Unit 5 - Class - Lecture - Slides

The document discusses security threats related to virtualization systems. It describes attacks like guest hopping and hypervisor attacks that can compromise virtual machines or the entire virtualization system. It also explains different levels of compromise from terminating a VM to totally compromising it and the hypervisor.

Uploaded by

csbs249050

CLOUD SECURITY

UNIT 5
(CCS 335 - Cloud Computing)

WhoAmI.xml

<name>
Venkat Srinivasan
</name>
<JOBs>
<job1> Associate Professor </job1>
<job2> goatherder </job2>
<job3> Counselor and psychologist </job3>
<job4> police officer at College Varandha </job4>
<job5> banker to collect money </job5>
<job6> politician deals with politics </job6>
<job7> travel agent scheduling trips every year </job7>
<job8> clown and comedian for students </job8>
<job9> clerk to file papers </job9>
<job10> Researcher </job10>
<job11> Teacher if have time </job11>
</JOBs>
<Education>
B.E. (ECE)
M.E. (CSE)
Ph.D. (wireless networks)
many degrees every year from the surroundings
</Education>

Please don’t hack this presentation
unit 5 (V.S) CCS335
A hypervisor is software that you can use to run multiple virtual machines on a single physical machine.
A hypervisor, also known as a virtual machine monitor or VMM

Virtualization System Security

Virtualization System-Specific Attacks:

• Guest hopping
• Attacks on the VM (delete the VM, attack on the control of the VM, code or file injection into the virtualized file structure)
• VM migration attack, hyperjacking

VM security issues ….
Introduction: Virtual Threats

• Some threats to virtualized systems are general in nature, as they are inherent threats to all computerized systems (such as denial-of-service, or DoS, attacks).
• Many VM vulnerabilities stem from the fact that a vulnerability in one VM system can be exploited to attack other VM systems or the host systems, as multiple virtual machines share the same physical hardware, as shown in Figure

Introduction: Virtual Threats - Some of the vulnerabilities exposed
Shared clipboard — Shared clipboard technology allows data to be transferred between VMs and the host, providing a means of moving data between malicious programs in VMs of different security realms.

Keystroke logging — Some VM technologies enable the logging of keystrokes and screen updates to be passed across virtual terminals in the virtual machine, writing to host files and permitting the monitoring of encrypted terminal connections inside the VM.

VM monitoring from the host — Because all network packets coming from or going to a VM pass through the host, the host may be able to affect the VM by the following:
➢ Starting, stopping, pausing, and restarting VMs
➢ Monitoring and configuring resources available to the VMs, including CPU, memory, disk, and network usage of VMs
➢ Adjusting the number of CPUs, amount of memory, amount and number of virtual disks, and number of virtual network interfaces available to a VM
➢ Monitoring the applications running inside the VM
➢ Viewing, copying, and modifying data stored on the VM’s virtual disks

VMware VMotion brochure

Virtual machine monitoring from another VM — Usually, VMs should not be able to directly access one another’s virtual disks on the host. However, if the VM platform uses a virtual hub or switch to connect the VMs to the host, then intruders may be able to use a hacker technique known as “ARP poisoning” to redirect packets going to or from the other VM for sniffing.

Virtual machine backdoors — A backdoor, covert communications channel between the guest and host could allow intruders to perform potentially dangerous operations.

Introduction: Virtual Threats - ESX Server Application Vulnerability Severity Code Definitions
Introduction: Virtual Threats - VM THREAT LEVELS

When categorizing the threat posed to virtualized environments, often the vulnerability/threat matrix is classified into three levels of compromise:

• Abnormally terminated — Availability to the virtual machine is compromised, as the VM is placed into an infinite loop that prevents the VM administrator from accessing the VM’s monitor.

• Partially compromised — The virtual machine allows a hostile process to interfere with the virtualization manager, contaminating state checkpoints or over-allocating resources.

• Totally compromised — The virtual machine is completely overtaken and directed to execute unauthorized commands on its host with elevated privileges.

New Virtualization System-Specific Attacks

Hypervisor Risks

• The hypervisor is the part of a virtual machine that allows host resource sharing and enables VM/host isolation.

• Therefore, the ability of the hypervisor to provide the necessary isolation during an intentional attack greatly determines how well the virtual machine can survive risk.

• One reason why the hypervisor is susceptible to risk is that it is a software program; risk increases as the volume and complexity of application code increases.

• Ideally, software code operating within a defined VM would not be able to communicate with or affect code running either on the physical host itself or within a different VM; but several issues, such as bugs in the software or limitations of the virtualization implementation, may put this isolation at risk.

• Major vulnerabilities inherent in the hypervisor consist of rogue hypervisor rootkits, external modification to the hypervisor, and VM escape.

New Virtualization System-Specific Attacks
Rogue Hypervisors Rootkits or Hyper jacking:

❑ In a normal virtualization scenario, the guest operating system (the operating system that is booted inside of a virtualized environment) runs like a traditional OS managing I/O to hardware and network traffic, even though it’s controlled by the hypervisor.

❑ VM-based rootkits can hide from normal malware detection systems by initiating a “rogue” hypervisor and creating a covert channel to dump unauthorized code into the system.

❑ Proof-of-concept (PoC) exploits have demonstrated that a hypervisor rootkit can insert itself into RAM, downgrade the host OS to a VM, and make itself invisible.

❑ A properly designed rootkit could then stay “undetectable” to the host OS, resisting attempts by malware detectors to discover and remove it.

New Virtualization System-Specific Attacks
Rogue Hypervisors Rootkits or Hyper jacking:

❑ This creates a serious vulnerability in all virtualized systems.

❑ Detectability of malware code lies at the heart of intrusion detection and correction, as security researchers analyze code samples by running the code and viewing the result.

❑ In addition, some malware tries to avoid detection by anti-virus processes by attempting to identify whether the system it has infected is traditional or virtual.

❑ If found to be a VM, it remains inactivated and hidden until it can penetrate the physical host and execute its payload through a traditional attack vector.
New Virtualization System-Specific Attacks

■ Rogue Hypervisors Rootkits or Hyper jacking:

– Consists of installing a rogue hypervisor

• Hyperjacking is an attack in which a hacker takes malicious control over the hypervisor that creates the virtual environment within a virtual machine (VM) host.
• The point of the attack is to target the operating system that is below that of the virtual machines so that the attacker's program can run and the applications on the VMs above it will be completely oblivious to its presence.
• Hyperjacking involves installing a malicious, fake hypervisor that can manage the entire server system.
• In hyperjacking, the hypervisor specifically operates in stealth mode and runs beneath the machine, which makes it more difficult to detect and more likely to gain access to computer servers, where it can affect the operation of the entire institution or company.

New Virtualization System-Specific Attacks

■ Rogue Hypervisors Rootkits or Hyper jacking:

– Consists of installing a rogue hypervisor

• 1. Injecting a rogue hypervisor beneath the original hypervisor;
• 2. Directly obtaining control of the original hypervisor;
• 3. Running a rogue hypervisor on top of an existing hypervisor.

• One method for doing this is overwriting pagefiles on disk that contain paged-out kernel code
• Force kernel to be paged out by allocating large amounts of memory
• Find unused driver in page file and replace its dispatch function with shellcode
• Take action to cause driver to be executed
• Shellcode downloads the rest of the malware
• Host OS is migrated to run in a virtual machine
– Has been demonstrated for taking control of Host OS
– Hyperjacking of hypervisors may be possible, but not yet demonstrated
• Hypervisors will come under intense scrutiny because they are such attractive targets
• Known hyperjacking tools: BluePill, SubVirt, Vitriol
Virtualization System Public Exploits

CVE-2015-3456: VENOM vulnerability

• The Floppy Disk Controller (FDC) in QEMU, as used in Xen 4.5.x and earlier and KVM, allows local guest users to cause a denial of service (out-of-bounds write and guest crash) or possibly execute arbitrary code via the (1) FD_CMD_READ_ID, (2) FD_CMD_DRIVE_SPECIFICATION_COMMAND, or other unspecified commands.

• VENOM refers to a security vulnerability that results from a buffer overflow in a kernel-level driver included in many default virtualized environments.
• The VENOM vulnerability has the potential to provide attackers with access to the host operating system and, as a result, other guest operating systems on the same host.
• VENOM, an acronym for Virtualized Environment Neglected Operations Manipulation, arises from QEMU’s virtual Floppy Disk Controller (FDC), which carries a vulnerability that could enable an attacker to run code by pairing one of two flawed commands related to the controller with a buffer overflow.
• The VENOM vulnerability affects KVM, Xen and native QEMU virtual machines.
• Virtual machines running on Microsoft Hyper-V or VMware hypervisors are not affected by VENOM.
• The VENOM vulnerability works with the default configuration of the affected virtualization platforms, so even when the FDC drive has not been added to the platform, systems are still vulnerable.
New Virtualization System-Specific Attacks
External Modification of the Hypervisor:

❑ In addition to the execution of the rootkit payload, a poorly protected or designed hypervisor can also create an attack vector.
❑ Therefore, a self-protected virtual machine may allow direct modification of its hypervisor by an external intruder.
❑ This can occur in virtualized systems that don’t validate the hypervisor as a regular process.
New Virtualization System-Specific Attacks
VM Escape
❑ Due to the host machine’s fundamentally privileged position in relationship to the VM, an improperly configured VM could allow code to completely bypass the virtual environment, and obtain full root or kernel access to the physical host.
❑ This would result in a complete failure of the security mechanisms of the system, and is called VM escape.
❑ Virtual machine escape refers to the attacker’s ability to execute arbitrary code on the VM’s physical host, by “escaping” the hypervisor.
❑ VM escapes could occur through virtual machine shared resources called VMchat, VMftp, vCAT, and VMdrag-n-Drop.
Case Study: Virtualization System Public Exploits
■ 36 public exploits against production virtualization systems have been released
■ Most of these are attacks against third-party components of these systems
■ CVE-2009-2267
– Guest OS user can gain elevated privileges on guest OS by exploiting a bug in handling of page faults
– Affects ESX server 4 and other VMware products
– Exploit binary posted at lists.grok.org.uk
New Virtualization System-Specific Attacks

VM migration
– Migration attack is an attack on the network during VM migration from one place to another. This attack is an exploit on the mobility of virtualization.
– Since VM images are easily moved between physical machines through the network, enterprises constantly move VMs to various places based on their usage.
– For example, VMs from a canceled customer may be moved to a backup data center, and VMs that need maintenance may be moved to a testing data center for changes.
– Thus, when VMs are on the network between secured perimeters, attackers can exploit the network vulnerability to gain unauthorized access to VMs.
– Similarly, the attackers can plant malicious code in the VM images to plant attacks on data centers that VMs travel between.
Migrating Virtual Machines

VM MIGRATION explained - Video Animation - Flipped Activity
New Virtualization System-Specific Attacks

VM migration - Types and Techniques

• Cold Migration: Before migration, the virtual machine must be powered off. After doing this task, the old one should be deleted from the source host. Moreover, the virtual machine need not be on shared storage.

• Warm Migration: When transferring the OS and any applications, there is no need to suspend the source host. It is in high demand in public clouds.

• Live Migration: It is the process of moving a running virtual machine from the source host to the destination host without stopping the OS and other applications.
New Virtualization System-Specific Attacks
■ VM migration - Types and Techniques

1) Pre-Copy Migration:

In this migration, the hypervisor copies all memory pages from the source machine to the destination machine while the virtual machine is running. It has two phases: the warm-up phase and the stop-and-copy phase.

a) Warm-Up Phase:
While all memory pages are being copied from source to destination, some memory pages change because the source machine's CPU is active. The changed memory pages are known as dirty pages.
All these dirty pages must be recopied to the destination machine; this phase is called the warm-up phase.

b) Stop & Copy Phase: The warm-up phase is repeated until all the dirty pages are recopied to the destination machine. At this point the CPU of the source machine is deactivated until all memory pages have been transferred to the other machine. At this time the CPUs of both source and destination are suspended; this is known as the down-time phase. This is the main thing that has to be explored in migration for its optimization.
New Virtualization System-Specific Attacks
■ VM migration - Types and Techniques
2) Post-Copy Migration:
▪ In this technique, the VM at the source is suspended to start post-copy VM migration.
▪ When the VM is suspended, the execution state of the VM (i.e. CPU state, registers, non-pageable memory) is transferred to the target.
▪ In parallel, the source actively sends the remaining memory pages of the VM to the target.
▪ This process is known as pre-paging.
▪ At the target, if the VM tries to access a page that has not been transferred yet, it generates a page fault, also known as a network fault. These faults are redirected to the source, which responds with the faulted pages.
▪ Due to this, the performance of applications degrades with the number of network faults.
▪ To overcome this, a pre-paging scheme is used to push pages after the last fault by dynamically using the page transmission order.
New Virtualization System-Specific Attacks
■ Live VM migration steps of Google Compute Engine
New Virtualization System-Specific Attacks

■ VM migration
– VM migration is the transfer of a guest OS from one physical server to another with little or no downtime
– Implemented by several virtualization products
– Provides high availability and dynamic load balancing
New Virtualization System-Specific Attacks

■ VM migration attack
– If the migration protocol is unencrypted, it is susceptible to a man-in-the-middle attack
– Allows arbitrary state in the VM to be modified
– In default configuration, XenMotion is susceptible (no encryption)
– VMware’s VMotion system supports encryption
– Proof-of-concept developed by Jon Oberheide at the Univ. of Michigan
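
The pre-copy rounds described earlier and the migration-attack point above can be seen together in a small simulation. This is an added example, not code from the slides or from any hypervisor: the page size, workload, key and all function names are constructed for illustration, and a per-page HMAC with a pre-shared key stands in for the authenticated, encrypted channel a real migration would use.

```python
import hashlib
import hmac


class MigrationAborted(Exception):
    """Raised when the destination refuses a page that fails authentication."""


def page_tag(key, rnd, index, data):
    # Bind the MAC to round and page index so a page cannot be replayed
    # from an earlier round or written into a different slot.
    header = rnd.to_bytes(4, "big") + index.to_bytes(4, "big")
    return hmac.new(key, header + data, hashlib.sha256).digest()


class Destination:
    def __init__(self, key, n_pages):
        self.key = key
        self.pages = [b""] * n_pages

    def receive(self, rnd, index, data, tag):
        if not hmac.compare_digest(tag, page_tag(self.key, rnd, index, data)):
            raise MigrationAborted(f"page {index} failed integrity check in round {rnd}")
        self.pages[index] = data


def precopy_migrate(memory, guest_writes, dest, key,
                    stop_threshold=1, max_rounds=8, channel=None):
    """Return the number of pages sent per round; the last entry is stop-and-copy.

    memory       -- list of bytes objects, the source VM's pages
    guest_writes -- list of {page_index: new_bytes}, what the running guest
                    dirties during each warm-up round
    channel      -- optional function modelling the network path
    """
    channel = channel or (lambda rnd, index, data: data)

    def send(indices, rnd):
        for i in sorted(indices):
            tag = page_tag(key, rnd, i, memory[i])      # computed at the source
            dest.receive(rnd, i, channel(rnd, i, memory[i]), tag)
        return len(indices)

    sent, rnd = [], 0
    dirty = set(range(len(memory)))                     # first pass copies everything
    while len(dirty) > stop_threshold and rnd < max_rounds:
        sent.append(send(dirty, rnd))                   # warm-up: guest keeps running
        writes = guest_writes[rnd] if rnd < len(guest_writes) else {}
        for i, data in writes.items():
            memory[i] = data
        dirty = set(writes)                             # pages to recopy next round
        rnd += 1
    sent.append(send(dirty, rnd))                       # stop-and-copy: guest paused
    return sent


def demo():
    key = b"constructed-demo-key"                       # placeholder shared secret
    writes = [{1: b"A" * 16, 2: b"B" * 16, 5: b"C" * 16}, {2: b"D" * 16}]

    memory = [bytes([i]) * 16 for i in range(8)]
    dest = Destination(key, len(memory))
    rounds = precopy_migrate(memory, writes, dest, key)
    clean_ok = dest.pages == memory

    # Constructed on-path modification of one page during the second round.
    def modified_path(rnd, index, data):
        return b"X" + data[1:] if (rnd, index) == (1, 5) else data

    memory = [bytes([i]) * 16 for i in range(8)]
    try:
        precopy_migrate(memory, writes, Destination(key, 8), key, channel=modified_path)
        detected = False
    except MigrationAborted:
        detected = True
    return rounds, clean_ok, detected
```

With this workload the rounds shrink from 8 pages to 3 to 1, and the last figure is the part transferred while the guest is paused.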

Analysis of Hyper jacking Attack and Mitigation Techniques
Identity and Access Management (IAM)

Two main user types when logging in to the Cloud Management Console:

❑ AWS Root User Account
❑ AWS IAM User Account
Identity and access management (IAM)

• Identity and access management (IAM or IdAM for short) is a way to tell who a user is and what they are allowed to do.
• IAM is like the bouncer at the door of a nightclub with a list of who is allowed in, who isn't allowed in, and who is able to access the VIP area.
• IAM is also called identity management (IdM).

Identity

The three most widely used authentication factors are:

➢ Something the user knows - a piece of knowledge that only one user should have, like a username and password combination.
➢ Something the user has - refers to possession of a physical token that is issued to authorized users, e.g. a key, a USB device, or even a smartphone.
➢ Something the user is - refers to a physical property of one's body, e.g. Face ID, fingerprint scanning, retina scans.
Access Management

"Access" refers to what data a user can see and what actions they can perform once they log in.
Once Ravi logs into his email, he can see all the emails he has sent and received. However, he should not be able to see the emails sent and received by Tharun, his coworker.

Access management is the process of controlling and tracking access. Each user within a system will have different privileges within that system based on their individual needs.

Identity and Access Management (IAM) is a combination of policies and technologies that allows organizations to identify users and provide the right form of access as and when required.
IAM ...

Components of IAM
• Users
• Roles
• Groups
• Policies

Services By IAM
Architecture of Identity Access Management

IAM architecture ...
❖ User Management:- It consists of activities for the control and management of identity life cycles.
❖ Authentication Management:- It consists of activities for effectively controlling and managing the processes for determining which user is trying to access the services and whether those services are relevant to him or not.
❖ Authorization Management:- It consists of activities for effectively controlling and managing the processes for determining which services a user is allowed to access according to the policies made by the administrator of the organization.
❖ Access Management:- It is used in response to a request made by a user wanting to access resources within the organization.
❖ Data Management and Provisioning:- The authorization of data and identity is carried towards the IT resource through automated or manual processes.
❖ Monitoring and Auditing:- Based on the defined policies, monitoring, auditing, and reporting are done on users' access to resources within the organization.
❖ Operational Activities of IAM:- In this process, we onboard new users onto the organization’s systems and applications and provide them with the necessary access to services and data. Deprovisioning works in the opposite direction: we delete or deactivate the identity of the user and revoke all the privileges of the user.
IAM architecture ...

❖ Credential and Attribute Management:- Credentials are bound to an individual user and are verified during the authentication process. These processes generally include allotment of a username, static or dynamic password, handling of password expiration, encryption management, and access policies of the user.
❖ Entitlement Management:- These are also known as authorization policies, in which we address the provisioning and de-provisioning of the privileges provided to the user for accessing databases, applications, and systems. We provide only the required privileges to users according to their roles. It can also be used for security purposes.
❖ Identity Federation Management:- In this process, we manage relationships beyond the internal networks of the organization, that is, among different organizations. A federation is an association of organizations that come together to exchange information about users and resources to enable collaboration and transactions.
❖ Centralization of Authentication and Authorization:- It needs to be developed in order to build custom authentication and authorization features into applications; it also promotes a loosely coupled architecture.
Shared Responsibility Model for Identity Access Management

Cloud Service Provider (CSP)
• Infrastructure (Global Security of the Network)
• Configuration and Vulnerability Analysis
• Compliance Validation

Customer
• Users, Groups, Roles, Policies Management and Monitoring
• Use IAM tools to apply appropriate permissions.
• Analyze access patterns and review permissions.
Four major challenges in user and access management faced by cloud users

1. How can I avoid duplication of identity, attributes, and credentials and provide a single sign-on user experience for my users? Security Assertion Markup Language (SAML).
2. How can I automatically provision user accounts with cloud services and automate the process of provisioning and de-provisioning? Service Provisioning Markup Language (SPML).
3. How can I provision user accounts with appropriate privileges and manage entitlements for my users? eXtensible Access Control Markup Language (XACML).
4. How can I authorize cloud service X to access my data in cloud service Y without disclosing credentials? Open Authorization (OAuth).
Security Assertion Markup Language (SAML)

The contents of the assertion should include the “claim set” that includes:
• User name
• User role
• Purpose of use
• User organization
• Authorization details
• Digital signature
• Issuer
Single Sign-On (SSO) transaction steps using SAML
Service Provisioning Markup Language (SPML)

Service Provisioning Markup Language (SPML) is an XML-based framework, being developed by OASIS, for exchanging user, resource and service provisioning information between cooperating organizations.
eXtensible Access Control Markup Language (XACML)

• eXtensible Access Control Markup Language (XACML) provides a means for organizations to implement a common authorization method across federated clouds.

Consists of four policy components: PEP, PIP, PDP, and PAP

➢ Policy Enforcement Point (PEP) – enforces policy decisions and admission control in response to a request for information and/or resource
➢ Policy Information Point (PIP) – supplies data that’s used for evaluating an authorization policy
➢ Policy Decision Point (PDP) – makes the decision for an entity to gain access to a resource and/or information
➢ Policy Administration Point (PAP) – creates a policy or a set of policies
XACML Architecture

XACML use case

1. The health care application manages various hospital associates (the physician, registered nurse, nurses’ aide, and health care supervisor) accessing various elements of the patient record. This application relies on the policy enforcement point (PEP) and forwards the request to the PEP.
2. The PEP is actually the interface of the application environment. It receives the access requests and evaluates them with the help of the policy decision point (PDP). It then permits or denies access to the resource (the health care record).
3. The PEP then sends the request to the PDP. The PDP is the main decision point for access requests. It collects all the necessary information from available information sources and concludes with a decision on what access to grant. The PDP should be located in a trusted network with strong access control policies, e.g., in a corporate trusted network protected by a corporate firewall.
4. After evaluation, the PDP sends the XACML response to the PEP.
5. The PEP fulfills the obligations by enforcing the PDP’s authorization decision.
SampleXACMLResponse.xml

<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <Result>
    <Decision>Permit</Decision>
    <Status>
      <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
    </Status>
    <Obligations>
      <Obligation ObligationId="email">
        <AttributeAssignment AttributeId="email"
            DataType="http://www.w3.org/2001/XMLSchema#string">[email protected]</AttributeAssignment>
      </Obligation>
    </Obligations>
    <AssociatedAdvice>
      <Advice AdviceId="email_advice">
        <AttributeAssignment AttributeId="email"
            DataType="http://www.w3.org/2001/XMLSchema#string">[email protected]</AttributeAssignment>
      </Advice>
    </AssociatedAdvice>
  </Result>
</Response>
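
How a PEP can act on a response like SampleXACMLResponse.xml, as an added example that is not part of the original slides or of any XACML product: it grants access only on a clean Permit whose obligations it can all discharge, and treats advice as optional. The function names, handler registry and e-mail addresses are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}
STATUS_OK = "urn:oasis:names:tc:xacml:1.0:status:ok"

# Constructed response modelled on the sample; the addresses are placeholders.
SAMPLE_RESPONSE = """\
<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <Result>
    <Decision>Permit</Decision>
    <Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status>
    <Obligations>
      <Obligation ObligationId="email">
        <AttributeAssignment AttributeId="email"
          DataType="http://www.w3.org/2001/XMLSchema#string">auditor@example.org</AttributeAssignment>
      </Obligation>
    </Obligations>
    <AssociatedAdvice>
      <Advice AdviceId="email_advice">
        <AttributeAssignment AttributeId="email"
          DataType="http://www.w3.org/2001/XMLSchema#string">helpdesk@example.org</AttributeAssignment>
      </Advice>
    </AssociatedAdvice>
  </Result>
</Response>
"""


def _assignments(node):
    return {a.get("AttributeId"): (a.text or "").strip()
            for a in node.findall("x:AttributeAssignment", NS)}


def enforce(response_xml, obligation_handlers, advice_handlers=None):
    """Deny-biased PEP: return (allowed, notes) for a response from a trusted PDP."""
    try:
        root = ET.fromstring(response_xml)
    except ET.ParseError:
        return False, ["deny: response is not well-formed XML"]
    results = root.findall("x:Result", NS)
    if root.tag != "{%s}Response" % NS["x"] or len(results) != 1:
        return False, ["deny: expected exactly one XACML 3.0 Result"]
    result = results[0]
    decision = (result.findtext("x:Decision", default="", namespaces=NS) or "").strip()
    if decision != "Permit":              # Deny, NotApplicable, Indeterminate, missing
        return False, [f"deny: decision is {decision or 'missing'}"]
    status = result.find("x:Status/x:StatusCode", NS)
    if status is not None and status.get("Value") != STATUS_OK:
        return False, ["deny: status is not ok"]

    notes = []
    # Obligations are mandatory: one that cannot be discharged turns Permit into deny.
    for ob in result.findall("x:Obligations/x:Obligation", NS):
        ob_id = ob.get("ObligationId")
        handler = obligation_handlers.get(ob_id)
        if handler is None:
            return False, [f"deny: cannot discharge obligation {ob_id!r}"]
        try:
            notes.append(handler(_assignments(ob)))
        except Exception as exc:
            return False, [f"deny: obligation {ob_id!r} failed: {exc}"]
    # Advice may be ignored when the PEP has no handler for it.
    for adv in result.findall("x:AssociatedAdvice/x:Advice", NS):
        handler = (advice_handlers or {}).get(adv.get("AdviceId"))
        if handler is not None:
            notes.append(handler(_assignments(adv)))
    return True, notes


def email_obligation(attrs):
    # Stand-in for the real side effect (sending the notification).
    if "@" not in attrs.get("email", ""):
        raise ValueError("no recipient")
    return "queued notification to " + attrs["email"]
```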
OAuth (Open Authorization)

OAuth (Open Authorization) is an open standard protocol for authorizing an application to use user information. In general, it allows a third-party application access to user-related information like name, DOB, email or other required data from an application like Facebook, Google etc. without giving the third-party app the user's password. It is pronounced oh-auth.

There are 3 components in the OAuth mechanism:

1. OAuth Provider – This is the OAuth provider, e.g. Google, Facebook etc.
2. OAuth Client – This is the website where we are sharing or authenticating the usage of our information, e.g. GeeksforGeeks etc.
3. Owner – The user whose login authenticates sharing of information.

OAuth can be implemented via the Google console for “Login/Sign Up with Google” on a web app.

Pattern to be followed:

1. Get an OAuth 2.0 Client ID from the Google API Console.
2. Next, obtain an access token from the Google Authorization Server to access the API.
3. Send the request with the access token to an API.
4. Get a refresh token if longer access is required.
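
The client side of steps 1 to 4, as an added example that is not from the slides or from Google's libraries. It goes beyond the four steps by adding the `state` and PKCE checks that stop a forged or intercepted callback from being exchanged for a token; the client ID, redirect URI and function names are constructed placeholders, and no network call is made.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"


def pkce_challenge(verifier):
    # S256 method from RFC 7636: BASE64URL(SHA256(verifier)) without padding.
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_request(client_id, redirect_uri, scope, want_refresh=False):
    """Step 2a: URL the owner's browser is sent to, plus the secrets to keep
    in the server-side session (never in the URL or in client storage)."""
    state = secrets.token_urlsafe(16)       # binds the callback to this session
    verifier = secrets.token_urlsafe(48)    # PKCE secret, revealed only in step 2b
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    if want_refresh:                        # step 4: ask for a refresh token
        params["access_type"] = "offline"
    return AUTH_ENDPOINT + "?" + urlencode(params), state, verifier


def handle_callback(callback_url, redirect_uri, expected_state):
    """Validate the provider's redirect and return the authorization code."""
    if callback_url.split("?", 1)[0] != redirect_uri:
        raise ValueError("callback does not match the registered redirect URI")
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError("provider returned error: " + query["error"][0])
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback was not started by this session")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def token_request_body(code, client_id, redirect_uri, verifier):
    """Step 2b: form fields to POST to TOKEN_ENDPOINT over TLS. A confidential
    web client also adds its client secret, loaded from server-side config."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_verifier": verifier,
    }


def bearer_header(access_token):
    # Step 3: the access token travels in the Authorization header, not the URL.
    return {"Authorization": "Bearer " + access_token}
```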