
Virtualization vulnerabilities leave clouds insecure

By Carl Brooks, Technology Writer
24 Sep 2009 | SearchCloudComputing.com


One of cloud computing's touted advantages -- multi-tenant virtualized environments that users can consume in small, on-demand increments -- is fundamentally insecure, according to new research from MIT and UC-San Diego.

The research demonstrates how much can be discovered about a public cloud's infrastructure that the provider has not disclosed, along with whether it is possible to target and attack virtual machines running in that cloud.

The study ("Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds") shows that an attacker can infer where a target virtual-machine instance is running inside the provider's infrastructure. Once that is known, a 'shotgun' technique -- launching many instances with matching parameters and keeping whichever land on the target's host -- puts an attacker's virtual machine on the same physical hardware, opening the door to cross-VM 'side-channel' attacks that could compromise the target instance.

The study was carried out on Amazon Web Services' EC2 because, the researchers say, it is the leading example of public cloud computing. Amazon is not unique, however: the researchers argue that every major cloud provider built on multi-tenant virtualization is exposed to these kinds of attacks.

"Concurrent virtualization vulnerabilities are not Amazon's fault. This is how the technology is," said Dr. Eran Tromer, postdoctoral associate at the MIT Computer Science and Artificial Intelligence Laboratory (CSAIL) and one of the lead researchers on the study. "All of these [cloud infrastructure services] create these kinds of inadvertent common channels," he said. Tromer added that the techniques they used were rudimentary and, in some cases, took advantage of the very nature of how cloud computing resources are sold.

The 'cloud cartography' research was carried out with basic network discovery techniques: correlating the public addresses handed out to every machine instance with the internal addresses the provider's DNS returns for them, launching instances of known type and availability zone to learn which internal address ranges correspond to which placement, and sending HTTP requests to find running Web servers that answered to anyone who asked. By doing this, Tromer and his fellow researchers were able to roughly determine where a given server was running in Amazon's data centers -- which availability zone and which instance type, and therefore which pool of physical hosts.

By then firing up their own server instances in quick succession, they were speedily able to co-locate with targeted virtual machines; that is, run their own machines on the same physical host as the target, sharing its CPUs, memory and disks. Tromer said that once a virtual machine's location was established, it was vulnerable to 'side-channel' attacks. Side-channel attacks rely on information that leaks through shared hardware, such as timing differences in a shared CPU cache, rather than on weak passwords, unsecured network traffic or other common security blunders.

Tromer said they did not attempt to exploit the vulnerabilities exposed in Amazon's EC2 service, for ethical reasons, nor did they attempt to co-locate with machines not started in the course of the research. On EC2 they only verified that a VM could pass data to a co-resident VM through a covert channel over shared hardware. Tromer said they had demonstrated proof-of-concept side-channel exploits against virtual machines on their own hardware and saw the potential for similar attacks in public clouds.
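The two steps described above, cartography (learning which internal address ranges map to which zone and instance type) and the co-residence check on shotgun-launched instances, are illustrated below in Python. This is an added example, not code from the paper or from Amazon; every address, zone name, instance type and probe timing is constructed sample data, and the assumption that zones are carved out at /16 granularity and instance types at /24 is a simplification modelled on the paper's observations, not a fact about any provider.

```python
"""Cloud cartography and co-residence checks (added illustration).

All addresses, zone names, instance types and probe timings below are
constructed sample data, not real EC2 observations.
"""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Instances the attacker launched with known parameters; the internal
# address is what the provider's DNS returns for each public name.
OWN_INSTANCES = [
    # (internal IP, availability zone, instance type) -- constructed
    ("10.251.0.12",  "zone-1", "small"),
    ("10.251.0.77",  "zone-1", "small"),
    ("10.251.1.40",  "zone-1", "large"),
    ("10.252.3.9",   "zone-2", "small"),
    ("10.252.3.100", "zone-2", "small"),
    ("10.253.7.2",   "zone-3", "xlarge"),
]


def _label_prefixes(observations, field, prefix_len):
    """Map each /prefix_len block to the majority value of `field` seen in it."""
    votes = defaultdict(Counter)
    for ip, zone, itype in observations:
        net = ip_network(f"{ip}/{prefix_len}", strict=False)
        votes[net][zone if field == "zone" else itype] += 1
    return {net: c.most_common(1)[0][0] for net, c in votes.items()}


def build_cartography(observations):
    """Assumption (not a provider fact): zones are allocated at /16
    granularity and instance types at /24 within a zone."""
    return {
        "zone": _label_prefixes(observations, "zone", 16),
        "type": _label_prefixes(observations, "type", 24),
    }


def _lookup(table, addr):
    for net, label in table.items():
        if addr in net:
            return label
    return None


def locate(cartography, target_ip):
    """Infer (zone, type) for a target's internal IP; None where unmapped."""
    addr = ip_address(target_ip)
    return (_lookup(cartography["zone"], addr),
            _lookup(cartography["type"], addr))


# Co-residence check: two instances share a host if the first network hop
# each sees (the hypervisor's Dom0 address) matches and the round trip
# between them is tiny. Requiring both signals keeps a matching Dom0 seen
# across a slow path from counting as a hit.
def co_resident(dom0_a, dom0_b, rtt_ms, max_rtt_ms=1.0):
    return dom0_a == dom0_b and rtt_ms <= max_rtt_ms


# Shotgun step: instances launched in the target's inferred zone/type, each
# recorded with the Dom0 it saw and its measured RTT to the target.
TARGET = {"ip": "10.251.0.200", "dom0": "10.251.0.1"}   # constructed
LAUNCHED = [
    # (instance id, first-hop Dom0 address, RTT to target in ms) -- constructed
    ("i-a", "10.251.0.1",   0.3),
    ("i-b", "10.251.0.129", 0.4),   # different host on the same subnet
    ("i-c", "10.251.0.1",  12.0),   # Dom0 matches but the path is slow: rejected
]


def shotgun_hits(target, launched):
    """Return ids of launched instances that landed on the target's host."""
    return [iid for iid, dom0, rtt in launched
            if co_resident(dom0, target["dom0"], rtt)]


if __name__ == "__main__":
    cart = build_cartography(OWN_INSTANCES)
    print("target placement:", locate(cart, TARGET["ip"]))
    print("co-resident probes:", shotgun_hits(TARGET, LAUNCHED))
```

The cartography returns partial answers deliberately: an address in a mapped /16 but an unseen /24 yields a zone guess with no type guess, which is exactly the case where an attacker would launch a few more probe instances before committing to the shotgun run.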

Tromer said potential exploits in the cloud ranged from denial-of-service attacks, where an attacker co-locates with a target and monopolizes the host's CPU or memory, to sophisticated data interception, such as recovering encryption keys or inferring data as it moves between disk and CPU.

Private clouds vulnerable to same attacks
Tromer said that private clouds built on multi-tenant virtualization were just as likely to suffer from these vulnerabilities as public clouds.

"These profiling tools do a good job of illustrating the fragility of cloud," said security expert Christofer Hoff, director of cloud and virtualization solutions at Cisco. He called the study a "not-so-subtle reminder" that, despite the hype, cloud computing hadn't seriously addressed fundamental security concerns; it had aggravated them.

He said it also cast doubt on claims that providers could necessarily "do security" better than consumers. "What users are given to work with in terms of network control is very limited, especially in Amazon's cloud," said Hoff. He noted that cloud providers don't assume any liability for users' security breaches and aren't transparent about the measures they do take. "The security controls that they put in place are very, very, very basic," he said.

"The entire premise…comes down to them saying, 'trust us'," said Hoff. He added that this is obviously good enough for customers who are practically lining up to use AWS and other cloud services, but as private clouds grow in scope and interconnect with public computing resources, security professionals would need to look at problems like this from the ground up.

Amazon responds to security issues
For its part, Amazon is taking the research seriously. Spokeswoman Kay Kinton said in an email that Amazon was moving quickly on the problem. She pointed out that the researchers themselves noted several mitigating factors that helped make Amazon resistant to potential virtualization exploits.

"While it's unclear what specific attacks could be made in this scenario, AWS takes any potential security issue very seriously and we are in the process of rolling out safeguards that prevent potential attackers from using the cartography techniques described in the paper," she said.

Rackspace did not respond to requests for comment on its awareness of, or efforts to deal with, either cloud cartography or virtualization insecurity. Joyent claimed that its use of an OpenSolaris-based virtualized environment, rather than Xen, meant it did not have the vulnerabilities described in the research.

GoGrid spokesman Michael Sheehan said that even though GoGrid used the same underlying Xen architecture as Amazon, its background in hosting made the company well aware of security issues in virtualization. He said that its management software could pin a customer's virtual machines to specific hardware on the back end if the customer needed that assurance, and many did.

"Our hybrid [cloud and physical hosting] option has gotten a lot of traction for just this reason," he said.

Carl Brooks is the Technology Writer at SearchCloudComputing.com. Contact him at cbrooks@techtarget.com.
