NDLI: How Private is Your Private Cloud?: Security Analysis of Cloud Control Interfaces

Please wait, while we are loading the content...

Side Channels in Multi-Tenant Environments

How Private is Your Private Cloud?: Security Analysis of Cloud Control Interfaces

Fast Order-Preserving Encryption from Uniform Distribution Sampling

Cloud Security: The Industry Landscape and the Lure of Zero-Knowledge Protection

Return of the Covert Channel, Data Center Style

Exploring Privacy Preservation in Outsourced K-Nearest Neighbors with Multiple Data Owners

Performance Analysis of Linux RNG in Virtualized Environments

ORAM Based Forward Privacy Preserving Dynamic Searchable Symmetric Encryption Schemes

How Private is Your Private Cloud?: Security Analysis of Cloud Control Interfaces

Content Provider	ACM Digital Library
Author	Schwenk, Jörg Felsch, Dennis Heiderich, Mario Schulz, Frederic
Abstract	The security gateway between an attacker and a user's private data is the Cloud Control Interface (CCI): If an attacker manages to get access to this interface, he controls the data. Several high-level data breaches originate here, the latest being the business failure of the British company Code Spaces. In such situations, using a private cloud is often claimed to be more secure than using a public cloud. In this paper, we show that this security assumption may not be justified: We attack private clouds through their rich, HTML5-based control interfaces, using well-known attacks on web interfaces (XSS, CSRF, and Clickjacking) combined with novel exploitation techniques for Infrastructure as a Service clouds. We analyzed four open-source projects for private IaaS cloud deployment (Eucalyptus, OpenNebula, OpenStack, and openQRM) in default configuration. We were able to compromise the security of three cloud installations (Eucalyptus, OpenNebula, and openQRM) One of our attacks (OpenNebula) allowed us to gain root access to VMs even if full perimeter security is enabled, i.e. if the cloud control interface is only reachable from a certain segment of the company's network, and if all network traffic is filtered through a firewall. We informed all projects about the attack vectors and proposed mitigations. As a general recommendation, we propose to make web management interfaces for private clouds inaccessible from the Internet, and to include this technical requirement in the definition of a private cloud.
Starting Page	5
Ending Page	16
Page Count	12
File Format	PDF
ISBN	9781450338257
DOI	10.1145/2808425.2808432
Language	English
Publisher	Association for Computing Machinery (ACM)
Publisher Date	2015-10-16
Publisher Place	New York
Access Restriction	Subscribed
Subject Keyword	Csrf Cloud security Infrastructure as a service Xss Cloud interface
Content Type	Text
Resource Type	Article

Central Library (ISO-9001:2015 Certified)
Indian Institute of Technology Kharagpur
Kharagpur, West Bengal, India | PIN - 721302

See location in the Map
03222 282435
Mail: support@ndl.gov.in

Sl.	Authority	Responsibilities	Communication Details
1	Ministry of Education (GoI), Department of Higher Education	Sanctioning Authority	https://www.education.gov.in/ict-initiatives
2	Indian Institute of Technology Kharagpur	Host Institute of the Project: The host institute of the project is responsible for providing infrastructure support and hosting the project	https://www.iitkgp.ac.in
3	National Digital Library of India Office, Indian Institute of Technology Kharagpur	The administrative and infrastructural headquarters of the project	Dr. B. Sutradhar bsutra@ndl.gov.in
4	Project PI / Joint PI	Principal Investigator and Joint Principal Investigators of the project	Dr. B. Sutradhar bsutra@ndl.gov.in Prof. Saswat Chakrabarti will be added soon
5	Website/Portal (Helpdesk)	Queries regarding NDLI and its services	support@ndl.gov.in
6	Contents and Copyright Issues	Queries related to content curation and copyright issues	content@ndl.gov.in
7	National Digital Library of India Club (NDLI Club)	Queries related to NDLI Club formation, support, user awareness program, seminar/symposium, collaboration, social media, promotion, and outreach	clubsupport@ndl.gov.in
8	Digital Preservation Centre (DPC)	Assistance with digitizing and archiving copyright-free printed books	dpc@ndl.gov.in
9	IDR Setup or Support	Queries related to establishment and support of Institutional Digital Repository (IDR) and IDR workshops	idr@ndl.gov.in