2) Exploiting the shared resources.
CPU cache leakage attack:
Measure load of the other virtual web server.
Extract AES and RSA keys.
Keystrokes timing analysis.
Extract user passwords from SSH terminal.
20. Justify Security: The top concern for cloud users.
Ans:
Cloud security is a set of control-based safeguards and technology protection designed to
protect resources stored online from leakage, theft, or data loss.
Protection extends to cloud infrastructure, applications, and data, guarding them from threats.
Security applications operate as software in the cloud using a Software as a Service
(SaaS) model.
Topics that fall under the umbrella of security in the cloud include:
Data center security
Access control
Threat prevention
Threat detection
Threat mitigation
Redundancy
Legal compliance
Security policy
PART-C
1. Identify the main security threats for the SaaS cloud delivery model on a
public cloud. Discuss the different aspects of these threats on a public cloud
vis-à-vis the threats posed to similar services provided by a traditional
service-oriented architecture running on a private infrastructure.
Ans:
The National Institute of Standards and Technology (NIST) has defined cloud computing
as a model for enabling convenient, on-demand network access to a shared pool of configurable
computing resources, e.g. networks, servers, storage, applications, and services, that can be
rapidly provisioned and released with minimal management effort or service provider
interaction.
The favorite means of attack are: distributed denial of service (DDoS) attacks, which prevent
legitimate users from accessing cloud services, phishing, SQL injection, or cross-site scripting.
Availability of cloud services is another major concern. System failures, power outages, and
other catastrophic events could shut down cloud services for extended periods of time. Insecure
APIs may not protect the users during a range of activities starting with authentication.
2. Analyze Amazon’s privacy policies and design a service-level agreement you
would sign if you were to process confidential data using AWS.
Ans:

3. Analyze the implications of the lack of trusted paths in commodity operating
systems and give one or more examples showing the effects of this deficiency.
Analyze the implications of the two-level security model of commodity
operating systems.
Ans:
Specialized closed-box platforms, such as the ones on some cellular phones, game consoles,
and ATMs (Automatic Teller Machines), could have embedded cryptographic keys that allow
them to reveal their true identity to remote systems and authenticate the software running
on them. Such facilities are not available to open-box platforms, the traditional hardware
designed for commodity operating systems.
The two-level security model supports two modes of operation, a kernel mode and a user mode.
Kernel mode is a privileged mode; it gives a user unrestricted access to all system resources and
the ability to perform any operation. This explains why malicious
individuals try to hijack a system and operate in kernel mode, then use the system to attack other
systems on the Internet. The two-level security model creates serious problems for virtualization

