The study ("Hey, You, Get Off of My Cloud") shows that an attacker can find out where a target's virtual-machine instance is running. Once that is known, a 'shotgun' technique, launching new instances until one lands on the same physical hardware, opens the door to virtualization 'side-channel' attacks that could compromise the co-resident instances.
The study was carried out on Amazon.com's Web Services because, researchers say, it is the leading example of public cloud computing. Amazon is not unique, however -- all the major cloud providers are vulnerable to these kinds of attacks.
"Concurrent virtualization vulnerabilities are not Amazon's fault. This is how the technology is," said Dr. Eran Tromer, postdoctoral associate at the MIT Computer Science and Artificial Intelligence Laboratory (CSAIL) and one of the lead researchers on the study. "All of these [cloud infrastructure services] create these kinds of inadvertent common channels," he said. Tromer added that the techniques they used were rudimentary and, in some cases, took advantage of the very nature of how cloud computing resources are sold.
The 'cloud cartography' research was carried out with basic network discovery techniques, such as correlating the public addresses handed out to each machine instance with the geographical information in the provider's DNS records, and sending HTTP requests to find which instances answered as Web servers. By doing this, Tromer and his fellow researchers were able to roughly determine where a given server was physically running within Amazon's data centers.
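The mapping step described above, and the 'shotgun' placement check from the opening paragraph, as an added illustration that is not code from the paper, from Amazon or from the article. Everything in it is constructed: the DNS table that maps public to internal addresses, the set of instances that answered an HTTP probe, and the assumption that internal addresses are allocated in blocks that track placement (one /16 per zone, one /24 per group of hosts). The address layout, prefix lengths and IPs are hypothetical.

```python
"""
Cloud cartography and placement check over constructed data.

Assumptions (all made up for this example, not from the paper or Amazon):
  * the provider's DNS resolves an instance's public address to its
    internal (private) address;
  * internal addresses are allocated in blocks that track physical
    placement: one /16 per zone, one /24 per group of hosts;
  * an instance that answered an HTTP probe is a live, reachable target.
"""
import ipaddress
from collections import defaultdict

# Constructed stand-in for the provider's DNS: public -> internal address.
DNS_TABLE = {
    "203.0.113.10": "10.10.1.23",
    "203.0.113.11": "10.10.1.87",
    "203.0.113.12": "10.10.7.5",
    "203.0.113.20": "10.20.3.14",
    "203.0.113.21": "10.20.3.90",
    "203.0.113.22": "10.20.9.2",
}

# Constructed probe results: public addresses that answered on port 80.
HTTP_RESPONDERS = {"203.0.113.10", "203.0.113.12",
                   "203.0.113.20", "203.0.113.22"}

ZONE_PREFIX = 16   # assumed: one /16 of internal space per zone
GROUP_PREFIX = 24  # assumed: one /24 per group of hosts


def resolve_internal(public_ip, dns=DNS_TABLE):
    """Map a public address to its internal address; None if unknown."""
    return dns.get(public_ip)


def placement(internal_ip):
    """Infer (zone network, host-group network) from an internal address."""
    addr = ipaddress.ip_address(internal_ip)
    zone = ipaddress.ip_network((addr, ZONE_PREFIX), strict=False)
    group = ipaddress.ip_network((addr, GROUP_PREFIX), strict=False)
    return zone, group


def build_map(dns=DNS_TABLE, responders=HTTP_RESPONDERS):
    """Cluster reachable instances by inferred zone and host group:
    {zone_net: {group_net: [public_ip, ...]}}."""
    cartography = defaultdict(lambda: defaultdict(list))
    for public_ip, internal_ip in dns.items():
        if public_ip not in responders:   # only instances that answered
            continue
        zone, group = placement(internal_ip)
        cartography[zone][group].append(public_ip)
    return cartography


def co_resident_candidates(target_public_ip, probe_internal_ips, dns=DNS_TABLE):
    """Given a target and the internal addresses of instances we launched
    ('shotgun' launches), return the launched instances whose internal
    address falls in the target's host group. These are the candidates an
    attacker would keep and test further; the rest would be terminated."""
    target_internal = resolve_internal(target_public_ip, dns)
    if target_internal is None:
        return []
    _, target_group = placement(target_internal)
    return [ip for ip in probe_internal_ips
            if ipaddress.ip_address(ip) in target_group]


if __name__ == "__main__":
    for zone, groups in build_map().items():
        print(zone)
        for group, members in groups.items():
            print("  ", group, members)
    # Three constructed launches; only the first shares the target's group.
    print(co_resident_candidates("203.0.113.10",
                                 ["10.10.1.200", "10.20.3.5", "10.10.7.9"]))
```

The prefix-based grouping is a stand-in for whatever locality a real provider's addressing happens to leak; the point of the structure is that each launch only costs one resolve-and-compare, so an attacker can afford to repeat it many times. The article's later mention of safeguards against "the cartography techniques" is aimed at exactly this resolve-and-compare step.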
Tromer said they did not attempt to exploit the vulnerabilities exposed in Amazon's EC2 service for ethical reasons, nor did they attempt to co-locate with machines other than those they had started themselves in the course of the research. They only verified that data transmission from one VM to another in the cloud was possible. Tromer said they had demonstrated proof-of-concept exploits against virtual machines in their own networks and saw the potential for similar attacks in public clouds.
Tromer said potential exploits in the cloud ranged from denial-of-service attacks, where an attacker would co-locate with a target and monopolize CPU or memory usage, to sophisticated data interception, such as recovery of encryption keys or decoding data as it passed from hard drive to CPU.
Private clouds vulnerable to same attacks
Tromer said that private clouds using multi-tenant based virtualization were just as likely to suffer from these vulnerabilities as public clouds.
"These profiling tools do a good job of illustrating the fragility of cloud," said security expert Christofer Hoff, director of cloud and virtualization solutions at Cisco. He called the study a "not-so-subtle reminder" that, despite the hype, cloud computing hadn't seriously addressed fundamental security concerns; it had aggravated them.
He said it also called into question claims that providers could necessarily "do security" better than consumers. "What users are given to work with in terms of network control is very limited, especially in Amazon's cloud," said Hoff. He noted that cloud providers don't assume any liability for security breaches on behalf of users and aren't transparent about the measures they do take. "The security controls that they put in place are very, very, very basic," he said.
"The entire premise…comes down to them saying, 'trust us'," said Hoff. He added that this is obviously good enough for customers who are practically lining up to use AWS and other cloud services, but as private clouds grow in scope and interconnect with public computing resources, security professionals would need to look at problems like this from the ground up.
Amazon responds to security issues
For its part, Amazon is taking the research seriously. Spokeswoman Kay Kinton said in an email that Amazon was coming to grips with the problem very quickly. She pointed out that the researchers themselves noted several mitigating factors that make Amazon more resistant to potential virtualization exploits.
"While it's unclear what specific attacks could be made in this scenario, AWS takes any potential security issue very seriously and we are in the process of rolling out safeguards that prevent potential attackers from using the cartography techniques described in the paper," she said.
Rackspace did not respond to requests for comment on its awareness of, or efforts to deal with, either cloud cartography or virtualization insecurity. Joyent claimed that its use of an OpenSolaris-virtualized environment, rather than Xen, meant it did not have the vulnerabilities described in the research.
Carl Brooks is the Technology Writer at SearchCloudComputing.com. Contact him at email@example.com.