User Privacy Issues in Eucalyptus: A Private Cloud Computing Environment

2011 International Joint Conference of IEEE TrustCom-11/IEEE ICESS-11/FCST-11
978-0-7695-4600-1/11 $26.00 © 2011 IEEE. DOI 10.1109/TrustCom.2011.128

Adeela Waqar, Asad Raza, Haider Abbas
Department of Information Security, MCS, National University of Sciences and Technology (NUST), Islamabad, Pakistan

Abstract— The highly scalable nature of Cloud Computing enables its users to utilize distributed computational resources and access large amounts of data using different interfaces. Cloud entities including cloud users, service providers and business partners share the available resources at different levels of technological operations. However, the Cloud Computing framework is inherently susceptible to a great number of security threats due to the amalgamation of different computing technologies that make it a complex architecture. Among all the potential threats, those targeting the users’ data are significantly important and must be thwarted first in order to facilitate effective cloud functionality. This paper focuses on the potential threats to users’ cloud resident data and metadata and suggests possible solutions to prevent these threats. We have used UEC (Ubuntu Enterprise Cloud) Eucalyptus, a popular open source cloud computing platform widely used by the research community. In this work, we have simulated some of the potential attacks on users’ data and metadata stored in Eucalyptus database files in order to provide the intended reader with the requisite information to be able to anticipate the grave consequences of violation of cloud users’ data privacy.

Keywords - Cloud Computing; Ubuntu Enterprise Cloud; Eucalyptus; Walrus; Buckets; Objects

I. INTRODUCTION

Cloud Computing and Virtualization Technology help organizations go beyond physical restrictions and expand their IT infrastructure, thus making it possible for them to provide more flexible IT services to their users than Managed Service Providers (MSPs) [1]. But Cloud Service Providers must learn from the MSP model and ensure that their users’ applications and data are kept secure. The involvement of various different technologies like databases, networks, virtualization, operating systems etc. in Cloud Computing gives rise to many security concerns [2]. Therefore, the security challenges of these technologies are inherited by Cloud Computing as well. One of the major concerns about Cloud Computing security is that the owner may not have control over his data or metadata, which in turn raises the issue of users’ data privacy [3]. Private Clouds provide the facility of on-site virtualized data storage in order to maximize resource utilization. Therefore, it is very important that the users’ data and metadata is protected from malicious insiders (mainly administrators) and is available to authorized users only [14].

Apart from the standard security protocols and encryption algorithms which are used for securing data during transit and storage, our main concern here is privileged access to users’ data and metadata.

In this work, we have used UEC (Ubuntu Enterprise Cloud 10.04), which is a complete open source Eucalyptus-powered Cloud Computing framework, popular in academic organizations. It allows the users to run and control virtual machine instances, store and retrieve data using the WALRUS Data Storage Service and create and manage volumes and snapshots using the Block Storage Service [5]. The focus of our research work is to identify some of the critical users’ data privacy issues that could exist in a typical Private Cloud Computing environment, taking the WALRUS storage service as an example. In this paper, we will be using the term ‘cloud database’ to refer to any of the Eucalyptus database files unless reference to a specific file is required.

II. DATA PRIVACY ISSUES IN PRIVATE CLOUDS

The preservation of cloud users’ data privacy is one of the major challenges to be considered in a typical private cloud environment. We can classify Eucalyptus cloud users’ data into three major categories:

• Cloud users’ personal information such as login names, passwords, and personal identification data requested by the cloud provider for users’ subscription

• Metadata of the cloud users’ data residing in the cloud

• Cloud users’ cloud resident data (including user created VM images called EMIs)

The prospective attacks pertinent to a private cloud environment include attacks from external sources (typically an organization’s business competitors, the cloud’s legitimate and illegitimate users and external computing systems) as well as internal sources (typically administration and technical staff) [18]. Among all possible attack sources, the cloud’s administrators stand the greatest chance of violating the users’ data privacy [3] [17]. Having physical access to the cloud machines, privileged cloud access rights and, most importantly, cloud administration expertise, the cloud administrators can deliberately compromise the cloud users’ data privacy to their own advantage [19]. For instance, an administrator could conspire to disclose an organization’s cloud resident data to other competing organizations, or an administrator could modify important forensic data (e.g. object access log files) leading to erroneous legal convictions for personal monetary gain. Not only can the administrator have privileged access to the users’ data, but he can also impersonate the user completely and make the auditing process more difficult. The list of motives an administrator might have for violating the cloud users’ data privacy could be endless. Hence, it is imperative to confine the administrators’ control over users’ data strictly to their need-to-know while still ensuring that the cloud’s indispensable functionality requirements are not compromised. In addition to the administrator, any external/internal attacker is capable of posing threats of equivalent magnitude to the cloud users’ data if he is able to get access to some of the important database files.

One of the fundamental security concerns in relation to the cloud database is achieving a reasonable balance between the users’ roles and rights [20]. Private Cloud environments are much more complex and different from simple corporate environments in the sense that their services are based on virtualization technology and are susceptible to the same attacks that afflict physical deployments as well as new threats that exploit the weaknesses in virtualized environments. Consequently, in case of security breaches, unlike simple corporate environments, private cloud environments present a greater degree of difficulty in holding specific people accountable. Thus, it is of utmost importance to ensure that the cloud users’ data privacy is preserved, anticipating all possible threats from all potential threat sources.

The first step towards preserving the users’ data privacy is getting to know how this critical data is usually stored in private clouds. Relational databases are normally used for storing users’ personal data and the metadata associated with their cloud resident data. While using databases to store users’ data and metadata, the database table and object definitions must be scrutinized to avoid any side channel inference attacks, users’ authentication credentials should be encrypted/hashed before being stored in the database, and database entries should be continually reviewed to make sure that database components like query optimizers do not expand the users’ search space beyond their need to know. Recapitulating the above discussion, we can say that an effectual privacy preserving technique must be integrated into the schema design of the databases used to store cloud users’ data in order to prevent the utmost threats to the users’ data privacy posed by both authorized and unauthorized users.

III. EUCALYPTUS-WALRUS STORAGE SERVICE

WALRUS is the data storage service of Eucalyptus which allows users to store persistent data in the form of buckets and objects. WALRUS is interface compatible with Amazon’s S3 (Simple Storage Service) for accessing user buckets and objects. WALRUS system options can be modified via the administrator web interface under the “WALRUS Configuration” section [4] [8]. The WALRUS buckets can be accessed by the users for the following two services:

• For storing and managing Eucalyptus VM images (termed ‘EMIs’, Eucalyptus Machine Images)

• For storing and managing cloud users’ data

The web interface of a Eucalyptus installation supports two types of accounts: an ‘administrator’ account (called ‘admin’ by default) with privileged access rights and ‘user’ accounts (named by the users themselves). A successful user registration process with a Eucalyptus supported cloud provider supplies the registered users with X509 certificates (a credentials zip file named ‘euca2-username-x509’) and two query interface credentials, namely Query ID and Secret Key. On decompression, the credentials zip file provides the users with their RSA public and private keys, X509 certificates of the cloud provider and the certification authority, and a file named ‘eucarc’ comprising all the vital user credentials needed by the users to use the cloud services [12].

Third party tools like CloudBerry Explorer for Amazon S3, RightScale, Boto, s3curl, s3cmd and s3fs can be used for interacting with WALRUS. Users can use these graphical interface and command line tools for streaming data in and out of WALRUS and accessing the S3 buckets as local directories. We have used s3curl for interacting with WALRUS; it adds the security parameters as curl headers. Using s3curl, users can create/delete/list buckets, put/get/delete objects, set object/bucket access control policies, enable/disable object/bucket access logging and obtain MD5 checksums and last modification date and time for objects and buckets [9].

WALRUS implements ACLs (access control lists) for limiting users’ access to buckets and objects. A Eucalyptus user has to provide his SECRET KEY and ACCESS KEY while requesting access to buckets and objects. Once the user is authenticated, read and write permissions are granted over standard HTTP. WALRUS uses the MD5 hashing technique in order to provide consistency of the stored data.

Figure 1. User Interaction with Eucalyptus-WALRUS

An architectural diagram of WALRUS is given in Figure 1, indicating the various third party tools using which the user can access WALRUS storage via REST/SOAP over HTTP, while the cloud controller provides access control to WALRUS objects using ACLs and user credentials. The next section describes the Eucalyptus cloud database architecture. This description will help to explain the privacy issues more precisely.

IV. EUCALYPTUS DATABASE FILES

There are five file system locations that are critical to ensure the efficiency of a Eucalyptus installation. These include the ‘Configuration File’ (/etc/eucalyptus/eucalyptus.conf), the ‘Database Files’ (/var/lib/eucalyptus/db/eucalyptus_*.script/log/properties), the ‘Cryptographic Keys’ (/var/lib/eucalyptus/keys), the ‘Walrus Buckets’ ("Buckets path" in Web configuration, by default /var/lib/eucalyptus/bukkits) and the ‘Storage Controller Volumes’ ("Volumes path" in Web configuration, by default /var/lib/eucalyptus/volumes). A complete cloud restoration capability can be embedded into the system by regularly backing up these critical file system locations and taking measures to protect them from malicious insiders. Two of these file system locations, namely ‘Database Files’ and ‘WALRUS Buckets’, are used by Eucalyptus to store cloud users’ data. The ‘Database Files’ are used to store cloud users’ personal information and the metadata of cloud users’ data, and ‘WALRUS Buckets’ are used to store the cloud users’ data itself and the image files (parts of kernel, ramdisk and root file system images in encrypted form along with the respective manifest files) of users’ custom images as well as the UEC installed images [5].

A Eucalyptus supported cloud consists of seven distinct HSQL based catalogs (databases) solely comprising ‘memory’ type tables. The schema, table definitions, database object definitions and the data for these ‘memory’ type tables are stored in ‘*.script’ files, which are used with ‘*.log’ and ‘*.properties’ files to reconstruct the database in memory every time a request to open the database is received by the database engine [10]. Of the seven databases (eucalyptus_auth, eucalyptus_config, eucalyptus_dns, eucalyptus_general, eucalyptus_images, eucalyptus_storage and eucalyptus_walrus, each with its .log, .properties and .script files), eucalyptus_auth.script, eucalyptus_general.script and eucalyptus_walrus.script will be the focus of our paramount interest throughout this paper, owing to the fact that these files contain the critical cloud users’ personal information and the metadata of cloud users’ data.

V. PRIVACY ISSUES IN EUCALYPTUS DATABASE

A Eucalyptus powered private cloud can be operationally effective only when the cloud database, being the repository for critical cloud users’ data, is protected from all prospective external/internal attack sources as discussed above. In the following subsections, we have formulated some of the critical cloud database attacks in a Eucalyptus supported private cloud environment.

A. Bucket Related Attacks

The usernames and users’ Query Interface credentials, namely EC2_ACCESS_KEY and EC2_SECRET_KEY, are stored in the catalog eucalyptus_auth.script’s table AUTH_USERS under the attribute names AUTH_USER_NAME, AUTH_USER_QUERY_ID and AUTH_USER_SECRETKEY respectively, as evident in Figure 2. This particular attack involves making use of the ‘eucarc’ file along with the above mentioned attribute values as extracted from the catalog eucalyptus_auth.script.

Figure 2. Table Definitions - eucalyptus_auth.script

The attacker simply needs to create a new ‘eucarc’ file with S3_URL set to the IP address of the Cloud Controller and the values of EC2_ACCESS_KEY and EC2_SECRET_KEY (as highlighted in Figure 3) set to AUTH_USER_QUERY_ID and AUTH_USER_SECRETKEY as derived from the catalog eucalyptus_auth.script.

Figure 3. Credentials Zip File Constituent - ‘eucarc’

The rest of the elements in the ‘eucarc’ file may be ignored as they are not needed during the bucket related attacks. Once the eucarc file is ready, the attacker simply needs to source this new eucarc file and run the s3curl commands to create a new bucket impersonating the user whose credentials are used, or to obtain a list of all the buckets owned by that user. For instance, once the attacker is in possession of the list of user owned buckets, he can use s3curl to list the contents of those buckets.

The attacker can also use the same credentials to delete a bucket owned by the user. In short, once the attacker is in possession of a user’s Query ID and Secret Key, he can interact with the WALRUS S3 buckets in exactly the same way in which the real bucket owner interacts with his buckets and objects.

B. Object Related Attacks

Before launching object related attacks, the attacker needs to know the exact bucket name in which the target object is located. There are two ways of finding out the exact bucket name. One involves using the catalog eucalyptus_walrus.script. This particular catalog stores the parent buckets’ names, the names of their constituent objects and the bucket owners’ names in the table ‘Objects’ under the attribute names BUCKET_NAME, OBJECT_KEY and OWNER_ID respectively, as encircled in Figure 4. After getting hold of this information, the attacker simply needs to make a new eucarc file with the query interface credentials of his victim, source this file and run s3curl commands to put an object into the victim’s bucket, get the MD5 checksum, size and modification time of a victim’s object, read the victim’s object into a file or delete a victim’s object. The second method involves using the bucket related attacks described in subsection A. These attacks can be used by the attacker to first list all the buckets owned by the victim and then list the constituent objects of these buckets to identify his target object.

The bucket related attacks do require the ‘admin’ to be in possession of users’ credentials, but unfortunately, actions like putting an object into a user’s bucket, getting the MD5 checksum, size and last modification time of a user owned object, getting the object from a user’s bucket, deleting a user owned object, deleting a user owned bucket, getting the access control policy for a user’s bucket and getting the contents of a user owned bucket can be performed by the ‘admin’ using its own set of credentials, with no reliance on acquiring the users’ credentials. The attacker can also directly access the users’ objects by exploring the directory path maintained in the attribute STORAGE_DIR of the table WALRUS_INFO contained in the catalog eucalyptus_walrus.script.

Figure 4. Table Definitions - eucalyptus_walrus.script

C. Access Control List Related Attacks

Each WALRUS bucket and object has an ACL attached to it as a subresource. To launch access control list related attacks on buckets/objects, the attacker first needs to get hold of their respective ACL subresources. One way of getting hold of the ACL is by using the s3curl command to read the ACL of an object or a bucket into a *.acl file. Once the ACL has been read into a *.acl file, the attacker can make all the desired modifications to this file. Alternatively, the attacker can create a new *.acl file containing his preferred access control rights granted to his selected grantees. Now, the attacker simply needs to set the modified file or the newly created file as the access control list of the target object/bucket using s3curl commands. This approach is especially helpful when the attacker’s aim is to assign different access control rights to different grantees. There exists yet another attack avenue for the attacker, where he can assign specific access control rights to the entire group of the cloud’s registered users. Depending on his preferences, he can simply set the values of any of the attributes GLOBAL_READ, GLOBAL_READ_ACP, GLOBAL_WRITE and GLOBAL_WRITE_ACP to TRUE in the tables BUCKETS and OBJECTS contained in the catalog eucalyptus_walrus.script, as shown in Figure 4. This will automatically change the *.acl file of the target object/bucket to include access grants for the entire group of users. ACL attacks are not considered to be very sophisticated attacks, as the bucket/object owners can easily find out about the designated grantees and their authorized access control rights on their buckets and objects using the respective ACL subresources.

D. Log File Related Attacks

Eucalyptus enables the users to generate access log files for the buckets that they own. These files can be delivered to any one of the user owned buckets depending on the owner’s preferences. After the access logs have been delivered to the target bucket, they can be treated as ordinary objects which the owners can read, list and delete at their own ease. The user buckets’ logging information is stored in the catalog eucalyptus_walrus.script’s table BUCKETS under the attributes LOGGING_ENABLED, TARGET_BUCKET and TARGET_PREFIX. If the value of the ‘Boolean’ attribute LOGGING_ENABLED is set to TRUE, the attribute TARGET_BUCKET will contain the name of the user specified bucket where the access log files will be stored and the attribute TARGET_PREFIX will contain the user specified prefix to be appended to the system generated names of the log files. In all computing attack scenarios, the access log files are objects of particular interest to the attackers since they provide the attackers with the opportunity to remove their attack traces. While working on WALRUS, once the attacker has extracted all necessary information from the catalog eucalyptus_walrus and gained access to the bucket storing the access log files, he can liberally use these log files in any preferred way. Another attack avenue for the attacker is to read the ‘logging’ subresources of the victim’s buckets into *.logging files, make the desired modifications to the selected subresource in order to forge the real information contained in the log files, and finally set the modified file as the ‘logging’ subresource of the target bucket.
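As an added defensive check for the ACL attributes of subsection C and the logging attributes of subsection D (example code written for this edit, not from the paper or the Eucalyptus project; the HSQLDB script lines, the column order and the sample rows are constructed assumptions), the following Python script parses a *.script dump and reports GLOBAL_* grants and access-log targets that a writer other than the owner could tamper with:

```python
"""Audit a Eucalyptus/HSQLDB *.script dump for settings that weaken bucket and object
privacy: GLOBAL_* grants, and access-log delivery into a globally writable bucket."""
import re

# Constructed sample in HSQLDB script style (CREATE MEMORY TABLE, then INSERTs).
# Column order and row values are assumptions made for this example; they are not
# copied from a real eucalyptus_walrus.script.
SAMPLE_SCRIPT = """\
CREATE MEMORY TABLE BUCKETS(BUCKET_NAME VARCHAR(255),OWNER_ID VARCHAR(255),GLOBAL_READ BOOLEAN,GLOBAL_READ_ACP BOOLEAN,GLOBAL_WRITE BOOLEAN,GLOBAL_WRITE_ACP BOOLEAN,LOGGING_ENABLED BOOLEAN,TARGET_BUCKET VARCHAR(255),TARGET_PREFIX VARCHAR(255))
CREATE MEMORY TABLE OBJECTS(BUCKET_NAME VARCHAR(255),OBJECT_KEY VARCHAR(255),OWNER_ID VARCHAR(255),GLOBAL_READ BOOLEAN,GLOBAL_READ_ACP BOOLEAN,GLOBAL_WRITE BOOLEAN,GLOBAL_WRITE_ACP BOOLEAN)
INSERT INTO BUCKETS VALUES('payroll','alice',FALSE,FALSE,FALSE,FALSE,TRUE,'audit-logs','payroll/')
INSERT INTO BUCKETS VALUES('audit-logs','alice',FALSE,FALSE,TRUE,FALSE,FALSE,NULL,NULL)
INSERT INTO BUCKETS VALUES('public-www','bob',TRUE,FALSE,FALSE,FALSE,FALSE,NULL,NULL)
INSERT INTO OBJECTS VALUES('payroll','q3.xls','alice',FALSE,FALSE,FALSE,TRUE)
INSERT INTO OBJECTS VALUES('public-www','index.html','bob',TRUE,FALSE,FALSE,FALSE)
"""
GLOBAL_FLAGS = ("GLOBAL_READ", "GLOBAL_READ_ACP", "GLOBAL_WRITE", "GLOBAL_WRITE_ACP")

def split_top_level(text):
    """Split on commas that are not nested in parentheses, e.g. inside VARCHAR(255)."""
    parts, cur, depth = [], [], 0
    for ch in text:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            parts.append("".join(cur)); cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts

def sql_literal(tok, quoted):
    """Quoted text stays a string; bare NULL/TRUE/FALSE become Python values."""
    return tok if quoted else {"NULL": None, "TRUE": True, "FALSE": False}.get(tok.strip().upper(), tok.strip())

def split_values(body):
    """Tokenise a VALUES(...) body; a doubled '' inside a string is an escaped quote."""
    out, cur, quoted, in_str, i = [], [], False, False, 0
    while i < len(body):
        ch = body[i]
        if in_str:
            if ch == "'" and body[i + 1:i + 2] == "'":
                cur.append("'"); i += 1
            elif ch == "'":
                in_str = False
            else:
                cur.append(ch)
        elif ch == "'":
            in_str = quoted = True
        elif ch == ",":
            out.append(sql_literal("".join(cur), quoted)); cur, quoted = [], False
        else:
            cur.append(ch)
        i += 1
    out.append(sql_literal("".join(cur), quoted))
    return out

def load_script(text):
    """Return {table: [row dict, ...]}, taking column order from CREATE MEMORY TABLE."""
    columns, rows = {}, {}
    for line in text.splitlines():
        m = re.match(r"CREATE MEMORY TABLE (\w+)\((.*)\)$", line)
        if m:
            columns[m.group(1)] = [c.strip().split()[0] for c in split_top_level(m.group(2))]
            rows[m.group(1)] = []
            continue
        m = re.match(r"INSERT INTO (\w+) VALUES\((.*)\)$", line)
        if m and m.group(1) in columns:
            rows[m.group(1)].append(dict(zip(columns[m.group(1)], split_values(m.group(2)))))
    return rows

def audit(rows):
    """Findings as (kind, name, code, detail): global grants (V.C) and log targets (V.D)."""
    buckets = rows.get("BUCKETS", [])
    owner = {b["BUCKET_NAME"]: b["OWNER_ID"] for b in buckets}
    writable = {b["BUCKET_NAME"] for b in buckets if b["GLOBAL_WRITE"] or b["GLOBAL_WRITE_ACP"]}
    findings = []
    for b in buckets:
        findings += [("bucket", b["BUCKET_NAME"], f, "granted to every registered user") for f in GLOBAL_FLAGS if b[f]]
    for o in rows.get("OBJECTS", []):
        findings += [("object", o["BUCKET_NAME"] + "/" + o["OBJECT_KEY"], f, "granted to every registered user") for f in GLOBAL_FLAGS if o[f]]
    for b in buckets:
        if not b["LOGGING_ENABLED"]:
            continue
        tgt = b["TARGET_BUCKET"]
        if tgt not in owner:
            findings.append(("bucket", b["BUCKET_NAME"], "LOG_TARGET_MISSING", f"target bucket {tgt!r} does not exist"))
        elif tgt in writable:
            findings.append(("bucket", b["BUCKET_NAME"], "LOG_TARGET_WRITABLE", f"access logs land in globally writable bucket {tgt!r}"))
        elif owner[tgt] != b["OWNER_ID"]:
            findings.append(("bucket", b["BUCKET_NAME"], "LOG_TARGET_FOREIGN", f"logs delivered to a bucket owned by {owner[tgt]!r}"))
    return findings
```

Run against a copy of the real file taken from a backup, the same audit gives an owner an independent view of the GLOBAL_* flags and log targets that the ACL subresource alone would not reveal once the database has been edited directly.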
E. User Password Related Attacks

Ubuntu Enterprise Cloud (UEC) supports a minimal web interface intended to provide registration services to its users and nominal graphical interface based cloud management functionality to the cloud administrators. During the registration process, users supply their personal information (full name, address, email id, contact phone numbers etc.) along with their preferred user name and password to the cloud provider. The users’ usernames and passwords (in encrypted form) are stored in the catalog named eucalyptus_general.script in the table USERS under the attributes USER_NAME and USER_B_CRYPTED_PASSWORD respectively. The encrypted passwords are returned as ‘strings’ by the function getBCryptedPassword( ) and then stored into the attribute USER_B_CRYPTED_PASSWORD. The password encryption function getBCryptedPassword( ) takes as input the user’s password in plaintext and a random string of alphanumeric characters called ‘salt’, used for salting the password. It makes use of the ‘MD5’ encryption scheme to encrypt the salted password, and the resulting ciphertext is then stored as USER_B_CRYPTED_PASSWORD in the catalog named eucalyptus_general.script’s table USERS. The getBCryptedPassword( ) function includes adding salt to plaintext passwords in order to ensure that the same passwords do not lead to the same hashes. Unfortunately, UEC encrypts user passwords by making a getBCryptedPassword( ) function call passing the plaintext user’s password as the first parameter and a null string as salt. This is semantically equivalent to encrypting unsalted passwords. Consequently, the same passwords yield the same MD5 hashes. This makes the system susceptible to the well known dictionary based attacks, which can be easily launched using freely available dictionary based password cracking tools.

VI. DISCUSSION & ANALYSIS

Section V presented an illustration of what an attacker can do after getting hold of the cloud database files. UEC Eucalyptus offers a promising solution to organizations aspiring to exploit their fullest infrastructural potential. A Eucalyptus based private cloud deployment, however, must be weighed in the light of prospective benefits and imminent risks. Public clouds are normally considered to be incapable of providing reliable guarantees in relation to the preservation of their users’ data privacy, owing to the fact that they store users’ data at multiple geographical locations and the users are themselves not aware of the physical location of their data, thus limiting users’ control over their own data. In this scenario, private clouds are often mistakenly perceived to serve as a superior alternative capable of preserving users’ data privacy, due to the fact that their on-site storage facilities let their users be fully aware of the physical location of their data. This overstated perception of private cloud users’ complete control over their data often makes the interested organizations overlook the downside of adopting this approach. It is very important to understand that, unlike public clouds’ almost fully automated functionality which requires only minimal human intervention, private clouds require immense human administration for effective operation and maintenance. That is why it should be of significant importance for organizations aiming for the deployment of a private cloud to realize the associated threats and risks posed by ‘could-be’ malicious insiders. The use of a privacy preservation technique for protecting the users’ data could be investigated as a possible solution. From an implementation perspective, the formulation of a novel technique or a hybrid of the various already existing techniques based on anonymization, perturbation, or anatomization and permutation [15] is under consideration in our research. This will help in the preservation of users’ data privacy, and its practical application will provide an acceptable level of security against the attacks mentioned in Section V. The main idea behind the use of a privacy preservation technique in the context of users’ data is to enable the user, and restrict the attacker, to access users’ cloud resident data even if the critical database files have been compromised by the attackers.

In our research, we intend to carry out a detailed analysis of the database schema (tables, their attributes, primary keys, foreign keys, indices etc.), test the suitability of the techniques under analysis and their application with respect to the type of data stored in the database using various information and performance metrics, and finally select and implement the most appropriate technique. A successful execution of the subtasks outlined in the agenda for incorporation of a privacy preservation technique into private cloud systems can definitely enhance organizations’ trust and assurance in using private cloud platforms and play an important role in the fulfillment of their business goals.

VII. CONCLUSIONS & FUTURE WORK

This paper presents a security analysis of the data privacy of users’ cloud resident data and metadata. It identifies the potential attack sources, the prospective attacks originating from these sources and possible measures to prevent these conceivable attacks. During this research, a detailed exploration of the spectrum of realizable attacks was attempted using the WALRUS storage service as an example. As a result of investigating this paradigm, it was observed that a reasonable number of areas need a substantial level of security in order to ensure the preservation of users’ data privacy and thus guarantee the sustainability of an effectively operational private cloud system. As the ultimate objective of this research and future work, we aim to work on embedding some privacy preserving technique into the data storage mechanism of a Eucalyptus powered cloud that will definitely help to make its services more secure and thus more efficient. Specifically, it will focus on the preservation of the user’s and his data’s ‘Association Privacy’ [13] [16]. The possibility of implanting a ‘Presence Privacy’ [13] [16] preservation technique can also be investigated as the next level of research.
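Returning to the password storage defect of Section V.E, the following Python script (added for this edit; not UEC’s code, whose getBCryptedPassword( ) is only modelled here as MD5 over an empty salt plus the password, an assumption) shows why an empty salt makes identical stored values expose shared passwords, audits a constructed USERS table for such entries, and re-hashes them with a per-user random salt and PBKDF2 at the next successful login:

```python
"""Model of the Section V.E defect (empty salt, so identical passwords give identical
stored values) beside a hardened store and a login path that migrates old entries."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

PBKDF2_ITERATIONS = 600_000  # OWASP's 2023 minimum for PBKDF2-HMAC-SHA256

def legacy_store(password: str, salt: str = "") -> str:
    """Model of the weak scheme: MD5 over salt + password with the salt left empty.
    UEC's getBCryptedPassword() is not reproduced; this is an illustrative assumption."""
    return hashlib.md5((salt + password).encode()).hexdigest()

def hardened_store(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt plus a slow KDF; the salt is stored beside the derived key."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"

def hardened_verify(password: str, stored: str) -> bool:
    """Recompute the derived key from the stored salt and compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

def is_legacy(stored: str) -> bool:
    """An unsalted MD5 entry is a bare 32-character hex string."""
    return len(stored) == 32 and all(c in "0123456789abcdef" for c in stored)

# Constructed USERS rows: USER_NAME -> USER_B_CRYPTED_PASSWORD. Three users still
# carry legacy values; two of them chose the same password.
SAMPLE_USERS: Dict[str, str] = {
    "alice": legacy_store("Summer2011"),
    "bob": legacy_store("Summer2011"),
    "carol": legacy_store("hunter2"),
    "dave": hardened_store("correct horse battery staple"),
}

def audit_users(table: Dict[str, str]) -> dict:
    """Report who still has a legacy hash and which users visibly share a password."""
    by_hash: Dict[str, List[str]] = {}
    for user, stored in table.items():
        if is_legacy(stored):
            by_hash.setdefault(stored, []).append(user)
    legacy = sorted(u for users in by_hash.values() for u in users)
    shared = sorted(sorted(users) for users in by_hash.values() if len(users) > 1)
    return {"legacy_users": legacy, "shared_password_groups": shared}

def login(table: Dict[str, str], user: str, password: str) -> bool:
    """Verify either format; on success a legacy entry is re-hashed with a random salt."""
    stored = table[user]
    if is_legacy(stored):
        if not hmac.compare_digest(stored, legacy_store(password)):
            return False
        table[user] = hardened_store(password)  # opportunistic migration
        return True
    return hardened_verify(password, stored)
```

With the hardened format, two users who pick the same password no longer produce the same stored value, so a copy of eucalyptus_general.script reveals neither shared passwords nor a single precomputable table to match against.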
REFERENCES

[1] J. W. Rittinghouse and J. F. Ransome, Cloud Computing: Implementation, Management and Security, CRC Press, 2010.
[2] K. Beaty, A. Kochut and H. Shaikh, “Desktop to Cloud Transformation Planning”, 23rd IEEE International Symposium on Parallel and Distributed Processing, 2009.
[3] B. R. Kandukuri, R. Paturi V. and A. Rakshit, “Cloud Security Issues”, IEEE International Conference on Services Computing, 2009.
[4] D. Nurmi, R. Wolski, C. Grzegorczyk, G. Obertelli, S. Soman, L. Youseff and D. Zagorodnov, “The Eucalyptus Open-source Cloud-computing System”, 9th IEEE/ACM International Symposium on Cluster Computing and the Grid, 2009.
[5] Eucalyptus User’s Guide (2.0), http://open.eucalyptus.com/wiki/EucalyptusUserGuide_v2.0
[6] W. Itani, A. Kayssi and A. Chehab, “Privacy as a Service: Privacy-Aware Data Storage and Processing in Cloud Computing Architectures”, Eighth IEEE International Conference on Dependable, Autonomic and Secure Computing, 2009.
[7] J. Wang, Y. Zhao, S. Jiang and J. Le, “Providing Privacy Preserving in Cloud Computing”, International Conference on Test and Measurement, 2009.
[8] J. Peng, X. Zhang, Z. Lei, B. Zhang, W. Zhang and Q. Li, “Comparison of Several Cloud Computing Platforms”, Second International Symposium on Information Science and Engineering, 2009.
[9] S3-Compatible Tools - s3curl, http://open.eucalyptus.com/wiki/s3curl
[10] HyperSQL User Guide, HyperSQL Database Engine (HSQLDB) 2.2, http://hsqldb.org/doc/2.0/guide/guide.pdf
[11] M. Yildiz, J. Abawajy, T. Ercan and A. Bernoth, “A Layered Security Approach for Cloud Computing Infrastructure”, 10th International Symposium on Pervasive Systems, Algorithms, and Networks, 2009.
[12] Eucalyptus Beginner’s Guide, UEC Edition, http://cssoss.files.wordpress.com/2010/06/book_eucalyptus_beginners_guide_uec_edition1.pdf
[13] H. (Wendy) Wang, “Ambiguity: Hide the Presence of Individuals and Their Privacy with Low Information Loss”, International Conference on Management of Data (COMAD), 2008.
[14] C. Wang, Q. Wang, K. Ren and W. Lou, “Ensuring Data Storage Security in Cloud Computing”, 17th IEEE International Workshop on Quality of Service, 2009.
[15] B. C. M. Fung, K. Wang, R. Chen and P. S. Yu, “Privacy-Preserving Data Publishing: A Survey on Recent Developments”, ACM Computing Surveys (CSUR), vol. 42, 2010.
[16] H. Wang, “Privacy-Preserving Data Sharing in Cloud Computing”, Journal of Computer Science and Technology, vol. 25(3), pp. 401-414, 2010.
[17] F. Rocha, “Lucy in the Sky without Diamonds: Stealing Confidential Data in the Cloud”, First International Workshop on Dependability of Clouds, Data Centers and Virtual Computing Environments (DCDV 2011), in conjunction with the 41st Annual IEEE/IFIP International Conference on Dependable Systems and Networks, 2011.
[18] W. Dawoud, I. Takouna and C. Meinel, “Infrastructure as a Service Security: Challenges and Solutions”, 7th International Conference on Informatics and Systems (INFOS), 2010.
[19] K. Popović and Ž. Hocenski, “Cloud Computing Security Issues and Challenges”, MIPRO, 2010.
[20] S. Ramgovind, M. M. Eloff and E. Smith, “The Management of Security in Cloud Computing”, ISSA, 2010.