Cloud Computing: Security Lab [Work-in-Progress]

1 Abstract

This lab describes a few tasks with the goal of learning about some security issues when using the cloud. The lab expects the students to have read the background materials, and to be able to supply details. This is not a "let me re-do some exploits" lab.

2 Background

3 Lab Experiment

3.1 Task 1: Data Security/ Privacy/ Trust

Suppose you uploaded to a cloud storage + computing facility (CSCF) a good number (say 10,000) files (FS), small (KB) to large (TB) in size. You wish to perform some computations (CS) in the cloud on these files. The CS have been built on a trusted local machine and uploaded to the cloud. You are in the trust-but-verify mood. Outline procedures (say shell scripts) that will verify the following.

  1. CS are computing on FS. That is, how do you make sure that (i) some C in CS has not been replaced by a C'? (ii) some F is FS has not been modified? Should you re-design CS so that this is doable?
  2. How will you verify that the CSCF has not been snooping around your files? Recall the recent story about DropBox discovering pornography stashes. http://gizmodo.com/dropbox-refuses-to-explain-its-mysterious-child-porn-de-1722573363 Aug 2015
  3. Will encryption of some sort somewhere help?

There are elements of "thought-experiments" in the above. Even so, be as rigorous as possible. If there is no workable solution, say so.

3.2 Task 2: Docker Image Insecurity

Consider a Docker image of your choice (but not too small) from the official repository. It probably has the line "The image you are pulling has been verified." For this particular image, give a full verification script (in Bash, Python, Scala, or Java) that you developed knowing the contents of the image.

Read https://titanous.com/posts/docker-insecurity (2014) for a description of "content cannot be trusted" issues. According to https://blog.docker.com/2015/08/content-trust-docker-1-8/, these issues were resolved in Docker Engine version 1.8. Think of this task as your independent verification.

3.3 Task 3: Xen

3.3.1 Running QubesOS or Alternative

Use QubesOS as the environment for this section. (If you find a better alternative, please insert your suggestions in the lab report.)

3.3.2 Xen Dom0

Read the following blog http://theinvisiblethings.blogspot.com/2008/08/attacking-xen-domu-vs-dom0.html by the developer of QubesOS. This was written in 2008. Write a section in the lab report as a 2015 update for this blog.

3.3.3 Setup a New App in a VM of its own

QubesOS comes with a disposable VM running FireFox browser. Set up a similar thing for Chrome.

3.4 Task 4 Bonus: KVM

Study a recent KVM CVE, e.g., http://www.openwall.com/lists/oss-security/2015/11/10/5. Write a short section in the lab report as a tutorial on this CVE to students of this course.

3.5 Survey

[TBD This will be replaced by a Google Forms survey. Real Soon Now.]

  1. Your level of interest in this lab exercise (high, average, low);
  2. How challenging is this lab exercise? (high, average, low);
  3. How valuable is this lab as a part of the course (high, average, low).
  4. Are the supporting materials and lectures helpful for you to finish the lab/ project? (very helpful, somewhat helpful, not helpful). Make concrete suggestions for improvement.
  5. How useful was this lab to your understanding of virtualization?
  6. How many hours (approximately) did you spend on Task 1? 2? 3? 4?
  7. Do you feel confident on applying the skills learned in the lab to solve other problems with Spark? (low, average, high)

3.6 Turn In

  1. L6Report.pdf should be written as a tech report. Devote one section each for the above tasks. Use your judgement in what to include in these sections. Your overall goal is to convince any reader of your report that you have understood and carried out the tasks.
  2. ~ceg738000/turnin L6 ReadMe.txt myLabJournal.txt L6Report.pdf survey.txt

TBD Grading Sheet

4 References

Copyright © 2015 pmateti@wright.edu www.wright.edu/~pmateti 2015-08-09