulatory compliance become major risks when moving to a cloud service provider, the purpose of this paper is to focus more on operational vulnerabilities that exist within cloud computing environments and, specifically, how weaknesses in virtual machines can be used to exploit these vulnerabilities.

3.1. Vulnerabilities that Exist in Cloud Computing Caused by Virtual Machine Vulnerabilities

There are a number of vulnerabilities that virtual machines introduce to a cloud computing environment. Though the cloud is hosted in a data center, all servers are set up similarly to physical ones. The only difference is that more software is used to support the virtual machines that make up the cloud. A number of vulnerabilities have been discovered in such software, including some that, if exploited, can lead to total compromise of the farm hosting the virtual machines. These vulnerabilities include hypervisor vulnerabilities, vulnerable hypervisors, virtual machine-based root kits, denial of service attacks, VM hopping, and data leakage.

3.1.1. Hypervisor Vulnerabilities

In most implementations of virtual environments there are multiple guest operating systems running within a single environment. Because of this, a hypervisor or virtual machine monitor is used to isolate and control access between the guests and the physical computing resources, as depicted in Figure 4. However, should the hypervisor be compromised, an attacker would be able to execute arbitrary code on the host with the privileges of the hypervisor, which would allow them to control all virtual machines running on the host itself.

Figure 4: VM Implementations [Price 2010]

3.1.2. Denial of Service Attacks

Because multiple virtual machines run on a single host, the threat of denial of service attacks is a major concern in VM implementations. These guests all share resources from the host they reside on, so a successful denial of service attack on one of the guest virtual machines ultimately affects all other machines running on the same host. This is why it is critical to configure the hypervisor properly so that it can detect this extreme resource consumption and protect against these types of attacks.

3.1.3. Data Leakage

Another concern with virtual machines is introduced when VMs are suspended. When a VM is suspended, its memory "footprint" is written to a file that can be searched. Any information placed into that file is most likely not protected and can be retrieved by an attacker who has access to the host where the file resides.

3.1.4. VM Hopping

This type of attack occurs when a hacker has access to one VM and is able to gain access to another, victim, VM. Typically this type of attack can only occur when the two VMs are running on the same host, and the attacker must know the victim's IP address. Multitenancy makes the impact of VM hopping very large due to the possibility of many VMs running on the same host.

3.1.5. VM-Based Root Kits

VM-based root kits, or VMBRs, install a virtual machine monitor beneath an existing operating system and hoist it onto a virtual machine. Similar to legitimate VMMs, VMBRs can gain complete control of an operating system without being detected and can also control all hardware interfaces. At this layer, the VMBR is able to view all keystrokes, network packets, disk states, and memory states while going completely undetected by the operating system.

3.2. Vulnerabilities that Exist in Virtual Machines

Figure 3 below depicts the number of vulnerabilities that have been identified in all VMware products from 1999 to present. During this timeframe, 160 vulnerabilities have been identified within the VMware suite of products, ranging from denial of service to memory corruption. As can be seen from the figure, the top four areas where vulnerabilities were discovered involve denial of service, gaining privileges, buffer overflows, and executing malicious code.

Figure 3 Vulnerability Statistics [cvedetails.com]

4. Path Traversal Vulnerability

4.1. Overview

The path traversal vulnerability exists in the shared folder functionality of VMware software. When exploited, it gives the attacker control not only of the guest VM image but also lets them break out to access the host system. The shared folder between VM and host is enabled by default; therefore, if it is not disabled, this method can be used to disrupt the flow and launch a successful attack.

4.2. Technical Details

The vulnerability lies in how the pathname is processed by VMware when using the API that provides the shared folder functionality. The PathName parameter is converted from a multi-byte string to a wide-character string. The security hole in this process is that it does not properly check for the dot-dot (..) substring, resulting in a path traversal attack.
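To make the check-before-convert ordering concrete, the following is an added illustration, not code from the paper or from VMware: a simplified model of a lenient multibyte-to-wide conversion that drops a malformed lead byte instead of rejecting it (so the C2 2E C2 2E sequence the paper cites becomes ".."), the flawed ordering in which the dot-dot test runs on the raw bytes, and a hardened version that decodes strictly, canonicalizes, and only then checks that the result stays under the share root. The share root, the decoder model and the sample requests are assumptions constructed for the example.

```python
import posixpath

# Assumed share root for the illustration; the paper does not name one.
SHARE_ROOT = "/srv/share"


def lenient_mb_to_wide(raw: bytes) -> str:
    """Simplified model (an assumption, not VMware's or Windows' code) of a
    lenient multibyte-to-wide conversion.  Well-formed two-byte UTF-8
    sequences are decoded; a lead byte such as 0xC2 that is not followed by
    a continuation byte (0x80-0xBF) is silently dropped instead of rejected.
    Under this model the bytes C2 2E C2 2E collapse to the two characters "..".
    """
    out = []
    i = 0
    while i < len(raw):
        b = raw[i]
        if b < 0x80:                                   # plain ASCII
            out.append(chr(b))
            i += 1
        elif 0xC2 <= b <= 0xDF and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:                                          # malformed: dropped, not rejected
            i += 1
    return "".join(out)


def resolve_vulnerable(raw: bytes) -> str:
    """Check-before-convert ordering as the paper describes it: the dot-dot
    test runs on the raw multibyte bytes, then the string is converted and
    joined onto the share root.  The raw bytes C2 2E C2 2E contain no ".."
    so they pass the test, yet convert to ".." afterwards."""
    if b".." in raw:
        raise ValueError("dot-dot rejected")
    wide = lenient_mb_to_wide(raw)
    return posixpath.normpath(posixpath.join(SHARE_ROOT, wide))


def resolve_hardened(raw: bytes) -> str:
    """Hardened ordering: decode strictly (malformed input is an error, not
    silently repaired), canonicalize, and only then enforce that the result
    stays inside the share root.  The containment test also covers absolute
    inputs, which posixpath.join would otherwise let replace the root."""
    try:
        wide = raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        raise ValueError("malformed encoding") from exc
    if "\x00" in wide:
        raise ValueError("embedded NUL")
    full = posixpath.normpath(posixpath.join(SHARE_ROOT, wide))
    if full != SHARE_ROOT and not full.startswith(SHARE_ROOT + "/"):
        raise ValueError("path escapes share root")
    return full


def rejected(resolver, raw: bytes) -> bool:
    """True when the resolver refuses the request."""
    try:
        resolver(raw)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample requests: a benign name, a literal dot-dot, a dot-dot
    # that stays inside the share, and the C2 2E C2 2E form the paper cites.
    samples = [b"docs/readme.txt", b"../secret", b"docs/../readme.txt",
               b"\xc2.\xc2./outside.txt"]
    for s in samples:
        for name, fn in (("vulnerable", resolve_vulnerable), ("hardened", resolve_hardened)):
            try:
                print(f"{name:10} {s!r:32} -> {fn(s)}")
            except ValueError as e:
                print(f"{name:10} {s!r:32} -> rejected ({e})")
```

Note that the hardened version also accepts "docs/../readme.txt", which the substring check wrongly rejects: checking the canonical result against the root is both stricter and less noisy than pattern-matching the input.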
Since the validation of the dot-dot substring is performed before calling the Windows function MultiByteToWideChar (which maps a character string to a UTF-16 wide-character string), it can be bypassed by passing a string that gets mapped to the UTF-16 form of the dot-dot substring. So, to trigger this vulnerability, a valid UTF-8 byte sequence can be used that translates to the dot-dot substring, such as "0xc2 0x2e 0xc2 0x2e", which is translated to "..".

4.3. Implication of Attack on a Cloud Computing Environment

As we move our critical infrastructure to the cloud environment, we tend to overlook the security aspect of such a move. An attack such as the path traversal is one of very few examples of how one software flaw in an important piece of functionality can lead to devastating results if taken advantage of. One of the key selling points of a cloud computing environment based on virtualization is the promise of an improved information security posture due to the isolation between the virtualization system and non-virtualized systems. As we demonstrated in our demo, one security flaw in a guest image on your virtualized system can potentially make all of your other fully patched systems vulnerable to security attacks. When the isolation of a guest and host is compromised, the entire virtualized system is at risk; therefore, consolidation is great for cost and efficiency, but a lack of security can have tremendous consequences if attacks can break out of the guest and take control of your underlying host.

5. Personal Research Works

I currently work for an organization where we write exploits in Python for vulnerable systems. As I was working on this project I realized that we performed testing on virtual hosts that are treated as part of our cloud infrastructure. Each year we have a security audit that we perform, from scanning the network to testing its security posture. We have always found that those hosts that are virtualized are far less secure than the physical servers.
The main component of this finding is due to a lack of sufficient software guidelines used to build the software that supports virtual hosts. Our research in the organization that I work for is mostly identifying software weaknesses in the cloud and attempting to exploit them. We have identified many buffer overflows, mostly due to weak coding within the software and not adding appropriate buffer controls on memory, which lead to memory leaks by the attacker. We are currently working on developing a new vulnerability scanning program that would concentrate only on hypervisors and other virtual environments and specifically target those to identify buffer overflow leaks within the application. The purpose of this approach is to isolate the vulnerability scanner to cloud-based environments in order to target only the virtual hosts.

6. Experiment

6.1. Lab Environment Configuration

For this setup we utilized two physical laptops, a victim and an attacker. The attacker was used to discover the vulnerable host that is running on a virtual machine. The victim was running an older version of VMware Workstation that is vulnerable to the path traversal vulnerability. The two hosts were not connected to the internet but were physically wired to each other as a point-to-point network. This was completely isolated from the rest of the network and was done in a secure lab environment. A virtual workstation which one "shared folder".

6.1.1. Attacker Host

The attacker host was a newly built Windows 7 machine on which we downloaded and installed open source tools such as nmap, zenmap, metasploit, and a 30-day free copy of Core Impact. We gave the host a static IP on our newly created subnet 169.168.32.0/24 for this experiment. This laptop is configured similarly to what an attacker would have on their machine. We will run all of our attacks from this host and monitor the behavior of our victim's machine while recording the session through a proxy that we configured.
The firewall on this host has been disabled to ensure no filtering is done, due to the sensitivity of our lab environment.

6.1.2. Victim Host

The victim host is configured as a virtual environment. Its baseline operating system is configured to run VMware Workstation, which hosts two virtual operating systems, imitating a real cloud computing environment. The victim machine has VMware Workstation 6.0 to ensure that the exploit will be launched successfully.

6.2. Exploit in Action

The exploit starts with the scanning phase, where we scan our victim machine and identify its vulnerabilities. In this case, we discovered that the virtualization software was VMware Workstation 6, which is susceptible to the path traversal exploit. We then attempted to execute the malicious binary on the computer and get a reverse shell. The reverse shell allowed us to penetrate through the victim host to any other virtual host on the same farm. This is demonstrated in the demo we will present.

7. Solutions

While there are many solutions available, you will hardly ever read of an organization applying a combination of them within their software. As we move toward less hardware and push our data to the cloud, the need for software that can support such tasks increases; therefore, security must be built in from the starting phase. We have outlined the following four solutions that we highly recommend all cloud computing technologies should utilize in order to identify, mitigate and improve their vulnerable systems.

7.1. Secure System Approach

As many virtual providers host customer data on their cloud networks, they tend to undermine the most valuable component of protecting the data.
The secure system approach is built in from the beginning of your design phase; a cloud computing company should invest in building their system in a secure manner by following the security benchmarks provided by the National Institute of Standards and Technology (NIST), which validate the security baseline of systems and their integration.

7.2. Security Vulnerability Testing

New vulnerabilities are discovered each and every day; attackers are getting smarter and we need to be ahead of them. By deploying vulnerability scanning on your environment you can ensure that known risks are not a source of threat for your organization. A vulnerability scanner can be configured to look for specific vulnerabilities within your system. The vulnerability we are exposing was discovered by a vulnerability scanning vendor, Core Security; however, most organizations did not know about it until attackers scanned their systems and compromised them.

7.3. Security Built into the System Development Lifecycle (SDLC)

Security must be implemented within the System Development Lifecycle; otherwise, after-the-fact security will only cost more, either after a compromise of data or when going back and fixing the entire code. Security should be part of the testing phase within the five steps of the SDLC:

1) Requirement analysis
2) Design
3) Implementation
4) Testing
5) Evolution

This approach can ensure that code is validated through proper channels so that security risks are very limited, if any. Many vendors lack the application security skills needed to accomplish this, as security does not have direct profit associated with it, but in the long run it will save money for the company.

8. Conclusion

In this paper we discussed the history of cloud computing and the importance of virtual machines in supporting the various cloud service models.
With the importance of virtual machines in cloud computing service models, we explored the various vulnerabilities that exist in cloud computing, with a focus on the vulnerabilities that exist as a result of leveraging virtual machines. In this paper, we discussed in detail one specific known vulnerability that exists within an older version of VMware software (the path traversal vulnerability) and discussed the disastrous impact exploiting this type of vulnerability would have on a cloud computing service model. Security is thought of as an after-the-fact approach in the current market, but building it into the business process, early in the development stage, can lead to a significant amount of savings in dollar terms. As we move toward virtualizing our data centers, we need to ensure that operating systems that are built on software such as VMware are properly vetted through security and withstand aggressive application attacks.

Works Cited

Wikipedia. (n.d.). Cloud Computing Wiki. Retrieved March 10, 2013, from Wikipedia: http://en.wikipedia.org/wiki/Cloud_computing

Windows Azure. Windows Azure Compute. Retrieved March 10, 2013, from Windows Azure: http://www.windowsazure.com/en-us/home/features/compute/

Foster, Ian, et al. "Cloud Computing and Grid Computing 360-Degree Compared". 2008: http://arxiv.org/ftp/arxiv/papers/0901/0901.0131.pdf

Armbrust, Michael, et al. "Above the Clouds: A Berkeley View of Cloud Computing". February 10, 2009: http://x-integrate.de/x-in-cms.nsf/id/DE_Von_Regenmachern_und_Wolkenbruechen__Impact_2009_Nachlese/$file/abovetheclouds.pdf

Rouse, Margaret. "Infrastructure as a Service". August 2010: http://searchcloudcomputing.techtarget.com/definition/Infrastructure-as-a-Service-IaaS

Price, Michael. "The Paradox of Security in Virtual Environments". 2008: IEEE Computer Society

Tsai, Hsin-Yi, et al. "Threat as a Service? Virtualization's Impact on Cloud Security". February 2012: IEEE Computer Society

cvedetails.com. (n.d.). "VMware: Vulnerability Statistics". Retrieved April 5, 2013, from cvedetails.com: http://www.cvedetails.com/vendor/252/Vmware.html