Vulnerabilities in SaaS layer of cloud computing


Posted on 09-Jun-2015


TRANSCRIPT

1. Vulnerabilities in SaaS Layer of Cloud Computing
Clinton D'Souza, Rafael Santana
Arizona State University

2. Overview
• Introduction
• Cloud Computing Overview
• Research
• Results
• Conclusion
• Discussion
• Future Work
• Q&A

3. Introduction
• Research funded by the Fulton Undergraduate Research Initiative (FURI).
• Co-Author: Dr. Partha Dasgupta.
• The purpose of this research is to bring to attention existing vulnerabilities in the Software as a Service layer of cloud computing.

4. Cloud Computing Overview
• Cloud computing architecture is divided into three layers:
  o Infrastructure as a Service (IaaS)
  o Platform as a Service (PaaS)
  o Software as a Service (SaaS)
Figure (cloud delivery models): http://lh6.ggpht.com/-t0mXLnfOQnM/ThMyEzI34LI/AAAAAAAAALU/6OLqERfVAu8/cloud-delivery-models_thumb%25255B4%25255D.png

5. Cloud Computing Models
• Most common cloud computing models:
  o Public Cloud
  o Private Cloud
  o Hybrid Cloud

6. Simple Cloud Security Structure

7. Research
• Two main points of entry into the SaaS layer:
  o User Point of Entry: the most common point of attack in a SaaS model
  o Provider Point of Entry
• An example query that exploits the vulnerability in most database servers, such as PostgreSQL and MySQL, and that will grant the attacker administrator privileges could be:

8. Research
• To connect to the uploaded SaaS application, the user will have to use a client/user portal, which uses a web service interface that is vulnerable to a variety of attacks, some of which include:
  o Buffer Overflow
  o Cross Site Scripting
  o SQL Injection
  o Denial of Service

9. Results
• The most common attacks associated with the SaaS model in a public cloud infrastructure. They are divided into the following four groups:
SaaS (Software as a Service) vulnerabilities
  o Availability: Denial of Service, Account lockout, Buffer overflow, Cross-site scripting
  o Data Security: Access control weakness, Privilege escalation
  o Network Security: Network Penetration, Session Hijacking, Data Packet Interception
  o Identity Management: Authentication Weakness, Insecure Trust

10. Discussion
• Zero-Day Vulnerability Found in McAfee's SaaS Products (April 2011)
  o An attacker can execute arbitrary code by exploiting the flaw if the victim visits a malicious page or opens the file.
  o Common Vulnerability Scoring System score: 9 out of a maximum of 10.
  o The method will accept commands that are passed to a function that simply executes them without authentication.
• McAfee SaaS includes:
  o Email Protection (protection against viruses and spam)
  o McAfee Integrated Suites (protection against viruses, web threats, etc.)
• Patch released in August 2011.
http://news.softpedia.com/news/Zero-Day-Vulnerability-Found-in-McAfee-s-SaaS-Products-247051.shtml

11. Conclusion
• Two main points of entry into the SaaS layer:
  o User Point of Entry: the most common point of attack in a SaaS model
  o Provider Point of Entry
• SaaS (Software as a Service) vulnerabilities:
  o Availability: Denial of Service, Account lockout, Buffer overflow, Cross-site scripting
  o Data Security: Access control weakness, Privilege escalation
  o Network Security: Network Penetration, Session Hijacking, Data Packet Interception
  o Identity Management: Authentication Weakness, Insecure Trust

12. Future Work
• The next approach is to design test cases of a security breach common to the SaaS structure, including the web services involved.
• Propose a suitable solution for how to minimize the intensity of the penetration attack.
• Document the resultant effects and extent of the exploit and compare with other research projects/paper results.
• Document and explore the extent to which data can be exploited.

13. Q&A
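The SQL injection path through the user portal that the Research slides describe (an injected query that hands the attacker an administrator role), as an added Python example that is not part of the original slides: a hypothetical login check built by string concatenation beside its parameterized form, both run against a constructed in-memory SQLite table standing in for the provider's user store. The table layout, the accounts in it, and the `login_unsafe`/`login_safe`/`compare` names are assumptions made for the demonstration.

```python
import sqlite3


# Constructed in-memory table standing in for the SaaS provider's user store.
# Plaintext passwords are used only to keep the demonstration short.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pw TEXT, role TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "s3cret", "administrator"), ("alice", "hunter2", "user")],
    )
    return db


def login_unsafe(db, name, pw):
    """Hypothetical portal code: user input is spliced into the SQL text,
    so quote and comment characters in the input become part of the query."""
    sql = f"SELECT role FROM users WHERE name = '{name}' AND pw = '{pw}'"
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(db, name, pw):
    """Hardened form: a parameterized query. The driver binds the input as
    values, so it is compared as data and never parsed as SQL."""
    sql = "SELECT role FROM users WHERE name = ? AND pw = ?"
    row = db.execute(sql, (name, pw)).fetchone()
    return row[0] if row else None


def compare(name, pw):
    """Return the role each variant grants for the same submitted credentials."""
    db = make_db()
    return {"unsafe": login_unsafe(db, name, pw), "safe": login_safe(db, name, pw)}


if __name__ == "__main__":
    # A valid login behaves the same either way.
    print(compare("alice", "hunter2"))
    # A username that closes the quote and comments out the password check:
    # only the concatenated query grants the administrator role.
    print(compare("admin' --", "anything"))
```

The same bound-parameter fix applies to PostgreSQL and MySQL drivers; the portal's web service gains nothing from escaping on its own if any query is still assembled from request text.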
