Cloud computing is an emerging technology promising new business opportunities and easy deployment of web services. Much has been written about the risks and benefits of cloud computing in recent years. The literature on clouds often points out security and privacy challenges as the main obstacles, and proposes solutions and guidelines to avoid them. However, most of these works deal with either malicious cloud providers or malicious customers, but ignore the severe threats caused by unaware users. In this paper we consider security and privacy aspects of real-life cloud deployments, independently of malicious cloud providers or customers. We focus on the popular Amazon Elastic Compute Cloud (EC2), give a detailed and systematic analysis of various crucial vulnerabilities in publicly available and widely used Amazon Machine Images (AMIs), and show how to eliminate them. Our Amazon Image Attacks (AmazonIA) deploy an automated tool that uses only publicly available interfaces and makes no assumptions about the underlying cloud infrastructure. We were able to extract highly sensitive information (including passwords, keys, and credentials) from a variety of publicly available AMIs. The extracted information allows one to (i) start (botnet) instances worth thousands of dollars per day, (ii) provide backdoors into the running machines, (iii) launch impersonation attacks, or (iv) access the source code of the entire web service. Our attacks can be used to completely compromise several real web services offered by companies (including IT-security companies), e.g., for website statistics/user tracking, two-factor authentication, or price comparison. Further, we show mechanisms to identify the AMI of certain running instances. Following the maxim "security and privacy by design", we show how our automated tools, together with changes to the user interface, can be used to mitigate our attacks.