Vulnerabilities in SaaS layer of cloud computing

1. Vulnerabilities in SaaS Layer of Cloud Computing
   Clinton D'Souza, Rafael Santana
   Arizona State University

2. Overview
   - Introduction
   - Cloud Computing Overview
   - Research
   - Results
   - Conclusion
   - Discussion
   - Future work
   - Q&A

3. Introduction
   - Research funded by the Fulton Undergraduate Research Initiative (FURI).
   - Co-Author: Dr. Partha Dasgupta.
   - The purpose of the research is to bring to attention existing vulnerabilities in the Software as a Service layer of cloud computing.

4. Cloud Computing Overview
   Cloud computing architecture is divided into three layers:
   - Infrastructure as a Service (IaaS)
   - Platform as a Service (PaaS)
   - Software as a Service (SaaS)

5. Cloud Computing Models
   The most common cloud computing models:
   - Public Cloud
   - Private Cloud
   - Hybrid Cloud

6. Simple Cloud Security Structure

7. Research
   Two main points of entry into the SaaS layer:
   - User Point of Entry
     o Most common point of attack in a SaaS model
   - Provider Point of Entry
   An example query that exploits the vulnerability in most database servers, like PostgreSQL and MySQL, and grants the attacker administrator privileges could be:

8. Research
   To connect to the uploaded SaaS application, the user has to use a client/user portal, which uses a web service interface that is vulnerable to a variety of attacks, some of which include:
   - Buffer Overflow
   - Cross Site Scripting
   - SQL Injection
   - Denial of Service

9. Results
   The most common attacks associated with the SaaS model in a public cloud infrastructure. They are divided into the following four groups:

   SaaS (Software as a Service) vulnerabilities
   Availability          Denial of Service, Account lockout, Buffer overflow, Cross-site scripting
   Data Security         Access control weakness, Privilege escalation
   Network Security      Network Penetration, Session Hijacking, Data Packet Interception
   Identity Management   Authentication Weakness, Insecure Trust

10. Discussion
   Zero-Day Vulnerability Found in McAfee's SaaS Products (April 2011)
   - An attacker can execute arbitrary code by exploiting the flaw if the victim visits a malicious page or opens the file.
   - Common Vulnerability Scoring System score: 9 out of a maximum of 10.
   - The method accepts commands that are passed to a function that simply executes them, without authentication.
   - McAfee SaaS includes:
     o Email Protection (protection against viruses and spam)
     o McAfee Integrated Suites (protection against viruses, web threats, etc.)
   - Patch released in August 2011.

11. Conclusion
   Two main points of entry into the SaaS layer:
   - User Point of Entry
     o Most common point of attack in a SaaS model
   - Provider Point of Entry

   SaaS (Software as a Service) vulnerabilities
   Availability          Denial of Service, Account lockout, Buffer overflow, Cross-site scripting
   Data Security         Access control weakness, Privilege escalation
   Network Security      Network Penetration, Session Hijacking, Data Packet Interception
   Identity Management   Authentication Weakness, Insecure Trust

12. Future Work
   - The next approach is to design test cases of a security breach common to the SaaS structure, including the web services involved.
   - Propose a suitable solution for how to minimize the intensity of the penetration attack.
   - Document the resultant effects and extent of the exploit and compare with the results of other research projects/papers.
   - Document and explore the extent to which data can be exploited.

13. Q&A
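The McAfee flaw on slide 10, a method that hands caller-supplied commands to a function that executes them without authentication, in miniature. This is an added example, not code from the deck or from McAfee: a constructed dispatcher showing the flawed pattern beside a hardened one that allow-lists methods and requires a valid HMAC session token before any privileged method runs. The operation names, the token format and the key handling are all assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed: the service's signing key (a real service keeps this in a secret store).
SERVER_KEY = secrets.token_bytes(32)

# Constructed stand-ins for the operations the service exposes.
def status() -> str:
    return "agent running"

def run_command(cmd: str) -> str:
    # Stands for the function that "simply executes" whatever it is handed.
    return f"executed: {cmd}"

PUBLIC = {"status": status}                # safe for any caller
PRIVILEGED = {"run_command": run_command}  # must never run for an unauthenticated caller

def vulnerable_dispatch(request: dict) -> str:
    """The flawed pattern: whatever method the caller names is run, with no
    authentication and no distinction between public and privileged methods."""
    handlers = {**PUBLIC, **PRIVILEGED}
    return handlers[request["method"]](*request.get("args", []))

def issue_token(user: str) -> str:
    """Constructed session token: user id plus an HMAC-SHA256 tag over it."""
    tag = hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}:{tag}"

def verify_token(token: str):
    """Return the user id if the token's tag verifies, else None."""
    user, _, tag = token.partition(":")
    expected = hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()
    return user if user and hmac.compare_digest(tag, expected) else None

def hardened_dispatch(request: dict) -> str:
    """The fix: only allow-listed methods are reachable, and privileged ones
    require a token that verifies before the method is invoked."""
    method = request.get("method")
    args = request.get("args", [])
    if method in PUBLIC:
        return PUBLIC[method](*args)
    if method not in PRIVILEGED:
        raise PermissionError(f"unknown method: {method!r}")
    if verify_token(request.get("token", "")) is None:
        raise PermissionError("authentication required")
    return PRIVILEGED[method](*args)

def is_rejected(request: dict) -> bool:
    """Helper for checks: True if the hardened dispatcher refuses the request."""
    try:
        hardened_dispatch(request)
    except PermissionError:
        return True
    return False
```

The same request reaches the privileged operation through the flawed dispatcher with no credentials at all, while the hardened dispatcher refuses it until a token that verifies under the server key is presented.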