Subject: [Open translation project] The impact of migration to the public cloud on software isolation
Posted: 2012-02-07 20:00
Author: 站长 (site administrator)
Below is the English original and the Chinese translation, side by side, of Chapter 4, Section 6 of the open translation project "Guidelines on Security and Privacy in Public Cloud Computing (SP800-144)" (http://bbs.cisps.org/viewtopic.php?f=128&t=29613). Please review the translation and suggest corrections; I will award security coins to anyone who offers corrections.

4.6 Software Isolation

Translation: 4.6 Software Isolation

High degrees of multi-tenancy over large numbers of platforms are needed for cloud computing to achieve the envisioned flexibility of on-demand provisioning of reliable services and the cost benefits and efficiencies due to economies of scale. To reach the high scales of consumption desired, cloud providers have to ensure dynamic, flexible delivery of service and isolation of consumer resources. Multi-tenancy in IaaS cloud computing environments is typically done by multiplexing the execution of virtual machines from potentially different consumers on the same physical server [Ris09]. Applications deployed on guest virtual machines remain susceptible to attack and compromise, much the same as their non-virtualized counterparts. This was dramatically exemplified by a botnet found operating out of an IaaS cloud computing environment [Mcm09a, Whi09].

Translation: Cloud computing needs a high degree of multi-tenancy across large numbers of host platforms in order to flexibly achieve on-demand provisioning of reliable services, along with the cost benefits and efficiencies of economies of scale. To reach the desired scale of consumption, cloud providers must ensure dynamic and flexible delivery of service as well as isolation of customer resources. Multi-tenancy in IaaS cloud computing environments is typically achieved by running multiple virtual machines from different customers on the same physical server. Just as when deployed in non-virtualized environments, applications deployed on customer virtual machines may be attacked and compromised by adversaries. A botnet once found running on an IaaS cloud computing environment is a typical example.

Multi-tenancy in PaaS and SaaS cloud computing environments can be handled differently. For example, many SaaS providers rely on an infrastructure free of virtual machines, using instead a single logical instance of an application (i.e., a software technology stack) that can handle extremely large numbers of tenants, scaling upwards or outwards as needed [Arm10, Wai08]. Regardless of the service model and multi-tenant software architecture used, the computations of different consumers must be able to be carried out in isolation from one another, mainly through the use of logical separation mechanisms.

Translation: Multi-tenancy in PaaS and SaaS cloud computing environments is handled somewhat differently. For example, many SaaS providers do not use a virtual machine environment, but instead use a single logical instance (i.e., a software technology stack) to serve a large number of tenants, scaling up or down as needed. Regardless of the service model and multi-tenant software architecture, the computations of different users must be isolated from one another, and this isolation usually takes the form of logical isolation.

Hypervisor Complexity. The security of a computer system depends on the quality of the underlying software kernel that controls the confinement and execution of processes. A virtual machine monitor or hypervisor is designed to run multiple virtual machines, each hosting an operating system and applications, concurrently on a single host computer, and to provide isolation between the different guest virtual machines.

Translation: Hypervisor Complexity
The security of a computer system depends on the quality of the underlying software kernel that controls the isolation and execution of its processes. A virtual machine monitor or hypervisor is designed to run multiple virtual machines, each containing an operating system and a number of applications, concurrently on a single host computer, and the hypervisor provides isolation mechanisms for these different guest virtual machines.

A virtual machine monitor can, in theory, be smaller and less complex than an operating system. These characteristics generally make it easier to analyze and improve the quality of security, giving a virtual machine monitor the potential to be better suited for maintaining strong isolation between guest virtual machines than an operating system is for isolating processes [Kar08]. In practice, however, modern hypervisors can be large and complex, comparable to an operating system, which negates this advantage. For example, Xen, an open source x86 virtual machine monitor, incorporates a modified Linux kernel to implement a privileged partition for input/output operations, and KVM, another open source effort, transforms a Linux kernel into a virtual machine monitor [Kar08, Sha08, Xen08]. Understanding the use of virtualization by a cloud provider is a prerequisite to understanding the security risk involved.

Translation: In theory a virtual machine monitor can be made smaller and simpler than an operating system. That makes it easier to implement, and easier to analyze and improve in terms of security quality, so compared with an operating system's process isolation, a virtual machine monitor may be better suited to providing stronger isolation between guest virtual machines. In practice, however, modern hypervisors are as large and complex as operating systems, which runs counter to the benefit just mentioned. For example, Xen is an open source x86 virtual machine monitor that incorporates a modified Linux kernel to implement privilege isolation for input/output operations, and KVM, another open source product, turns a Linux kernel into a virtual machine monitor. Understanding the virtualization technology a cloud provider uses is a prerequisite for understanding the related security risks.

Attack Vectors. Multi-tenancy in virtual machine-based cloud infrastructures, together with the subtleties in the way physical resources are shared between guest virtual machines, can give rise to new sources of threat. The most serious threat is that malicious code can escape the confines of its virtual machine and interfere with the hypervisor or other guest virtual machines. Live migration, the ability to transition a virtual machine between hypervisors on different host computers without halting the guest operating system, and other features provided by virtual machine monitor environments to facilitate systems management, also increase software size and complexity and potentially add other areas to target in an attack.

Translation: Attack Vectors
The multi-tenancy of virtual machine-based cloud architectures, together with the complexity of multiple guest virtual machines sharing physical resources, creates additional sources of threat. The most serious threat is that malicious code may break out of the virtual machine's confinement to interfere with the hypervisor or other guest virtual machines. Features that virtual machine monitor environments provide to assist system management, such as live migration, i.e. moving a virtual machine between hypervisors on different hosts without interrupting the guest operating system, all increase the size and complexity of the software and thereby potentially increase the target areas available in an attack.

Several examples illustrate the types of attack vectors possible. The first is mapping the cloud infrastructure. While seemingly a daunting task to perform, researchers have demonstrated an approach with a popular IaaS cloud [Ris09]. By launching multiple virtual machine instances from multiple cloud consumer accounts and using network probes, assigned IP addresses and domain names were analyzed to identify service location patterns. Building on that information and general technique, the plausible location of a specific target virtual machine could be identified and new virtual machines instantiated to be eventually co-resident with the target.

Translation: Several examples show different potential attack vectors. The first is mapping the cloud architecture. This looks like a very laborious task, but researchers once demonstrated a method against a well-known IaaS cloud. By launching multiple virtual machine instances from multiple cloud customer accounts and using network probing, the IP addresses and domain names obtained were analyzed to identify patterns in where services are located. Building on that information and general technique, the fairly precise location of a specific target virtual machine can be identified, and virtual machine instances gradually created in the same location as the target.

Once a suitable target location is found, the next step for the guest virtual machine is to bypass or overcome containment by the hypervisor or to take down the hypervisor and system entirely. Weaknesses in the provided programming interfaces and the processing of instructions are common targets for uncovering vulnerabilities to exploit [Fer07]. For example, a serious flaw that allowed an attacker to write to an arbitrary out-of-bounds memory location was discovered in the power management code of a hypervisor by fuzzing emulated I/O ports [Orm07]. A denial of service vulnerability, which could allow a guest virtual machine to crash the host computer along with the other virtual machines being hosted, was also uncovered in a virtual device driver of a popular virtualization software product [Vmw09].

Translation: Once the location of a suitable target is found, the next step is for the guest virtual machine to bypass or break the hypervisor's confinement, or to take over the hypervisor and the system completely. The programming interfaces provided and the processing of instructions are also an area where vulnerabilities are frequently found and exploited. For example, using fuzzing, someone discovered in the power management code of a hypervisor a serious vulnerability that let an attacker write out of bounds to any memory location. A denial of service vulnerability was also once found in a virtual device driver of a commonly used virtualization software product; that vulnerability could crash the host computer and all the guest computers running on it.

More indirect attack avenues may also be possible. For example, researchers developed a way for an attacker to gain administrative control of guest virtual machines during a live migration, by employing a man-in-the-middle attack to modify the code used for authentication [Obe08a]. Memory modification during migration presents other possibilities, such as the potential to insert a virtual machine-based rootkit layer below the operating system [Kin06]. A zero-day exploit in HyperVM, an open source application for managing virtual private servers, purportedly led to the destruction of approximately 100,000 virtual server-based Websites hosted by a service provider [Goo09b]. Another example of an indirect attack involves monitoring resource utilization on a shared server to gain information and perhaps perform a side-channel attack, similar to attacks used against implementations of cryptographic mechanisms in other computing environments [Ris09]. For example, an attacker could determine periods of high activity, estimate high-traffic rates, and possibly launch keystroke timing attacks to gather passwords and other data from a target server.

Translation: More indirect methods may also exist. For example, researchers once developed a method that an attacker could use to gain administrative control of a guest virtual machine during live migration; the method uses a man-in-the-middle attack to tamper with the code used for authentication. Tampering with memory during migration offers other possibilities, such as inserting a virtual machine-based rootkit layer beneath the operating system. A zero-day vulnerability once appeared in HyperVM, an open source application for managing virtual private servers; it reportedly caused the destruction of about 100,000 virtual-server-based websites hosted by a service provider. Another example of an indirect attack gathers information by monitoring resource usage on a shared server, which may enable a side-channel attack similar to those used against cryptographic devices in other computing environments. For example, an attacker could determine periods of high activity, estimate high-traffic rates, and possibly launch keystroke timing attacks to collect passwords and other data from a target server.
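An added example, not part of the original post or of SP800-144, and not code from any real hypervisor: a constructed C model of an emulated power-management register file that shows the defect class the section's fuzzing example describes, a data-port handler that trusts a guest-chosen register index and so writes past the register array into hypervisor-private state, next to the bounds-checked version. The names pm_device, HOST_SLOT and host_state_intact_after_sweep are assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Constructed model of an emulated power-management device (not code from
 * any real hypervisor). The guest picks a register through an index port,
 * then writes it through a data port. Slot 8 stands in for the
 * hypervisor-private state that follows the register array in memory. */
#define PM_NUM_REGS 8
#define HOST_SLOT   PM_NUM_REGS
#define HOST_MAGIC  0x1234u
struct pm_device {
    uint32_t mem[PM_NUM_REGS + 1]; /* [0..7] guest registers, [8] host-only */
    uint32_t selected;             /* index last written by the guest */
};

void pm_reset(struct pm_device *dev) {
    memset(dev, 0, sizeof *dev);
    dev->mem[HOST_SLOT] = HOST_MAGIC;
}

/* Index port: guest-controlled value, stored without validation. */
void pm_select(struct pm_device *dev, uint32_t index) { dev->selected = index; }

/* Defective data-port handler: trusts the guest index, so index 8
 * overwrites hypervisor-private state (the bug class described above). */
void pm_write_data_unchecked(struct pm_device *dev, uint32_t value) {
    dev->mem[dev->selected] = value;
}

/* Hardened data-port handler: refuses any index outside the register file
 * and returns false so the caller can log the event or stop the guest. */
bool pm_write_data_checked(struct pm_device *dev, uint32_t value) {
    if (dev->selected >= PM_NUM_REGS)
        return false;
    dev->mem[dev->selected] = value;
    return true;
}
/* Sweeps every index a guest could select, the way a simple port fuzzer
 * would, and reports whether the host-only slot survived. */
bool host_state_intact_after_sweep(bool checked, unsigned iterations) {
    struct pm_device dev;
    pm_reset(&dev);
    for (unsigned i = 0; i < iterations; i++) {
        pm_select(&dev, i % (PM_NUM_REGS + 1));   /* indices 0..8 */
        uint32_t value = 0xA5000000u | i;         /* never equals HOST_MAGIC */
        if (checked) pm_write_data_checked(&dev, value);
        else         pm_write_data_unchecked(&dev, value);
    }
    return dev.mem[HOST_SLOT] == HOST_MAGIC;
}
```

The sweep reaches index 8 on its ninth iteration, so the unchecked handler corrupts the host-only slot as soon as nine or more writes are made, while the checked handler keeps it intact for any number of writes.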


Subject: Re: [Open translation project] The impact of migration to the public cloud on software isolation
Posted: 2012-02-09 12:54
Author: 站长 (site administrator)
Subject: Re: [Open translation project] The impact of migration to the public cloud on software isolation
Posted: 2012-02-09 20:48
Author: 站长 (site administrator)
-------- This post has so far earned 3 security coins in user rewards --------
Subject: Re: [Open translation project] The impact of migration to the public cloud on software isolation
Posted: 2012-02-10 10:27
Author: 站长 (site administrator)
华安信达(CISPS.org) ©2003 - 2012