How Private is Your Private Cloud? Security Analysis of Cloud Control Interfaces

Abstract

The security gateway between an attacker and a user’s pri-vate data is the Cloud Control Interface (CCI): If an at-tacker manages to get access to this interface, he controls the data. Several high-level data breaches originate here, the latest being the business failure of the British company Code Spaces. In such situations, using a private cloud is often claimed to be more secure than using a public cloud. In this paper, we show that this security assumption may not be justi-fied: We attack private clouds through their rich, HTML5-based control interfaces, using well-known attacks on web interfaces (XSS, CSRF, and Clickjacking) combined with novel exploitation techniques for Infrastructure as a Service clouds