Original article by Salah K. et al., Computers & Security (2012), http://dx.doi.org/10.1016/j.cose.2012.12.001
Analyzing the security of
Windows 7 and Linux for cloud computing
Vincent Giersch - vg66
Contents
•Authors
•Main points of the article
•Introduction to cloud computing
•Infrastructure as a Service (IaaS)
•Authentication
•Authorization
•Network security
•Accounting
•Privacy and encryption
•Conclusion
•Criticism and improvements
Authors' background
•Khaled Salah
Electrical and Computer Engineering Department,
Khalifa University of Science Technology and Research (United Arab
Emirates)
•Jose M. Alcaraz Calero
Department of Computer Science, Engineering Technical School,
University of Valencia (Spain)
•Jorge Bernal Bernabé and Juan M. Marín Perez
Cloud and Security Lab, Hewlett-Packard Laboratories, Stoke Gifford,
Bristol (UK)
•Sherali Zeadally
Department of Computer Science and Information Technology,
University of the District of Columbia, Washington (USA)
Introduction to cloud computing
Virtual IT infrastructures
Pay as you go
IaaS layers (diagram):
• Cloud providers: OS images configured by the cloud provider or the user
• IaaS solutions
• Hypervisors: physical resources (CPU, RAM, disk, network) for guest operating systems
Customer perspective
• Use of a third-party infrastructure
• Fully controlled by the cloud provider
• The customer wants to keep their security and privacy
This article analyses:
• Fedora Core 15 with a 2.6.38 kernel
• Windows 7 Ultimate Edition
Authentication
Verify that a user is really who he claims to be.
Windows Authentication Architecture (diagram):
Winlogon interacts with the Local Security Authority, which loads the authentication
packages and security support providers MSV1_0, Kerberos, CredSSP, NTLM and DigestSSP.
Interactive authentication
The main components involved are Authentication Packages (AP) and Security Support Providers (SSP):
• Authentication Packages (AP):
  • DLLs which encapsulate the authentication logic
  • Perform the logon in the OS
• Security Support Providers (SSP):
  • DLLs which implement the SSPI
  • The SSPI also provides non-interactive authentication
Linux Authentication Architecture (diagram):
Login interacts with libpam, which loads the modules pam_unix, pam_guest, pam_krb5 and pam_radius.
The login process (/bin/login) interacts with libpam
(Pluggable Authentication Modules).
All the modules implement the PAM abstraction layer
and are built and loaded as dynamic libraries.
Cloud providers' OS images
• Usually cloud providers modify the OS image to configure authentication (e.g. add SSH keys)
• High security threat: the provider has access to the content of the VM
• No possibility of encrypting the image: adding keys to it would then be impossible
Use of an IdM
• Windows and Linux both provide authentication abstraction mechanisms
• Use an Identity Management system (IdM)
• Separates authentication from the image file system
• Should be managed by the tenant organisation
• Examples: Kerberos, OpenID, SAML
• Problem: a fake IdM could be used if an attacker has access to the file
system or RAM
Authorization
Authorization: access control
• Manages the privileges granted to an authenticated user
• Checks and enforces these privileges when the user performs actions on
securable objects.
Access control on Windows 7
Different access control subsystems are executed simultaneously at runtime.
First access control:
• Controls all resources managed by the OS,
e.g. a file, directory, process, registry key, Windows service, printer, etc.
• Each securable object has a security descriptor
• This descriptor manages two ACLs:
  • Discretionary Access Control List (DACL)
  • System Access Control List (SACL)
Access control on Windows 7
Second access control, Mandatory Integrity Control (MIC):
• Controls access to securable objects
• Works in addition to discretionary access control (DAC)
• Each user / securable object has a security level:
low, medium, high, system
• To access an object, the user needs a higher security level than the one required
• Otherwise access is denied, even if it is authorized by another AC system
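The first two Windows controls as an added, constructed model (example code, not from the article or from Windows itself): an order-dependent DACL walk, the MIC no-write-up check layered on top of it, and SACL audit entries recording the outcome. The toy access-mask bits, the user names and the `Users` group are assumptions; the integrity levels are the four the slide lists.

```python
from dataclasses import dataclass, field
from typing import List, Optional

READ, WRITE, EXECUTE = 1, 2, 4           # toy access-mask bits, not the Win32 values
INTEGRITY = {"low": 0, "medium": 1, "high": 2, "system": 3}   # ordered as on the slide

@dataclass
class Ace:
    kind: str   # "allow" or "deny" in a DACL, "audit" in a SACL
    sid: str    # constructed user/group name standing in for a SID
    mask: int   # rights this ACE allows, denies or audits

@dataclass
class SecurityDescriptor:
    owner: str
    integrity: str                        # integrity level required by the object
    dacl: Optional[List[Ace]] = None      # None means "no DACL": everyone is granted
    sacl: List[Ace] = field(default_factory=list)

@dataclass
class Token:
    user: str
    groups: List[str]
    integrity: str

def dacl_decision(token: Token, sd: SecurityDescriptor, requested: int) -> bool:
    """First access control. ACEs are walked in order: a matching deny ACE that
    covers any still-unsatisfied right denies at once, allow ACEs accumulate
    rights, and the walk stops as soon as every requested right is granted.
    The result is order-dependent, which is why Windows keeps DACLs canonical
    (deny ACEs before allow ACEs)."""
    if sd.dacl is None:
        return True
    sids = {token.user, *token.groups}
    remaining = requested
    for ace in sd.dacl:
        if ace.sid not in sids:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0   # an empty (non-None) DACL grants nothing

def mic_decision(token: Token, sd: SecurityDescriptor, requested: int) -> bool:
    """Second access control. The default MIC policy is no-write-up: a subject
    labelled below the object cannot modify it, whatever the DACL says."""
    if requested & WRITE:
        return INTEGRITY[token.integrity] >= INTEGRITY[sd.integrity]
    return True

def check_access(token: Token, sd: SecurityDescriptor, requested: int,
                 audit_log: List[str]) -> bool:
    """Both controls must agree; SACL audit ACEs record success or failure."""
    granted = dacl_decision(token, sd, requested) and mic_decision(token, sd, requested)
    sids = {token.user, *token.groups}
    for ace in sd.sacl:
        if ace.kind == "audit" and ace.sid in sids and ace.mask & requested:
            audit_log.append(f"{'SUCCESS' if granted else 'FAILURE'} "
                             f"user={token.user} rights={requested:#x}")
    return granted

# Constructed sample: a high-integrity file readable and writable by Users,
# with bob explicitly denied write and every write attempt by Users audited.
SECRET = SecurityDescriptor(
    owner="alice", integrity="high",
    dacl=[Ace("deny", "bob", WRITE), Ace("allow", "Users", READ | WRITE)],
    sacl=[Ace("audit", "Users", WRITE)])
ALICE = Token("alice", ["Users"], "high")
BOB = Token("bob", ["Users"], "high")
CAROL = Token("carol", ["Users"], "medium")   # DACL allows her, MIC will not

# The same two ACEs in non-canonical order: the allow is reached before the deny.
NON_CANONICAL = SecurityDescriptor(
    owner="alice", integrity="high",
    dacl=[Ace("allow", "Users", READ | WRITE), Ace("deny", "bob", WRITE)])

if __name__ == "__main__":
    log: List[str] = []
    for who in (ALICE, BOB, CAROL):
        print(who.user, "read:", check_access(who, SECRET, READ, log),
              "write:", check_access(who, SECRET, WRITE, log))
    print("\n".join(log))
```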
Access control on Windows 7
Third access control, AppLocker:
• Controls the execution of processes
• A Windows service (Application Identity service) intercepts the execution
• This service checks whether the user has the required right to execute the application
• The AppLocker policy uses application attributes:
signing certificate, vendor name, application name and version
• Advantage: the policy persists across application updates
• Can be configured manually or through Group Policy Management
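An AppLocker-style publisher rule evaluator, added here as an example (not the article's or Microsoft's code): a rule matches on signer, product, binary name and a minimum version, which is what lets it keep matching after an update. The rule fields, the wildcard, the deny-wins and default-deny semantics follow AppLocker's documented behaviour; the CONTOSO and FABRIKAM signer names are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

def parse_version(s: str) -> Version:
    """'2.5.1.0' -> (2, 5, 1, 0); tuples compare component by component."""
    return tuple(int(part) for part in s.split("."))

@dataclass
class SignedBinary:
    """The attributes the slide lists: certificate publisher, vendor (product)
    name, application (binary) name and file version."""
    publisher: Optional[str]   # None for an unsigned executable
    product: str
    binary: str
    version: str

@dataclass
class PublisherRule:
    """Publisher rule: product and binary may be '*' (any); min_version is a
    lower bound ('and above'), so a new build of the same signed product
    still matches and the policy survives the update."""
    publisher: str
    product: str = "*"
    binary: str = "*"
    min_version: str = "0.0.0.0"
    action: str = "allow"   # "allow" or "deny"

    def matches(self, exe: SignedBinary) -> bool:
        if exe.publisher is None:
            return False    # unsigned code can never satisfy a publisher rule
        for want, have in ((self.publisher, exe.publisher),
                           (self.product, exe.product),
                           (self.binary, exe.binary)):
            if want != "*" and want.lower() != have.lower():
                return False
        return parse_version(exe.version) >= parse_version(self.min_version)

def may_execute(exe: SignedBinary, rules: List[PublisherRule]) -> bool:
    """Explicit deny rules win over allow rules; with enforcement on, anything
    no rule allows is blocked."""
    matching = [rule for rule in rules if rule.matches(exe)]
    if any(rule.action == "deny" for rule in matching):
        return False
    return any(rule.action == "allow" for rule in matching)

CONTOSO = "O=CONTOSO, L=REDMOND, S=WASHINGTON, C=US"   # constructed signer name
RULES = [
    PublisherRule(CONTOSO, "CONTOSO EDITOR", "*", min_version="2.0.0.0"),
    PublisherRule(CONTOSO, "CONTOSO EDITOR", "REMOTETOOL.EXE", action="deny"),
]
EDITOR_V2 = SignedBinary(CONTOSO, "CONTOSO EDITOR", "EDITOR.EXE", "2.0.0.0")
EDITOR_V2_5 = SignedBinary(CONTOSO, "CONTOSO EDITOR", "EDITOR.EXE", "2.5.1.0")  # after update
EDITOR_OLD = SignedBinary(CONTOSO, "CONTOSO EDITOR", "EDITOR.EXE", "1.9.0.0")
REMOTE_TOOL = SignedBinary(CONTOSO, "CONTOSO EDITOR", "REMOTETOOL.EXE", "3.0.0.0")
UNSIGNED = SignedBinary(None, "CONTOSO EDITOR", "EDITOR.EXE", "2.0.0.0")
OTHER_SIGNER = SignedBinary("O=FABRIKAM, C=US", "CONTOSO EDITOR", "EDITOR.EXE", "2.0.0.0")

if __name__ == "__main__":
    for exe in (EDITOR_V2, EDITOR_V2_5, EDITOR_OLD, REMOTE_TOOL, UNSIGNED, OTHER_SIGNER):
        print(f"{exe.binary:15} v{exe.version:8} signed={exe.publisher is not None!s:5}"
              f" -> {'run' if may_execute(exe, RULES) else 'blocked'}")
```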
Access control on Linux
Linux provides different access control mechanisms.
First access control:
• Secures every object in the file system:
regular file, directory, device and process
• Each object is associated with an access right mask, a user and a group
• When a user executes a process, the process stores this user and group; they
are used to check rights when the process accesses secured objects
• 3 permissions: read, write, execute, at 3 levels: user, group, other.
Access control on Linux
In modern distributions, this authorization model is extended with an ACL:
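The classic permission check from the previous slide and its ACL extension, as an added example (not the article's code): a constructed in-memory model of a process's stored uid/gid and an inode's mode bits, followed by the POSIX ACL algorithm with a mask entry. The uids, gids and files are constructed sample data, and `may_access` adds the root bypass the slides do not mention.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

R, W, X = 4, 2, 1   # one rwx triplet, as in the mode's user/group/other bits

@dataclass
class Process:
    """The user and group a process stores when a user executes it."""
    uid: int
    gid: int
    groups: List[int] = field(default_factory=list)   # supplementary groups

@dataclass
class Inode:
    """A secured file-system object: its user, group and access right mask,
    optionally extended with POSIX ACL entries (constructed model: the owning
    group's entry stays in the mode bits, the mask is a separate field)."""
    uid: int
    gid: int
    mode: int                                                 # e.g. 0o640
    acl_users: Dict[int, int] = field(default_factory=dict)   # user:<uid>:<rwx>
    acl_groups: Dict[int, int] = field(default_factory=dict)  # group:<gid>:<rwx>
    acl_mask: Optional[int] = None                            # mask::<rwx>

def classic_check(proc: Process, ino: Inode, wanted: int) -> bool:
    """Classic model: exactly one triplet applies, selected in the order
    owner, group, other; that triplet must contain every wanted bit."""
    if proc.uid == ino.uid:
        bits = (ino.mode >> 6) & 7
    elif ino.gid == proc.gid or ino.gid in proc.groups:
        bits = (ino.mode >> 3) & 7
    else:
        bits = ino.mode & 7
    return bits & wanted == wanted

def acl_check(proc: Process, ino: Inode, wanted: int) -> bool:
    """ACL extension (the algorithm of acl(5)): owner entry; named user entry;
    owning group and named group entries, any one of which may grant; other.
    Named users, named groups and the owning group are limited by the mask.
    With no ACL entries this reduces to classic_check."""
    if proc.uid == ino.uid:
        return ((ino.mode >> 6) & 7) & wanted == wanted
    mask = 7 if ino.acl_mask is None else ino.acl_mask
    if proc.uid in ino.acl_users:
        return (ino.acl_users[proc.uid] & mask) & wanted == wanted
    groups = {proc.gid, *proc.groups}
    candidates = [(ino.mode >> 3) & 7] if ino.gid in groups else []
    candidates += [perm for gid, perm in ino.acl_groups.items() if gid in groups]
    if candidates:
        return any((perm & mask) & wanted == wanted for perm in candidates)
    return (ino.mode & 7) & wanted == wanted

def may_access(proc: Process, ino: Inode, wanted: int) -> bool:
    """Kernel-side decision for the stored uid/gid: root bypasses the read and
    write checks (CAP_DAC_OVERRIDE) but still needs some execute bit to run a
    file; everyone else goes through the ACL-aware check."""
    if proc.uid == 0:
        return not (wanted & X) or (ino.mode & 0o111) != 0
    return acl_check(proc, ino, wanted)

# Constructed sample: payroll.csv owned by alice (uid 1000), group finance (gid 100),
# mode rw-r-----, plus an ACL entry giving bob (uid 1001) rw- under a mask of r--.
PAYROLL = Inode(uid=1000, gid=100, mode=0o640, acl_users={1001: R | W}, acl_mask=R)
PLAIN = Inode(uid=1000, gid=100, mode=0o644)             # no ACL entries at all
ALICE = Process(uid=1000, gid=1000, groups=[100])
BOB = Process(uid=1001, gid=200)
CAROL = Process(uid=1002, gid=300, groups=[100])         # finance member
DAVE = Process(uid=1003, gid=300)
ROOT = Process(uid=0, gid=0)

if __name__ == "__main__":
    for name, proc in (("alice", ALICE), ("bob", BOB), ("carol", CAROL),
                       ("dave", DAVE), ("root", ROOT)):
        print(f"{name:5} read={may_access(proc, PAYROLL, R)!s:5} "
              f"write={may_access(proc, PAYROLL, W)}")
```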
Access control on Linux
Recent Linux distributions have an additional access control mechanism,
Mandatory Access Control (MAC).
There are multiple implementations of MAC:
• AppArmor
• TOMOYO
• SELinux
• grsecurity
After comparing these implementations, the authors chose SELinux.
Authorization
• Windows and Linux authorization mechanisms store AC information
inside the securable file objects
• The system needs at least one admin user; this is usually true in the case of IaaS
• Problem: files that belong to users who are not registered in the OS, for
example in an external IdM
• This is the approach followed by AppLocker, which protects against
external intruders and the cloud provider executing undesired code in
the guest OS.
Network security
• Any network can potentially be monitored:
man-in-the-middle, or by the cloud provider (hypervisors, routing equipment, etc.)
• Usually the network configuration possibilities are limited:
hard to reproduce a particular network topology or configuration
• IP addresses are provided by the cloud provider:
already used before? How? Blocked by some firewalls?
• MAC addresses used in firewalls: virtualized adapters
MAC addresses are managed by the cloud provider and change when using IaaS features
• Create policies based on hostnames instead of IP addresses
Windows: still not possible with the Windows firewall (possible using ZoneAlarm)
Linux: possible with Netfilter and iptables
• New issue: DNS poisoning and spoofing
DNSSEC can be used to validate and trust DNS responses
Accounting
• Logs are usually stored unencrypted in the local file system
• They can be accessed by an attacker and potentially modified
• They could be destroyed when using snapshots, images, etc.
• Logs must be stored in a separate logging system
• These logs should be encrypted by the source OS if the logging system is
provided by the cloud provider
• So we have the same problem as with the provisioning of user credentials:
the initial configuration and provisioning of the VM
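Encrypted, chained log shipping as the slide describes, added here as an example that is not from the article: a sealer inside the VM and a verifier on the tenant's side that detects modified, reordered, inserted or removed records. The record format, the key-derivation labels and the sample syslog lines are constructed; the counter-mode cipher built from HMAC-SHA256 stands in for AES (the standard library has none) and a production deployment would use an authenticated cipher such as AES-GCM from a vetted library.

```python
import hashlib
import hmac
import secrets
from typing import Any, Dict, List, Optional

Record = Dict[str, Any]
ZERO_TAG = b"\x00" * 32   # chain anchor for the first record

def _derive(master_key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from the one provisioned key."""
    return hmac.new(master_key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode with HMAC-SHA256 as the PRF (the stdlib ships no AES)."""
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _tag(mac_key: bytes, seq: int, nonce: bytes, ct: bytes, prev_tag: bytes) -> bytes:
    """MAC over sequence number, nonce, ciphertext and the previous record's tag."""
    return hmac.new(mac_key, seq.to_bytes(8, "big") + nonce + ct + prev_tag,
                    hashlib.sha256).digest()

class LogSealer:
    """Runs inside the VM. Each line is encrypted, then authenticated together
    with its sequence number and the previous tag (encrypt-then-MAC), so the
    provider's logging system only ever stores opaque, chained records."""
    def __init__(self, master_key: bytes):
        self.enc_key = _derive(master_key, b"log-enc")
        self.mac_key = _derive(master_key, b"log-mac")
        self.seq = 0
        self.prev_tag = ZERO_TAG

    def seal(self, line: str) -> Record:
        pt = line.encode()
        nonce = secrets.token_bytes(16)
        ct = _xor(pt, _keystream(self.enc_key, nonce, len(pt)))
        tag = _tag(self.mac_key, self.seq, nonce, ct, self.prev_tag)
        rec = {"seq": self.seq, "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}
        self.seq, self.prev_tag = self.seq + 1, tag
        return rec

def verify_and_open(master_key: bytes, records: List[Record],
                    expected_count: Optional[int] = None) -> List[str]:
    """Runs on the tenant's side, never on the provider's logging system.
    Raises ValueError at the first break in the chain."""
    enc_key, mac_key = _derive(master_key, b"log-enc"), _derive(master_key, b"log-mac")
    prev_tag, lines = ZERO_TAG, []
    for i, rec in enumerate(records):
        if rec["seq"] != i:
            raise ValueError(f"record {i}: sequence gap, reordering or insertion")
        nonce, ct, tag = (bytes.fromhex(rec[k]) for k in ("nonce", "ct", "tag"))
        if not hmac.compare_digest(_tag(mac_key, i, nonce, ct, prev_tag), tag):
            raise ValueError(f"record {i}: tag mismatch (modified or wrong key)")
        lines.append(_xor(ct, _keystream(enc_key, nonce, len(ct))).decode())
        prev_tag = tag
    # The chain cannot see records cut off at the end; that needs a count (or
    # last tag) the VM reports out of band, e.g. a periodic heartbeat record.
    if expected_count is not None and len(records) != expected_count:
        raise ValueError("truncated: fewer records than the source reported")
    return lines

def chain_is_valid(master_key: bytes, records: List[Record],
                   expected_count: Optional[int] = None) -> bool:
    try:
        verify_and_open(master_key, records, expected_count)
        return True
    except ValueError:
        return False

# Constructed sample lines; the master key would have to be provisioned with the
# VM, which is exactly the provisioning problem the slide points out.
SAMPLE_LINES = [
    "Jan 10 12:00:01 vm1 sshd[812]: Accepted publickey for deploy from 10.0.0.5",
    "Jan 10 12:00:07 vm1 sudo: deploy : COMMAND=/bin/systemctl restart app",
    "Jan 10 12:03:44 vm1 sshd[901]: Failed password for root from 203.0.113.9",
]

if __name__ == "__main__":
    key = secrets.token_bytes(32)
    sealer = LogSealer(key)
    shipped = [sealer.seal(line) for line in SAMPLE_LINES]
    print(verify_and_open(key, shipped, expected_count=len(shipped)))
    print("middle record dropped:", chain_is_valid(key, [shipped[0], shipped[2]]))
```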
Privacy and encryption
Privacy of RAM memory
Could be protected by different methods:
• Address Space Layout Randomization (ASLR)
  • Used in Linux 2.6.38 and Windows 7
  • Loads critical application code at random memory locations every time the system boots
  • Randomizes the locations of the stack, heap, Process Environment Block and Thread Environment Block
  • Makes it hard to extract sensitive information from a memory dump
• Disabling the FireWire port
This kind of port enables direct access to memory without security restrictions
Potential vulnerability highlighted:
“Recently, all tools using AES-based encryption are being rapidly cracked by mean of the extraction of the
AES keys when memory dumps are available.”
→ Use memory encryption at run-time
For example on Linux, METAL (Memory Encryption and Transparent Aegis Library)
Disk encryption
• Windows: BitLocker
Supports only Cipher Block Chaining (CBC), with an IV derived from the sector number
• Linux 2.6.38: dm-crypt / LUKS
dm-crypt supports the IEEE P1619 standards, for example XTS-AES
• Encrypt the complete disk: all partitions and hibernation files
• Place a bootable program in the MBR which requests the decryption key
• Two-factor authentication with a USB key or a TPM (Trusted Platform Module)
• Based on AES symmetric encryption
Still vulnerable at runtime:
the file system decryption key is located somewhere in memory.
Network encryption
Windows 7
• DirectAccess, an easy and secure way of establishing VPNs
Automatic bi-directional connection using IPv6 and IPsec
Able to encapsulate IPv6 traffic in IPv4 with 6to4 or Teredo
Able to use IP over HTTPS in case of a firewall or proxy
Linux
• Openswan, a popular IPsec implementation
• OpenVPN, the most used VPN-over-SSL solution
All DirectAccess features are available on Linux, but the configuration
and management of DirectAccess is easier and more intuitive.
Conclusion
As an IaaS customer, only trust yourself
• Use your own OS images
• Externalise your IdM
• Externalise your logs, encrypted
• Encrypt all your communications
• Encrypt your volumes
• Use memory encryption at run-time
Criticisms & improvements
Criticisms
• “IaaS cloud provider use different solutions such as Openstack, Cloudstack,
Amazon EC2 [...]”
Amazon EC2 is an IaaS cloud provider itself, not a solution for IaaS providers.
• “[...] it requires the cloud provider to allow customers to manage DNS servers
to resolve the hostnames inside the virtual infrastructure.”
Anyone can create and manage their own DNS servers and DNS zones;
the customer just needs the possibility to customise reverse DNS entries.
• Some pieces of advice have limited applicability (e.g. FireWire, USB, TPM)
• No explanation of the choice of SELinux
Areas for improvement
• Differences between public and private cloud infrastructures
• Isolation in public clouds
• Generalisation to other UNIX systems
Questions?

Scanning the Internet for External Cloud Exposures via SSL Certs
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 

UKC - Feb 2013 - Analyzing the security of Windows 7 and Linux for cloud computing

  • 1. Original Article by Salah K, et al, Computers & Security (2012), http://dx.doi.org/10.1016/j.cose.2012.12.001 Analyzing the security of Windows 7 and Linux for cloud computing Vincent Giersch - vg66
  • 2. Contents
    • Authors
    • Main points of the article
    • Introduction to cloud computing
    • Infrastructure as a Service (IaaS)
    • Authentication
    • Authorization
    • Network security
    • Accounting
    • Privacy and encryption
    • Conclusion
    • Criticism and improvements
  • 3. Authors background
    • Khaled Salah: Electrical and Computer Engineering Department, Khalifa University of Science Technology and Research (United Arab Emirates)
    • Jose M. Alcaraz Calero: Department of Computer Science, Engineering Technical School, University of Valencia (Spain)
    • Jorge Bernal Bernabé and Juan M. Marín Perez: Cloud and Security Lab, Hewlett-Packard Laboratories, Stoke Gifford, Bristol (UK)
    • Sherali Zeadally: Department of Computer Science and Information Technology, University of the District of Columbia, Washington (USA)
  • 10. Hypervisors: physical resources for guest operating systems (CPU, RAM, disk, network)
  • 11. OS images configured by the cloud provider or the user Cloud providers
  • 13. Customer perspective
    • Use of a third-party infrastructure
    • Full control by the cloud provider
    • The customer wants to keep their security and privacy
  • 14. This article analyses Fedora Core 15 with a 2.6.38 kernel and Windows 7 Ultimate Edition
  • 16. Verify that a user is really who he claims to be.
  • 17. Windows Authentication Architecture
    • Windows Authentication (Local Security Authority): Winlogon, MSV1_0, Kerberos, CredSSP, NTLM, DigestSSP
    • Interactive authentication; the main component, which uses APs and SSPs
    • Authentication Packages (AP): DLLs that encapsulate the authentication logic and perform the logon in the OS
    • Security Support Providers (SSP): DLLs that implement the SSPI; the SSPI also provides non-interactive authentication
  • 18. Linux Authentication Architecture
    • Linux Authentication: Login, pam_unix, pam_guest, pam_krb5, pam_radius
    • The login process (/bin/login) interacts with libpam (Pluggable Authentication Modules).
    • All the modules implement the PAM abstraction layer and are built and loaded as dynamic libraries.
  • 19. cloud providers OS Images • Usually cloud providers modify OS image to configure the authentication (e.g. add SSH keys) • High security threat: the provider has access to the content of the VM • No possibility of encryption: adding keys would be impossible
  • 20. Usage of an IdM
    • Windows and Linux provide authentication abstraction mechanisms
    • Use of an Identity Management System (IdM)
    • Separation of the authentication from the image file system
    • Should be managed by the tenant organization
    • Examples: Kerberos, OpenID, SAML
    • Problem: a fake IdM could be used if an attacker has access to the file system or RAM
  • 22. Authorization: access control
    • Manages the privileges granted to an authenticated user
    • Checks and enforces these privileges when the user performs actions on securable objects.
  • 23. Access control on Windows 7
    Different access control subsystems are executed simultaneously at runtime.
    First access control:
    • Controls all resources managed by the OS, e.g. a file, directory, process, registry key, Windows service, printer, etc.
    • Each securable object has a security descriptor
    • This descriptor manages two ACLs:
      • Discretionary Access Control List (DACL)
      • System Access Control List (SACL)
  • 24. Access control on Windows 7
    Second access control, Mandatory Integrity Control (MAC):
    • Controls the access to securable objects
    • An addition to discretionary access control (DAC)
    • Each user / securable object has a security level: low, medium, high, system
    • To access an object, the user needs a security level higher than the one the object requires
    • Otherwise access is denied, even if it is authorized by another AC system
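To make the interplay of slides 23 and 24 concrete, here is an added example (not code from the slides or from the article) that models a Windows-style access check: a DACL walk where a denied ACE wins over a later allow, preceded by the integrity check that can refuse access the DACL would have granted. SID names, access-mask bit values and the integrity constants are constructed for the example; the No-Write-Up behaviour is Windows' default mandatory policy.

```python
from __future__ import annotations
from dataclasses import dataclass

READ, WRITE, EXECUTE = 1, 2, 4          # constructed access-mask bits, not real Windows values
LOW, MEDIUM, HIGH, SYSTEM = 1, 2, 3, 4  # Windows mandatory integrity levels, lowest to highest

@dataclass(frozen=True)
class Ace:
    allow: bool     # True: access-allowed ACE, False: access-denied ACE
    trustee: str    # SID of a user or group (constructed names in the test)
    mask: int

@dataclass(frozen=True)
class SecurityDescriptor:
    integrity: int
    dacl: tuple | None   # None means no DACL at all, which grants everyone everything

@dataclass(frozen=True)
class Token:
    user: str
    groups: frozenset
    integrity: int

def check_access(token: Token, sd: SecurityDescriptor, desired: int) -> bool:
    # 1. Mandatory Integrity Control is evaluated before the DACL. Windows'
    #    default policy is No-Write-Up: a subject below the object's level may
    #    not modify it, whatever the DACL says (reads from below still pass).
    if token.integrity < sd.integrity and desired & WRITE:
        return False
    # 2. Discretionary check: walk the DACL in order. A denied ACE that overlaps
    #    what is still wanted ends the check; allowed ACEs strip bits from the
    #    request until nothing remains. An empty DACL therefore denies everyone.
    if sd.dacl is None:
        return True
    principals = token.groups | {token.user}
    remaining = desired
    for ace in sd.dacl:
        if ace.trustee not in principals:
            continue
        if not ace.allow and ace.mask & remaining:
            return False
        if ace.allow:
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return remaining == 0
```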
  • 25. Access control on Windows 7
    Third access control, AppLocker:
    • Controls the execution of processes
    • A Windows service (the Application Identity service) intercepts the execution
    • This service checks whether the user has the required rights to execute the application
    • AppLocker policy uses application attributes: signing certificate, vendor name, application name and version
    • Advantage: the policy persists after application updates
    • Can be configured manually or using Group Policy Management
  • 26. Access control on Linux
    Linux provides different access control mechanisms.
    First access control:
    • Secures every object in the file system: regular files, directories, devices and processes
    • Each object is associated with an access right mask, a user and a group
    • The user and group that execute a process are used to check rights when accessing secured objects
    • When a user executes a process, the process stores this user and group; they are used when the process accesses secured objects
    • 3 permissions: read, write, execute, at 3 levels: user, group, other.
  • 27. access control on LINUX In modern distributions, this authorization model is extended with an ACL:
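As an added example (not from the slides or the article), the classic Unix check of slide 26 and the ACL extension of slide 27 side by side; the ACL evaluation follows the POSIX ACL rules documented in acl(5), where the mask entry caps named users and groups but not the owner or "other". The uids, gids and ACL entries in the test are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass

R, W, X = 4, 2, 1   # rwx permission bits of one mode triplet

@dataclass(frozen=True)
class Inode:
    uid: int
    gid: int
    mode: int               # classic permission bits, e.g. 0o640
    acl: tuple = ()         # extended POSIX ACL entries (tag, qualifier, perms); empty = none

@dataclass(frozen=True)
class Process:
    uid: int
    gids: frozenset         # effective gid plus supplementary groups

def mode_bits_allow(inode: Inode, proc: Process, want: int) -> bool:
    """Classic check: the first matching class decides (owner, then group, then
    other); a later class never rescues a denial (owner with 0o040 cannot read)."""
    if proc.uid == inode.uid:
        bits = inode.mode >> 6
    elif inode.gid in proc.gids:
        bits = inode.mode >> 3
    else:
        bits = inode.mode
    return bits & 7 & want == want

def acl_allow(inode: Inode, proc: Process, want: int) -> bool:
    """POSIX ACL algorithm as in acl(5): named users, the owning group and named
    groups are limited by the mask entry; owner and other are not."""
    def entry(tag, qual=None):
        return next((p for t, q, p in inode.acl if t == tag and q == qual), None)
    mask = entry("mask")
    mask = 7 if mask is None else mask
    if proc.uid == inode.uid:
        return entry("user") & want == want
    named = entry("user", proc.uid)
    if named is not None:
        return named & mask & want == want
    # every owning/named group the process belongs to is tried; one match suffices
    groups = [p for t, q, p in inode.acl if t == "group"
              and (q in proc.gids or (q is None and inode.gid in proc.gids))]
    if groups:
        return any(p & mask & want == want for p in groups)
    return entry("other") & want == want

def may_access(inode: Inode, proc: Process, want: int) -> bool:
    return acl_allow(inode, proc, want) if inode.acl else mode_bits_allow(inode, proc, want)
```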
  • 28. Access control on Linux
    Recent Linux distributions have an additional access control mechanism, Mandatory Access Control (MAC). There are multiple implementations of this MAC:
    • AppArmor
    • TOMOYO
    • SELinux
    • GRSecurity
    After comparing these implementations, the authors chose SELinux.
  • 29. Authorization
    • Windows and Linux authorization mechanisms store AC information inside the securable file objects
    • The system needs at least one admin user, which is usually true in the case of IaaS
    • Problem: files that belong to users who are not registered in the OS, for example in an external IdM
    • This is the approach followed by AppLocker, which protects against external intruders and the cloud provider executing undesired code in the guest OS.
  • 31. Network security
    • All network traffic can potentially be monitored: man-in-the-middle, or by the cloud provider (hypervisors, routing equipment, etc.)
    • Network configuration possibilities are usually limited: hard to reproduce a particular networking topology or configuration
    • IP addresses are provided by the cloud provider: already used before? How? Blocked by some firewalls?
    • MAC addresses used in firewalls: virtualized adapters' MAC addresses are managed by the cloud provider and change when using IaaS features
    • Create policies based on hostnames instead of IP addresses. Windows: still not possible with the Windows firewall (possible using ZoneAlarm). Linux: possible with Netfilter and iptables
    • New issue: DNS poisoning and spoofing; DNSSEC can be used to validate and trust DNS responses
  • 33. Accounting
    • Logs are usually stored unencrypted in the local file system
    • They can be accessed by an attacker and potentially modified
    • They could be destroyed when using snapshots, images, etc.
    • Logs must be stored in a separate logging system
    • These logs should be encrypted by the source OS if this logging system is provided by the cloud provider
    • So we have problems similar to the provisioning of user credentials: the initial configuration and provisioning of the VM
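The slide asks for logs to be protected by the source OS before they reach a provider-hosted store; this added example (not from the slides or the article) shows the tamper-evidence half of that with the standard library: every forwarded record carries an HMAC chained to the previous one, so the tenant can later detect an edited, dropped or reordered record. Confidentiality would be layered on top with an encrypted transport; the key, the log lines and the addresses in them are constructed, and the key is assumed to be provisioned by the tenant out of band, which is exactly the provisioning problem the slide points to.

```python
import hashlib
import hmac
import json

# Assumed: the tenant provisions this key out of band (its own IdM or config
# channel), so a provider-hosted log store never sees it. Constructed placeholder.
LOG_KEY = b"tenant-provisioned-log-key"
GENESIS = b"\x00" * 32

def _canonical(seq: int, msg: str) -> bytes:
    # Stable encoding so the sender and the verifier MAC exactly the same bytes.
    return json.dumps({"seq": seq, "msg": msg}, sort_keys=True).encode()

class LogChain:
    """Source-side emitter: each record's tag is an HMAC over its content and
    the previous tag, so editing, dropping or reordering any record breaks the
    tags of every record after it."""
    def __init__(self, key: bytes):
        self.key = key
        self.prev = GENESIS
        self.seq = 0

    def emit(self, msg: str) -> dict:
        tag = hmac.new(self.key, self.prev + _canonical(self.seq, msg), hashlib.sha256).digest()
        record = {"seq": self.seq, "msg": msg, "tag": tag.hex()}
        self.prev, self.seq = tag, self.seq + 1
        return record

def verify(key: bytes, records: list) -> int:
    """Verifier side (run by the tenant, not by the log store): returns how many
    leading records chain correctly, i.e. the index of the first bad record."""
    prev = GENESIS
    for i, rec in enumerate(records):
        expect = hmac.new(key, prev + _canonical(rec["seq"], rec["msg"]), hashlib.sha256).digest()
        if not hmac.compare_digest(expect, bytes.fromhex(rec["tag"])):
            return i
        prev = expect
    return len(records)

def sample_records() -> list:
    # Constructed sample log lines, as a VM would forward them.
    chain = LogChain(LOG_KEY)
    return [chain.emit(m) for m in (
        "sshd: Accepted publickey for admin from 10.0.0.5",   # constructed address
        "sudo: admin : COMMAND=/usr/bin/systemctl restart nginx",
        "sshd: Failed password for invalid user test from 10.0.0.9",
    )]
```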
  • 35. Privacy of RAM memory
    Could be protected by different methods:
    • Address Space Layout Randomization (ASLR): used in Linux 2.6.38 and Windows 7; loads critical application code at random memory locations every time the system boots; randomizes the locations of the stack, heap, Process Environment Block and Thread Environment Block; makes it hard to extract sensitive information from a memory dump
    • Disabling the FireWire port: this kind of port enables direct access to memory without security restrictions
    Potential vulnerability highlighted: “Recently, all tools using AES-based encryption are being rapidly cracked by means of the extraction of the AES keys when memory dumps are available.”
    → Use memory encryption at run-time; for example on Linux, METAL (Memory Encryption and Transparent Aegis Library)
  • 36. Disk encryption
    • Windows: BitLocker supports only Cipher Block Chaining (CBC) using an IV derived from the sector number
    • Linux 2.6.38: dm-crypt / LUKS; dm-crypt supports the IEEE P1619 standards, for example XTS-AES
    • Encrypts the complete disk, all partitions and hibernation files
    • Places bootable software in the MBR that requests the decryption key
    • Two-factor authentication by USB or TPM (Trusted Platform Module)
    • Based on AES symmetric encryption
    Still vulnerable at runtime: the file system decryption key is located somewhere in memory.
  • 37. Network encryption
    Windows 7
    • DirectAccess, an easy and secure way of establishing VPNs: automatic bi-directional connection using IPv6 and IPsec; able to encapsulate IPv6 traffic into IPv4 with 6to4 or Teredo; able to use IP over HTTPS in case of a firewall or proxy
    Linux
    • Openswan, a popular IPsec implementation
    • OpenVPN, the most used VPN over SSL solution
    All DirectAccess features are available in Linux, but the configuration and management of DirectAccess is easier and more intuitive
  • 39. As an IaaS customer, only trust yourself
  • 40. Conclusion
    • Use your own OS images
    • Externalise your IdM
    • Externalise your logs, encrypted
    • Encrypt all your communications
    • Encrypt your volumes
    • Use memory encryption at run-time
  • 42. Criticisms
    • “IaaS cloud provider use different solutions such as Openstack, Cloudstack, Amazon EC2 [...]”: Amazon EC2 is an IaaS cloud provider itself, not a solution for IaaS providers.
    • “[...] it requires the cloud provider to allow customers to manage DNS servers to resolve the hostnames inside the virtual infrastructure.”: anyone can create and manage their own DNS servers and DNS zones; the customer just needs to be able to customize reverse DNS.
    • Some pieces of advice have a limited application (e.g. FireWire, USB, TPM)
    • No explanation of the choice of SELinux
  • 43. Areas for improvement
    • Differences between public and private cloud infrastructure
    • Isolation in public cloud
    • Generalisation to other UNIX systems