Transcription
International Journal of Engineering Trends and Technology (IJETT) – Editor’s Issues - 2020API Vulnerabilities In Cloud ComputingPlatform: Attack And DetectionMuhammad Azizi Mohd Ariffin, Mohd Faisal Ibrahim, Zolidah KasiranFakulti Sains Komputer dan Matematik, Universiti Teknologi MARA, Shah Alam, MalaysiaABSTRACTNowadays most of cloud management software such asOpenStack and CloudStack provide an API to facilitatethe communication and exchange of data between users,application, cloud components and infrastructure. Dueto complexity of cloud management softwareimplementation, the provided API has vulnerabilitieswhich can be exploited by malicious party. Onceexploited, it can cause security issue and disrupt theavailability of services running on the cloudinfrastructure. Hence; it is importance to address cloudAPI security by identifying potential threats,demonstrating how such threats could be exploited andhow to detect such threat. This paper presents the topicof API Vulnerabilities in Cloud Computing Platform:Attack and Detection. We will discuss the vulnerabilitiesof the API in cloud management software. Based onthese vulnerabilities, this paper will demonstrate howeavesdropping on cloud API authentication servicesand API exhaustion attack can be initiated. To addressthe threat due to the vulnerabilities of the API, we needto detect attack which exploits the vulnerabilities. Thusthis paper also proposes and demonstrates methods todetect such attack effectively. Method to detect ongoingAPI exhaustion attack will be based on AD3 algorithm.From the experiments result, it shows that attacks on thecloud platform AP can be detected effectively.Keywords: Cloud Computing Security, Cloud APIVulnerabilities, API Exhaustion Attack.I. INTRODUCTIONThe evolution of cloud computing technology hasintroduced several advantages such as elasticity,scalability and more efficient use of computingresources. This caused it to be commonly used byeducation sectors, government, private enterprise and ITindustry to replace their legacy-computing platform intheir organization[1] [2]. However, the popularity of theplatform has attract hackers to exploit it weaknesses andmade it vulnerable to various security threats [2]. Inprivate deployment, cloud-computing platform consistsof hardware and software components pooling andsharing its resources together, usually all of these cloudISSN: 2231-5381components communicate with each other via commoninterface called as Application programming interface(API). This API can be overwhelmed with large amountof request intentionally by malicious party until itexhausted all of its computing resources and thuscausing denial of service. When the API is overwhelm,the cloud components unable to communicate with eachother and the cloud platform itself unable to perform itsnormal operation. This will cause outages to theplatform and will affect the availability of applicationsrunning or hosted on the cloud platform.Several studies have been conducted to identify thesecurity threats to the cloud computing platform [4] [5][6] [3]. But those studies did not focus on cloud APIexhaustion attack and provide a method to detect andmitigate such attack. Most of the studies, discuss thethreat of data breach, weak authentication andvirtualization vulnerabilities on the cloud. Work in [5]mentioned the insecurity of the cloud API that may leadto security issue but did not discuss further on how thecloud API could be exploited further to cause denial ofservice attack to the cloud platform components. Theimpact to service availability of cloud platform has hugerepercussion, for example recent outage on MicrosoftAzure platform, causing thousands of users unable toaccess the Office 365 application and run their businessnormally [7]. Therefore, there is a need to address thethreat of API exhaustion attack to the cloud-computingplatform. Moreover, when storing data in networkedenvironment such as in Cloud, it was crucial to addressthe vulnerabilities so that it able to pass the threatassessment such as MyRAM and HiLRA [27].This paper discusses the vulnerabilities of the API incloud management software. Based on thesevulnerabilities, this paper will demonstrate howeavesdropping on cloud API authentication services andAPI exhaustion attack can be initiated. To address thethreat due to the vulnerabilities of the API, we need todetect on-going attack which exploits thevulnerabilities. This paper will also demonstrate howsuch attack can be detected effectively using AD3algorithm. OpenStack software platform will be used toconstruct the cloud testbed which will be used for thedemonstration of attacks. This will provide moreaccurate representation of real world cloud deploymentdoi : 10.14445/22315381/CATI1P202Page 8
International Journal of Engineering Trends and Technology (IJETT) – Editor’s Issues - 2020as OpenStack is commonly deployed as cloud platformin production environment [8].II. API VULNERABILITIES IN CLOUDCOMPUTING PLATFORMA. Cloud Management SoftwareBuilding and operating own private cloud platform isa complex and challenging job. Hence, cloudmanagement software was regularly utilized byorganization for simplifying the task of managing theircloud. The definition of cloud computing managementsoftware is “Software and technologies utilized by publicor enterprise organization to build and operate in-houseor on-premise cloud platform and infrastructure, the toolin cloud management guaranteed resources of cloudcomputing are utilized or distributed effectively and ableto appropriately interacting external services and usersvia common interface” [9]. The cloud managementsoftware has two deployment categories; it can bedeployed using open source software such as OpenStack,Eucalyptus and CloudStack or using closed-sourcesolutions such as Citrix XenServer and VMwarevCenterOne of the core functions of the cloud computingsoftware is to manage and orchestrate the operation ofphysical hardware which pools it resources for the cloudplatform [10].It guarantees the physical resources are assignedoptimally to virtual machine and provides a commoninterface (e.g. API) which enables users, infrastructureand services to communicate. For example, inOpenStack it has dedicated software component ormodule which dedicated in managing the allocation ofcomputing resources (e.g. CPU, Memory) to the virtualmachine. Besides that, OpenStack also has otherscomponents which dedicate in providing other servicesuch as Networking via its Neutron and block storage viaCinder. Usually all of these different cloud componentscommunicate with each other via common interfaceknown as API.B. Type of Cloud APICloud APIs are the common software interface whichenables the communication between the cloudinfrastructure, applications and users. There are severaltypes of API have been widely deployed in cloudplatform such as SOAP and REST based API [24].SOAP (Simple Object Access Protocol) is a protocol thatdefine many things such as how data is transmitted andsecurity mechanism which introduce more overhead.While REST stands for Representational State Transferand it is simpler than SOAP. REST is a web services as ituses HTTP protocol and URIs. Table 1 shows thecomparison of SOAP and REST API.ISSN: 2231-5381Table 1: SOAP and REST API ComparisonComparisonSOAPData FormatXMLStyleProtocolSecurityACID ComplianceSupport SSL,WS-SecurityYesRESTJSON, PlainText, HTMLServer-ClientArchitectureSupport SSL,HTTPSNoIn cloud management software such as OpenStack, theAPI is based on REST and uses the same HTTP protocolas other web based system. Disruption on the APIavailability of OpenStack will cause disruption on thenormal operation of the plat-form.C. Type of API AttackAPI plays a crucial role in cloud computinginfrastructure communication as it allows different usersand cloud components to interact and exchange data.Therefore, attacker could exploit the weaknesses ofcloud management software such as Open-Stack [11]and its API implementation for malicious intent.The first type of attack is API Authentication ServicesAttack. This type of attack can be initiated by exploitingthe weaknesses of cloud API which providesauthentication services in cloud infrastructure. In cloudmanagement software such as OpenStack orCloudStack, API was provided for interacting with theauthentication services. Communication between hostsand the authentication is sensitive as usually credentialsdata such as password and session token is beenexchange during the session.Majority of API in the cloud management software isbased on REST or SOAP which is web standards [26].Hence it is exposed to attacks which are web-based, suchas eavesdropping, session hijacking, malicious codeexecution, XSS and denial of service attack [14] (seefigure 1). One of crucial services in OpenStack is theAPI which handle authentication, which a moduleknown as Keystone. The work of [15] has identified thatthe API of Keystone is also exposed to eavesdroppingattacks, because during the procedure to authenticateusers, the credentials data are communicated inplain-text. Besides, authentication mechanism based ontoken exchange in Keystone also has weaknesses. This isbecause, hackers will able to gain users privileges andaccess the services of other cloud components if theyable to obtain the password contained in theauthentication token.doi : 10.14445/22315381/CATI1P202Page 9
International Journal of Engineering Trends and Technology (IJETT) – Editor’s Issues - 2020Figure 1. Multiple Type of Attack to the AuthenticationService APIThe second type of attack is API Exhaustion Attack.This is a type of DOS attack to the cloud API services.Denial of service (DOS) attack occurs when attackerdisrupts the services by intentionally sending largeamount of traffic with the purpose of overwhelming thesystem. This prevents the system from processing therequest of legitimate users and thus denying them fromusing the service. In the context of cloud computing, theDOS attack can be targeted to the applications runningon the cloud or it can target the cloud platforminfrastructure [13] [12].When the DOS attack is targeting the cloud platformAPI, it can cause API exhaustion attack. Majority ofcloud management software offer web-based APIprotocol, for compatibility and simplicity. For instance,CloudStack and OpenStack APIs are built on REST, andduring the communication session the data is formattedas JSON [16] [17]. The work of [15] have found that theOpenStack Keystone API which uses web basedprotocols to provide the identity and authenticationservice is vulnerable to information disclosure, DOS andreplay attacks.API exhaustion attack is when the attackers maliciouslymisuse the API of the cloud platform by sending a largequantity of malicious API requests to overwhelm thesystem. The cloud components will be unable to respondto legitimate API request from other components andusers while it is overwhelm. This is because the web(HTTP) protocols utilized TCP as the transport protocol,thus when the server receives API requests using HTTP;it will allocate additional resources for the new TCPsession. The physical hosts of the cloud managementsystem components will eventually run out of resource ifthis continues for a long period. Hence, it unable toprocess the legitimate API request, which will lead to aDOS attack and disruption to its availability. The cloudmanagement software are exposed to these type of attacksince it uses web-based technology in API services andthis issue has been highlighted by many cloud admin onportal to track bugs and vulnerabilities database [18][19]. This paper highlights the API exhaustion becausethe communication using the common TCP/IP stack hasbecome the source of weaknesses of a cloud managementsystem. Figure 2 shows API exhaustion attack overview.ISSN: 2231-5381Figure 2. API Exhaustion AttackIII. ATTACK DETECTION EXPERIMENT ONCLOUD API SERVICESThis paper, will conduct experiments to simulateauthentication token eavesdropping and API exhaustionattack. During the experiment, we will apply a methodto detect such attack. To simulate an attack, we setup acloud Testbed based on OpenStack platform.For the purpose of emulating a cloud provider setup,we configured a multiple node cloud cluster with twocompute and one controller nodes. 3 Servers hostsrunning a Dell OptiPlex 990 (3.40 GHz Intel i7-2600),1TB of Hard Disk, 16 GB memory, 2 Gigabit-Ethernetnetwork interfaces were used to form a cluster. One ofthe Ethernet inter-faces is connected to the managementnetwork and the other is connected to the data network.The management network is primarily used n between controller and compute node,transferring data between VM during migration); it canalso be used to access the cloud system panel by thecloud admin. Meanwhile, the data network enables VMhosted on the cloud infrastructure to interact betweeneach other and enable the VM to access the Internet. Thetopology of cloud cluster testbed is shown in figure 3.Figure 3. OpenStack Cloud Testbeddoi : 10.14445/22315381/CATI1P202Page 10
International Journal of Engineering Trends and Technology (IJETT) – Editor’s Issues - 2020A. Authentication Token Eavesdropping ExperimentTo investigate the security issues on the authenticationservices API, this paper recreates the issue on thetestbed. First we simulate authentication request viaOpenStack API and then we eavesdrop the session bycapturing the traffic between client and OpenStackcontroller using Wireshark tool. From the packet dump,it was shown that the token packet for the API serviceswas not encrypted. Figure 4 shows that we can read theAPI data in clear-text and as a consequence we able tocapture the password of the cloud administrator ashighlighted in the red box. It shows that we able toexposed the password by capturing the packet of theauthentication API when the cloud admin request atoken from the OpenStack Keystone.C. API Exhaustion Attack Detection MethodIn order to effectively minimize the security risk in thecloud environment, we need to detect anomaly thatpossibly cause by the malicious activity [21]. Inspired bythe work of [22] regarding a method applied to the cloudfor malware detection system, this paper proposed ananomaly detection method based on AD3 algorithm [29]and non-parametric data density [23] which designedfor detecting anomaly in the cloud platform. Theanomaly detection methodology is shown in figure 5.Figure 4. The API data exposed in plaintext duringeavesdroppingFigure 5. Anomaly Detection Methodology [25]B. API Exhaustion ExperimentTo simulate API Exhaustion attack to the OpenStackAPI, this paper utilized open source software calledSiege [20]. The software will simulate 15 hostsconcurrently sending a huge numbers of requests to theAPI services using JSON format. Furthermore, thebackground traffic will be running while the experimentis running for 10 minutes. While the attack is runningduring the experiment, this paper will apply the AD3algorithm in order to detect such attack. To ensure thedetection based on proposed methodology able todistinguish between the anomaly produced by an attackand normal operation of API during experiment, weexecute two normal VM operations. The First operationis restarting a VM and the second operation is deleting aVM. Both of the operations will invoke the OpenStack toutilize the keystone API to invoke the authorization andauthentication process.ISSN: 2231-5381During experiment, we collected several parameterssuch as CPU or memory utilization from the testbed andthen fed it into the anomaly detection algorithm. Thealgorithm will then extracts features from theparameters and perform a pre-processing on thosefeatures. The algorithm and pre-processing wasperformed using Matlab Software. Next, it will detect anoutlier data in a form of graph, which is then, can beused for further analysis and visualization.AD3 [29,30] is a machine learning algorithm forapproximate maximum a posteriori (MAP). In thisproject, the anomaly parameters is extracted and thennormalized to be become data density value [23]. Fromthere, the density value is further processes using AD3so multiplier value can be obtained. As a result we candifferentiate the noise of normal VM operation andvalue (in the form of data density) of an anomaly causeby an attack.doi : 10.14445/22315381/CATI1P202Page 11
International Journal of Engineering Trends and Technology (IJETT) – Editor’s Issues - 2020D. API Exhaustion Attack Detection ResultWe simulate the attack on the cloud APIs and collect thesystem parameters during the attack. The parameters arethen fed into the AD3 algorithm with the purpose todetect and visualized the anomalies due to the attack.The parameters which are collected during experimentand then feed into the detection algorithm are systemCPU utilization, memory utilization, byte count, flowrate, interface TX and RX rate and the packet count. Theexperimental result of the API exhaustion attack isshown in Figure 6.anomaly happens when the VM is being shut down,while the second anomaly is detected when the VM isturned on back again, to complete the whole rebootprocedure. When the time interval is at 60, the thirdanomaly is spotted which during this period the systemis initiating the VM deletion process. The density valuedrops from 0.9 to 0.52 (0.38 differences) during thedeletion process. The deletion process completed at timeinterval 64 and during this period the line on the graphhas recovered. At time interval 120, the fourth anomalyis spotted which during the period simulated APIexhaustion attack begins, the density value drops from0.88 to 0.02 (0.86 differences) which shows an extremedrop on the graph. The API exhaustion attack ended attime interval 162 and the line on the graph only beginsto recovers after that period. No other operation isinitiated after the attack.IV. DISCUSSIONFigure 6. API Exhaustion attack detection resultIn the simulated attack, huge quantities of APIrequests were directed to the Open-Stack authenticationservice API to overwhelm it. The X-axis signifies thetime interval at which the metric data was gatheredwhile the Y-axis show the calculated density values forthe selected features. Figure 6 shows, the algorithm ableto detect 4 anomalies as there is 4 distinct variationwhich shown as drops on the graph. At time interval 20,the first anomaly is detected which during the period thesystem initiate a VM’s reboot operation. During firstanomaly, the density value drops from 0.9 to 0.52 (0.38differences). The graph line starts to recover (returnupward) at time interval 21. Shortly after, at timeinterval 24 the second anomaly is detected, after the firstanomaly. During the period of second anomaly thedensity value drops from 0.9 to 0.5 (0.4 differences), thegraph shows recovery when time interval is at 25.The system initiation of reboot operation of VMstriggers the first and also the second anomalies; the firstISSN: 2231-5381During the experiment to simulate the eavesdropping ofthe authentication token, it shown that thecommunication session between the API requester andthe cloud controller is not encrypted, hence we able toread the token packet in plaintext and obtain the cloudadministrator password. In any secure system, passwordprivacy is very crucial; this will cause security issue tothe cloud platform as it could lead to data breach,privacy issues and session hijacking. Even if the webinterface has mechanism to filter input to prevent SQLinjection [28], it may not able to address security oncloud API due to eavesdropping if the packet was notencrypted.Besides that, there is a clear difference between theanomaly caused by normal VM operation and ananomaly trigger during API exhaustion attack from theexperiment result to simulate the API exhaustion attack.This is because during the API exhaustion attack ananomaly with the largest drops is seen. This
CloudStack and OpenStack APIs are built on REST, and during the communication session the data is formatted as JSON [16] [17]. The work of [15] have found that the OpenStack Keystone API which uses web based protocols to provide the identity and authentication service is vuln
![API Ballot: [Ballot ID] – API 510 & API 570, Deferrals, Rev05](/img/5/api510andapi570deferralsrev5.jpg)
