Posts Tagged ‘research’


Paper: Cloud Forensics: A Meta-Study of Challenges, Approaches, and Open Problems

01/04/2013

Cloud Forensics: A Meta-Study of Challenges, Approaches, and Open Problems

Abstract:

In recent years, cloud computing has become popular as a cost-effective and efficient computing paradigm. Unfortunately, today’s cloud computing architectures are not designed for security and forensics. To date, very little research has been done to develop the theory and practice of cloud forensics. Many factors complicate forensic investigations in a cloud environment. First, the storage system is no longer local. Therefore, even with a subpoena, law enforcement agents cannot confiscate the suspect’s computer and get access to the suspect’s files. Second, each cloud server contains files from many users. Hence, it is not feasible to seize servers from a data center without violating the privacy of many other users. Third, even if the data belonging to a particular suspect is identified, separating it from other users’ data is difficult. Moreover, other than the cloud provider’s word, there is usually no evidence that links a given data file to a particular suspect. For such challenges, clouds cannot be used to store healthcare, business, or national security related data, which require audit and regulatory compliance. In this paper, we systematically examine the cloud forensics problem and explore the challenges and issues in cloud forensics. We then discuss existing research projects and finally, we highlight the open problems and future directions in cloud forensics research area. We posit that our systematic approach towards understanding the nature and challenges of cloud forensics will allow us to examine possible secure solution approaches, leading to increased trust on and adoption of cloud computing, especially in business, healthcare, and national security. This in turn will lead to lower cost and long-term benefit to our society as a whole.

Information:

Paper by Shams Zawoad, Ragib Hasan - PDF Download

Brief Discussion:

This paper does not really bring up a new solution to an existing problem but rather discusses the work that has been done so far in this field. Hence, it can be seen as an overview paper and is a good read if you want an overview of the issues in this area. Overall, it strongly reminds me of our paper “Technical Issues of Forensic Investigations in Cloud Computing Environments”, published two years ago.


Paper: Web-based Attacks on Host-Proof Encrypted Storage

04/11/2012

Web-based Attacks on Host-Proof Encrypted Storage

Abstract:

Cloud-based storage services, such as Wuala, and password managers, such as LastPass, are examples of so called host-proof web applications that aim to protect users from attacks on the servers that host their data. To this end, user data is encrypted on the client and the server is used only as a backup data store. Authorized users may access their data through client-side software, but for ease of use, many commercial applications also offer browser-based interfaces that enable features such as remote access, form-filling, and secure sharing.
We describe a series of web-based attacks on popular host-proof applications that completely circumvent their cryptographic protections. Our attacks exploit standard web application vulnerabilities to expose flaws in the encryption mechanisms, authorization policies, and key management implemented by these applications. Our analysis suggests that host-proofing by itself is not enough to protect users from web attackers, who will simply shift their focus to flaws in client-side interfaces.

Information:

Paper by K. Bhargavan, A. Delignat-Lavaud – 6th USENIX Workshop on Offensive Technologies (WOOT’12) - PDF Download

Brief Discussion:

This interesting paper describes a series of attacks against web-based, storage-only services. In principle, all data can be stored fully encrypted, since no server-side computation is needed. The first issues come up when the browser is involved: how should the browser treat the encrypted data it receives from the server?

The paper describes several attacks that have been known for years (CSRF etc.) and shows how the architecture can be tricked into disclosing, e.g., the username/password for the service. Although the attacks are not brand new, the authors use them to mount real-world attacks on well-known services. Therefore, papers like this are needed to show the other side of the coin: Dropbox & Co. bring along their own security issues.


Paper: Using the Cloud to Determine Key Strengths

09/10/2012

Using the Cloud to Determine Key Strengths

Abstract:

We develop a new methodology to assess cryptographic key strength using cloud computing, by calculating the true economic cost of (symmetric- or private-) key retrieval for the most common cryptographic primitives. Although the present paper gives both the current (2012) and last year’s (2011) costs, more importantly it provides the tools and infrastructure to derive new data points at any time in the future, while allowing for improvements such as new algorithmic approaches. Over time the resulting data points will provide valuable insight in the selection of cryptographic key sizes.

Information:

Paper by T. Kleinjung, A.K. Lenstra, D. Page, N.P. Smart - PDF Download

Brief Discussion:

Recently, on the airplane, I read this paper and totally enjoyed it. It’s not a real “cloud” paper but focuses more on cryptographic key strengths and the potential power of highly scalable environments such as clouds. So basically, two main approaches dominate when assessing cryptographic primitives: software-oriented computations and special-purpose hardware, which comes along with substantial upfront costs. I should also mention that this is ongoing research, so check out this webpage, where annual updates can be found: http://www.cs.bris.ac.uk/~nigel/Cloud-Keys/

Within the paper, the following algorithms are assessed: DES, AES, SHA-2 family, RSA and ECC. The cloud platform that is used is AWS EC2. The following techniques are used to attack the algorithms:

DES: bit-sliced implementation method of Biham
AES: traditional AES implementation, keeping the general approach (it’s also interesting to mention that, according to the authors, there is only little research on AES-specific hardware attacks due to the key space of 2^128)
SHA-2: parallel “distinguished points” method of van Oorschot and Wiener
RSA: Coppersmith’s variant of the Number Field Sieve (NFS) method
ECC: Pollard’s rho method
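To show the shape of the methodology (turning a primitive's expected work into rented instance-hours and then into money), here is an added Python sketch; it is not the paper's tooling and reproduces none of its figures. The instance price and the per-hour throughputs are constructed placeholders that a real run would replace with measured values; the work estimates are the textbook ones, 2^(k-1) expected trials for exhaustive search of a k-bit key and about sqrt(pi*n/2) group operations for Pollard's rho in a group of order n.

```python
import math

# Constructed placeholders, not measured values: what one rented
# instance-hour costs and how many primitive operations it performs.
PRICE_PER_INSTANCE_HOUR_USD = 0.10
SYMMETRIC_KEYS_PER_INSTANCE_HOUR = 2.0 ** 40   # trial decryptions per instance-hour
EC_ADDITIONS_PER_INSTANCE_HOUR = 2.0 ** 36      # curve group operations per instance-hour


def expected_exhaustive_trials(key_bits: int) -> float:
    """Exhaustive search over a k-bit key succeeds after 2^(k-1) trials on average."""
    return 2.0 ** (key_bits - 1)


def expected_rho_operations(group_order_bits: int) -> float:
    """Pollard's rho in a group of order n ~ 2^bits needs about sqrt(pi*n/2) operations."""
    return math.sqrt(math.pi * 2.0 ** group_order_bits / 2.0)


def cost_usd(operations: float, ops_per_hour: float,
             price_per_hour: float = PRICE_PER_INSTANCE_HOUR_USD) -> float:
    """Money needed to buy enough instance-hours for the given amount of work."""
    return operations / ops_per_hour * price_per_hour


def symmetric_key_cost_usd(key_bits: int) -> float:
    return cost_usd(expected_exhaustive_trials(key_bits), SYMMETRIC_KEYS_PER_INSTANCE_HOUR)


def ecc_key_cost_usd(group_order_bits: int) -> float:
    return cost_usd(expected_rho_operations(group_order_bits), EC_ADDITIONS_PER_INSTANCE_HOUR)


def symmetric_bits_affordable(budget_usd: float,
                              ops_per_hour: float = SYMMETRIC_KEYS_PER_INSTANCE_HOUR,
                              price_per_hour: float = PRICE_PER_INSTANCE_HOUR_USD) -> int:
    """Largest symmetric key size whose expected search cost still fits the budget:
    the expected 2^(k-1) trials must not exceed the operations the budget buys."""
    affordable_ops = budget_usd / price_per_hour * ops_per_hour
    return int(math.floor(math.log2(affordable_ops))) + 1


if __name__ == "__main__":
    for bits in (56, 80, 128):
        print(f"{bits}-bit symmetric key: ~{symmetric_key_cost_usd(bits):.3g} USD expected")
    for bits in (160, 256):
        print(f"{bits}-bit ECC group order: ~{ecc_key_cost_usd(bits):.3g} USD expected")
    print("a budget of 1e6 USD buys an expected break of up to",
          symmetric_bits_affordable(1e6), "symmetric bits")
```

The point of the model is the last function: once the throughput of one rented instance-hour is measured, the key size that a given budget can be expected to break follows directly, and the answer moves by exactly one bit whenever that throughput (or the budget) doubles.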

Finally, the results are interesting and can, thanks to the general approach, be repeated frequently. Interesting stuff, so keep in mind that even the cloud cannot solve all issues, fortunately. ;)


Paper: Calm before the Storm: The Emerging Challenges of Cloud Computing in Digital Forensics

14/09/2012

Calm before the Storm: The Emerging Challenges of Cloud Computing in Digital Forensics

Abstract:

Cloud computing is a rapidly evolving technological phenomenon. Rather than procure, deploy and manage a physical IT infrastructure to host its software applications, organizations are increasingly deploying the same into remote, virtualized environments, which can be hosted and managed by third party providers. This development in the IT landscape has significant implications for digital forensic investigators, toolkit developers and corporate compliance and audit departments. Much of digital forensic practice assumes careful control and management of IT assets (particularly data storage) during the conduct of an investigation. This paper summarises the key aspects of cloud computing and analyses how established digital forensic procedures will be invalidated in this new environment. Several immediate research agendas are proposed to begin addressing these new challenges.

Information:

Paper by G. Grispos, T. Storer, and W. B. Glisson - PDF Download

Brief Discussion:

During the review of this paper, it turned out that the authors pretty much focused on the applicability of different existing digital forensic frameworks in cloud environments. So the paper can more or less be seen as an overview paper discussing the different aspects of cloud forensics. A detailed analysis of the individual aspects cannot be found, but the future work section lists some interesting items that should be in scope of future research activities. For me personally, it’s sometimes hard to understand why people a) use references without numbers and b) huge line shifting ;) .


Paper: Secure Logging and Auditing in Electronic Health Records Systems: What Can We Learn from the Payment Card Industry

24/08/2012

Secure Logging and Auditing in Electronic Health Records Systems: What Can We Learn from the Payment Card Industry

Abstract:

not available

Information:

Position paper by Jason King, Laurie Williams – HealthSec’12 – PDF Download

Brief Discussion:

I read this article because I wanted to see the differences between PCI (Payment Card Industry) and HIT (Health Information Technology) in terms of logging requirements from an academic security perspective. The authors are quite right with their statement: “If cardholder data is breached in the PCI, payment card companies may then remove fraudulent charges from the customer’s account and/or issue the customer a new payment card. However, once a person’s PHI has been breached, the PHI has been breached forever.”

In this short paper, you can find a brief comparison of the logging requirements of PCI and HIT, and also the conclusion that HIT needs to catch up with PCI and hopefully surpass it in terms of securing and protecting personal health information. Interesting …


Paper: From Real-Time Intercepts to Stored Records: Why Encryption Drives the Government to Seek Access to the Cloud

15/08/2012

From Real-Time Intercepts to Stored Records: Why Encryption Drives the Government to Seek Access to the Cloud

Abstract:

This paper explains how changing technology, especially the rising adoption of encryption, is shifting law enforcement and national security lawful access to far greater emphasis on stored records, notably records stored in the cloud. The major and growing reliance on surveillance access to stored records results from the following changes:

(1) Encryption. Adoption of strong encryption is becoming much more common for data and voice communications, via virtual private networks, encrypted webmail, SSL web sessions, and encrypted Voice over IP voice communications.

(2) Declining effectiveness of traditional wiretaps. Traditional wiretap techniques at the ISP or local telephone network increasingly encounter these encrypted communications, blocking the effectiveness of the traditional techniques.

(3) New importance of the cloud. Government access to communications thus increasingly relies on a new and limited set of methods, notably featuring access to stored records in the cloud.

(4) The “haves” and “have-nots.” The first three changes create a new division between the “haves” and “have-nots” when it comes to government access to communications. The “have-nots” become increasingly dependent, for access to communications, on cooperation from the “have” jurisdictions.

Part 1 of the paper describes the changing technology of wiretaps and government access. Part 2 documents the growing adoption of strong encryption in a wide and growing range of settings of interest to government agencies. Part 3 explains how these technological trends create a major shift from real-time intercepts to stored records, especially in the cloud.

Information:

Paper by Pete Swire – access online

Brief Discussion:

This paper discusses the effect of technical changes on likely paths for lawful access to communications information. Although none of the discussed topics are new, it is interesting to see how they are related to each other when it comes to lawful access to communications information.

The author discusses the traditional CALEA approach, stating that telecommunications carriers and manufacturers of telecommunications equipment design their products and services with the intention of ensuring that they could carry out a lawful order to provide government access to communications. Secondly, the impact of strong encryption mechanisms on wiretapping capabilities is discussed.

In the third chapter, the four ways for agencies to access communications information are discussed:

  1. Break encryption in transit: Check out the implementation flaws of SSL/TLS implementations, basic PKI issues such as establishing trust relationships in the first place, etc.
  2. Intercept before or after encryption: Very important. Basically, two entities come into play here: a) the client and b) the server. The connection between a) and b) is encrypted, but the endpoints are not, which leads to item 4.
  3. Assure access in unencrypted form
  4. Access after the fact, in stored form, often in the Cloud: The following statement by the author is probably not known to the broad public but seems to be straightforward: “Similarly, because Skype interconnects with the traditional telephone network, it is required to be wiretap-ready under the 2005 FCC CALEA order, and agencies have reason to come to that company for access.”

    This whole section four provides very good reasons why the key should never be stored at the CSP; cloud-based solutions that store the encryption key right beside the ciphertext are therefore somewhat useless from a security perspective. However, the author also holds the opinion that proper encryption concepts will not be a big barrier for lawful access, since a) there are still significant technical challenges for efficient search and retrieval of encrypted data and b) it is extremely risky for users to store data in the cloud without having a backup of the keys.


Eventual Consistency – High Impact on Cloud Forensics Capabilities?

04/08/2012

Recently, I stumbled upon the paper “Eventual Consistency: How soon is eventual? - An Evaluation of Amazon S3’s Consistency Behavior” written by David Bermbach and Stefan Tai (both KIT). Although this paper was not written with security in mind but rather for economic purposes, I consider it to have a high impact on the forensic capabilities in cloud environments. This is actually pretty interesting stuff.

Eventual consistency describes a state in which a data object has not yet been fully replicated throughout the whole cloud storage environment. This means it will be replicated in the future; however, this requires a) time and b) no further errors in the replication process.

The authors proposed the following basic steps to measure the consistency:

  1. Create a timestamp.
  2. Write a version number to the storage system.
  3. Continuously read until the old version number is no longer returned, then create a new timestamp.
  4. Calculate the difference between the write timestamp and the second timestamp (time of the last read of the previous version).
  5. Repeat these steps to achieve statistical significance.

The results for AWS S3 have been quite interesting and I can highly recommend having a look at the paper. But what’s the impact on forensics now?

Well, first of all, the approach mentioned above is quite interesting in terms of shedding more light into the cloud black box. In general, I can see some basic similarities to the paper published by Ristenpart et al. The intention is somehow the same, isn’t it?

Secondly, this consistency issue is interesting in terms of data remnants that could be used in potential forensic investigations.

Example: 
Let’s assume that a customer uploads a data object into the cloud storage environment and of course, due to load balancing features, the data object is only uploaded to one specific storage server based in Europe first. After a given time frame n this object will be replicated to k different storage servers around the globe. However, due to the nature of the storage environment, only one data object with a specific name can be stored (see S3) at a time.

Furthermore, we now assume that this customer comes into the scope of a forensic investigation because the uploaded data objects are assumed to contain information about potential terrorist attacks (bad example, I know ;) ). He knows that the law enforcement agencies will come after him and therefore tries to get rid of all data objects in his cloud storage account. He knows that simple deletion is not enough and hence decides to upload random data objects with the same name in order to overwrite the existing sensitive data objects (versioning is not provided by the CSP). In terms of cloud forensics, the following two cases could be interesting for the forensic examiners:

Huge replication time window:
Given that the time n needed to replicate the random data objects to all storage servers is high, the forensic examiners could still be able to extract the sensitive data from other servers. On these servers, the old data object is still available.

Error in replication process:
The forensic examiners should consider and investigate the case that the replication to all k storage servers has not been successful. There is still a chance that, e.g., only k-3 storage servers have received the new data object and the old data object is still available on 3 servers globally.
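To make the five measurement steps and the two remnant cases concrete, here is an added Python simulation; it is not code from the paper or from the original post. It models a toy object store with k replicas in which each replica applies a write only after its own propagation delay and, with a configurable probability, never applies it at all. `measure_inconsistency_window` runs steps 1 to 4 against the store's client-facing read (which, like a load-balanced store, is served by an arbitrary replica), `run_experiment` repeats it as step 5 demands, and `find_remnants` is the examiner-side view: it asks every replica directly and reports those that still hold the old object. Time is simulated, and all delays and failure rates are constructed, so the numbers say nothing about S3 itself.

```python
import math
import random
import statistics


class SimulatedStore:
    """Toy eventually consistent object store (constructed for this example):
    k replicas, one object name, each replica applies a write only after its
    own propagation delay, and with some probability never applies it."""

    def __init__(self, replicas: int, max_delay: float, failure_rate: float, seed: int = 0):
        self.rng = random.Random(seed)
        self.clock = 0.0                      # simulated seconds
        self.max_delay = max_delay
        self.failure_rate = failure_rate
        self.replicas = [dict() for _ in range(replicas)]
        self.pending = []                     # (apply_at, replica_index, key, value)

    def advance(self, dt: float) -> None:
        """Move simulated time forward and apply replication that is now due."""
        self.clock += dt
        due = sorted(p for p in self.pending if p[0] <= self.clock)
        self.pending = [p for p in self.pending if p[0] > self.clock]
        for _, i, key, value in due:
            self.replicas[i][key] = value

    def write(self, key: str, value: str) -> None:
        """The write lands on one replica now; the others follow later, or never."""
        first = self.rng.randrange(len(self.replicas))
        self.replicas[first][key] = value
        for i in range(len(self.replicas)):
            if i == first:
                continue
            if self.rng.random() < self.failure_rate:
                continue                      # constructed failure: replica i never gets the new object
            delay = self.rng.uniform(0.0, self.max_delay)
            self.pending.append((self.clock + delay, i, key, value))

    def read(self, key: str):
        """Client-facing read, served by whichever replica the load balancer picks."""
        return self.rng.choice(self.replicas).get(key)

    def read_all_replicas(self, key: str) -> list:
        """Examiner-side view: what every single replica holds right now."""
        return [r.get(key) for r in self.replicas]


def measure_inconsistency_window(store, key, version, step=0.1, quiet=2.0, timeout=60.0):
    """Steps 1-4: timestamp, write, read until the old version stops showing up,
    return the width of the stale window. math.inf means stale reads were still
    occurring at the timeout, i.e. the object never converged."""
    t_write = store.clock                                   # step 1
    store.write(key, version)                               # step 2
    last_stale = None
    while True:                                             # step 3
        store.advance(step)
        if store.read(key) != version:
            last_stale = store.clock
        since_stale = store.clock - (t_write if last_stale is None else last_stale)
        if since_stale >= quiet:
            break
        if store.clock - t_write >= timeout:
            return math.inf
    return 0.0 if last_stale is None else last_stale - t_write   # step 4


def find_remnants(store, key, current_version):
    """The two cases above from the examiner's side: replicas that still hold
    something other than the current object (slow or failed replication)."""
    return [(i, v) for i, v in enumerate(store.read_all_replicas(key)) if v != current_version]


def run_experiment(runs, replicas, max_delay, failure_rate=0.0, seed=42):
    """Step 5: repeat the measurement and summarise the windows."""
    store = SimulatedStore(replicas, max_delay, failure_rate, seed)
    windows = []
    for n in range(runs):
        windows.append(measure_inconsistency_window(store, "object", f"v{n}"))
        store.advance(max_delay)              # drain late replication before the next run
    finite = [w for w in windows if math.isfinite(w)]
    return {
        "runs": runs,
        "converged": len(finite),
        "median_window": statistics.median(finite) if finite else math.inf,
        "max_window": max(finite) if finite else math.inf,
    }


if __name__ == "__main__":
    print(run_experiment(runs=50, replicas=5, max_delay=3.0))
    s = SimulatedStore(replicas=5, max_delay=3.0, failure_rate=0.5, seed=1)
    s.write("object", "sensitive")
    s.advance(10.0)
    s.write("object", "random-overwrite")
    s.advance(10.0)
    print("replicas still holding old data:", find_remnants(s, "object", "random-overwrite"))
```

Two things the simulation makes visible: the client-facing measurement can only say when stale reads stop being served, not whether every replica has converged, so a replica that silently failed to replicate shows up as a measurement that never ends rather than as a result; and the examiner-side check needs direct access to individual replicas, which is exactly what a customer of a public cloud storage service does not have.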

Finally, I guess this topic could be worth investigating further from a forensics perspective. ;)


Paper: Securing Provenance

26/07/2012

Securing Provenance

Abstract:

Provenance describes how an object came to be in its present state. Intelligence dossiers, medical records and corporate financial reports capture provenance information. Many of these applications call for security, but existing security models are not up to the task. Provenance is a causality graph with annotations. The causality graph connects the various participating objects describing the process that produced an object’s present state. Each node represents an object and each edge represents a relationship between two objects. This graph is an immutable directed acyclic graph (DAG). Existing security models do not apply to DAGs nor do they easily extend to DAGs. Any model to control access to the structure of the graph must integrate with existing security models for the objects. We need to develop an access control model tailored to provenance and study how it interacts with existing access control models. This paper frames the problem and identifies issues requiring further research.

Information:

Paper by Uri Braun, Avraham Shinnar, Margo Seltzer – HotSec’08 – PDF Download

Brief Discussion:

Theoretically, provenance starts with the Big Bang and includes all activities afterwards that have an impact on a specific object. Within the research community, authors often use DAGs to visualize provenance graphs. According to the authors, these graphs and provenance in general need their own security model because the security requirements for the provenance data are totally different from the security requirements of the data itself. Interesting perspective …
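The separation the authors argue for, a policy on the objects and a different policy on the causality graph, is easiest to see in code. The following Python class is an added illustration, not the paper's model: it keeps an append-only DAG in which an edge child -> parent means "child was derived from parent", rejects cycles by construction (a parent must already be recorded), never deletes anything, and stores one reader set per object payload and another per edge. The scenario in `build_example` (source, memo, report, and the principals analyst, auditor and customer) is constructed.

```python
class ProvenanceGraph:
    """Append-only causality graph. Nodes are objects, an edge child -> parent
    records 'child was derived from parent'. Object payloads and graph
    structure carry separate read policies, so a principal may see an object
    without its lineage, or the lineage without the objects on it."""

    def __init__(self):
        self._payload = {}      # node id -> object contents
        self._parents = {}      # node id -> frozenset of parent ids
        self._object_acl = {}   # node id -> principals allowed to read the payload
        self._edge_acl = {}     # (child, parent) -> principals allowed to see the edge

    def add_object(self, node_id, payload, readers, derived_from=(), edge_readers=None):
        """Record a new object and its derivation edges. Parents must already exist,
        so edges always point into the past: no cycles, and nothing is ever rewritten."""
        if node_id in self._payload:
            raise ValueError(f"{node_id!r} already recorded; provenance is immutable")
        missing = [p for p in derived_from if p not in self._payload]
        if missing:
            raise ValueError(f"unknown ancestors {missing!r}")
        self._payload[node_id] = payload
        self._parents[node_id] = frozenset(derived_from)
        self._object_acl[node_id] = frozenset(readers)
        link_readers = frozenset(readers if edge_readers is None else edge_readers)
        for p in derived_from:
            self._edge_acl[(node_id, p)] = link_readers

    def read_object(self, node_id, principal):
        """Object-level policy: the ordinary access check on the data itself."""
        if principal not in self._object_acl[node_id]:
            raise PermissionError(f"{principal} may not read {node_id}")
        return self._payload[node_id]

    def ancestors(self, node_id):
        """Full transitive ancestry with no policy applied (the graph owner's view)."""
        seen, stack = set(), list(self._parents[node_id])
        while stack:
            p = stack.pop()
            if p not in seen:
                seen.add(p)
                stack.extend(self._parents[p])
        return seen

    def visible_ancestry(self, node_id, principal):
        """Graph-level policy: what the principal may learn about where node_id came
        from. Only edges the principal may see are followed, and each reached node
        is reported with whether its payload is readable by that principal."""
        result, stack, seen = {}, [node_id], {node_id}
        while stack:
            n = stack.pop()
            for p in self._parents[n]:
                if principal in self._edge_acl[(n, p)] and p not in seen:
                    seen.add(p)
                    result[p] = principal in self._object_acl[p]
                    stack.append(p)
        return result


def build_example():
    """Constructed scenario: a report whose source must stay hidden from the
    customer, while an auditor may verify the chain of derivation without
    being able to read any of the underlying objects."""
    g = ProvenanceGraph()
    g.add_object("source", "raw informant notes", readers={"analyst"})
    g.add_object("memo", "internal assessment", readers={"analyst"},
                 derived_from=["source"], edge_readers={"analyst", "auditor"})
    g.add_object("report", "final report", readers={"analyst", "customer"},
                 derived_from=["memo"], edge_readers={"analyst", "auditor"})
    return g


if __name__ == "__main__":
    g = build_example()
    for who in ("customer", "auditor", "analyst"):
        print(who, "sees ancestry of report:", g.visible_ancestry("report", who))
```

The customer can read the report but learns nothing about its lineage; the auditor can walk the whole chain but cannot open a single object on it; the analyst gets both. Neither of the first two outcomes is expressible with an access control list on the objects alone, which is the gap the paper points at.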


Paper: Challenges for Provenance in Cloud Computing

13/04/2012

Challenges for Provenance in Cloud Computing

Abstract:

Many applications which require provenance are now moving to cloud infrastructures. However, it is not widely realised that clouds have their own need for provenance due to their dynamic nature and the burden this places on their administrators. We analyse the structure of cloud computing to identify the unique challenges facing provenance collection and the scenarios in which additional provenance data could be useful.

Information:

Paper by Imad M. Abbadi and John Lyle - Proceedings of the Third USENIX Workshop on the Theory and Practice of Provenance (TaPP 2011) - PDF Download

Brief Discussion:

Within this paper, the authors try to identify the unique challenges facing provenance information in cloud environments. This is a very important topic which will definitely receive more attention over the next years, since incidents and forensics in such environments will also become more important.

Though the paper is short, it discusses the specific challenges of provenance data in the cloud very well. The authors propose that all layers, sub-layers and groups of a cloud system should incorporate a mechanism to support the collection of linkable data providing the provenance of events related to a specific activity. This sounds good; however, it is not discussed how this shall be achieved.


Paper: Cloud Forensics

29/03/2012

Cloud Forensics

Abstract:

Cloud computing may well become one of the most transformative technologies in the history of computing. Cloud service providers and customers have yet to establish adequate forensic capabilities that could support investigations of criminal activities in the cloud. This paper discusses the emerging area of cloud forensics, and highlights its challenges and opportunities.

Information:

Paper by Keyun Ruan, Joe Carthy, Tahar Kechadi and Mark Crosbie – PDF Download (paywall)

Brief Discussion:

Within this paper, the emerging area of cloud forensics is discussed, and its challenges and opportunities are highlighted.

So for me the most interesting part of the paper is what the authors expect of the notion “cloud forensics”. What exactly does it mean to them?

The first phrase considering this point is stated in section 2: “Cloud forensics is a subset of network forensics.”

Well, I totally disagree. Network forensics is an important part of cloud forensics because the network is a huge part of today’s cloud environments. However, afaik it is not a good idea to reduce cloud forensics to network forensics. What about the client? What about the VM? What about the application? These components are not covered by simple network forensics.

Later on in section 2.1, the authors state that “forensic data includes client-side artifacts that reside on client premises and provider-side artifacts that are located in the provider infrastructure.” There we go – so how can we address these artifacts with simple network forensics?


Paper: Leveraging Forensic Tools for Virtual Machine Introspection

06/03/2012

Leveraging Forensic Tools for Virtual Machine Introspection 

Abstract:

Virtual machine introspection (VMI) has formed the basis of a number of novel approaches to security in recent years. Although the isolation provided by a virtualized environment provides improved security, software that makes use of VMI must overcome the semantic gap, reconstructing high-level state information from low-level data sources such as physical memory. The digital forensics community has likewise grappled with semantic gap problems in the field of forensic memory analysis (FMA), which seeks to extract forensically relevant information from dumps of physical memory. In this paper, we will show that work done by the forensic community is directly applicable to the VMI problem, and that by providing an interface between the two worlds, the difficulty of developing new virtualization security solutions can be significantly reduced.

Information:

Paper by B. Dolan-Gavitt, B. Payne, W. Lee - Technical Report - PDF Download

Brief Discussion:

Within this technical report, the authors want to show that the efforts and progress made by the forensic community are directly applicable to the virtual machine introspection (VMI) problem. Normally, this is not an easy task, since high-level semantic knowledge about the guest operating system must be reconstructed from low-level sources such as physical memory and CPU registers. The authors refer to this problem as the semantic gap.

In the paper, the authors differentiate between VMI and forensic memory analysis (FMA). The main difference is that VMI operates at runtime, whereas FMA is static and already known to the research community. However, both techniques also have something in common: they rely on physical memory in order to reconstruct the state of the OS. Hence, VMI as well as FMA applications must be able to translate virtual addresses to their physical location in memory. Since VMI is a live forensic investigation, one huge difficulty comes up: the CPU and memory state will change while the analysis is performed.
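The address translation both communities depend on is a page-table walk over the physical image. As an added example, not taken from the report or from any particular forensic tool, here is a Python walk of the 32-bit non-PAE x86 scheme: the page directory index comes from bits 31:22 of the virtual address, the page table index from bits 21:12, and the offset from bits 11:0, with the directory entry's PS bit selecting a 4 MiB page. The memory image, the CR3 value and all mappings in `build_sample_image` are constructed; a real run would take CR3 from the captured register state and the image from the VM's RAM or a dump.

```python
import struct

PAGE_SIZE = 0x1000
PTE_PRESENT = 1 << 0
PDE_LARGE_PAGE = 1 << 7      # PS bit: the directory entry itself maps a 4 MiB page


class PhysicalMemory:
    """A physical memory image, as a VM's RAM or a memory dump presents it
    (here a constructed one)."""

    def __init__(self, size):
        self.buf = bytearray(size)

    def read_u32(self, paddr):
        return struct.unpack_from("<I", self.buf, paddr)[0]

    def write_u32(self, paddr, value):
        struct.pack_into("<I", self.buf, paddr, value)

    def read(self, paddr, length):
        return bytes(self.buf[paddr:paddr + length])


def translate_x86_32(mem, cr3, vaddr):
    """Walk the two-level 32-bit (non-PAE) page tables rooted at cr3.
    Returns the physical address, or None if the page is not present."""
    pd_index = (vaddr >> 22) & 0x3FF
    pt_index = (vaddr >> 12) & 0x3FF
    pde = mem.read_u32((cr3 & 0xFFFFF000) + pd_index * 4)
    if not pde & PTE_PRESENT:
        return None
    if pde & PDE_LARGE_PAGE:
        return (pde & 0xFFC00000) | (vaddr & 0x3FFFFF)
    pte = mem.read_u32((pde & 0xFFFFF000) + pt_index * 4)
    if not pte & PTE_PRESENT:
        return None
    return (pte & 0xFFFFF000) | (vaddr & 0xFFF)


def read_virtual(mem, cr3, vaddr, length):
    """Read guest-virtual bytes, translating page by page so a read may cross
    page boundaries; None if any page on the way is unmapped."""
    out = b""
    while length > 0:
        paddr = translate_x86_32(mem, cr3, vaddr)
        if paddr is None:
            return None
        chunk = min(length, PAGE_SIZE - (vaddr & 0xFFF))
        out += mem.read(paddr, chunk)
        vaddr += chunk
        length -= chunk
    return out


def build_sample_image():
    """Constructed 32 KiB image: page directory at 0x1000, one page table at 0x2000.
    PDE 0 identity-maps the low 4 MiB as a large page (as kernels often do);
    PDE 1 points at the page table, which maps virtual 0x00400000 -> frame 0x5000
    and 0x00401000 -> frame 0x7000, so a string can straddle non-adjacent frames."""
    mem = PhysicalMemory(0x8000)
    cr3 = 0x1000
    mem.write_u32(cr3 + 0 * 4, 0x00000000 | PTE_PRESENT | PDE_LARGE_PAGE)
    mem.write_u32(cr3 + 1 * 4, 0x2000 | PTE_PRESENT)
    mem.write_u32(0x2000 + 0 * 4, 0x5000 | PTE_PRESENT)
    mem.write_u32(0x2000 + 1 * 4, 0x7000 | PTE_PRESENT)
    marker = b"guest-kernel-string\x00"     # 20 bytes, placed at virtual 0x00400FF0
    mem.buf[0x5FF0:0x6000] = marker[:16]
    mem.buf[0x7000:0x7004] = marker[16:]
    return mem, cr3


if __name__ == "__main__":
    mem, cr3 = build_sample_image()
    print(hex(translate_x86_32(mem, cr3, 0x00400123)))
    print(read_virtual(mem, cr3, 0x00400FF0, 20))
```

The straddling string is the case worth noticing: bytes that are contiguous in the guest's virtual view sit in two unrelated frames of the physical image, so a naive string search over the raw dump would never find it whole, while the walk reassembles it. For the live (VMI) case the same code applies, with the caveat the authors raise: the tables can change under the reader between one walk and the next.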

The authors also discuss how forensic tools could be used for VMI – they need to access the memory of the guest VM and this can be done in two ways: attach existing forensic software to the VM or present the memory of the VM to the forensic application in a way it understands. The authors implemented both ways: filesystem interface and extension API.


Paper: Cloud Computing and Data Jurisdiction: A New Challenge for Digital Forensics

14/02/2012

Cloud Computing and Data Jurisdiction: A New Challenge for Digital Forensics

Abstract:

Although it has become clear that digital forensics – the practical analysis of digital data following the acquisition of a bit-stream image of a suspect’s hard disk – suffered a setback with the wide adoption of mobile devices and the increasing use of flash memory and encryption systems, it is undoubtedly also the case that it experienced a fundamental change due to the incredible expansion of cloud computing systems. In this article, the aim is to study the jurisdictional problems that cloud computing systems cause and the possible solutions at an EU level that have been adopted by legislators and the courts of the European Union in relation to the gathering of digital evidence that may be concealed in the ‘clouds’. Particular attention must be paid to German and Italian case law experience as Courts in these countries have addressed the problem, providing different solutions to resolve the same problem.

Information:

Paper by G. Vaciago – published at CYBERLAWS 2012 - PDF Download

Brief Discussion:

Disclaimer first: this is primarily a legal paper and hardly touches any technical aspects. However, I was directed to this paper by a lawyer, and since it consists of only 6 pages, I had a quick read. ;)

The author tried to focus on the jurisdictional problems that cloud systems cause and discussed the possible solutions at an EU level that have been adopted by legislators and the courts of the European Union. He paid particular attention to the German and the Italian case law experience.

Since I’m not a lawyer, I can’t discuss the complete paper, as I lack the skills in this field. However, the comparison of the different approaches to the “loss of location” issue could be quite interesting for engineers as well. Loss of location is another way of saying that cloud environments come along with the possibility of putting digital data onto a set of servers whose location is not totally clear to the customer. This means the customer could be based in one jurisdiction while his/her data, which is processed e.g. on a daily basis, is located in another jurisdiction.

Within this paper, four principles are explained:

  1. Territorial Principle by Virtue: The court in the place where the data is located obtains the jurisdiction.
  2. Nationality Principle by Virtue: The nationality of an adversary is used to establish criminal jurisdiction.
  3. Flag Principle: Crimes committed on ships, aircraft etc. are subject to the jurisdiction of the flag state.
  4. Power of Disposal Approach: More information can be found here.

UPDATE: I discussed the content of this paper with a lawyer and he asked what this paper has to do with cloud computing except for the discussion of the principles? The rest of the cases that are discussed have little or nothing to do with cloud computing at all. Interesting … ;)


Paper: Investigating the Implications of Virtual Machine Introspection for Digital Forensics

06/02/2012

Investigating the Implications of Virtual Machine Introspection for Digital Forensics

Abstract:

Researchers and practitioners in computer forensics currently must base their analysis on information that is either incomplete or produced by tools that may themselves be compromised as a result of the intrusion. Complicating these issues are the techniques employed by the investigators themselves. If the system is quiescent when examined, most of the information in memory has been lost. If the system is active, the kernel and programs used by the forensic investigators are likely to influence the results and as such are themselves suspect. Using virtual machines and a technique called virtual machine introspection can help overcome these limits, but it introduces its own research challenges. Recent developments in virtual machine introspection have led to the identification of four initial priority research areas in virtual machine introspection including virtual machine introspection tool development, applications of virtual machine introspection to non-quiescent virtual machines, virtual machine introspection covert operations, and virtual machine introspection detection.

Information:

Paper by K. Nance, B. Hay and M. Bishop - paper in Proceedings of the 2009 International Conference on Availability, Reliability and Security - PDF Download

Brief Discussion:

The paper begins with an interesting statement: researchers and forensic practitioners typically base their analysis on information that is either incomplete or produced by tools that may themselves be compromised as a result of the intrusion. I totally agree: log files, for instance, that are stored on the compromised system cannot be viewed as a reliable source of information. The adversary could have modified or deleted them.

The authors argue that non-quiescent (i.e. live) analysis becomes more common but also suffers from effects such as the observer effect: any action performed during the live analysis process modifies the state of the system under investigation. Virtual machine introspection tries to mitigate this issue by “investigating from remote”.

Within the paper, the authors introduce four research issues within this field: the development of forensic tools, the monitoring of active virtual machines, active monitoring and the detection of virtual machine introspection techniques from within the VM.

Btw., I guess someone forgot to delete some parts of the LaTeX template ;) – page 2, second column:

Wherever Times is specified, Times Roman or Times New Roman may be used. If neither is available on your word processor, please use the font closest in appearance to Times. Avoid using bitmapped fonts if possible. True-Type 1 or Open Type fonts are preferred. Please embed symbol fonts, as well, for math, etc.



Paper: Finding File Fragments in the Cloud

16/01/2012

Finding File Fragments in the Cloud

Abstract:

Will not be published here – please search for official release on the Internet

Information:

Paper by Dirk J Ras and Martin S Olivier (University of Pretoria) – accepted paper at Eighth Annual IFIP WG 11.9

Brief Discussion:

The paper investigates, by conducting an experiment, the feasibility of performing a digital forensic analysis on a cloud computing system, Nebula in this case. In fact, the authors focused on IaaS and pretty much omitted SaaS and PaaS. Their experiment showed that it is possible to extract meaningful information from the cloud system and, in certain cases, even to restart the captured VM.

The experiment was performed by putting a known string into some reference files before the different shutdown processes were initiated: controlled shutdown, uncontrolled shutdown and capture via the network. Once a node was taken offline, the hard disk drives were removed from each of the nodes used in the setup.

I pretty much like the idea, and although the complete procedure and the results seem pretty straightforward, it is good to have someone actually try it in practice. The results are that, in general, data could be fully or partially recovered and in some scenarios VMs could even be re-instantiated.
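The recovery step of such an experiment, locating known reference files in the raw images of the removed disks and deciding whether each came back whole, is small enough to show. The following Python is an added example, not the authors' code: it scans a raw image for a constructed header marker, classifies each hit as complete (trailer still present at the expected distance) or partial, and reports the sectors involved. Searching the whole image rather than sector by sector is what lets it find a record that straddles a sector boundary. The markers, payload length and sample image are all constructed.

```python
HEADER = b"REF-FILE-BEGIN:"     # constructed marker written into each reference file
TRAILER = b":REF-FILE-END"
PAYLOAD_LEN = 40
SECTOR = 512


def find_reference_files(image, sector_size=SECTOR):
    """Scan a raw disk image for every reference file. Matching on the whole
    image rather than sector by sector also catches records that straddle a
    sector boundary; each hit is classified as complete (trailer intact) or
    partial (header found, trailer overwritten or lost)."""
    hits, start = [], 0
    while True:
        i = image.find(HEADER, start)
        if i < 0:
            return hits
        payload_at = i + len(HEADER)
        trailer_at = payload_at + PAYLOAD_LEN
        intact = image[trailer_at:trailer_at + len(TRAILER)] == TRAILER
        end = trailer_at + len(TRAILER) if intact else trailer_at
        hits.append({
            "offset": i,
            "first_sector": i // sector_size,
            "last_sector": (end - 1) // sector_size,
            "payload": bytes(image[payload_at:trailer_at]),
            "status": "complete" if intact else "partial",
        })
        start = i + 1


def build_sample_image():
    """Constructed 8-sector image: one record inside sector 2, one straddling
    sectors 5 and 6, and one in sector 7 whose trailer was never written."""
    image = bytearray(bytes(range(256)) * 16)     # 4096 bytes of filler that cannot contain the markers

    def put(offset, payload, with_trailer=True):
        rec = HEADER + payload + (TRAILER if with_trailer else b"")
        image[offset:offset + len(rec)] = rec

    put(2 * SECTOR + 100, b"A" * PAYLOAD_LEN)
    put(6 * SECTOR - 20, b"B" * PAYLOAD_LEN)
    put(7 * SECTOR + 400, b"C" * PAYLOAD_LEN, with_trailer=False)
    return bytes(image)


if __name__ == "__main__":
    for hit in find_reference_files(build_sample_image()):
        print(hit["status"], "at", hit["offset"],
              "sectors", hit["first_sector"], "-", hit["last_sector"])
```

On a real image the same loop runs over the whole device file, and the sector numbers are what you carry into the report, since they tie a recovered fragment to a location the acquisition log can account for.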

 


Paper: A Virtual Machine Introspection Based Architecture for Intrusion Detection

08/01/2012

A Virtual Machine Introspection Based Architecture for Intrusion Detection

Abstract:

Today’s architectures for intrusion detection force the IDS designer to make a difficult choice. If the IDS resides on the host, it has an excellent view of what is happening in that host’s software, but is highly susceptible to attack. On the other hand, if the IDS resides in the network, it is more resistant to attack, but has a poor view of what is happening inside the host, making it more susceptible to evasion. In this paper we present an architecture that retains the visibility of a host-based IDS, but pulls the IDS outside of the host for greater attack resistance. We achieve this through the use of a virtual machine monitor. Using this approach allows us to isolate the IDS from the monitored host but still retain excellent visibility into the host’s state. The VMM also offers us the unique ability to completely mediate interactions between the host software and the underlying hardware. We present a detailed study of our architecture, including Livewire, a prototype implementation. We demonstrate Livewire by implementing a suite of simple intrusion detection policies and using them to detect real attacks.

Information:

Paper by Tal Garfinkel and Mendel Rosenblum (Stanford) – accepted paper at NDSS‘03 - PDF Download

Brief Discussion:

The authors propose the idea of virtual machine introspection for intrusion detection (IDS) purposes. In a virtual environment, the activity of the VM is analyzed by directly observing hardware state and inferring software state based on a priori knowledge of its structure. Although the idea is almost 10 years old, it is getting probably even more important nowadays with the advent of IaaS cloud environments.

Since an IDS running outside of a VM normally has access only to the hardware-level state (e.g. interrupts and memory accesses) and events, the authors solve this issue by using knowledge of the OS structures inside the VM. Within this context, the authors state that commercial anti-virus tools make use of “esoteric” methods – so true ;)

According to the paper, the VMM has to provide three essential capabilities: isolation, inspection and interposition. The inspection principle is essential to VM forensics. Furthermore, for the IDS capability, a policy engine has been defined that forms the heart of the IDS. The complete idea has been implemented and experimental results have been provided – nice read!
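
The inspection principle in miniature, as an added example (my own code, not Livewire): the IDS sees only raw guest memory, so it needs a priori knowledge of the guest's data structures (here an assumed 24-byte task struct and an assumed address of the init task) to reconstruct the process list from outside. The policy then compares that outside view with what the guest itself reports; a process present in memory but absent from the guest's own list is being hidden. The guest memory image and the in-guest view are constructed.

```python
"""Out-of-VM inspection of a guest's process list, compared with the in-guest view.

Added example, not code from the paper or from Livewire. The guest memory
image is constructed inline; the struct layout and the init task address are
assumed a priori knowledge, which is exactly what real introspection needs.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

# Assumed task struct layout: pid (u32), pointer to next task (u32), comm[16].
TASK_FMT = "<II16s"
TASK_SIZE = struct.calcsize(TASK_FMT)   # 24 bytes
INIT_TASK = 0x100                       # assumed guest address of the init task


@dataclass(frozen=True)
class Task:
    pid: int
    comm: str


def build_guest_memory(procs: list[tuple[int, str]]) -> bytes:
    """Constructed 4 KiB guest memory holding a circular task list (like a kernel's)."""
    mem = bytearray(4096)
    addrs = [INIT_TASK + i * TASK_SIZE for i in range(len(procs))]
    for i, (pid, comm) in enumerate(procs):
        nxt = addrs[(i + 1) % len(procs)]           # last entry points back to init
        struct.pack_into(TASK_FMT, mem, addrs[i], pid, nxt, comm.encode())
    return bytes(mem)


def introspect_tasks(mem: bytes, init: int = INIT_TASK, max_tasks: int = 1024) -> list[Task]:
    """Walk the task list from outside the VM, using only raw memory and the layout.

    Stops when the list wraps around; a pointer outside memory or an
    unexpectedly long list is treated as a corrupted structure.
    """
    tasks: list[Task] = []
    seen: set[int] = set()
    addr = init
    while addr not in seen:
        if len(tasks) >= max_tasks:
            raise ValueError("task list longer than expected; structure corrupted?")
        if addr < 0 or addr + TASK_SIZE > len(mem):
            raise ValueError(f"task pointer {addr:#x} outside guest memory")
        seen.add(addr)
        pid, nxt, comm = struct.unpack_from(TASK_FMT, mem, addr)
        tasks.append(Task(pid, comm.rstrip(b"\0").decode()))
        addr = nxt
    return tasks


def hidden_processes(vmm_view: list[Task], guest_view: list[Task]) -> list[Task]:
    """Policy: anything visible from the VMM but missing from the guest's own
    process list is being hidden (e.g. unlinked from what ps shows)."""
    reported = {t.pid for t in guest_view}
    return [t for t in vmm_view if t.pid not in reported]


if __name__ == "__main__":
    mem = build_guest_memory([(1, "init"), (42, "sshd"), (1337, "rootkit"), (77, "httpd")])
    outside = introspect_tasks(mem)
    # Constructed in-guest view: the rootkit has removed itself from the guest's list.
    inside = [Task(1, "init"), Task(42, "sshd"), Task(77, "httpd")]
    print("hidden:", hidden_processes(outside, inside))
```

The catch the paper's isolation property addresses is visible here: the walk trusts the layout it was given, so a guest that is compromised can lie about its *own* list but cannot change what the VMM reads out of physical memory, and the bounds and loop checks keep a corrupted pointer from taking the inspector down with the guest.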


Paper: Understanding Issues in Cloud Forensics: Two Hypothetical Case Studies

01/11/2011

Understanding Issues in Cloud Forensics: Two Hypothetical Case Studies

Abstract:

The inevitable vulnerabilities and criminal targeting of cloud environments demand an understanding of how digital forensic investigations of the cloud can be accomplished. We present two hypothetical case studies of cloud crimes; child pornography being hosted in the cloud, and a compromised cloud-based website. Our cases highlight shortcomings of current forensic practices and laws. We describe significant challenges with cloud forensics, including forensic acquisition, evidence preservation and chain of custody, and open problems for continued research. 

Information:

Paper by Alan T. Sherman and Josiah Dykstra (University of Maryland) – accepted paper at ADFSL Conference on Digital Forensics, Security and Law 2011.

Brief Discussion:

The authors emphasize in the paper that forensic investigators must understand that current tools and techniques are inadequate in cloud environments. Acquisition, examination and analysis of forensic evidence differ in practice from the traditional way of digital forensics. Unfortunately, little research has been done concerning the applicability of forensics to cloud computing environments – I can totally confirm the opinion of the authors.

In two case studies, the authors reason about the state of digital forensics for cloud-related crimes. Personally I like the differentiation between the two case studies: one uses the cloud as an accessory to a crime, the other one targets the crime against the cloud. However, I don’t understand the statement:

“The examiner has no way to image the virtual machine remotely since the cloud provider does not expose that functionality, and in doing so would alter the state of the machine anyway.” 

Why? By creating a snapshot of the currently running virtual machine, the machine itself is not altered in any way. Of course, the ability for an external examiner to create a snapshot for a third party remotely is not implemented, but this could be performed by the CSP itself locally. As also stated in the paper, the CSP can do this without the attendance of any law enforcement person and the evidence would still be valid.

Finally, one sentence has to be emphasized:

“Microsoft and Amazon declined to comment about their compliance abilities in this situation.”

;)


Paper: The Case for Browser Provenance

14/10/2011

The Case for Browser Provenance

Abstract:

In our increasingly networked world, web browsers are important applications. Originally an interface tool for accessing distributed documents, browsers have become ubiquitous, incorporating a significant portion of user interaction. A modern browser now also reads email, plays media, edits documents, and runs applications. Consequently, browsers process large quantities of data, and must record metadata, such as history, to help users manage their data. Most of the metadata that modern browsers record is actually provenance – metadata that captures the causality and lineage of data obtained via the browser. We demonstrate that characterizing browser metadata as provenance and then applying techniques from the provenance research community enables new browser functionality. For example, provenance can improve both history and web search by indicating contextual and personal relationships between data items. Users can also answer complex questions about the origins of their data by querying provenance. Our initial results suggest these features are feasible to implement and could perform well in modern browsers.

Information:

Paper by Daniel W. Margo and Margo Seltzer (Harvard School of Engineering and Applied Sciences) – accepted paper at USENIX TaPP’09 - PDF Download

Brief Discussion:

When I first saw the title of the paper, I felt immediately forced to read it. Data provenance or provenance information in general is a pretty powerful tool and can provide many answers to complex questions. If you check my blog for other provenance related papers, you will realize that provenance information provides information back to the very first beginning of an item if needed and properly implemented.

The authors of this specific paper discuss interesting scenarios in which the provenance information of a browser could be useful. Just to give an example: lineage (provenance) information about downloads, personalizing web search and time-contextual history search.

Finally, in section 3 a very interesting question is asked: Why do modern browsers not use any graph algorithms at all? Or is this the case? To be honest, I don’t know either …
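
What the three scenarios above look like once browser metadata is treated as a graph, as an added example (my own code, not the paper's prototype): each search, page visit and download is a node, each "came from" relationship is an edge, and the questions become graph queries. Lineage of a download is a breadth-first walk over parent edges, the originating search is a filter on that walk, and time-contextual history is a window over first-seen timestamps. The session (items, relations, timestamps) is constructed.

```python
"""A tiny browser provenance graph and the questions it can answer.

Added example, not code from the paper. Items, relations and timestamps are
constructed; a real browser would record them from navigation, search and
download events.
"""
from __future__ import annotations

from collections import defaultdict, deque


class ProvenanceGraph:
    def __init__(self) -> None:
        # child -> [(parent, relation)]; a node may have several parents
        self.parents: dict[str, list[tuple[str, str]]] = defaultdict(list)
        # item -> timestamp of first observation
        self.seen_at: dict[str, int] = {}

    def record(self, item: str, at: int, parent: str | None = None,
               relation: str | None = None) -> None:
        """Record that `item` was seen at time `at`, optionally derived from `parent`."""
        self.seen_at.setdefault(item, at)
        if parent is not None:
            self.parents[item].append((parent, relation or "derived_from"))

    def lineage(self, item: str) -> list[tuple[str, str]]:
        """All ancestors of an item, nearest first (breadth-first over parent edges)."""
        out: list[tuple[str, str]] = []
        queue, visited = deque([item]), {item}
        while queue:
            cur = queue.popleft()
            for parent, rel in self.parents.get(cur, []):
                if parent not in visited:
                    visited.add(parent)
                    out.append((parent, rel))
                    queue.append(parent)
        return out

    def originating_searches(self, item: str) -> list[str]:
        """Which search queries eventually led to this item?"""
        return [a for a, _ in self.lineage(item) if a.startswith("search:")]

    def around(self, item: str, window: int) -> list[str]:
        """Time-contextual history: other items first seen within `window` seconds."""
        t = self.seen_at[item]
        return sorted(i for i, ti in self.seen_at.items() if i != item and abs(ti - t) <= window)


def build_sample_graph() -> ProvenanceGraph:
    """Constructed session: a search leads to a results page, a link, and a download."""
    g = ProvenanceGraph()
    g.record("search:forensic tools", at=0)
    g.record("https://example.org/results", at=1, parent="search:forensic tools", relation="result_of")
    g.record("https://example.org/tool", at=3, parent="https://example.org/results", relation="linked_from")
    g.record("file:tool.tar.gz", at=4, parent="https://example.org/tool", relation="downloaded_from")
    g.record("https://news.example/", at=60)            # unrelated visit
    return g


if __name__ == "__main__":
    g = build_sample_graph()
    print("lineage:", g.lineage("file:tool.tar.gz"))
    print("search:", g.originating_searches("file:tool.tar.gz"))
    print("context:", g.around("https://example.org/tool", window=2))
```

The forensic value is in the first query: a plain download history records that `tool.tar.gz` exists, while the lineage walk reconstructs the chain of pages and the query that produced it.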


Paper: Dark Clouds on the Horizon: Using Cloud Storage as Attack Vector and Online Slack Space

18/09/2011

Dark Clouds on the Horizon: Using Cloud Storage as Attack Vector and Online Slack Space

Abstract:

During the past few years, a vast number of online file storage services have been introduced. While several of these services provide basic functionality such as uploading and retrieving files by a specific user, more advanced services offer features such as shared folders, real-time collaboration, minimization of data transfers or unlimited storage space. Within this paper we give an overview of existing file storage services and examine Dropbox, an advanced file storage solution, in depth. We analyze the Dropbox client software as well as its transmission protocol, show weaknesses and outline possible attack vectors against users. Based on our results we show that Dropbox is used to store copyright-protected files from a popular filesharing network. Furthermore Dropbox can be exploited to hide files in the cloud with unlimited storage capacity. We define this as online slack space. We conclude by discussing security improvements for modern online storage services in general, and Dropbox in particular. To prevent our attacks cloud storage operators should employ data possession proofs on clients, a technique which has been recently discussed only in the context of assessing trust in cloud storage operators.

Information:

Paper by Martin Mulazzani, Sebastian Schrittwieser, Manuel Leithner, Markus Huber, and Edgar Weippl - accepted paper at USENIX Security’11 - PDF Download

Brief Discussion:

The authors provide some information about weaknesses in cloud storage services such as Dropbox and outline possible attack vectors against users. This was primarily done by analyzing the transmission protocol and the client. Besides the fact that the idea of abusing the deduplication feature of cloud services is not new, the paper is well structured and interesting to read. It takes old ideas and combines them with fresh results in a pretty interesting way.

However, at first I slightly missed the main difference to the paper by Pinkas et al. In March 2011, I had the pleasure to talk to Benny Pinkas myself in Zurich at IBM after his talk about the deduplication design flaws in cloud storage services. The attack is quite simple – unfortunately, mitigations are not. Further information can be found in the paper by Pinkas.
Furthermore, for the section “Stolen Host ID Attack” I miss proper references. This issue has obviously been discovered by Derek Newton half a year ago, or am I wrong? A referencing link would be nice in this case.

Obviously, SBA Research followed the responsible disclosure process according to comment #134 on the blog of Derek. Thx to Tobi for this information.


Paper: Detecting Hidden Storage Side Channel Vulnerabilities in Networked Applications

20/08/2011

Detecting Hidden Storage Side Channel Vulnerabilities in Networked Applications

Abstract:

Side channels are communication channels that were not intended for communication and that accidentally leak information. A storage side channel leaks information through the content of the channel and not its timing behavior. Storage side channels are a large problem in networked applications since the output at the level of the protocol encoding (e.g., HTTP and HTML) often depends on data and control flow. We call such channels hidden because the output differences blend with the noise of the channel. Within a formal system model, we give a necessary and sufficient condition for such storage side channels to exist. Based on this condition, we develop a method to detect this kind of side channels. The method is based on systematic comparisons of network responses of web applications. We show that this method is useful in practice by exhibiting hidden storage side channels in three well-known web applications: Typo3, Postfix Admin, and Zenith Image Gallery.

Information:

Paper by Felix Freiling and Sebastian Schinzel – accepted paper at IFIP SEC 2011 - PDF Download

Brief Discussion:

The authors describe a method based on systematic comparisons of network responses of web applications. This means: you throw a lot of rubbish requests at a web application and figure out how the responses differ from the responses caused by requests with valid accounts, data, etc. I pretty much like the idea ;). And obviously, the results are impressive: the authors provide three real-world applications which are vulnerable.
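
The comparison idea, as an added example for testing one's own application (my own code, not the authors' tool): send the same request several times per class (say, an existing account versus a non-existing one), drop every token that varies between repeats of the *same* class, since that is the channel noise (CSRF tokens, timestamps, session ids), and only then compare the two classes. Any difference that survives is secret-dependent output, i.e. a storage side channel, even when it is a single character that a by-eye comparison would lose in the noise. The responses, including the one-space difference in the div tag, are constructed.

```python
"""Detecting a hidden storage side channel by comparing response classes.

Added example, not the authors' tool. Responses are constructed; in practice
they would be collected by repeatedly sending requests that differ only in
the secret-dependent input (e.g. an existing versus a non-existing account).
"""
from __future__ import annotations

import difflib
import re

# Tags, words, whitespace runs and punctuation become separate tokens.
TOKEN = re.compile(r"<[^>]+>|\w+|\s+|[^\w\s<]+")


def tokens(response: str) -> list[str]:
    return TOKEN.findall(response)


def stable_tokens(samples: list[str]) -> list[str]:
    """Tokens of the first sample that reappear unchanged in every other sample
    of the same class. Whatever varies between repeats of the *same* request
    (nonces, timestamps, session ids) is noise and is dropped here."""
    ref = tokens(samples[0])
    keep = [True] * len(ref)
    for other in samples[1:]:
        matcher = difflib.SequenceMatcher(None, ref, tokens(other), autojunk=False)
        matched = [False] * len(ref)
        for a, _b, n in matcher.get_matching_blocks():
            for i in range(a, a + n):
                matched[i] = True
        keep = [k and m for k, m in zip(keep, matched)]
    return [t for t, k in zip(ref, keep) if k]


def find_channel(class_a: list[str], class_b: list[str]) -> list[tuple[str, str, str]]:
    """Differences that survive noise removal in both classes. A non-empty result
    means the response depends on the secret: a storage side channel exists."""
    sa, sb = stable_tokens(class_a), stable_tokens(class_b)
    matcher = difflib.SequenceMatcher(None, sa, sb, autojunk=False)
    return [(tag, "".join(sa[i1:i2]), "".join(sb[j1:j2]))
            for tag, i1, i2, j1, j2 in matcher.get_opcodes() if tag != "equal"]


def render(user_exists: bool, csrf: str, ts: int) -> str:
    """Constructed login-failure page. The CSRF token and timestamp change on
    every request; the single extra space in the div tag is the hidden channel."""
    div = '<div class="msg">' if user_exists else '<div class="msg" >'
    return (f'<html><head><meta name="csrf" content="{csrf}"></head><body>\n'
            f'{div}Login failed</div>\n<p>Generated at {ts}</p></body></html>')


def sample_responses(user_exists: bool, n: int = 4) -> list[str]:
    """n constructed responses of one class, each with a different token and timestamp."""
    return [render(user_exists, f"{((i + 1) * 0x9E3779B1) & 0xFFFFFFFF:08x}", 1700000000 + i)
            for i in range(n)]


if __name__ == "__main__":
    known, unknown = sample_responses(True), sample_responses(False)
    print("known vs unknown account:", find_channel(known, unknown))
    print("known vs known:", find_channel(known, sample_responses(True, 6)))
```

The same-class repeats are the essential part: without them a tester has to eyeball a diff in which the CSRF token and timestamp differ on every run, which is exactly why the authors call these channels hidden.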

By the way: Sebastian Schinzel was guest at my former chair at the RUB for the HackerPraktikum. Hence, you can watch the video of his talk here which is also about side channel attacks.


Cyber Forensics in the Cloud – Magazine Article

20/08/2011

Cyber Forensics in the Cloud

In volume 14 of the IAnewsletter, an article about forensics in the cloud was published. Although this magazine focuses more on industry-related readers and most of the topics in the article are already known, the article by Scott Zimmermann and Dominick Glavach was quite interesting to read.

Especially the aspect of time synchronization is important, imho. All involved entities during and before an investigation have to have time synchronization. Otherwise, evidence matching will be difficult, especially in front of a court.

Another interesting topic was “tools for performing”: If you ask me, it is not possible to create ONE specific tool for cloud forensics due to the current lack of standards. In most of the cases, you have to combine several other tools in order to get your results. In the future, in case there will be ONE standard for all cloud implementations ;) , one tool could solve a lot of forensic issues – but this will hardly be realistic.

The authors talk in the article about signature-based analysis for forensic collections – I do not think that this method will be applicable in real-world scenarios. The past has shown that the AV industry pretty much fails when it comes to reaching a 100% detection rate. 90% reliable evidence within digital forensic investigations is not enough.

Information:

Magazine paper by Dominick Glavach and Scott Zimmermann – PDF Download
