digital forensics for eucalyptus (2)

Upload: kashif-aziz-awan

Post on 13-Jul-2015


DESCRIPTION

COMSATS Institute of Information Technology Abbottabad FIT 2011

TRANSCRIPT

Digital Forensics for Eucalyptus, by Faiza Anwar, Zafarullah and Dr. Zahid Anwar, National University of Sciences and Technology (NUST)

FIT Conference, COMSATS, Day 2: Tuesday, December 20, 2011, Session 10: Scalable Computing, Sheesh Mehal

OUTLINE
- Cloud Computing
- Eucalyptus
- Cloud Forensics Challenges
- Cloud Vulnerabilities and Attacks
- How to find Eucalyptus Logs for Forensics?

Cloud Computing
- Cloud computing is a software computing model not for individual PCs but for the Internet, used for accessing processing and storage services.
- Pay-as-you-go for the resources the user has actually used: no upfront costs, highly elastic/scalable, and on-demand provisioning.

Types of clouds: Public, Community, Private & Hybrid clouds

Cloud Delivery Models: SaaS, PaaS & IaaS

Eucalyptus: acronym for Elastic Utility Computing Architecture for Linking Your Programs To Useful Systems.

Eucalyptus is an open-source software platform for private and hybrid clouds. It is based on a Web services architecture, which lets Eucalyptus export a variety of APIs to users via client tools.

- Implements the Infrastructure as a Service delivery model using virtualization.
- Exports a user interface compatible with the Amazon EC2 and S3 services.
- Runs on Ubuntu, RHEL, CentOS, openSUSE, Debian and Fedora.
- Can host major Linux distributions and also MS Windows virtual images.
- Uses a variety of virtualization technologies, including the VMware, Xen and KVM hypervisors, to implement the cloud abstractions.

Eucalyptus Architecture

Cloud Forensics Technical Challenges
Forensics relies on log analysis for identifying and prosecuting a crime suspect; however:
- Cloud apps store logs on multiple servers and in multiple file formats. Each layer in the application stack (the network, the operating system, the applications, databases, network services, etc.) generates logs, which are difficult to collect and correlate.
- The volatile nature of these resources causes logs to be available only for a certain period of time.
- Logging may not be automatically enabled in all applications.
- Cloud providers are not interested in implementing a particular logging use case that conflicts with their business goals.

Cloud Forensics Administrative Challenges (2)
- Security in cloud computing is only as good as the security of the provider.
- Identifying the relevant computational and storage structures is nontrivial.
- Systems and services cannot be seized, as this would require cessation of unrelated services across jurisdictional boundaries.
- Large data volumes defy easy seizure or duplication.
- An investigation may at times require breaking the Location Transparency abstraction, so understanding the location(s) of data may determine the ability to seize data and help identify cloud attacks.
- Establishing a complete understanding of an event's dependencies.
- Even once logs are collected, they need to be kept around for a specific time, either for regulatory reasons or to support forensic investigations. But cloud providers often do not make logs available to their platform users at all (e.g. Amazon does not make the load balancer logs available to their users).
- And finally, critical components cannot be, or are not, instrumented correctly to generate the logs necessary to answer specific questions.

Cloud Forensics Challenges (3)
Integrity
- How do I know that the cloud provider is doing the computations correctly?
- How do I ensure that the cloud provider really stored my data without tampering with it?
Availability
- Will critical systems go down at the client if the provider is attacked in a Denial of Service attack?
- What happens if the cloud provider goes out of business?
Auditability and forensics
- Difficult to audit data held outside the organization in a cloud.
- Forensics is also made difficult since clients now don't maintain data locally.
Legal Compliance and transitive trust issues
- Who is responsible for complying with regulations (e.g., SOX, HIPAA, GLBA)?
- If the cloud provider subcontracts to third-party clouds, will the data still be secure?

Our Methodology: Forensics Log Analysis for Eucalyptus
- Installing Eucalyptus on an experimental test bed.
- Attacking Eucalyptus against known and possible vulnerabilities of the cloud paradigm and of the Eucalyptus software.
- Finding logs that are generated by default and identifying possible Eucalyptus tuning for more detailed logs.

Installation Steps Followed
- Eucalyptus installed on virtual machines; the host was Windows XP running on an Intel 2.0 GHz CPU, 2 GB RAM and 360 GB HDD.
- Three VMware-based VMs running Linux CentOS 5 32-bit.
- Two VMs hosted Eucalyptus (Eucalyptus Frontend and Eucalyptus Node).
- The third VM was the Eucalyptus client machine; another client was the host physical Win XP machine.

Evaluation: HTTP DDoS Bots Used
- Used a Windows VB script on the host physical Win XP machine to send multiple streams of HTTP requests to the Eucalyptus cloud front-end node (refresh rate = 1 ms).
- Used a bash script in the VM Eucalyptus Client node for the same purpose.

Resulting Effect on the Cloud Victim
- DoS attacks choke the communication channel and considerably slow the Eucalyptus response, exhausting the frontend node's CPU and memory.
- Eucalyptus cannot start the virtual instance, even though it is shown as available, due to lack of resources.
- The attack could be launched from inside the cloud by renting space from the cloud operator, making this attack more devastating.

Log Analysis
- Relevant logs were identified in the /var/eucalyptus/jetty-request-05-09-xx file, which shows the attacking machine's IP, browser type and content requested.
- Using the log information, a SNORT or other IDS signature can be developed to filter attack traffic at the edge of the cloud network.
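As an added example (not code from the talk), the log-analysis step above in Python: a parser for the NCSA combined format that Jetty writes to its request log, which pulls out the three fields the slide names (client IP, browser type, requested content), flags sources whose per-second request count exceeds a threshold, and turns each flagged source into a Snort alert rule. The sample lines, the threshold of 20 requests per second and the Snort sid are assumptions.

```python
import re
from collections import Counter, defaultdict

# Jetty writes request logs in the NCSA extended ("combined") format; the named
# groups capture the fields the slide names (client IP, requested content,
# browser type). Timestamps are per-second, so the raw stamp is the bucket key.
NCSA_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one NCSA log line, or None if it is malformed."""
    m = NCSA_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["req"].split(" ")
    rec["path"] = parts[1] if len(parts) > 1 else rec["req"]
    return rec

def flood_sources(lines, max_per_second=20):
    """Count requests per (ip, second); report IPs exceeding the threshold
    with their peak rate, user agents seen and the most requested path."""
    per_sec, agents, paths = Counter(), defaultdict(set), defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines the regex cannot parse
        per_sec[(rec["ip"], rec["ts"])] += 1
        agents[rec["ip"]].add(rec["ua"])
        paths[rec["ip"]][rec["path"]] += 1
    peak = Counter()
    for (ip, _sec), n in per_sec.items():
        if n > max_per_second:
            peak[ip] = max(peak[ip], n)
    return {ip: {"peak_rps": n, "agents": sorted(agents[ip]),
                 "top_path": paths[ip].most_common(1)[0][0]}
            for ip, n in peak.items()}

def snort_rule(ip, sid):
    """Build a Snort alert rule for one flagged source (sid chosen by caller)."""
    return ('alert tcp %s any -> $HOME_NET any (msg:"HTTP flood source seen '
            'in Eucalyptus jetty request log"; sid:%d; rev:1;)' % (ip, sid))

# Constructed sample lines (assumed, not from the talk): 25 hits in one second from one client, one ordinary hit from another.
SAMPLE = ['203.0.113.5 - - [20/Dec/2011:10:15:01 +0500] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"'] * 25
SAMPLE.append('198.51.100.7 - - [20/Dec/2011:10:15:01 +0500] "GET /register HTTP/1.1" 200 2048 "-" "Mozilla/5.0"')
```

Calling flood_sources(SAMPLE) reports only 203.0.113.5 with a peak of 25 requests per second; the rule from snort_rule is a starting point that still needs tuning against legitimate traffic before deployment.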

Future Work
- XML-based DoS/DDoS attacks, e.g. the coercive parsing attack, could be implemented.
- Correlation rules for cloud attacks may be developed for automatic log analysis tools such as OSSIM to improve detection.

[email protected] or [email protected]