
AmazonIA: When Elasticity Snaps Back

Bugiel, Sven ; Pöppelmann, Thomas ; Nürnberger, Stefan ; Sadeghi, Ahmad-Reza ; Schneider, Thomas (2011)
AmazonIA: When Elasticity Snaps Back.
18. ACM Conference on Computer and Communications Security (CCS'11). Chicago Illinois USA (17.10.2011- 21.10.2011)
doi: 10.1145/2046707.2046753
Conference publication, Bibliography

Short description (Abstract)

Cloud Computing is an emerging technology promising new business opportunities and easy deployment of web services. Much has been written about the risks and benefits of cloud computing in recent years. The literature on clouds often points out security and privacy challenges as the main obstacles, and proposes solutions and guidelines to avoid them. However, most of these works deal with either malicious cloud providers or customers, but ignore the severe threats caused by unaware users. In this paper we consider security and privacy aspects of real-life cloud deployments, independently from malicious cloud providers or customers. We focus on the popular Amazon Elastic Compute Cloud (EC2) and give a detailed and systematic analysis of various crucial vulnerabilities in publicly available and widely used Amazon Machine Images (AMIs) and show how to eliminate them. Our Amazon Image Attacks (AmazonIA) deploy an automated tool that uses only publicly available interfaces and makes no assumptions on the underlying cloud infrastructure. We were able to extract highly sensitive information (including passwords, keys, and credentials) from a variety of publicly available AMIs. The extracted information allows one to (i) start (botnet) instances worth thousands of dollars per day, (ii) provide backdoors into the running machines, (iii) launch impersonation attacks, or (iv) access the source code of the entire web service. Our attacks can be used to completely compromise several real web services offered by companies (including IT-security companies), e.g., for website statistics/user tracking, two-factor authentication, or price comparison. Further, we show mechanisms to identify the AMI of certain running instances. Following the maxim "security and privacy by design" we show how our automated tools together with changes to the user interface can be used to mitigate our attacks.
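The abstract describes recovering passwords, keys and credentials left behind in public AMIs and then eliminating them before an image is shared. The following is an added example for this page, not the paper's AmazonIA tool: a small scanner that walks an unpacked or mounted image root for the kinds of residue the paper names (SSH keys, shell history, cloud API credentials), followed by the cleanup an image publisher would run before publishing. The list of sensitive paths, the content patterns, and the sample image tree are assumptions constructed for the example.

```python
"""Scan an unpacked machine-image root for credential residue, then strip it.

Added example for this page; it is NOT the AmazonIA tool from the paper. It
checks the kinds of artefacts the abstract reports recovering from public AMIs
(SSH keys, shell history, cloud API credentials) in a filesystem tree, e.g. a
mounted image volume, and shows the cleanup a publisher would run first.
The path list and patterns are assumptions for this example, not from the paper.
"""
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Relative-path suffixes that should never ship in a public image (assumed list).
SENSITIVE_SUFFIXES = (
    ".ssh/authorized_keys", ".ssh/id_rsa", ".ssh/id_dsa",
    ".ssh/id_ecdsa", ".ssh/id_ed25519",
    ".bash_history", ".zsh_history", ".mysql_history",
    ".aws/credentials", ".s3cfg", ".pgpass", ".netrc",
)

# Content signatures worth flagging in any file (assumed, deliberately narrow).
CONTENT_PATTERNS = {
    "private-key-block": re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "aws-access-key-id": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
    "password-on-command-line": re.compile(rb"(?:--password=|sshpass -p )\S+"),
}

Finding = Tuple[str, str]  # (path relative to image root, reason)


def scan_image_root(root: str, max_bytes: int = 1 << 20) -> List[Finding]:
    """Walk the tree and report every (path, reason) hit, sorted for stable output."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):          # never follow links out of the image
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel.endswith(SENSITIVE_SUFFIXES):
                findings.append((rel, "sensitive-file"))
            try:
                with open(full, "rb") as fh:  # read a bounded prefix only
                    data = fh.read(max_bytes)
            except OSError:
                continue
            for reason, pattern in CONTENT_PATTERNS.items():
                if pattern.search(data):
                    findings.append((rel, reason))
    return sorted(findings)


def sanitize_image_root(root: str) -> Tuple[List[str], List[str]]:
    """Delete files flagged by name; files flagged only by content are returned
    for manual review, since deleting an application config may break the image."""
    by_name = sorted({p for p, r in scan_image_root(root) if r == "sensitive-file"})
    for rel in by_name:
        os.remove(os.path.join(root, rel))
    needs_review = sorted({p for p, _ in scan_image_root(root)})
    return by_name, needs_review


def build_demo_image(root: str) -> None:
    """Constructed sample image root (not real data) mimicking the residue the
    paper describes: the publisher's SSH key, a private key, history with a
    password, a baked-in credentials file, and a key ID inside an app config.
    AKIAIOSFODNN7EXAMPLE is the placeholder key ID used in AWS documentation."""
    layout = {
        "home/ubuntu/.ssh/authorized_keys": b"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE publisher@laptop\n",
        "root/.ssh/id_rsa": b"-----BEGIN RSA PRIVATE KEY-----\nEXAMPLE\n-----END RSA PRIVATE KEY-----\n",
        "root/.bash_history": b"mysql -u root --password=hunter2 appdb\nshutdown -h now\n",
        "home/ubuntu/.aws/credentials": b"[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n",
        "etc/app/config.ini": b"[s3]\naccess_key = AKIAIOSFODNN7EXAMPLE\n",
        "etc/motd": b"Welcome to the demo image\n",
    }
    for rel, content in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)


def demo() -> Dict[str, object]:
    """Build the sample image in a temp dir, scan, sanitize, rescan."""
    root = tempfile.mkdtemp(prefix="ami-root-")
    build_demo_image(root)
    before = scan_image_root(root)
    removed, review = sanitize_image_root(root)
    after = scan_image_root(root)
    return {"before": before, "removed": removed, "review": review, "after": after}


if __name__ == "__main__":
    result = demo()
    for rel, reason in result["before"]:
        print(f"FOUND   {reason:26s} {rel}")
    for rel in result["removed"]:
        print(f"REMOVED {rel}")
    for rel in result["review"]:
        print(f"REVIEW  {rel}")
```

Run against a real image by mounting its volume and passing the mount point as `root`. Files flagged by name are safe to delete; files flagged only by content (here the application config carrying an access key ID) are left for review, because the fix there is to move the credential out of the image, not to delete the config. Note that the authorized_keys case is exactly the backdoor the abstract mentions: any key the publisher leaves in the image grants the publisher access to every instance later launched from it.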

Entry type: Conference publication
Published: 2011
Author(s): Bugiel, Sven ; Pöppelmann, Thomas ; Nürnberger, Stefan ; Sadeghi, Ahmad-Reza ; Schneider, Thomas
Entry kind: Bibliography
Title: AmazonIA: When Elasticity Snaps Back
Language: English
Publication year: October 2011
Publisher: ACM
Book title: CCS '11: Proceedings of the 18th ACM conference on Computer and communications security
Event title: 18. ACM Conference on Computer and Communications Security (CCS'11)
Event location: Chicago Illinois USA
Event date: 17.10.2011- 21.10.2011
DOI: 10.1145/2046707.2046753
URL / URN: https://encrypto.de/papers/BNPSS11.pdf

Department(s)/field(s): 20 Department of Computer Science
Profile Areas
Profile Areas > Cybersecurity (CYSEC)
Central Facilities
20 Department of Computer Science > EC SPRIDE
20 Department of Computer Science > EC SPRIDE > Engineering Cryptographic Protocols (merged on 01.03.18 into Practical Cryptography and Privacy)
Deposit date: 25 Jun 2012 13:14
Last change: 31 Jul 2024 08:28