UKC - Feb 2013 - Analyzing the security of Windows 7 and Linux for cloud computing
DESCRIPTION
University of Kent 2013 - CO899 System Security. Presentation of the article: Salah K, et al, Computers & Security (2012), http://dx.doi.org/10.1016/j.cose.2012.12.001
TRANSCRIPT
![Page 1: UKC - Feb 2013 - Analyzing the security of Windows 7 and Linux for cloud computing](https://reader033.vdocument.in/reader033/viewer/2022051816/546e9e66b4af9fbe268b46b0/html5/thumbnails/1.jpg)
Original Article by Salah K, et al, Computers & Security (2012), http://dx.doi.org/10.1016/j.cose.2012.12.001
Analyzing the security of Windows 7 and Linux for cloud computing
Vincent Giersch - vg66

Contents
• Authors
• Main points of the article
• Introduction to cloud computing
• Infrastructure as a Service (IaaS)
• Authentication
• Authorization
• Network security
• Accounting
• Privacy and encryption
• Conclusion
• Criticism and improvements
Authors background
• Khaled Salah
Electrical and Computer Engineering Department, Khalifa University of Science, Technology and Research (United Arab Emirates)
• Jose M. Alcaraz Calero
Department of Computer Science, Engineering Technical School, University of Valencia (Spain)
• Jorge Bernal Bernabé and Juan M. Marín Perez
Cloud and Security Lab, Hewlett-Packard Laboratories, Stoke Gifford, Bristol (UK)
• Sherali Zeadally
Department of Computer Science and Information Technology, University of the District of Columbia, Washington (USA)
Introduction to cloud computing
Virtual IT infrastructures
Pay as you go
IaaS
IaaS solutions
IaaS solutions: Hypervisors
Hypervisors
Physical resources for guest operating systems: CPU, RAM, disk, network
OS images configured by the cloud provider or the user
Cloud providers
Customer perspective
• Use of a third-party infrastructure
• Full control by the cloud provider
• The customer wants to keep their security and privacy

This article analyses
Fedora Core 15 with a 2.6.38 kernel
Windows 7 Ultimate Edition
Authentication
Verify that a user is really who they claim to be.
Windows Authentication Architecture
[Figure: Windows authentication (Local Security Authority). Winlogon sits above the LSA, which loads the authentication packages MSV1_0 and Kerberos and the security support providers CredSSP, NTLM and Digest SSP.]
Interactive authentication
• Winlogon is the main component; it uses the LSA's APs and SSPs
• Authentication Packages (AP):
  • DLLs which encapsulate the authentication logic
  • Perform the logon in the OS
• Security Support Providers (SSP):
  • DLLs which implement the SSPI
  • SSPI also provides non-interactive (network) authentication
Linux Authentication Architecture
[Figure: Linux authentication. The login process sits above libpam, which loads the modules pam_unix, pam_guest, pam_krb5 and pam_radius.]
• The login process (/bin/login) interacts with libpam (Pluggable Authentication Modules).
• All the modules implement the PAM abstraction layer and are built and loaded as dynamic libraries, following the stack described in /etc/pam.d/&lt;service&gt;.
Cloud providers' OS images
• Usually cloud providers modify the OS image to configure authentication (e.g. add SSH keys)
• High security threat: the provider has access to the content of the VM
• Consequence: the image cannot be encrypted at rest, since the provider could then not add the keys to it
Usage of an IdM
• Windows and Linux both provide authentication abstraction mechanisms (the SSPI/AP model and PAM)
• Use an Identity Management system (IdM)
• Separates the authentication from the image file system
• Should be managed by the tenant organization
• Examples: Kerberos, OpenID, SAML
• Problem: a fake IdM could be substituted if an attacker has access to the file system or RAM, since the configuration that points the OS at the IdM lives there
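Worked example (added for this write-up; it is not code from the paper or from Linux-PAM): a small model of how libpam evaluates an auth stack, using the control flags documented in pam.conf(5). It serves both the PAM architecture slide and the IdM warning above. The module names, the two stacks and the password outcomes are constructed; the backdoored stack shows what an attacker with write access to the image file system gains by prepending a single line.

```python
"""Model of how libpam walks an 'auth' stack.

Added example for this presentation; it is not code from the paper or from
Linux-PAM. It parses pam.d-style lines and applies the control-flag semantics
documented in pam.conf(5): requisite, required, sufficient, optional.
Module results are supplied by a dict so the walk can be run offline.
"""
import re

LINE_RE = re.compile(
    r"^\s*(auth|account|password|session)\s+"
    r"(requisite|required|sufficient|optional)\s+(\S+)"
)


def parse_stack(config, service_type="auth"):
    """Return [(control, module)] for lines of service_type; comments are skipped."""
    stack = []
    for line in config.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(1) == service_type:
            stack.append((m.group(2), m.group(3)))
    return stack


def evaluate(stack, results):
    """Walk the stack and return (decision, modules_consulted).

    results maps module name -> True (PAM_SUCCESS) or False. A module absent
    from results counts as a failure, as an unloadable module does in libpam.
    """
    consulted = []
    failed_required = False
    saw_decisive = False        # a required/requisite/sufficient entry was seen
    last_optional = None
    for control, module in stack:
        ok = results.get(module, False)
        consulted.append(module)
        if control == "requisite":
            saw_decisive = True
            if not ok:
                return False, consulted          # stop immediately
        elif control == "required":
            saw_decisive = True
            if not ok:
                failed_required = True           # remember, keep walking
        elif control == "sufficient":
            saw_decisive = True
            if ok and not failed_required:
                return True, consulted           # short-circuit success
        else:                                     # optional
            last_optional = ok
    if not saw_decisive and last_optional is not None:
        return last_optional, consulted           # optional only counts if alone
    return not failed_required, consulted


# Constructed stack resembling a distribution's /etc/pam.d/login
SAFE_LOGIN = """\
# constructed example
auth    requisite   pam_nologin.so
auth    required    pam_unix.so
auth    optional    pam_krb5.so
account required    pam_unix.so
"""

# The same stack after someone with write access to the image (the slide's
# attacker with file-system access) prepends one line.
BACKDOORED_LOGIN = "auth    sufficient  pam_permit.so\n" + SAFE_LOGIN

RISKY_TOKENS = ("pam_permit.so", "nullok")


def login_decision(config, password_ok):
    """Outcome of the auth stack for a user whose password check is password_ok."""
    results = {
        "pam_nologin.so": True,        # no /etc/nologin present
        "pam_permit.so": True,         # always succeeds by design
        "pam_unix.so": password_ok,
        "pam_krb5.so": password_ok,
    }
    return evaluate(parse_stack(config), results)[0]


def audit(config):
    """Lines a reviewer wants to see: pam_permit in the stack, or nullok."""
    return [
        line.strip()
        for line in config.splitlines()
        if line.strip() and not line.lstrip().startswith("#")
        and any(tok in line for tok in RISKY_TOKENS)
    ]


if __name__ == "__main__":
    print("safe, wrong password :", login_decision(SAFE_LOGIN, False))        # False
    print("safe, right password :", login_decision(SAFE_LOGIN, True))         # True
    print("backdoored, wrong pw :", login_decision(BACKDOORED_LOGIN, False))  # True
    print("audit findings       :", audit(BACKDOORED_LOGIN))
```

The backdoor is visible in configuration, not in code: a tenant that ships its own image can compare /etc/pam.d against a known-good copy at boot, which is the check implied by the "use your own OS images" advice in the conclusion.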
Authorization
Authorization: access control
• Manages the privileges granted to an authenticated user
• Checks and enforces these privileges when the user performs actions on securable objects
Access control on Windows 7
Different access control subsystems are executed simultaneously at runtime.
First access control, discretionary access control:
• Controls all resources managed by the OS, e.g. a file, directory, process, registry key, Windows service, printer, etc.
• Each securable object has a security descriptor
• This descriptor holds two ACLs:
  • Discretionary Access Control List (DACL): which principals are allowed or denied which access rights
  • System Access Control List (SACL): which accesses are audited; it never grants access
Access control on Windows 7
Second access control, Mandatory Integrity Control (MIC):
• Controls access to securable objects
• Addition to the discretionary access control (DAC)
• Each user (more precisely, each process token) and each securable object has an integrity level: low, medium, high, system
• To modify an object, the caller needs an integrity level at least as high as the object's (the default mandatory policy is "no write up")
• Otherwise access is denied even if it is authorized by the DACL
Access control on Windows 7
Third access control, AppLocker:
• Controls the execution of processes (and, depending on the rule collection, DLLs, scripts and installers)
• A Windows service (the Application Identity service) intercepts the execution
• This service checks whether the user has the right to execute the application
• AppLocker policy uses application attributes: publisher certificate (signature), vendor name, application name and version; path and file-hash rules also exist
• Advantage: a publisher rule persists after application updates
• Can be configured manually (Local Security Policy) or through Group Policy Management
• Caveat: AppLocker is only enforced while the Application Identity service is running, so the service's start type is part of the policy
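Worked example (added here; not code from the paper or from Windows): a reduced model of the Windows 7 access check that runs the integrity check before the DACL walk, covering the first two access control slides above. The SIDs other than BUILTIN\Users, the rights values and the objects are constructed; real checks also involve the SACL (auditing only), generic-right mapping, owner rights and inheritance, which are left out.

```python
"""Simplified Windows access check: Mandatory Integrity Control, then the DACL.

Added example for this presentation, not code from the paper or from Windows.
It shows why a DACL "allow" is not enough on Windows 7: the integrity check
runs first. Omitted: SACL auditing, generic-right mapping, owner rights,
inheritance and privilege checks.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Access rights as bit flags, like an ACE's ACCESS_MASK (constructed values)
READ, WRITE, EXECUTE = 1, 2, 4
# Integrity levels in ascending order
LOW, MEDIUM, HIGH, SYSTEM = 0, 1, 2, 3

BUILTIN_USERS = "S-1-5-32-545"          # real well-known SID for BUILTIN\Users
ALICE = "S-1-5-21-example-alice"        # hypothetical user SID


@dataclass
class Ace:
    kind: str          # "allow" or "deny"
    sid: str
    mask: int


@dataclass
class SecurityDescriptor:
    owner: str
    dacl: Optional[List[Ace]]             # None models a NULL DACL (no protection)
    integrity: int = MEDIUM               # mandatory label; MEDIUM if none is set
    sacl: List[Ace] = field(default_factory=list)   # audit ACEs, never grant access


@dataclass
class Token:
    sids: Set[str]
    integrity: int = MEDIUM


def check_access(token: Token, sd: SecurityDescriptor, desired: int) -> bool:
    """True if every bit of `desired` is granted to `token` on the object `sd`."""
    # 1. Mandatory Integrity Control: the default policy is No-Write-Up, so a
    #    lower-integrity caller cannot modify the object regardless of the DACL.
    if desired & WRITE and token.integrity < sd.integrity:
        return False
    # 2. DACL walk, in ACE order. A deny ACE matching any still-unsatisfied
    #    right denies; allow ACEs accumulate until every desired right is granted.
    if sd.dacl is None:
        return True                       # NULL DACL: everyone gets everything
    remaining = desired
    for ace in sd.dacl:
        if ace.sid not in token.sids:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False                          # empty DACL / no matching allow: denied


# Constructed object: a file owned by alice, writable by BUILTIN\Users
FILE_SD = SecurityDescriptor(owner=ALICE, dacl=[Ace("allow", BUILTIN_USERS, READ | WRITE)])

# Same file with an explicit deny placed first (the canonical ACE order)
FILE_SD_DENY = SecurityDescriptor(
    owner=ALICE,
    dacl=[Ace("deny", ALICE, WRITE), Ace("allow", BUILTIN_USERS, READ | WRITE)],
)

alice = Token(sids={ALICE, BUILTIN_USERS}, integrity=MEDIUM)
alice_low = Token(sids=alice.sids, integrity=LOW)    # e.g. a low-IL sandboxed process


def demo() -> dict:
    """Decisions a practitioner should be able to predict."""
    return {
        "medium_write": check_access(alice, FILE_SD, WRITE),            # DACL allows: True
        "low_write": check_access(alice_low, FILE_SD, WRITE),           # MIC blocks it: False
        "low_read": check_access(alice_low, FILE_SD, READ),             # no-read-up is not default: True
        "deny_first_write": check_access(alice, FILE_SD_DENY, WRITE),   # False
        "deny_first_read": check_access(alice, FILE_SD_DENY, READ),     # deny mask lacks READ: True
        "null_dacl": check_access(alice_low, SecurityDescriptor(ALICE, None), READ),  # True
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:18s} {decision}")
```

The `low_write`/`low_read` pair is the one to remember: MIC's default policy is No-Write-Up only, so a low-integrity process can still read a medium-integrity file that the DACL lets it read. The `deny_first_*` pair shows why ACE order matters and why Windows canonicalises DACLs with deny ACEs first.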
Access control on Linux
Linux provides different access control mechanisms.
First access control, the classic discretionary model:
• Secures every object in the file system: regular file, directory, device, and processes
• Each object is associated with an access right mask, a user (owner) and a group
• When a user executes a process, the process stores that user and group (its credentials); they are used when the process accesses secured objects
• 3 permissions: read, write, execute, at 3 levels: user, group, other
Access control on Linux
In modern distributions, this authorization model is extended with POSIX ACLs (setfacl(1)/getfacl(1)): named user and named group entries are added to the owner/group/other triplet, and a mask entry caps the permissions of every entry except the owner and other.
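Worked example (added here; not code from the paper or from the kernel): the permission check from acl(5) applied to constructed getfacl output. The sample mirrors a common mistake, granting a named user rw with setfacl while the mask still says r--; getfacl flags it with an `#effective:` comment and the model shows the write being refused.

```python
"""Model of the Linux file permission check with POSIX ACLs.

Added example for this presentation, not code from the paper or the kernel.
It parses getfacl(1)-style output and applies the algorithm from acl(5):
owner -> named user -> owning group / named groups (capped by the mask)
-> other, using the first class that matches the process credentials.
"""
R, W, X = 4, 2, 1


def _bits(perms: str) -> int:
    return (R if "r" in perms else 0) | (W if "w" in perms else 0) | (X if "x" in perms else 0)


def parse_getfacl(text: str) -> dict:
    """Parse getfacl output into {owner, group, acl}; acl holds the entry classes."""
    info = {"acl": {"user": {}, "group": {}, "mask": None}}
    acl = info["acl"]
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# owner:"):
            info["owner"] = line.split(":", 1)[1].strip()
            continue
        if line.startswith("# group:"):
            info["group"] = line.split(":", 1)[1].strip()
            continue
        line = line.split("#", 1)[0].strip()   # drop comments and "#effective:" hints
        if not line:
            continue
        tag, qualifier, perms = line.split(":")
        bits = _bits(perms)
        if tag == "user" and qualifier == "":
            acl["user_obj"] = bits
        elif tag == "group" and qualifier == "":
            acl["group_obj"] = bits
        elif tag == "other":
            acl["other"] = bits
        elif tag == "mask":
            acl["mask"] = bits
        else:
            acl[tag][qualifier] = bits          # named user or named group
    return info


def may_access(info: dict, uid: str, groups: set, want: int) -> bool:
    """True if a process running as uid with supplementary groups may do `want`."""
    acl = info["acl"]
    mask = acl["mask"]

    def masked(bits: int) -> int:          # the mask caps every entry except owner/other
        return bits if mask is None else bits & mask

    if uid == info["owner"]:                 # owner class: this entry decides, no fallthrough
        return (want & acl["user_obj"]) == want
    if uid in acl["user"]:
        return (want & masked(acl["user"][uid])) == want
    candidates = []
    if info["group"] in groups:
        candidates.append(acl["group_obj"])
    candidates += [bits for name, bits in acl["group"].items() if name in groups]
    if candidates:                           # any matching group entry may grant
        return any((want & masked(bits)) == want for bits in candidates)
    return (want & acl["other"]) == want


# Constructed getfacl output for a config file: a deploy user was granted rw
# with `setfacl -m u:deploy:rw`, but the mask was left at r--.
SAMPLE = """\
# file: srv/app/config.yml
# owner: root
# group: app
user::rw-
user:deploy:rw-              #effective:r--
group::r--
group:auditors:r--
mask::r--
other::---
"""


def demo() -> dict:
    info = parse_getfacl(SAMPLE)
    return {
        "root_rw": may_access(info, "root", set(), R | W),              # True
        "deploy_read": may_access(info, "deploy", set(), R),            # True
        "deploy_write": may_access(info, "deploy", set(), W),           # False: mask trap
        "app_member_read": may_access(info, "bob", {"app"}, R),         # True
        "auditor_write": may_access(info, "carol", {"auditors"}, W),    # False
        "other_read": may_access(info, "dave", set(), R),               # False
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:16s} {decision}")
```

The practical check is the `#effective:` column in getfacl output: whenever it disagrees with the entry, the mask (recomputed by `setfacl -m m::rw`, or automatically unless `-n` is given) is what actually applies.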
Access control on Linux
Recent Linux distributions have an additional access control mechanism, Mandatory Access Control (MAC).
There are multiple implementations of this MAC:
• AppArmor
• TOMOYO
• SELinux
• grsecurity (RBAC)
AppArmor, TOMOYO and SELinux plug into the kernel's Linux Security Modules framework; grsecurity is an out-of-tree kernel patch.
After comparing these implementations, the authors chose SELinux (the default on Fedora).
Authorization
• Windows and Linux authorization mechanisms store the access control information inside the securable objects themselves (the security descriptor; the inode mode bits and ACL extended attributes)
• The system needs at least one administrator account, which is usually the case in IaaS
• Problem: files that belong to users who are not registered in the OS, for example users known only to an external IdM
• This is the approach followed by AppLocker, which protects against external intruders and against the cloud provider executing undesired code in the guest OS.
Network security
• All network traffic can potentially be monitored: man-in-the-middle, or by the cloud provider (hypervisors, routing equipment, etc.)
• Usually the network configuration possibilities are limited: hard to reproduce a particular networking topology or configuration
• IP addresses are provided by the cloud provider: were they already used before? For what? Are they blocked by some firewalls or blacklists?
• MAC addresses used in firewall rules: the virtualized adapters' MAC addresses are managed by the cloud provider and change when using IaaS features (e.g. when an instance is re-created)
• Create policies based on hostnames instead of IP addresses
  Windows: still not possible with the Windows Firewall (possible using ZoneAlarm)
  Linux: possible with Netfilter and iptables. Caveat: iptables resolves a hostname only once, when the rule is loaded, and stores the resulting addresses, so the rules must be reloaded whenever the name's addresses change
• New issue: DNS poisoning and spoofing. DNSSEC can be used to validate and trust DNS responses
Accounting
• Logs are usually stored unencrypted in the local file system
• They can be accessed by an attacker and potentially modified
• They could be destroyed when using snapshots, images, etc.
• Logs must be stored in a separate logging system
• These logs should be encrypted by the source OS if the logging system is provided by the cloud provider
• So we have problems similar to the provisioning of user credentials: the initial configuration and provisioning of the VM (the keys that protect the log stream have to get into the image somehow)
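Worked example (added here; the paper does not describe this technique, so it is an addition rather than the authors' recommendation): tamper-evident records for the log stream the slide says should leave the VM. A forward-ratcheted HMAC key lets the collector detect records modified, re-signed or dropped after a compromise; the initial key is the same provisioning problem the slide raises. The key and the log lines are constructed.

```python
"""Tamper-evident log records for shipping out of an untrusted VM.

Added example for this presentation; the paper does not describe this
technique. Each record is authenticated with an HMAC whose key is ratcheted
forward (k[i+1] = SHA-256(k[i])) and the old key discarded, so an attacker
who later takes over the VM cannot re-sign or silently drop records written
before the compromise. Confidentiality on the wire (the slide's "ciphered by
the source OS") is a separate layer, e.g. TLS to the collector.
"""
import hashlib
import hmac
import json


def ratchet(key: bytes) -> bytes:
    """One-way step: the previous key cannot be recovered from the new one."""
    return hashlib.sha256(key).digest()


def _tag(key: bytes, body: str) -> str:
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


class ForwardSecureLogger:
    """Writer inside the VM. Holds only the current key, never the initial one."""

    def __init__(self, initial_key: bytes):
        self.key = initial_key
        self.seq = 0
        self.records = []          # stands in for the outgoing stream

    def append(self, message: str) -> None:
        body = json.dumps({"seq": self.seq, "msg": message}, sort_keys=True)
        self.records.append({"body": body, "tag": _tag(self.key, body)})
        self.key = ratchet(self.key)   # old key is gone from this process
        self.seq += 1


def verify(records, initial_key: bytes):
    """Collector side, which kept the initial key. Returns the index of the
    first record that fails (modified, re-signed, dropped or reordered), or
    None when the whole chain verifies."""
    key = initial_key
    for i, rec in enumerate(records):
        if not hmac.compare_digest(_tag(key, rec["body"]), rec["tag"]):
            return i
        if json.loads(rec["body"])["seq"] != i:
            return i
        key = ratchet(key)
    return None


# Constructed key; in practice it is provisioned out of band at VM creation
# (the same provisioning problem the slide points out for user credentials).
INITIAL_KEY = b"constructed-initial-key-provisioned-at-vm-creation"

# Constructed log lines
SAMPLE_LINES = [
    "sshd: Accepted publickey for deploy from 198.51.100.7",
    "sudo: deploy : COMMAND=/bin/bash",
    "sshd: Accepted password for root from 203.0.113.9",
]


def demo():
    """Returns (intact_result, tampered_result, dropped_result)."""
    log = ForwardSecureLogger(INITIAL_KEY)
    for line in SAMPLE_LINES:
        log.append(line)
    intact = verify(log.records, INITIAL_KEY)                    # None

    # Attacker now controls the VM: rewrites record 2 and re-signs it with the
    # only key left on the box (the current key, already ratcheted past it).
    tampered = [dict(r) for r in log.records]
    body = json.loads(tampered[2]["body"])
    body["msg"] = "sshd: Connection closed by 203.0.113.9"
    tampered[2]["body"] = json.dumps(body, sort_keys=True)
    tampered[2]["tag"] = _tag(log.key, tampered[2]["body"])

    dropped = [log.records[0], log.records[2]]                  # record 1 removed
    return intact, verify(tampered, INITIAL_KEY), verify(dropped, INITIAL_KEY)


if __name__ == "__main__":
    print(demo())   # (None, 2, 1)
```

What this does not protect is anything written after the compromise: from that point the attacker holds the current key and can author valid records, which is why the slide's advice to ship logs off the VM promptly still stands.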
Privacy and encryption
Privacy of RAM memory
Could be protected by different methods:
• Address Space Layout Randomization (ASLR)
  • Used in Linux 2.6.38 and Windows 7
  • Loads critical application code at a random memory location (on Windows, image bases are re-randomized at each boot; stacks and heaps per process)
  • Randomizes the locations of the stack, heap, Process Environment Block and Thread Environment Block
  • Makes it harder to extract sensitive information from a memory dump (it is an exploit mitigation, not a confidentiality control: the data is still in clear in the dump, only harder to locate)
• Disabling the FireWire port
  This kind of port enables direct memory access (DMA) without security restrictions
Potential vulnerability highlighted:
“Recently, all tools using AES-based encryption are being rapidly cracked by means of the extraction of the AES keys when memory dumps are available.”
  (AES key schedules have a recognizable structure, which is what key-finding tools search for in a dump)
→ Use memory encryption at run-time
For example on Linux, METAL (Memory Encryption and Transparent Aegis Library)
Disk encryption
• Windows: BitLocker
  Supports only Cipher Block Chaining (CBC) with an IV derived from the sector number (Windows 7 offers AES-CBC with 128- or 256-bit keys, with or without the Elephant diffuser)
• Linux 2.6.38: dm-crypt / LUKS
  dm-crypt supports the IEEE P1619 standard modes, for example XTS-AES
• Both encrypt the complete disk, all partitions and hibernation files
• Place bootable software in the MBR (BitLocker) or an unencrypted /boot partition (LUKS) which requests the decryption key
• Two-factor authentication via USB key or TPM (Trusted Platform Module); in an IaaS VM neither is usually exposed to the guest, so the key has to be supplied through another channel at boot
• Based on AES symmetric encryption
Still vulnerable at runtime: the file system decryption key is located somewhere in memory, and therefore in any memory snapshot the provider takes.
Network encryption
Windows 7
• DirectAccess, an easy and secure way of establishing VPNs (requires Windows 7 Enterprise or Ultimate and a Windows Server 2008 R2 DirectAccess server)
  Automatic bi-directional connection using IPv6 and IPsec
  Able to encapsulate IPv6 traffic in IPv4 with 6to4 or Teredo
  Able to use IP over HTTPS (IP-HTTPS) in case of a firewall or proxy
Linux
• Openswan, a popular IPsec implementation
• OpenVPN, the most used VPN-over-SSL/TLS solution
All DirectAccess features are available on Linux, but the configuration and management of DirectAccess is easier and more intuitive.
Conclusion
As an IaaS customer, only trust yourself.
Conclusion
• Use your own OS images
• Externalise your IdM
• Externalise your logs, encrypted
• Encrypt all your communications
• Encrypt your volumes
• Use memory encryption at run-time
Criticisms &amp; improvements
Criticisms
• “IaaS cloud providers use different solutions such as OpenStack, CloudStack, Amazon EC2 [...]”
  Amazon EC2 is an IaaS cloud provider itself, not a solution for IaaS providers.
• “[...] it requires the cloud provider to allow customers to manage DNS servers to resolve the hostnames inside the virtual infrastructure.”
  Anyone can create and manage their own DNS servers and DNS zones; the customer just needs the possibility to customize reverse DNS.
• Some advice has limited applicability in a VM (e.g. FireWire, USB, TPM)
• No explanation of the choice of SELinux
Areas for improvement
• Differences between public and private cloud infrastructure
• Isolation in public cloud
• Generalisation to other UNIX systems
Questions?