Cloud Infrastructure Attack Vectors


Background

Introduction

Continuous and ground-breaking developments in technology have led to the emergence of cloud computing. Unfortunately, cyber criminals have kept pace with these developments, and increasingly advanced attacks have occurred over time. Forensic investigators are left wanting when cybercrime is committed, as the crimes themselves have become increasingly sophisticated. Cloud computing is one such technology that complicates digital forensic investigations. This chapter presents background on cloud computing, covering the cloud architecture, cloud security and the characteristics of the cloud that pose challenges to the investigation of forensic cases in cloud environments.

In recent years, the incidence of cybercrime has increased hugely. The advent of technologies such as cloud computing aggravates the situation, as the same technology is used to commit even more complex kinds of cybercrime, including extremely serious crimes such as human trafficking and drug trafficking. Perpetrators of cybercrime therefore have to be brought to book, and this is where digital forensics comes into play. Owing to these developments in technology, digital forensics as a research field is itself facing challenges. This chapter therefore presents a background on cloud computing and digital forensics, and on the challenges faced by digital forensics in general and when investigating cloud environments in particular.

The chapter is organised as follows. Section 2.2 contains a background on cloud computing and its architectures. Section 2.3 describes the attack vectors that attackers can use to gain access to the cloud and cause malicious damage in it; it is this damage that creates the need for digital forensic investigation in cloud environments. Once attackers have compromised the cloud, investigations need to be carried out, and Section 2.4 is dedicated to the unique attributes of the cloud that make investigating it an uphill battle. Section 2.5 is devoted to a discussion of live forensics, network forensics and digital forensic readiness. Challenges in digital forensics are presented in Section 2.6, and Section 2.7 concludes the chapter.

Background on Cloud Computing

Cloud computing provides computing resources on a pay-per-use basis. It is based on five principles: on-demand self-service, broad network access, resource pooling, rapid elasticity and measured service [98, p.49]. On-demand self-service means that a cloud user can create, for example, a virtual machine or virtual instance and pay for it for the duration of its use, after which the instance can be terminated if it is no longer needed. Such services are referred to as measured services because users are billed according to usage. Cloud computing can be defined as highly scalable computing resources provided as an external service via the Internet on a pay-as-you-go basis [84], meaning that service consumers pay for services as they use them. Cloud resources need to be accessible to customers irrespective of geographical location, hence the requirement for broad network access. Resource pooling refers to computational resources that are published in a cluster for consumption by customers on demand; when a hardware resource is no longer in use, it is made available to other users. Resources in the cloud can be scaled up and down according to user needs, a process referred to as rapid elasticity.

In a cloud environment, cloud service providers (CSPs) offer infrastructure or hardware, a platform and software as services that can be accessed by consumers over the Internet [138]. The availability of such services eases the burden on vendors, as they no longer need to own physical infrastructure (such as servers) for their computational needs. A cloud model can therefore offer a solution to resource-constrained SMMEs in developing countries.

The cloud architecture can be viewed as a pyramid consisting of the three CSP services, namely cloud application, cloud platform and cloud infrastructure from top to bottom. These respective layers are referred to as Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) [84]. Cloud users participate as consumers or as providers of these services. The responsibilities of service providers and service consumers differ as one moves up the cloud stack. This is important for digital forensic investigators to understand, as it helps to limit the scope of an investigation at an incident scene. An IaaS provider is responsible for vulnerability patching and configuration management of the systems, networks, hosts and applications that it owns, and manages the underlying infrastructure [70, 88]. A vulnerability is defined as "a mistake in software that can be directly used by a hacker to gain access to a system or network" [34]. The IaaS provider is therefore responsible for patching vulnerabilities in any of the components that it manages. PaaS providers are IaaS customers and are thus responsible for the management of vulnerabilities, patches and configurations of the virtual resources allocated to them by the IaaS provider. They are likewise responsible for the management of the platforms that they provide as services, such as operating systems, application servers, web servers and databases. SaaS providers are responsible for managing the applications that they offer as services in the cloud.
The cloud can be deployed in four different forms, namely the private cloud, community cloud, public cloud and hybrid cloud [55]. A private cloud is deployed for use within a single organisation, and the entire cloud infrastructure, including hardware resources, is owned by that organisation. A community cloud is shared by organisations with a common business interest. A public cloud is deployed for use by both public and private organisations, regardless of their business interests. A hybrid cloud is a combination of any of the previous models.

In the cloud, hardware, platforms and software that were traditionally installed in the vicinity of the user are now offered as services by a third party [26, 84]. These services include storage and processing hardware, software platforms such as the Java Virtual Machine (JVM), and software applications such as human resource management systems. The third party may be another company within the national borders or a company outside them. The effort required to carry out a digital forensic investigation differs in each of these scenarios; the costs, for example, differ when collaboration with international law enforcement agencies is required and when it is not. This is one of the challenges faced by digital forensic investigators in a cloud environment.

Virtual machines, as one of the services hosted in the cloud, can be used to commit cybercrime in the same way that a criminal can use a physical desktop. In [109], the authors define cloud crime as "any crime that involves cloud computing where the cloud can be the object, subject or tool of crimes". It is when such crimes are committed in the cloud that the services of a forensic expert are required.
Encryption is widely used by cloud consumers and cloud service providers to address the confidentiality of data in the cloud. Encryption itself faces challenges, however, as adversaries can use the same computing power of the cloud to attack encrypted data, for example by brute-forcing weak keys or passwords. The other aspects of security, namely the availability and integrity of data in the cloud, still depend on the IaaS provider, and in most cases the IaaS is hosted by a third party. Incidents requiring digital forensic investigation would therefore, in most cases, require collaboration with the IaaS provider. The next section presents the cloud attack vectors that adversaries can use to compromise the cloud.

Cloud Infrastructure Attack Vectors

Depending on whether a cloud service provider (CSP) offers IaaS, PaaS or SaaS, and on whether a cloud service consumer (CSC) consumes IaaS, PaaS or SaaS, different attack vectors can be exploited by attackers. An attack vector is defined as "a path or means by which a hacker (or cracker) can gain access to a computer or network server in order to deliver a payload or malicious outcome" [112]. This section gives a high-level view of the common attack vectors to which cloud users can fall victim.

IaaS attack vectors


In a cloud environment, IaaS providers make use of hypervisors to expose logical partitions of their hardware as services. These services are managed and accessed through Application Programming Interfaces (APIs), which are exposed through web consoles or Secure Shell (SSH) access. SSH access requires more technical skill, which many cloud administrators and clients may not have. SSH access is vulnerable because the client's private key can be stolen if an adversary gains access to the client machine, and a key stored without a passphrase is usable the moment it is copied. This is compounded by the fact that private key management, that is, generation, storage and distribution, is still an open research issue [159]. The more user-friendly interface is the web console used by most cloud platforms. Web consoles are in turn exposed to the common web application attacks catalogued by OWASP [96], such as SQL injection, cross-site scripting and broken authentication and session management, as well as (distributed) denial of service. IaaS comprises physical servers running hypervisors on which both client virtual machines and cloud management virtual machines run. IaaS is therefore also vulnerable to attacks that exploit virtualisation technology, such as cross-VM information leakage through shared memory and CPU caches, as demonstrated by the researchers in [158]. In the next section, PaaS attack vectors are presented.

PaaS attack vectors

Platform as a Service comprises software environments that enable service consumers to deploy and run their applications over the Internet. The platform can be a virtual machine instance running selected software such as database servers and compilers. To sign in and deploy applications to these virtual machines, clients use SSH with key-pair authentication as one method of connecting to the remote cloud service; web consoles are also used for this purpose. SSH becomes an attack vector when attackers steal the private key and use it to insert malicious code into the deployed application or the deployed image instance. If the software platforms running on the remote virtual machine are not kept up to date, they are vulnerable to attack: if, for example, the platform consumed by the client runs a publicly available application server, that server may have published vulnerabilities of which attackers can take advantage.
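Both the IaaS and the PaaS vectors above rest on the same weak point: a private SSH key copied off a client machine. Whether that theft is immediately usable depends on whether the key file was stored with a passphrase. The following Python script is an added example (not from the thesis or the cited works) that inspects a private key file and reports whether it is protected. It parses the two formats OpenSSH writes; the key material it runs on is constructed inline (dummy blobs with valid header fields, not real keys).

```python
"""Check whether an OpenSSH private key file is passphrase-protected.

Added example (not from the thesis or cited works). Recognises both
formats OpenSSH writes:
  * PEM ("-----BEGIN RSA PRIVATE KEY-----"): encrypted keys carry a
    "Proc-Type: 4,ENCRYPTED" header line.
  * openssh-key-v1 ("-----BEGIN OPENSSH PRIVATE KEY-----"): the payload
    starts with the magic "openssh-key-v1\\0" followed by the cipher and
    KDF names as length-prefixed strings; "none" means stored in clear.
"""
import base64
import struct
import sys

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(blob: bytes, offset: int):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def _armour_payload(text: str) -> str:
    """Base64 body between the BEGIN/END lines, minus any header lines."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    return "".join(ln for ln in lines[1:-1] if ln and ":" not in ln)


def key_protection(text: str) -> dict:
    """Classify a private key file: format, whether encrypted, cipher, KDF."""
    head = text.strip().splitlines()[0] if text.strip() else ""
    if head == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode(_armour_payload(text))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_string(blob, len(OPENSSH_MAGIC))
        kdf, _ = _read_string(blob, off)
        name = cipher.decode()
        return {"format": "openssh-key-v1", "encrypted": name != "none",
                "cipher": name, "kdf": kdf.decode()}
    if head.startswith("-----BEGIN ") and head.endswith(" PRIVATE KEY-----"):
        encrypted = "Proc-Type: 4,ENCRYPTED" in text
        return {"format": "pem", "encrypted": encrypted,
                "cipher": "see DEK-Info" if encrypted else "none", "kdf": "-"}
    raise ValueError("not a recognised private key file")


def _fake_openssh_key(cipher: bytes, kdf: bytes) -> str:
    """CONSTRUCTED sample: valid header fields, dummy key body (not usable)."""
    def s(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    blob = (OPENSSH_MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
            + s(b"dummy-public-key") + s(b"dummy-private-section"))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed samples: unprotected, passphrase-protected, and legacy PEM.
SAMPLE_PLAIN = _fake_openssh_key(b"none", b"none")
SAMPLE_ENCRYPTED = _fake_openssh_key(b"aes256-ctr", b"bcrypt")
SAMPLE_PEM_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\n"
                        "Proc-Type: 4,ENCRYPTED\n"
                        "DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n\n"
                        "AAAA\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    if len(sys.argv) == 1:  # no paths given: run on the constructed samples
        for label, sample in (("plain", SAMPLE_PLAIN), ("encrypted", SAMPLE_ENCRYPTED),
                              ("pem", SAMPLE_PEM_ENCRYPTED)):
            print(label, key_protection(sample))
    for path in sys.argv[1:]:
        with open(path) as fh:
            print(path, key_protection(fh.read()))
```

Run over the key files on a client host (or over the keys a provisioning tool stores) this gives a quick audit of which stolen keys would grant immediate access. An encrypted key is only as strong as its passphrase and key derivation: the bcrypt KDF of the openssh-key-v1 format is far more expensive to brute-force than the legacy PEM scheme, so converting old keys is a worthwhile mitigation alongside passphrases.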
In the next section, SaaS attack vectors are presented.

SaaS attack vectors

Software as a Service in the cloud is an extension of Web applications. Web applications have known threats, as published and updated by the Open Web Application Security Project (OWASP) [96], and known vulnerabilities, as catalogued by authoritative sources such as Common Vulnerabilities and Exposures (CVE) [34]. These threats take advantage of vulnerabilities in Web applications and include, among others, SQL injection, cross-site request forgery and cross-site scripting. As an extension of Web applications, SaaS is vulnerable to compromise through the same attacks.
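To make the SQL injection vector concrete, here is an added example (not from the thesis or the cited works) of a SaaS-style login check written two ways: one that splices the username into the query text, and the parameterised version that closes the hole. The users table, credentials and attacker payload are constructed inline, and the function names are hypothetical.

```python
"""SQL injection against a SaaS-style login, and its parameterised fix.

Added example (not from the thesis or cited works). The vulnerable
version formats attacker-controlled input into the SQL text, so the
classic payload turns the WHERE clause into a tautology and comments out
the password check. The hardened version binds the same values as
parameters, so the payload is compared literally as a username.
"""
import hashlib
import sqlite3


def _pw_hash(password: str) -> str:
    # Illustration only; a real service would use a salted, slow KDF.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """In-memory tenant database with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", _pw_hash("correct horse")),
                      ("admin", _pw_hash("s3cret-admin"))])
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    """Builds the query by string formatting: user input becomes SQL."""
    query = ("SELECT username FROM users WHERE username = '%s' "
             "AND pw_hash = '%s'" % (username, _pw_hash(password)))
    return conn.execute(query).fetchone() is not None


def login_hardened(conn, username: str, password: str) -> bool:
    """Same check with bound parameters: user input is only ever data."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, _pw_hash(password))).fetchone()
    return row is not None


# Constructed attacker input: closes the string literal, adds a tautology,
# and turns the rest of the statement (the password check) into a comment.
PAYLOAD = "admin' OR '1'='1' --"


def demo() -> dict:
    """Legitimate and malicious logins against both implementations."""
    conn = make_db()
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "correct horse"),
        "legit_hardened": login_hardened(conn, "alice", "correct horse"),
        "attack_vulnerable": login_vulnerable(conn, PAYLOAD, "anything"),
        "attack_hardened": login_hardened(conn, PAYLOAD, "anything"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The only difference between the two functions is who interprets the quote characters: in the vulnerable form the database engine does, in the hardened form the driver escapes nothing and binds the whole string as a value, which is why parameterised queries rather than input filtering are the standard fix.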
In the next section, the unique attributes of the cloud that make it difficult to investigate are presented.

Unique Cloud Attributes

This section presents unique cloud attributes that contribute towards the difficulty in conducting digital forensics in cloud environments. The attributes discussed here include the distributed nature of the cloud, encrypted data, multi-tenancy, fragmented data and volatile data.

Distributed

Physical resources of the cloud are often distributed geographically. For reasons of high data availability, IaaS providers locate their data centres in different regions, so that if a single data centre is subjected to a natural or man-made disaster, services remain available through the unaffected data centres. This distributed nature means that when an investigation has to be conducted, law enforcement agencies from all of the jurisdictions concerned have to be involved. Such collaboration extends the investigation time and costs. In addition to these administrative issues of time and cost, the involvement of multiple jurisdictions introduces legal challenges. Some jurisdictions, such as the member states of the European Union, have strict policies on the migration of electronic data to countries that are perceived to have inadequate data protection measures [14]. A cloud-based investigation may therefore be hindered if it involves these European Union jurisdictions.

For example, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 [43] prohibits the transfer of personal data from European Union (EU) member states to non-EU countries that are deemed not to ensure an adequate level of data protection. If a digital forensic investigation is carried out from a country that is deemed to have an inadequate level of data protection, and the data involved is hosted in the EU, investigators face a challenge whenever the cloud data obtainable from the cloud user's client device is insufficient. Examples of such data are audit logs that may be accessible only to the cloud service provider. In such a case the digital forensic investigation would be hindered.

Encryption

Encryption is the main security measure implemented by cloud vendors to address security issues [15, 101, 113, 143]. There are several layers of encryption in the cloud, the basic ones being applied by the cloud service client and by the cloud service provider. At the first layer, the cloud service client encrypts its data before deploying it to the cloud. At the second layer, the cloud service provider further encrypts the client's data before storing it. For this reason, even if investigators are able to obtain evidence data, it remains difficult to process that data in its encrypted state unless the warrant also compels decryption of the data.

Multi-tenancy

On the cloud service provider's side, data from multiple clients is co-hosted on a single physical storage server. In conventional digital forensic processes that require the host at an incident scene to be powered off (such as [94]), this becomes a challenge: powering off the host would disrupt the services of tenants who are not concerned with the investigation. Isolating tenant data in such a scenario is also a research issue brought to light by Decker in [35].

Fragmented Data

In cloud environments, hardware resources are utilised according to availability. If data belonging to a cloud service is stored on a specific storage server and that server runs out of space, the remaining data is stored on an additional server that has space available, so the data inevitably becomes fragmented. Data fragmentation can also be implemented deliberately, as a security measure or for easier processing [13, 42]. When investigators obtain only fragments of the data during an investigation, no sense can be made of the obtained data, which is a challenge to investigators.

Volatile

The basic principles of the cloud include self-service and service on demand [1]. This means that cloud service consumers create data or service instances in the cloud as and when they need them, and delete the service instance or data when it is no longer needed. This gives investigators limited time to conduct their investigations: by the time they have obtained authorisation to acquire data from the cloud, the perpetrator may already have deleted it.

In the next section, a background on digital forensics is presented.

Background on Digital Forensics

Digital forensics can be defined as a discipline that combines elements of law and computer science to collect and analyse data from computer systems, networks, wireless communications and storage devices in a way that makes this data admissible as evidence in a court of law [103]. According to Zimmerman and Glavach [160], a digital forensic process can be divided into four distinct phases:

  • Collection of artefacts (both digital evidence and supporting material) that are considered of potential value
  • Preservation of original artefacts in a way that is reliable, complete, accurate and verifiable
  • Filtering and analysis of artefacts for the removal or inclusion of items that are considered of value
  • Presentation, in which evidence is presented to support the investigation
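The preservation phase above demands that the collected artefacts remain verifiable. The usual mechanism is a hash manifest taken at acquisition time and re-checked before analysis and presentation, so that any alteration, loss or unexplained addition is detected before anything is relied upon. The following Python is an added example of that check (not from Zimmerman and Glavach or the thesis); the artefacts, their contents and the examiner identifier are constructed inline.

```python
"""Verifiable preservation of collected artefacts via a hash manifest.

Added example (not from the thesis or cited works). build_manifest()
records a SHA-256 per artefact at collection time; verify() re-hashes
the working copies later and reports per item whether it is intact,
modified, missing, or was never part of the acquisition.
"""
import hashlib
import json
from datetime import datetime, timezone

# CONSTRUCTED acquisition: artefact name -> raw bytes as collected.
ACQUIRED = {
    "auth.log": b"Jan 10 03:14:07 vm-7 sshd[812]: Accepted publickey for ubuntu from 203.0.113.9\n",
    "console-access.json": b'{"user":"alice","action":"StartInstance","ts":"2020-01-10T03:12:55Z"}\n',
    "vm-7-memory.raw": bytes(range(256)) * 4,
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artefacts: dict, examiner: str) -> dict:
    """Hash every artefact at collection time; this is the preservation record."""
    return {
        "examiner": examiner,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "algorithm": "sha256",
        "items": {name: {"size": len(data), "sha256": sha256_hex(data)}
                  for name, data in sorted(artefacts.items())},
    }


def verify(manifest: dict, working_copies: dict) -> dict:
    """Re-hash working copies against the manifest.

    Returns a status per manifest entry ("ok", "modified" or "missing")
    plus "unexpected" for copies that were never in the manifest.
    """
    status = {}
    for name, rec in manifest["items"].items():
        if name not in working_copies:
            status[name] = "missing"
        elif sha256_hex(working_copies[name]) != rec["sha256"]:
            status[name] = "modified"
        else:
            status[name] = "ok"
    for name in working_copies.keys() - manifest["items"].keys():
        status[name] = "unexpected"
    return status


def demo() -> dict:
    """Simulate a tampered working set: one edit, one loss, one addition."""
    manifest = build_manifest(ACQUIRED, examiner="examiner-01")
    copies = dict(ACQUIRED)
    copies["auth.log"] = copies["auth.log"].replace(b"Accepted", b"Failed")
    del copies["vm-7-memory.raw"]
    copies["notes.txt"] = b"analyst scratch file\n"
    return verify(manifest, copies)


if __name__ == "__main__":
    print(json.dumps(build_manifest(ACQUIRED, "examiner-01"), indent=2))
    print(demo())
```

In practice the manifest itself is what gets signed or escrowed with the chain-of-custody record, and the verification is repeated at each hand-over; the "unexpected" status matters because material that appears in the working set without an acquisition record cannot be presented as evidence.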

This basic process faces compounded challenges owing to the advent of new technologies. More detailed digital forensic processes and their evaluation are presented in Chapter 3.

The ultimate goal of this thesis is to study digital forensics in a cloud computing environment. Investigating cloud environments requires a focus on live forensics and network forensics, which are dealt with in the subsections that follow. Digital forensic readiness, another important aspect of digital forensics, is also discussed.
