Cloud applications expose not only service endpoints but also potential or actual vulnerabilities, and attackers hold several advantages: they choose the weapons, the point in time and the point of attack.
Cloud application security engineering very often focuses on hardening the fortress walls but seldom assumes that an attack may succeed. So cloud applications rely on their defensive walls and seldom fight intruders actively. Biological systems are different. They accept that defensive "walls" can be breached at several layers and therefore employ an active and adaptive defense system, an immune system, to attack potential intruders. This position paper proposes such an immune-system-inspired approach to ensure that even undetected intruders are purged from cloud applications, which makes it much harder for intruders to maintain a presence on victim systems. Evaluation experiments on popular cloud service infrastructures (Amazon Web Services, Google Compute Engine, Azure and OpenStack) showed that this can reduce the undetected acting period of intruders to minutes.
About being the Tortoise or the Hare? Making Cloud Applications too Fast and Furious for Attackers
1. 8th International Conference on Cloud Computing and Services Science (CLOSER 2018); Funchal, Madeira, Portugal, 2018
About being the Tortoise or the Hare? A Position Paper on Making Cloud Applications too Fast and Furious for Attackers
Nane Kratzke
2. The next 15 minutes are about ...
• Some scary considerations on zero-day exploits
• Moving target defense
• The idea to (permanently) jangle attackers' nerves
• Some evaluation results
• Conclusions and open issues
Prof. Dr. rer. nat. Nane Kratzke
Computer Science and Business Information Systems
3. How to defend against unknown vulnerabilities?
Reported in January 2018: CVE-2017-5754, CVE-2017-5715 and CVE-2017-5753 (Meltdown and Spectre). Mainly x86 microprocessors with out-of-order execution and branch prediction are affected, going back to 1995 (says Google).
I started my computer science studies in 1996! My microprocessor professor told me that out-of-order execution and branch prediction are among the coolest things on earth.
4. Moving Target Defense (MTD)
ACM Moving Target Defense Workshops 2014 - 2017
• The static nature of current computing systems has made them easy to attack and hard to defend.
• The idea of moving-target defense (MTD) is to impose the same asymmetric disadvantage on attackers by making systems dynamic (harder to explore and predict).
• Moving target defense reduces the need for threat detection.
5. We need a reactive component as well
Biological systems are different. Defensive "walls" can be breached at several layers. An additional active defense system is needed to attack potentially successful intruders: an immune system.
6. We build a transferability solution ...
Operate application on current provider.
Scale cluster into prospective provider.
Shutdown nodes on current provider.
Cluster reschedules lost container.
Migration finished.
Quint, P.-C., & Kratzke, N. (2016). Overcome Vendor Lock-In by Integrating Already Available Container Technologies - Towards Transferability in Cloud Computing for SMEs. In Proceedings of CLOUD COMPUTING 2016 (7th International Conference on Cloud Computing, GRIDs and Virtualization).
… mainly, to avoid vendor lock-in:
• Make use of elastic container platforms to operate elastic services that are deployable to any IaaS cloud infrastructure.
• Transfer these services from one private or public cloud infrastructure to another at runtime.
Kratzke, N. (2017). Smuggling Multi-Cloud Support into Cloud-native Applications using Elastic Container Platforms. In Proceedings of the 7th Int. Conf. on Cloud Computing and Services Science (CLOSER 2017) (pp. 29–42).
7. Most systems rely on their defence walls and just wait to be attacked
Successfully breached node (lateral movement)
8. How long can presence be maintained?
Answer: Surprisingly long!
9. Let us make the game more challenging for the attacker
We can create a race between a manual (time-intensive) breach and a fully automatic (and fast) regeneration.
Regenerated node (randomly chosen at some point in time)
Successfully breached node (lateral movement)
10. Runtime to regenerate one node
Regeneration cycle for one node: request a node, adjust security groups, join node, adjust security group, terminate node.
Figure: Runtimes (median values in seconds) of the phases creation, security group, joining and termination on AWS, OpenStack, GCE and Azure; y-axis from 0 to 700 seconds, with marks at 1 minute and 10 minutes.
Remember: the median time being undetected in 2016 was 99 DAYS.
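The regeneration cycle of slide 10 and the provider transfer of slide 6 are the same mechanism: bring a fresh node in, then drop an old one and let the container platform reschedule. The following is an added example, not the paper's or the author's code, that models this mechanism in Python against a hypothetical in-memory provider and plays out the race of slide 9 between a breach and blind random regeneration. The per-phase durations, provider labels and node names are assumptions for illustration, not the medians measured in the paper.

```python
import random
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Assumed per-phase durations in seconds (stand-ins, not the measured medians).
PHASE_SECONDS = {"request": 60.0, "secgroup": 5.0, "join": 30.0, "terminate": 10.0}
# One full regeneration: request, adjust secgroup, join, adjust secgroup, terminate.
CYCLE_SECONDS = (PHASE_SECONDS["request"] + 2 * PHASE_SECONDS["secgroup"]
                 + PHASE_SECONDS["join"] + PHASE_SECONDS["terminate"])


@dataclass
class Node:
    name: str
    provider: str
    compromised_at: Optional[float] = None  # attacker presence; the defender never reads this


@dataclass
class Cluster:
    """Elastic container platform: lost containers are rescheduled on the remaining nodes."""
    nodes: List[Node] = field(default_factory=list)
    allowed: Set[str] = field(default_factory=set)  # security-group membership by node name
    clock: float = 0.0
    _seq: int = 0

    def request_node(self, provider: str) -> Node:
        """Hypothetical IaaS call: allocate a fresh VM at the given provider."""
        self._seq += 1
        self.clock += PHASE_SECONDS["request"]
        return Node(f"{provider}-{self._seq}", provider)

    def admit(self, node: Node) -> None:
        """Open the security group for the new node, then let it join the cluster."""
        self.clock += PHASE_SECONDS["secgroup"]
        self.allowed.add(node.name)
        self.clock += PHASE_SECONDS["join"]
        self.nodes.append(node)

    def terminate(self, node: Node) -> None:
        """Close the security group for the node, then destroy it; its containers move."""
        self.clock += PHASE_SECONDS["secgroup"]
        self.allowed.discard(node.name)
        self.clock += PHASE_SECONDS["terminate"]
        self.nodes.remove(node)

    def regenerate(self, victim: Node) -> Node:
        """Regenerate one node: the replacement joins before the old node is removed,
        so capacity never dips and no state of the old node survives."""
        fresh = self.request_node(victim.provider)
        self.admit(fresh)
        self.terminate(victim)
        return fresh

    def migrate(self, target_provider: str) -> None:
        """Provider transfer: scale into the target provider one node at a time and
        drain the current provider; the cluster reschedules each lost container."""
        for old in list(self.nodes):
            self.admit(self.request_node(target_provider))
            self.terminate(old)


def simulate_dwell(n_nodes: int, period: float, trials: int, seed: int = 0) -> List[float]:
    """Race between a breach and blind regeneration: one random node is regenerated
    every `period` seconds. Returns, per trial, how long the intruder kept its node."""
    rng = random.Random(seed)
    dwells = []
    for _ in range(trials):
        cluster = Cluster()
        for _ in range(n_nodes):
            cluster.admit(cluster.request_node("aws"))  # provider label is illustrative
        victim = rng.choice(cluster.nodes)
        victim.compromised_at = cluster.clock
        while victim in cluster.nodes:  # the defender does not know which node is hit
            cluster.clock += period
            cluster.regenerate(rng.choice(cluster.nodes))
        dwells.append(cluster.clock - victim.compromised_at)
    return dwells


def expected_dwell(n_nodes: int, period: float) -> float:
    """Each round hits the compromised node with probability 1/n, so the number of
    rounds is geometric with mean n; a round lasts period + CYCLE_SECONDS."""
    return n_nodes * (period + CYCLE_SECONDS)
```

The regeneration period is the defender's knob: the expected dwell time of an undetected intruder shrinks linearly with it and grows linearly with cluster size. That is exactly the "fever" trade-off of the conclusions: regenerating faster to cut dwell time means more nodes are in flux at the same time.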
11. Conclusion, open issues and limitations
• The presented approach means for attackers that their time being "undetected" drops from months down to minutes.
• Can we reduce the number of regenerations without increasing our own effort?
• What about exploits/attacks that adapt to bio-inspired systems?
• How to protect the regeneration mechanism itself against attackers?
• Biology-inspired solutions come with downsides like
  • fever (too many nodes in regeneration at the same time, the system runs hot)
  • auto-immune disease (healthy nodes are attacked too often)
12. Acknowledgement
• Rabbit, Tortoise: Pixabay (CC0 Public Domain)
• Fortress: Pixabay (CC0 Public Domain)
• Bowman: Pixabay (CC0 Public Domain)
• Definition: Pixabay (CC0 Public Domain, PDPics)
• Railway: Pixabay (CC0 Public Domain, Fotoworkshop4You)
• Air Transport: Pixabay (CC0 Public Domain, WikiImages)
Picture Reference
This research is partly funded by German Federal Ministry of
Education and Research (13FH021PX4).
13. About
Nane Kratzke
CoSA: http://cosa.fh-luebeck.de/en/contact/people/n-kratzke
Blog: http://www.nkode.io
Twitter: @NaneKratzke
GooglePlus: +NaneKratzke
LinkedIn: https://de.linkedin.com/in/nanekratzke
GitHub: https://github.com/nkratzke
ResearchGate: https://www.researchgate.net/profile/Nane_Kratzke
SlideShare: http://de.slideshare.net/i21aneka