Sebastian Biedermann

Improving security of virtual machines during live migrations

Live migration of virtual machines (VMs) enables the transfer of a running VM to a new hardware component with minimal and hardly noticeable interruption. In cloud architectures, users are almost not able to detect live migrations of their VMs nor can they prevent them from happening. Nevertheless, if a VM is live migrated to a distant data center crossing national borders, security and privacy problems arise. This way, internal data can become subject to new national legislation without even notifying the owner of the live-migrated VM. In this paper, we propose methods to detect live migrations from the inside of an affected VM. Furthermore, we analyze how the live migration procedure can be delayed and how the additional gained time can be used to take security measures before the live migration is finished. We developed a “live migration defence framework” (LMDF) which can be used for security policy enforcement within a VM. We evaluated the proposed methods and techniques in our cloud setup and partially in the Amazon Elastic Computing Cloud (EC2).

Fast dynamic extracted honeypots in cloud computing

In this paper, we describe the design, the implementation and the evaluation of a dynamic honeypot architecture which can be offered as an additional security service for cloud users in a cloud that offers Infrastructure-as-a-Service (IaaS). Honeypots can protect original systems while revealing new and unknown attacks at the same time. The proposed dynamic honeypot architecture detects potential attacks in the initial phases and delays these attacks until a new honeypot virtual machine (VM) is extracted from the original VM which is under attack. The extraction process is a modifying VM live cloning process which leaves sensible data behind and prevents internal data loss. This way, the newly created honeypot VM runs the same software in exactly the same up-to-date configuration. The honeypot controller redirects the delayed attack to the extracted honeypot VM and analyses its impact without risking the integrity of the original target VM. The proposed architecture benefits from the flexibility and adaptability of the cloud. It efficiently protects VMs of cloud users from contemporary network attacks while only few additional cloud resources are temporarily needed. The architecture deceives and misleads an attacker or an attacking source but does not influence the normal work-flow of the original VMs in the cloud. Based on a defined reporting format, cloud users can learn from attacks which have targeted their VMs and discover current misconfigurations and unknown vulnerabilities.

Lightweight energy consumption-based intrusion detection system for wireless sensor networks

Wireless sensor networks are increasingly used in industrial settings and in safety-critical applications, generating a financial and social impact. Complementing to cryptographic means to protect the communication, it is desirable to monitor the performance of the system and detect attackers during operation. However, existing intrusion detection systems are too resource-demanding. In this paper, we propose a lightweight, energy-efficient system, which makes use of mobile agents to detect intrusions based on the energy consumption of the sensor nodes as a metric. A linear regression model is applied to predict the energy consumption. Simulation results indicate that denial-of-service attacks, such as flooding, can be detected with high accuracy, while keeping the number of false-positives very low.

Covert channels using mobile device's magnetic field sensors

This paper presents a new covert channel using smartphone magnetic sensors. We show that modern smartphones are capable to detect the magnetic field changes induced by different computer components during I/O operations. In particular, we are able to create a covert channel between a laptop and a mobile device without any additional equipment, firmware modifications or privileged access on either of the devices. We present two encoding schemes for the covert channel communication and evaluate their effectiveness.

Towards fast hardware memory integrity checking with skewed Merkle trees

Protection of a computers memorys integrity is crucial in situations where physical attacks on the computer system are a threat. Such attacks can happen during physical break in into a data center or when a mobile device is lost or stolen. Since the memory modules can be easily removed or manipulated, the integrity of their contents cannot be trusted under threat of physical attacks. To counter this, hardware memory integrity checking schemes have been proposed, and realized in a number of security microprocessor architectures. At the core of these schemes is usually some form of a Merkle tree. All previous work on security architectures, however, uses full, balanced Merkle trees. In this paper, we propose a new solution to hardware memory integrity checking based on skewed Merkel trees. Because not all memory locations are accessed equally frequently in a modern computer system, a skewed Merkle three offers better performance as the frequently accessed memory locations can be located on the leaves of the skewed Merkle tree that have shorter path to the root -- thus fewer nodes of the tree have to be accessed during integrity checks. Skewed Merkle trees offer better system performance when considering realistic memory access patterns where some page are accessed more frequently than others, they do not impact caches as much as full Merkle trees, and they do not require more storage than full, balanced Merkle trees.

Detecting computer worms in the cloud

Computer worms are very active and new sophisticated versions continuously appear. Signature-based detection methods work with a low false-positive rate, but previously knowledge about the threat is needed. Anomaly-based intrusion detection methods are able to detect new and unknown threats, but meaningful information for correct results is necessary. We propose an anomaly-based intrusion detection mechanism for the cloud which directly profits from the virtualization technologies in general. Our proposed anomaly detection system is isolated from spreading computer worm infections and it is able to detect unknown and new appearing computer worms. Using our approach, a spreading computer worm can be detected on the spreading behavior itself without accessing or directly influencing running virtual machines of the cloud.

Hard Drive Side-Channel Attacks Using Smartphone Magnetic Field Sensors

In this paper we present a new class of side-channel attacks on computer hard drives. Hard drives contain one or more spinning disks made of a magnetic material. In addition, they contain different magnets which rapidly move the head to a target position on the disk to perform a write or a read. The magnetic fields from the disk’s material and head are weak and well shielded. However, we show that the magnetic field due to the moving head can be picked up by sensors outside of the hard drive. With these measurements, we are able to deduce patterns about ongoing operations. For example, we can detect what type of the operating system is booting up or what application is being started. Most importantly, no special equipment is necessary. All attacks can be performed by using an unmodified smartphone placed in proximity of a hard drive.

Trustable outsourcing of business processes to cloud computing environments

Cloud Computing, the next generation of Internet-based services, will allow cost-effective outsourcing of applications and business processes. However, outsourcing business processes to potentially untrusted servers poses significant security and privacy problems. Despite having no direct control over the hardware platform on which the business processes run, clients still need to obtain assurance of correct execution. In this paper, we propose an architecture based on Trusted Computing technologies that allows fine-granular and policy-based remote attestation of outsourced business processes running on remote hosts. In particular, we let the provider generate, during execution of the business process, secure execution logs that allow to verify correct execution of the process at a later time by the client. Our architecture allows a cloud provider to host business processes for multiple tenants, considering at the same time multi-instance processes. We show how such an architecture can be implemented using Trusted Computing technologies, traditional virtualization technologies like Xen and the ODE process engine.

ProofBook: An Online Social Network Based on Proof-of-Work and Friend-Propagation

Online Social Networks (OSNs) enjoy high popularity, but their centralized architectures lead to intransparency and mistrust in the providers who can be the single point of failure. A solution is to adapt the OSN functionality to an underlying and fully distributed peer-to-peer (P2P) substrate. Several approaches in the field of OSNs based on P2P architectures have been proposed, but they share substantial P2P weaknesses and they suffer from low availability and privacy problems. In this work, we propose a distributed OSN which combines an underlying P2P architecture with friend-based data propagation and a Proof-of-Work (PoW) concept. ProofBook provides availability of user data, stability of the underlying network architecture and privacy improvements while it does not limit simple data sharing based on social relations.

On the Application of Supervised Machine Learning to Trustworthiness Assessment

State-of-the art trust and reputation systems seek to apply machine learning methods to overcome generalizability issues of experience-based Bayesian trust assessment. These approaches are, however, often model-centric instead of focussing on data and the complex adaptive system that is driven by reputation-based service selection. This entails the risk of unrealistic model assumptions. We outline the requirements for robust probabilistic trust assessment using supervised learning and apply a selection of estimators to a real-world dataset, in order to show the effectiveness of supervised methods. Furthermore, we provide a representational mapping of estimator output to a belief logic representation for the modular integration of supervised methods with other trust assessment methodologies.