Cloud Computing is a disruptive technology which has brought enormous benefits. However, even if the benefits are countless, there are several security challenges, such as elasticity and multi-tenancy, which require an innovative approach. Indeed, traditional security tools are not suitable for Cloud Computing, since infrastructures can be very dynamic. Therefore, automation is the only answer to this pressing need. SecludIT developed Elastic Detector, a security tool which automatically adapts to the current configuration of your cloud infrastructure and continuously monitors its security level.
Unfortunately, elasticity is not the only concern for cloud computing users. Multi-tenant environments, such as cloud computing platforms, can put confidential and security-sensitive data at risk. We recently gave a presentation at the RaSIEM workshop in Regensburg (Germany) in which we proposed our solution to detect access-driven side-channel attacks in the cloud environment. Our approach can also be used to detect other kinds of attacks.
In side-channel attacks, the attacker runs a virtual machine on the same physical host as the victim's virtual machine and takes advantage of a shared physical component (e.g. the processor cache) in order to steal information (e.g. a cryptographic key) from the victim. More precisely, the attacker tries to retrieve the value of a cryptographic key by observing the activity of the processor cache. It is worth pointing out that we are assuming that the attacker has somehow managed to place his virtual machine on the same physical host as the victim. Actually, this operation is not trivial and requires launching tens of virtual machines. Moreover, after a virtual machine has been launched, a co-residency check is needed.
To the best of our knowledge, there is only one implementation of this attack: https://mexico.rsa.com/rsalabs/presentations/cross-vm-side-channels.pdf.
Our strategy consists of detecting the attack before it takes place, that is, during the placement phase. Our idea can be summarized as follows: if a user launches and terminates a high number of machines, then he could be a potential attacker. In order to implement such a solution, we need two important elements:
- Logs/events: when a machine is launched or terminated, an event must be generated. This way it can be correlated with other security-relevant events.
- Correlation: logs are converted to events after being delivered. Events are then correlated with each other in order to detect attacks/threats.
We decided to use OSSIM, a well-known open source SIEM system, as the correlation engine. Logs are collected by Elastic Detector, which interacts with the cloud provider through the provider's standard API. Logs are then delivered to OSSIM through rsyslog, an open source tool available on Linux.
The last step is the correlation phase, which is performed by OSSIM. To this end, we defined a plugin which takes care of converting the logs delivered by Elastic Detector into events. Here is the source code of the plugin:
Once logs have been converted into events, OSSIM activates its correlation engine and checks whether any of these events match one of the predefined correlation/detection rules. We defined our own correlation rule to detect side-channel attacks.
The correlation rule is triggered when a machine is launched. If 9 more machines are launched by the same user in the same region in less than 1 minute, the correlation proceeds to the second level. Finally, if those machines are terminated in less than 15 minutes, an alarm is raised and the proper countermeasure can be taken. For instance, the account of the potential attacker could be suspended, or his activity could be monitored more closely.
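The two stages described on this page, the plugin that turns Elastic Detector log lines into events and the two-level correlation rule (a launch burst followed by fast termination), can be modelled end to end in a few lines. The following Python program is an added example written for this page; it is not the OSSIM plugin or rule from the original post. Since the post does not show the log format Elastic Detector emits, the `elastic-detector: action=... user=... region=... instance=...` line layout, the `RunInstances`/`TerminateInstances` action names and the tenant names are all constructed assumptions, and the thresholds (10 launches within 1 minute, all of them terminated within 15 minutes of the first launch) follow the rule as the text states it.

```python
# Added example: a Python model of the log-to-event plugin and of the
# two-level launch/terminate correlation rule described in the post.
# Not the original OSSIM plugin or rule; log format and sample data are constructed.
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# ASSUMPTION: the post does not show the log format, so this one is constructed.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) elastic-detector: action=(?P<action>\w+) "
    r"user=(?P<user>\S+) region=(?P<region>\S+) instance=(?P<instance>\S+)$"
)
ACTION_MAP = {"RunInstances": "launch", "TerminateInstances": "terminate"}


@dataclass
class Event:
    ts: datetime
    action: str      # "launch" or "terminate"
    user: str
    region: str
    instance: str


def parse_log_line(line):
    """Plugin stage: turn one raw log line into a normalized Event (None if no match)."""
    m = LOG_RE.match(line.strip())
    if m is None or m["action"] not in ACTION_MAP:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return Event(ts, ACTION_MAP[m["action"]], m["user"], m["region"], m["instance"])


class PlacementBurstRule:
    """Correlation stage: launch burst per (user, region), then fast termination."""

    def __init__(self, launches=10, launch_window=timedelta(minutes=1),
                 terminate_window=timedelta(minutes=15)):
        self.launches = launches
        self.launch_window = launch_window
        self.terminate_window = terminate_window
        self.recent = defaultdict(list)   # (user, region) -> [(ts, instance), ...]
        self.pending = {}                  # (user, region) -> burst awaiting terminations
        self.alarms = []

    def feed(self, ev):
        key = (ev.user, ev.region)
        if ev.action == "launch":
            # Level 1: keep only launches inside the sliding window and count them.
            window = [(t, i) for t, i in self.recent[key] if ev.ts - t < self.launch_window]
            window.append((ev.ts, ev.instance))
            self.recent[key] = window
            if len(window) >= self.launches and key not in self.pending:
                # Level 2: watch whether this burst gets torn down quickly.
                self.pending[key] = {"start": window[0][0],
                                     "instances": {i for _, i in window},
                                     "terminated": set()}
        elif ev.action == "terminate" and key in self.pending:
            burst = self.pending[key]
            if ev.ts - burst["start"] >= self.terminate_window:
                # Too slow to match the pattern: the burst expires without an alarm.
                del self.pending[key]
            elif ev.instance in burst["instances"]:
                burst["terminated"].add(ev.instance)
                if burst["terminated"] == burst["instances"]:
                    self.alarms.append({"user": ev.user, "region": ev.region,
                                        "instances": sorted(burst["instances"]),
                                        "burst_start": burst["start"],
                                        "last_terminate": ev.ts})
                    del self.pending[key]
        return self.alarms


def run_pipeline(lines, rule=None):
    """Parse every line, feed the recognized events to the rule, return the alarms."""
    rule = rule or PlacementBurstRule()
    for line in lines:
        ev = parse_log_line(line)
        if ev is not None:
            rule.feed(ev)
    return rule.alarms


# Constructed sample log: tenant-a launches 10 instances in 45 s and terminates
# them 5 min later; tenant-b launches 3 instances and keeps them running.
SAMPLE_LOG = sorted(
    [f"2012-10-01T10:00:{5 * n:02d}Z elastic-detector: action=RunInstances "
     f"user=tenant-a region=eu-west-1 instance=i-a{n:02d}" for n in range(10)]
    + [f"2012-10-01T10:05:{5 * n:02d}Z elastic-detector: action=TerminateInstances "
       f"user=tenant-a region=eu-west-1 instance=i-a{n:02d}" for n in range(10)]
    + [f"2012-10-01T10:01:{10 * n:02d}Z elastic-detector: action=RunInstances "
       f"user=tenant-b region=eu-west-1 instance=i-b{n:02d}" for n in range(3)]
)

if __name__ == "__main__":
    for alarm in run_pipeline(SAMPLE_LOG):
        print("ALARM launch/terminate burst:", alarm)
```

Running the script raises one alarm for `tenant-a` and none for `tenant-b`. The same pattern is produced by legitimate workloads such as an autoscaling group reacting to a load spike, so in practice the rule should be tuned per tenant or combined with an allow-list of known automation accounts before any countermeasure such as account suspension is applied.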
We tested our solution on Amazon EC2. If you want to have a closer look, here is a video which summarizes all the steps we described above and shows the results.