
DOI: 10.1145/2808425.2808432

How Private is Your Private Cloud?: Security Analysis of Cloud Control Interfaces

Published: 16 October 2015

Abstract

The security gateway between an attacker and a user's private data is the Cloud Control Interface (CCI): If an attacker manages to get access to this interface, he controls the data. Several high-level data breaches originate here, the latest being the business failure of the British company Code Spaces. In such situations, using a private cloud is often claimed to be more secure than using a public cloud. In this paper, we show that this security assumption may not be justified: We attack private clouds through their rich, HTML5-based control interfaces, using well-known attacks on web interfaces (XSS, CSRF, and Clickjacking) combined with novel exploitation techniques for Infrastructure as a Service clouds.
We analyzed four open-source projects for private IaaS cloud deployment (Eucalyptus, OpenNebula, OpenStack, and openQRM) in default configuration. We were able to compromise the security of three cloud installations (Eucalyptus, OpenNebula, and openQRM). One of our attacks (OpenNebula) allowed us to gain root access to VMs even if full perimeter security is enabled, i.e., if the cloud control interface is only reachable from a certain segment of the company's network, and if all network traffic is filtered through a firewall.
We informed all projects about the attack vectors and proposed mitigations. As a general recommendation, we propose to make web management interfaces for private clouds inaccessible from the Internet, and to include this technical requirement in the definition of a private cloud.


Cited By

  • (2021) How Much Your Cloud Management Platform Is Secure? OpenStack Use Case. Innovations in Smart Cities Applications Volume 4, pp. 1117-1129. DOI: 10.1007/978-3-030-66840-2_85. Online publication date: 13 Feb 2021
  • (2017) A Terminology to Classify Artifacts for Cloud Infrastructure. Research Advances in Cloud Computing, pp. 75-92. DOI: 10.1007/978-981-10-5026-8_4. Online publication date: 28 Dec 2017


Published In

CCSW '15: Proceedings of the 2015 ACM Workshop on Cloud Computing Security Workshop
October 2015
84 pages
ISBN:9781450338257
DOI:10.1145/2808425
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].


Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. CSRF
  2. XSS
  3. cloud interface
  4. cloud security
  5. infrastructure as a service

Qualifiers

  • Research-article

Conference

CCS'15

Acceptance Rates

CCSW '15 Paper Acceptance Rate 6 of 21 submissions, 29%;
Overall Acceptance Rate 37 of 108 submissions, 34%


Article Metrics

  • Downloads (Last 12 months)23
  • Downloads (Last 6 weeks)1
Reflects downloads up to 04 Feb 2025
