Client-Server

EHR: System Architecture and Systems Security – An Analysis of Interdependencies

SBA Research & Vienna University of Technology Edgar R. Weippl Typical Security Errors in Large-Scale Systems

SBA Research & Vienna University of Technology Edgar R. Weippl Basic Architectures

http://datacenterpost.com/wp- http://www.futuretimeline.net/subject/images/computer- content/uploads/2014/11/mainframe-apps.jpg storage-timeline.jpg Basic Architectures

http://www.datacenterknowledge.com/wp- http://conversation.which.co.uk/wp- content/uploads/2013/07/cloud-vm-movement.jpg content/uploads/2011/03/peer-to- peer_shutterstock_56319415.jpg Architectures

Centralized Distributed Historic Mainframe Client-Server • Admins understand • Admins understand systems and can systems and can observe everything observe servers and • Server-based security communication • Decentral / private data

Hype Cloud Computing P2P / Grassroots • Internals hidden / Infrastructure protected • Trust in majority • Arms race in analysis • Sybil attack

Architectures

Centralized Distributed Historic Mainframe Client-Server • Admins understand systems • Admins understand systems and can observe everything and can observe servers and • Server-based security communication • Decentral / private data

Hype Cloud Computing P2P / Grassroots Infrastructure • Internals hidden / protected • Trust in majority • Arms race in analysis • Sybil attack

Observation & Empirical Research Impact Hop-count measuring

 Once IP is found, find path to victim

 Cloud platforms block ICMP errors/ control messages

 Our idea: Scan with incrementing TTL

 Use timing side-channel to count hosts

Co-residence Testing

 Place prober on same host as victim

 Check if TTL scan to victim is 0

 Check patterns to prober via interrupt-based side-channel

 If both pass – attacker is co-resident with victim Data Deduplication

At the server At the client – Same file only stored – Calculate hash or once other digest – Save storage space at – Reduce server communication

Authentication

Viber, WhatsApp, fring, GupShup, hike, KakaoTalk, Line, ChatOn, textPlus and WeChat Re-Evaluation 2014 Empirical Research

• Dropbox • Amazon Martin Mulazzani, Sebastian Schrittwieser, Manuel Leithner, Amir Herzberg and Haya Shulman and Johanna Ullrich and Markus Huber, and Edgar R. Weippl. Dark clouds on the Edgar R. Weippl, Cloudoscopy: Services Discovery and horizon: Using cloud storage as attack vector and online Topology Mapping, in Proceedings of the ACM Cloud Computing Security Workshop (CCSW) at ACM CCS 2013, slack space. USENIX Security, 8/2011. 2013.

• WhatsApp • Tor Sebastian Schrittwieser, Peter Fruehwirt, Peter Kieseberg, Manuel Leithner, Martin Mulazzani, Markus Huber, and Philipp Winter and Richard Koewer and Martin Mulazzani and Markus Huber and Sebastian Schrittwieser and Stefan Edgar R. Weippl. Guess who is texting you? evaluating the Lindskog and Edgar R. Weippl, Spoiled Onions: Exposing security of smartphone messaging applications. In Network Malicious Tor Exit Relays, in Proceedings of the 14th Privacy and Distributed System Security Symposium (NDSS 2012), Enhancing Technologies Symposium, 2014 Feb 2012.

• Facebook • GSM Adrian Dabrowski, Nicola Pianta, Thomas Klepp, Martin Markus Huber, Sebastian Schrittwieser, Martin Mulazzani, Mulazzani, and Edgar R. Weippl, IMSI-Catch Me If You Can: and Edgar Weippl. Appinspect: Large-scale evaluation of IMSI-Catcher-Catchers in Proceedings of ACSAC, 2014 social networking apps. In ACM Conference on Online Social Networks (COSN), 2013. Take Aways

• Implement or improve monitoring – Typical rates of queries – Amount of storage allocated – Reuse statistics for data duplications – … • Analyze attack surface • Active probing – Bad node behavior – … Architectures

Hype Cloud Computing P2P / Grassroots Infrastructure • Internals hidden / protected • Trust in majority • Arms race in analysis • Sybil attack

[email protected]