Cloud security

On demand self service
Broad or wide network access
Resource pooling or sharing
Measured service
Rapid elasticity

SaaS, PaaS, IaaS
Software as a servicd: use the provider’s applications running on a cloud infrastructure
Platform as a service: consumer-created applications using programming languages and tools supported by the provider
Infrastructure as a service: Capability provided to the consumer to provision processing, storage, networks, and other fundamental computing resources

Key Issues:
Trust, multi-tenancy, encryption, compliance
Clouds are massively complex systems
Simple primitives and common functional units

Cloud security challenges
– trusting vendor’s security model
– Customer inability to respond to audit findings
– Obtaining support for investigations
– Indirect administrator accountability
– Proprietary implementations can’t be examined
– Loss of physical control

Primary Technology
-Virtualization
-Grid technology
-Service Oriented Architectures
-Distributed Computing
-Broadband Networks

Hypervisor has higher privilege than guest kernel
Security VM is separated from User VM

User = application + data (encrypt)

Frequency Analysis Attack
connect data with public information
Optimization Attack

Big Data security

Machine Learning Review
y = f(x)
output, prediction function, training/testing example

test image -> image features -> learned model -> prediction
raw pixels, histograms, gist descriptors

Decision Tree: Determining which attribute is best
Entropy(E) is the minimum number of bits needed represent the examples according to their class labels

There is no perfect way of labelling data, therefore there is really no perfect IDS dataset.

(flag = S0, service = http),(flag = S0, service = http) -> (flag = S0, service = http)[0.6, 2s]

Bitcoin Operation

Info from the public blockchain + Owner’s secret signing key
So it’s all about key management!

Simplest approach: store key in a file, on your computer or pphone
device compromised -> key leaked -> coins stolen

Hot storage: online convenient but risky
Cold storage: offline archival but safer

Generate a big batch of addresses/keys, transfer to hot beforehand

generateKeyHier -> address gen info -> genAddr -> ith address
-> private key gen info -> genKey -> ith key

block chain

linked list with hash pointers = “block chain”

Cryptocurrencies
CreateCoin[ uniqueCoinID ]
signed by pk (scret signing key)
-> Goofy coin

A coin’s owner can spend it – using cryptographic operations

signed by pk
Pay to pkalice:()

signed by pk
CreateCoin[ uniqueCoinID ]

Scrooge coin
A designated entity publishes an append-only ledger containing the history of all the transactions that have happened.
All transactions be written to the ledger before they are accepted.

DNS Thread

White: complete trust in this IP address
Black: No trust in this IP address
Grey: This IP address is not directly involved in spamming but is associated with spam-like behaviors
Yellow: This IP address is known to produce spam and non-spam email
NoBL: This IP address does not send spam, and should not be blacklisted. But it is not fully trustworthy.

SPAM ip address is black listed.
New IP addresses are trusted with the static blacklist model.
Static Blacklist Model: Innocent until proven guilty

Need a dynamic, comprehensive reputation system outputs reputation scores for domains
Extra temporal and statistical features from DNS traffic, compute/learn models

Kopis: Passive monitoring in the upper levels of the DNS hierarchy; internet-visibility

h(w) = (length of word w) mod 5
Given H(m), no easy way to find m
one-way function

Hash pointer contains:
-pointer to where some info is stored
-(cryptographic) hash of the info

Hash pointe
Hash of the data, Pointer to data

Botnet Detection

A Bot is often called a zombie because it is a compromised computer controlled by malware without the consent and knowledge of the user.

A Botnet is a network of bots controlled by a Bot Master

It is a key platform for fraud and other for-profit exploits.

Traditional Anti-Virus Tools, Traditional IDS/IPS, Honeypot

Bots are stealthy on the infected machines
Bot infection is usually a multi-faceted and multi-phased process
Bot are dynamically evolving
Botnets can have very flexible design of C&C channels

Recursive DNS Monitoring at ISP
Analyze DNS traffic from internal hosts to a recursive DNS server of the network

HTTPS

send password – encrypted- e.g. “Xu587Fyis)” -Encrypted – Receives password

-create a sesure channel over an insecure network
-is reasonable protection against man-in-the-middle attacks
-can still provide security even when only one side of the communiction is secure

Crypto slow down web server
some ad-networks do not support HTTPS
– reduced revenue for publishers

Request URL, Query parameters, Headers, Cookies

SSL/TLS
You need to buy an SSL certificate
Mixed modes issue-loading insecure content on a secure site
Proxy caching problems-public caching cannot occure

Upgrade from HTTP to HTTPS
forged certs

mobile device
– smart phone held by person, self driving car, robot

Session Management

A sequence of requests and responses from one browser to one site
– session can be long or short
– without session management, users would constantly re-authenticate

Storing session tokens
-browser cookie, embed in URL, hidden form field

Content Security Policy

Prevent and limit damage of XSS
->
XSS attacks bypass the same origin policy by tricking a site into delivering malicious code along with intended content

Approach: restrict resource loading to a white-list
script-src, connect-src, font-src, frame-src, img-src, media-src, object-src, style-src, default-src

CSP will allow third party widgets(e.g. Google +1 button) to be embedded on your site

Cross origin resource sharing
-A technique for relaxing the same-origin policy, allowing JavaScript on a web page to consume content from a different origin.
-server can inspect origin header and respond with Access-Control-Allow-Origin header

definition of an origin
A combination of URI(UniformResource Identification) scheme hostname, and port number.

Same origin policy for DOM.

Cryptographic Checksums
generate tag: T MACsign(k, SID || name || value)

Web Threat Model

Malware Attacker:
Attacker escapes browser isolation mechanisms and runs separately under control of OS
Browsers may contain exploitable bugs
often enable remote code execution by web site
even if browsersd were bug-free, still lots of vulnerabilities on the web
XSS, SQLi, CSRF, …

Web Threat Models
Malware Attacker, Network Attacker, Web Attacker

Basic Execution Model
1. Loads content
2. Renders
Processes HTML and scripts to display the page. May involve images, subframes, etc.
3. Response to event

Frame Security
windows may contain frames from different sources
Frame:Rigid division as part of frameset
iFrame: floating inline frame

readCookie, writeCookie

Browsing Context
-A frame with its DOM
-A web worker, which does not have a DOM

Modern structuring mechanisms
-HTML5 iframe sandbox
-content security policy
-cross-origin resource sharing
-HTML5 web workers
-sub resource integrity