dacsa: a decoupled architecture for cloud … › static › pdf › dacsa_cset14_ppt.pdfdacsa: a...
TRANSCRIPT
![Page 1: DACSA: A Decoupled Architecture for Cloud … › static › pdf › dacsa_cset14_ppt.pdfDACSA: A Decoupled Architecture for Cloud Security Analysis Jason Gionta, William Enck, Peng](https://reader034.vdocuments.site/reader034/viewer/2022052500/5f1184efc89ba6032e0b1896/html5/thumbnails/1.jpg)
Computer Science
DACSA: A Decoupled Architecture for
Cloud Security Analysis
Jason Gionta, William Enck, Peng Ning – NC State
Ahmed Azab – Samsung Ltd
Xialoan Zhang – Google Inc
![Page 2: DACSA: A Decoupled Architecture for Cloud … › static › pdf › dacsa_cset14_ppt.pdfDACSA: A Decoupled Architecture for Cloud Security Analysis Jason Gionta, William Enck, Peng](https://reader034.vdocuments.site/reader034/viewer/2022052500/5f1184efc89ba6032e0b1896/html5/thumbnails/2.jpg)
Computer Science
Cloud Provider Landscape
![Page 3: DACSA: A Decoupled Architecture for Cloud … › static › pdf › dacsa_cset14_ppt.pdfDACSA: A Decoupled Architecture for Cloud Security Analysis Jason Gionta, William Enck, Peng](https://reader034.vdocuments.site/reader034/viewer/2022052500/5f1184efc89ba6032e0b1896/html5/thumbnails/3.jpg)
Computer Science
Cloud Provider Landscape
•Degrade
•Steal
•Infect •Degrade
![Page 4: DACSA: A Decoupled Architecture for Cloud … › static › pdf › dacsa_cset14_ppt.pdfDACSA: A Decoupled Architecture for Cloud Security Analysis Jason Gionta, William Enck, Peng](https://reader034.vdocuments.site/reader034/viewer/2022052500/5f1184efc89ba6032e0b1896/html5/thumbnails/4.jpg)
Computer Science
Cloud Provider Landscape
•Degrade
•Steal
•Infect •Degrade
How to ask security centric questions?
![Page 5: DACSA: A Decoupled Architecture for Cloud … › static › pdf › dacsa_cset14_ppt.pdfDACSA: A Decoupled Architecture for Cloud Security Analysis Jason Gionta, William Enck, Peng](https://reader034.vdocuments.site/reader034/viewer/2022052500/5f1184efc89ba6032e0b1896/html5/thumbnails/5.jpg)
Computer Science
Unique Features of Cloud
Diverse Components and
Applications
Single Platform Owner
Geographically Dispersed
![Page 6: DACSA: A Decoupled Architecture for Cloud … › static › pdf › dacsa_cset14_ppt.pdfDACSA: A Decoupled Architecture for Cloud Security Analysis Jason Gionta, William Enck, Peng](https://reader034.vdocuments.site/reader034/viewer/2022052500/5f1184efc89ba6032e0b1896/html5/thumbnails/6.jpg)
Computer Science
Cloud Infrastructure as a Security Testbed
Security
Attributes
![Page 7: DACSA: A Decoupled Architecture for Cloud … › static › pdf › dacsa_cset14_ppt.pdfDACSA: A Decoupled Architecture for Cloud Security Analysis Jason Gionta, William Enck, Peng](https://reader034.vdocuments.site/reader034/viewer/2022052500/5f1184efc89ba6032e0b1896/html5/thumbnails/7.jpg)
Computer Science
How to Create a Datasource?
• Network Monitoring
– Flow analysis
– Encrypted network data
• In-Guest VM Monitoring
– Virus Scanners / Security Software
– Application Firewalls
– Resource Intensive
– Software Management
• Host Based “Out of VM” Monitoring
– Peer into VM - VMWatcher
– Record and Replay - Revirt
– Scalability
![Page 8: DACSA: A Decoupled Architecture for Cloud … › static › pdf › dacsa_cset14_ppt.pdfDACSA: A Decoupled Architecture for Cloud Security Analysis Jason Gionta, William Enck, Peng](https://reader034.vdocuments.site/reader034/viewer/2022052500/5f1184efc89ba6032e0b1896/html5/thumbnails/8.jpg)
Computer Science
How to Create a Datasource?
• Network Monitoring
– Flow analysis
– Encrypted network data
• In-Guest VM Monitoring
– Virus Scanners / Security Software
– Application Firewalls
– Resource Intensive
– Software Management
• Host Based “Out of VM” Monitoring
– Peer into VM - VMWatcher
– Record and Replay - Revirt
– Scalability
Decouple analysis from
attribute acquisition
![Page 9: DACSA: A Decoupled Architecture for Cloud … › static › pdf › dacsa_cset14_ppt.pdfDACSA: A Decoupled Architecture for Cloud Security Analysis Jason Gionta, William Enck, Peng](https://reader034.vdocuments.site/reader034/viewer/2022052500/5f1184efc89ba6032e0b1896/html5/thumbnails/9.jpg)
Computer Science
Decoupled Architecture for Analysis
Security
Attributes
Sensor Sensor Sensor
![Page 10: DACSA: A Decoupled Architecture for Cloud … › static › pdf › dacsa_cset14_ppt.pdfDACSA: A Decoupled Architecture for Cloud Security Analysis Jason Gionta, William Enck, Peng](https://reader034.vdocuments.site/reader034/viewer/2022052500/5f1184efc89ba6032e0b1896/html5/thumbnails/10.jpg)
Computer Science
DACSA
Security
Attributes
Sensor Sensor Sensor Context
Acquisition
Context
Acquisition
Context
Acquisition
Context
Carver
Security
Attributes
Analysis
Tools
DACSA Components
![Page 11: DACSA: A Decoupled Architecture for Cloud … › static › pdf › dacsa_cset14_ppt.pdfDACSA: A Decoupled Architecture for Cloud Security Analysis Jason Gionta, William Enck, Peng](https://reader034.vdocuments.site/reader034/viewer/2022052500/5f1184efc89ba6032e0b1896/html5/thumbnails/11.jpg)
Computer Science
DACSA Goals
• Limit impact to client VMs and hosts
– Enable analysis on supporting infrastructure
• Transparent to clients
• Test for security violations
– ToS
– Bots/C&C
– Malicious software development
![Page 12: DACSA: A Decoupled Architecture for Cloud … › static › pdf › dacsa_cset14_ppt.pdfDACSA: A Decoupled Architecture for Cloud Security Analysis Jason Gionta, William Enck, Peng](https://reader034.vdocuments.site/reader034/viewer/2022052500/5f1184efc89ba6032e0b1896/html5/thumbnails/12.jpg)
Computer Science
Context Acquisition
• Fast Memory Snapshots
– Logical memory copy of guest memory
• COW
– Limit impact to guest and host
• Reliable copies
– Pause guest
– Flush Asynchronous I/O
![Page 13: DACSA: A Decoupled Architecture for Cloud … › static › pdf › dacsa_cset14_ppt.pdfDACSA: A Decoupled Architecture for Cloud Security Analysis Jason Gionta, William Enck, Peng](https://reader034.vdocuments.site/reader034/viewer/2022052500/5f1184efc89ba6032e0b1896/html5/thumbnails/13.jpg)
Computer Science
Carving Memory
• Apply memory forensic techniques
– Extract security centric information
• Open ports, registry keys, processes, API hooks
• Hashes of executable pages
• Forensic tools
– Volatility
• Work directly on memory
– Interpose file I/O
![Page 14: DACSA: A Decoupled Architecture for Cloud … › static › pdf › dacsa_cset14_ppt.pdfDACSA: A Decoupled Architecture for Cloud Security Analysis Jason Gionta, William Enck, Peng](https://reader034.vdocuments.site/reader034/viewer/2022052500/5f1184efc89ba6032e0b1896/html5/thumbnails/14.jpg)
Computer Science
Analysis
• Clustering of system features
– Blacksheep – Bianchi et al.
• Memory based virus scanning
– Memory only malware
• Security Audit
– PCI Requirements
![Page 15: DACSA: A Decoupled Architecture for Cloud … › static › pdf › dacsa_cset14_ppt.pdfDACSA: A Decoupled Architecture for Cloud Security Analysis Jason Gionta, William Enck, Peng](https://reader034.vdocuments.site/reader034/viewer/2022052500/5f1184efc89ba6032e0b1896/html5/thumbnails/15.jpg)
Computer Science
Implementation
• Host – Ubuntu 12.04 64-bit
• Guests – Windows 7 SP1 64-bit
• KVM/QEMU
– Fork QEMU process
• Shared library for interposing File I/O
– Volatility
– Custom tool for parsing memory
• Window 7 GS register to walk internal data structures
• Analysis
– Scan viruses in memory
![Page 16: DACSA: A Decoupled Architecture for Cloud … › static › pdf › dacsa_cset14_ppt.pdfDACSA: A Decoupled Architecture for Cloud Security Analysis Jason Gionta, William Enck, Peng](https://reader034.vdocuments.site/reader034/viewer/2022052500/5f1184efc89ba6032e0b1896/html5/thumbnails/16.jpg)
Computer Science
Evaluation
• Platform
– IBM System X server Xeon E5450 Quad-core
– Guests 1GB Ram
• Impact to Guest
• Impact to Host
• Correctly identify infected processes
![Page 17: DACSA: A Decoupled Architecture for Cloud … › static › pdf › dacsa_cset14_ppt.pdfDACSA: A Decoupled Architecture for Cloud Security Analysis Jason Gionta, William Enck, Peng](https://reader034.vdocuments.site/reader034/viewer/2022052500/5f1184efc89ba6032e0b1896/html5/thumbnails/17.jpg)
Computer Science
Impact to Guest
• 1-15 VMs, snapshot VMs, carve process list
• Pause time
– Flush Async I/O, Fork QEMU Process, Resume
VM
– ~.2112 seconds / standard deviation .07359 sec
• Reduction in system performance
– Run Novabench in snapshotted VM
• Measure CPU Ops/Sec and Memory Ops/Sec
– 0-6% CPU, 0-3% Memory
![Page 18: DACSA: A Decoupled Architecture for Cloud … › static › pdf › dacsa_cset14_ppt.pdfDACSA: A Decoupled Architecture for Cloud Security Analysis Jason Gionta, William Enck, Peng](https://reader034.vdocuments.site/reader034/viewer/2022052500/5f1184efc89ba6032e0b1896/html5/thumbnails/18.jpg)
Computer Science
Impact to Host
• 1-15 VMs, snapshot VMs, carve process list
• Increased CPU and Memory Utilization
– ~3% CPU
– Negligible Memory overhead
• Write Working Set
– 100-300 MB per minute
![Page 19: DACSA: A Decoupled Architecture for Cloud … › static › pdf › dacsa_cset14_ppt.pdfDACSA: A Decoupled Architecture for Cloud Security Analysis Jason Gionta, William Enck, Peng](https://reader034.vdocuments.site/reader034/viewer/2022052500/5f1184efc89ba6032e0b1896/html5/thumbnails/19.jpg)
Computer Science
Carving Process Memory
• Infected VM with Cerberus RAT
– iexplore.exe host process
• Carved process memory
• Scanned memory with ClamAV
• Identified infected process
![Page 20: DACSA: A Decoupled Architecture for Cloud … › static › pdf › dacsa_cset14_ppt.pdfDACSA: A Decoupled Architecture for Cloud Security Analysis Jason Gionta, William Enck, Peng](https://reader034.vdocuments.site/reader034/viewer/2022052500/5f1184efc89ba6032e0b1896/html5/thumbnails/20.jpg)
Computer Science
Related Work
• Live VM Migration (Clark et al.)
– Migrations takes upwards of 90 seconds
– Performance degradation upto 20%
• Fast VM Cloning (Sun et al.)
– COW based by write protecting pages
– Technical challenges of cloning
![Page 21: DACSA: A Decoupled Architecture for Cloud … › static › pdf › dacsa_cset14_ppt.pdfDACSA: A Decoupled Architecture for Cloud Security Analysis Jason Gionta, William Enck, Peng](https://reader034.vdocuments.site/reader034/viewer/2022052500/5f1184efc89ba6032e0b1896/html5/thumbnails/21.jpg)
Computer Science
Conclusion
• DACSA turns clouds into a platform for
security analysis
– VMs lightweight sensors
– Minimal impact to VM and host operations
• Apply large scale analysis
• Future Work
– Deploy to Virtual Computing Lab at NC State
– Memory Scanning as a Service
![Page 22: DACSA: A Decoupled Architecture for Cloud … › static › pdf › dacsa_cset14_ppt.pdfDACSA: A Decoupled Architecture for Cloud Security Analysis Jason Gionta, William Enck, Peng](https://reader034.vdocuments.site/reader034/viewer/2022052500/5f1184efc89ba6032e0b1896/html5/thumbnails/22.jpg)
Computer Science
Questions?
• Thanks
– Reviewers insightful comments
– Eric Eide for shepherding