Description
Filing date: 1 January 1900
Title: Toward characterization of cloud execution environments
Thesis supervisor:
Refik MOLVA (Eurecom)
Scientific field: Information and communication sciences and technologies
CNRS theme: Not defined
Abstract:
{{{(In)Security of the Cloud}}}
An increasing number of Internet services rely on Cloud infrastructure. Storage services such as DropBox rely on the cloud storage of Amazon S3. Major Internet sites such as Netflix rely on the Infrastructure as a Service (IaaS) of Amazon AWS. Technicolor considers using the cloud for media related applications.
Despite its commercial success, it is commonly accepted that delegating the execution of a task or storage of data to the Cloud comes with security issues.
The abstraction layers provided by the cloud model hide the actual execution environment, such as the hardware and the hypervisor used. It is not always clear which technology and architecture are actually hidden behind cloud products, even for products with specific security features (e.g. Amazon VPC, Amazon dedicated instance, dome9 SaaS firewalls).
As a consequence, an administrator has little information about the execution environment of their virtual machines, processes and tasks, and may have difficulty evaluating the security issues that might arise.
The questions that an administrator might want to ask include the following:
On which hypervisors are my virtual machines running? Is it the latest version of the hypervisor? Where is the host machine located? In the U.S., Europe, India? What type of hardware is it running on? Which drivers are used? Is my virtual network properly isolated? Which are the other machines on my virtual network? Are there other virtual machines running on the same hypervisor? etc.
A precise characterization of cloud execution environments is necessary. This characterization should be considered from a security perspective, and thus take into account possible attacks, subsequent corrective actions and countermeasures.
During this PhD we propose to investigate this characterization, following these items:
-* Evaluate the actual variability in security of existing cloud execution environments.
-* Propose and evaluate fingerprinting methods that characterize cloud technologies and architectures from inside and outside the cloud.
-* Propose and evaluate adaptive actions or countermeasures once the execution environment has been fingerprinted.
These items and a methodology on how to address them are described in greater detail in the following sections.
{{{Evaluate the variability}}}
On paper, the cloud computing services proposed by the different cloud vendors are similar. However, in practice they rely on different technologies, and the service provided may vary from a performance and security perspective from one cloud provider to another. Recent works [5, 6] show that important performance and cost variations exist between cloud providers and also within a single cloud provider. These works only considered performance and cost aspects but not security.
We propose to characterize the variability in security of existing cloud execution environments. This step encompasses a measurement period where we observe architectural aspects of cloud deployments, such as n-tier isolation or DNS and firewall services provided by the cloud service providers. The observations will be conducted from different points of view: from a network point of view, a virtualization point of view, physical machines etc.
A partial map of the cloud infrastructure may be constructed from these observations, relying on observations such as traceroutes, port scans, fingerprinting of network elements etc.
This approach differs from related work [1, 2, 4, 3] by the fact that we consider more architectural aspects and that we are interested in highlighting the differences in security between different cloud providers.
{{{Propose and evaluate fingerprint methods}}}
Fingerprinting is the action of gathering information about objects such as machines or drivers in order to identify them.
Our objective is to design fingerprinting methods that can identify the technologies and architectures used within a given cloud. A process or machine running in the cloud should be able to determine in which environment it is executed just by gathering some observable characteristics of its execution environment.
Fingerprinting often relies on machine learning algorithms. In this work we also adopt a machine learning approach by (i) clustering (unsupervised learning) a set of observed characteristics and (ii) labeling observations in a learning dataset and classifying an object of the cloud thanks to its observed characteristics (supervised learning). The datasets used will be based on the previously conducted measurements.
We will carefully evaluate the accuracy of the fingerprinting methods proposed, and also consider to what extent the methods can be attacked.
One of the characteristics that may be used to fingerprint the physical machine and the hypervisor is the behavior of the clock skew, based on the work of Kohno et al. [9]. Chen et al. [13] observed that virtualized hosts have a more perturbed clock skew behavi
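The clock-skew characteristic mentioned above can be turned into two numeric features for the clustering and classification steps: the skew itself and how disturbed the offsets are around it. The following is an added example, not code from the thesis or the cited papers; the least-squares fit is an assumption of this example rather than the estimator of the cited work, and the traces, the 50 ppm skew and the noise levels are constructed sample data.

```python
import random
import statistics

def skew_features(samples):
    """samples: (reference_s, observed_s) clock readings taken at the same instants.
    Returns (skew_ppm, jitter_us): slope of the offset line and spread around it."""
    ref0, obs0 = samples[0]
    xs = [ref - ref0 for ref, _ in samples]              # elapsed reference time, s
    ys = [((obs - obs0) - x) * 1e6                       # observed-minus-reference offset, us
          for (_, obs), x in zip(samples, xs)]
    xbar, ybar = statistics.fmean(xs), statistics.fmean(ys)
    sxx = sum((x - xbar) ** 2 for x in xs)
    if sxx == 0:
        raise ValueError("need readings spread over time")
    # Least-squares slope in us per second, which is parts per million.
    slope = sum((x - xbar) * (y - ybar) for x, y in zip(xs, ys)) / sxx
    intercept = ybar - slope * xbar
    residuals = [y - (intercept + slope * x) for x, y in zip(xs, ys)]
    return slope, statistics.pstdev(residuals)

def constructed_trace(skew_ppm, noise_us, n=200, seed=1):
    """Constructed sample data: one reading per second from a clock that drifts by
    skew_ppm and is disturbed by uniform noise of +/- noise_us microseconds."""
    rng = random.Random(seed)
    return [(float(t),
             t * (1 + skew_ppm * 1e-6) + rng.uniform(-noise_us, noise_us) * 1e-6)
            for t in range(n)]

def compare_hosts():
    """Same underlying skew, different disturbance: the jitter feature separates them."""
    steady = skew_features(constructed_trace(50, 5, seed=1))
    perturbed = skew_features(constructed_trace(50, 200, seed=2))
    return steady, perturbed

if __name__ == "__main__":
    for name, (skew, jitter) in zip(("steady", "perturbed"), compare_hosts()):
        print(f"{name:10s} skew={skew:7.2f} ppm  jitter={jitter:7.2f} us")
```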
Doctoral student: Maurice Clementine