Shuttle: Intrusion Recovery in Paas

Shuttle: Intrusion Recovery in Platform as a Service

Shuttle is an intrusion recovery system that logs the users' HTTP requests and creates request-consistent snapshots of NoSQL databases. When an intrusion happens, Shuttle loads a snapshot taken before the intrusion instant and replays the legitimate user requests.

Shuttle: Intrusion Recovery in Paas

  1. Recovery from Intrusions in PaaS. Dário Nascimento, Miguel Correia. INESC-ID Lisboa, Instituto Superior Técnico, University of Lisbon, Portugal.
  2. Recovery from Intrusions in PaaS.
  4. Compromise of:
      • Integrity
      • Availability
      • Confidentiality
     Due to:
      • Software flaws (e.g. Shellshock)
      • Configuration and usage mistakes (malicious or accidental)
      • Corrupted legitimate requests (e.g. SQL injection)
  5. Prevention is NOT enough.
  6. Intrusions will happen.
  7. Wake up. Shower. Skip breakfast. Wake the rest of the team. Connect laptop to VPN. Determine intrusion causes. Verify database consistency. Fix exploited vulnerabilities. Remove intrusion effects. Recover application's integrity. Recover application's availability. Redeploy the application. Contact angry customers. Explain the reasons to your boss. Listen to your angry boss. Blame the security team. Hope it never happens again. Return to bed.
  9. Recover Application's Integrity: remove intrusion effects; make the application available. (The rest of the checklist stays: wake up, shower, skip breakfast, wake the rest of the team, connect laptop to VPN, determine intrusion causes, verify database consistency, fix exploited vulnerabilities, contact angry customers, explain the reasons to your boss, listen to your angry boss, blame the security team, hope it never happens again, return to bed.)
  10. HOW?
  11. Recovery Procedure...
  12. does not exist.
  13. is unknown.
  14. is not tested.
  15. Alternatives?
  16. Remove intrusion effects. Recover application's integrity. Make the application available.
  17. H1: Terminate all instances and restart. (Recover application's integrity)
  18. H1: Terminate all instances and restart. Lose all your data?! Time consuming, downtime.
  19. H2: Replication. (Recover application's integrity)
  20. H2: Replication. Intrusion effects are also replicated.
  21. H3: Backup. (Recover application's integrity)
  22. H3: Backup. You will lose your customers' data written after the intrusion.
  23. H4: Remote site recovery mechanism. (Recover application's integrity)
  24. H4: Remote site recovery mechanism. The remote site is tampered with or outdated.
  25. Best day ever to stay in BED.
  26. Intrusion Recovery / Undo Systems.
  27. Intrusion Recovery System: remove unwanted actions; keep the effect of legitimate actions.
  28. Timeline figure: Backup A, Backup B, User Action, Malicious Action over time.
  29. Current Solutions.
  30. Operating systems: Taser, Retro. Databases: ITDB, Phoenix. Web applications: Goel et al., Warp, Aire. Others (e-mail): Undo for Operators.
  31. Limitations:
      • Max. complexity: 1 app server, 1 database instance
      • All require setup and configuration
      • Cause application downtime during recovery
  32. Shuttle.
  33. Intrusion Recovery System for Cloud Computing:
      • Remove the intrusion effects
      • Recover application's integrity
      • Support applications deployed in various instances
      • Available without setup
      • Avoid application downtime
      • Cost efficient
      • Recover timely
  34. Software as a Service (SaaS). Platform as a Service (PaaS). Infrastructure as a Service (IaaS).
  35. Platform as a Service (PaaS). Infrastructure as a Service (IaaS). Software as a Service (SaaS).
  36. DevOps? Micro-services? Containers? Automated deployment?
  37. Platform as a Service (PaaS): a cloud service to run applications. The consumer develops the application to run in that environment, using the supported
      • Languages: e.g., Java, Python, Go, PHP
      • Components: e.g., SQL/NoSQL databases, load balancers
  38. Architecture figure: User Request, Proxy, Load Balancer, Application Server (x2), Database Instance (x2).
  39. Integrating intrusion recovery mechanisms.
  40. 1. Record all user requests. 2. Load a database snapshot. 3. Replay all legitimate requests.
  42. Architecture figure: User Request, Proxy, Load Balancer, Application Server (x2), Database Instance (x2), Storage.
  43. Request dependency: Request A writes A=1; Request B reads A.
  44. Architecture figure: User Request, Proxy, Load Balancer, Application Server (x2), Database Instance (x2), Manager, Storage, DB Proxy (x2), Interceptor (x2).
  45. 1. Record all user requests. 2. Load a database snapshot. 3. Replay all legitimate requests.
  46. Consistent Snapshot on NoSQL.
  47. Request consistent. Copy-on-write. No downtime.
  48. More details in the paper.
  49. Replay/Recovery Process.
  50. 1. Identify the malicious actions (or intrusion instant).
  51. Recovery Process: 1. Identify the malicious actions and intrusion instant. 2. Launch new application and database instances.
  52. Recovery Process: 1. Identify the malicious actions (or intrusion instant). 2. Launch new application and database instances. 3. Load a snapshot taken before the intrusion instant: create a new branch.
  53. Branching figure: Users, Shuttle.
  54. Recovery Process: 1. Identify the malicious actions (or intrusion instant). 2. Launch new application and database instances. 3. Load a snapshot taken before the intrusion instant: create a new branch. 4. Replay requests: database operations shall replay in the same order as the original.
  55. Architecture figure: User Request, Proxy, Load Balancer, Application Server (x2), Database Instance (x2), Manager, Storage, DB Proxy (x2), Replay Instances, Interceptor (x2).
  56. Recovery Process: 1. Identify the malicious actions (or intrusion instant). 2. Launch new application and database instances. 3. Load a snapshot taken before the intrusion instant: create a new branch. 4. Replay requests: database operations shall replay in the same order as the original. 5. Block incoming requests; replay the last requests.
  57. Recovery Process: 1. Identify the malicious actions (or intrusion instant). 2. Launch new application and database instances. 3. Load a snapshot taken before the intrusion instant: create a new branch. 4. Replay requests: database operations shall replay in the same order as the original. 5. Block incoming requests; replay the last requests. 6. Change branch.
  59. Full replay: replay every operation after the snapshot. Selective replay: replay only the affected (tainted) operations.
  60. Serial: replay all requests sequentially. Clustered: independent clusters are replayed concurrently.
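The dependency rule of slide 43 (request B depends on request A when B reads a key A wrote earlier) is what drives both the selective replay of slide 59 and the clustered replay of slide 60. The following is an added example, not Shuttle's code, that computes these over a small constructed read/write log; the request ids and keys are made up.

```python
# Added example (not Shuttle's code): dependency, taint and cluster logic over a constructed log.
from collections import defaultdict

# Constructed log in execution order: (request id, keys read, keys written).
LOG = [("r1", set(), {"user:1"}),      # treated as the malicious request below
       ("r2", {"user:1"}, {"post:7"}),
       ("r3", set(), {"user:2"}),
       ("r4", {"post:7"}, {"vote:7"}),
       ("r5", {"user:2"}, set()),
       ("r6", set(), {"user:3"})]

def dependencies(log):
    """Slide 43: B depends on A when B reads a key that A wrote earlier."""
    last_writer, deps = {}, {}
    for rid, reads, writes in log:
        deps[rid] = {last_writer[k] for k in reads if k in last_writer}
        for k in writes:
            last_writer[k] = rid
    return deps

def tainted(log, malicious):
    """Requests that transitively depend on a malicious request."""
    deps, bad = dependencies(log), set(malicious)
    for rid, _, _ in log:         # log order: one pass settles transitive taint
        if deps[rid] & bad:
            bad.add(rid)
    return bad

def replay_list(log, malicious, selective):
    """Slide 59: full replay re-runs every legitimate request, selective only tainted ones."""
    keep = tainted(log, malicious) if selective else {r for r, _, _ in log}
    return [rid for rid, _, _ in log if rid in keep and rid not in malicious]

def clusters(log):
    """Slide 60: connected components of the dependency graph (union-find);
    independent clusters can replay concurrently, each in original order."""
    root = {}
    def find(r):
        while root[r] != r:
            r = root[r]
        return r
    for rid, parents in dependencies(log).items():
        root[rid] = rid
        for a in parents:             # parents ran earlier, so already in root
            root[find(a)] = rid
    groups = defaultdict(list)
    for rid, _, _ in log:
        groups[find(rid)].append(rid)
    return list(groups.values())
```

With r1 malicious, selective replay re-executes only r2 and r4, while full replay re-executes all five legitimate requests; the three clusters {r1, r2, r4}, {r3, r5} and {r6} could be replayed concurrently.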
  61. Evaluation.
  62. Amazon EC2, c3.xlarge instances, Gigabit Ethernet. Ask Q&A application; data from Stack Exchange. WildFly (formerly JBoss) application servers. Voldemort database.
  63. Performance overhead in normal execution:

                      50% Read / 50% Insert       95% Read / 5% Insert
                      ops/sec    latency (ms)     ops/sec    latency (ms)
      Shuttle         6325       5.78             15 346     3.62
      No Shuttle      7148       5.07             17 821     3.01
      Overhead        13%        14%              16%        20%
  64. Accuracy. Intrusion scenarios: 1. Malicious requests. 2. Software vulnerabilities. 3. External channels (e.g. SSH due to Shellshock).

      Scenario   # Intrusion   # tainted   # Selective Replay   # Full Replay
      1a         106           0           < 605                > 38 620
      1b         58            14          < 379                > 38 620
      1c         48            52          < 253                > 38 620
      2a         4 338         0           -                    > 38 620
      2b         18 286        1 278       -                    > 38 620
      3          > 2 000       -           -                    > 38 620
  65. Recovery time chart: 1 million requests.
  66. Restrain duration chart.
  67. Need it faster?
  68. Scalability.
  69. Scalability chart.
  70. Storage Bill.
  71. Storage overhead for 1 million requests:

      Component                  # objects     Size (MB)
      Shuttle Storage:
        Requests                 1 million     212
        Response                 1 million     8 767
        Start/End timestamps     2 million     16
        Keys                     137 million   488
        Total                                  9 648 MB
      Database node:
        Version List             14 593        1.4
        Operation List           9 million     277
        Total                                  282 MB
      Manager:
        Graph                    1 million     718 MB
  72. $47 per month at 20 million requests per day.
  73. Conclusion.
  74. A new intrusion recovery service to be integrated in PaaS. Supports applications running in various instances backed by distributed databases. Leverages resource elasticity and the pay-per-use model to reduce recovery time and costs.
  75. Accomplishes intrusion recovery without service downtime using a branching mechanism. Globally transaction-consistent snapshot for NoSQL databases. Removes intrusions by redeploying the applications.
  76. Future Work.
  77. Prevent intrusions from spreading. Client-side applications. Handle database replication and fault tolerance. Deliver as a commercial solution. Integrate with micro-services architecture.
  78. References
      [Taser] A. Goel, K. Po, K. Farhadi, Z. Li, and E. de Lara, "The Taser intrusion recovery system," in SOSP. ACM, 2005.
      [Retro] T. Kim, X. Wang, N. Zeldovich, and M. F. Kaashoek, "Intrusion recovery using selective re-execution," in OSDI. USENIX, 2010.
      [ITDB] P. Liu, J. Jing, P. Luenam, and Y. Wang, "The design and implementation of a self-healing database system," JIIS, 2004.
      [Goel] I. Akkus and A. Goel, "Data recovery for web applications," in DSN. IEEE, Jun. 2010, pp. 81–90.
      [Warp] R. Chandra, T. Kim, and M. Shah, "Intrusion recovery for database-backed web applications," in SOSP. ACM, 2011.
      [Aire] R. Chandra, T. Kim, and N. Zeldovich, "Asynchronous intrusion recovery for interconnected web services," in SOSP. ACM, 2013.
      [UndoForOperators] A. B. Brown and D. A. Patterson, "Undo for operators: Building an undoable e-mail store," in USENIX ATC, 2003.
  79. More details: MSc thesis on Distributed, Cloud and Mobile Applications, "Recovery from Security Intrusions in Cloud Computing", Dário Nascimento, Miguel Pupo Correia, Instituto Superior Técnico, 2015.
  80. Thank you for your attention. dario.nascimento@tecnico.ulisboa.pt, miguel.p.correia@tecnico.ulisboa.pt. Shuttle: Intrusion Recovery for PaaS.
