
Cloud services: The threat of side channels

Cloud services offer convenience and potential cost savings, but a potential security issue may negate the benefits. Michael Kassner digs into some of the latest research.

I write about security, so my interest in "Cloud Services" or "Time-sharing Reincarnate" to us old timers is whether they are secure or not. Almost from the start, cloud services triggered my concern meter by the incessant reminding of how convenient the cloud is.

Since when is convenience a bad thing? Not normally, but current ideology in the digital world has convenience and security being polar opposites. I liken it to the mixing of water and oil. After a good shake, they may appear to be a single solution, but given enough time, they will separate.

I'm often asked for my opinion regarding cloud services. But, I politely refuse, explaining that current arguments -- pro and con -- about security and cloud services are moot. There hasn't been any supportable evidence either way.

That is until now...

The first chink

As I mentioned, I've been pursuing any and all leads about cloud-services security. And up until now, they have been dead ends. Then I caught wind of a research team and their finding of a vulnerability that, if exploited, jeopardizes the security of data residing in the cloud.

I'm afraid this is the real deal. The research team of Ari Juels (RSA Lab), Alina Oprea (RSA Lab), Michael Reiter (UofNC, Chapel Hill), Thomas Ristenpart (UofWI), and Yinqian Zhang (UofNC, Chapel Hill) have developed enough research to support multiple academic papers, and the capability to extract private encryption keys from a cloud service ("HomeAlone: Co-Residency Detection in the Cloud via Side-Channel Analysis" and "Cross-VM Side Channels and Their Use to Extract Private Keys").

No way was I going to let a chance like this slip away. I contacted Dr. Juels, and he agreed to answer my questions. But first, I thought it best to define cloud services (courtesy of Wikipedia):

Is the use of computing resources (hardware and software) that are delivered as a service over a network (typically the Internet). The name comes from the use of a cloud-shaped symbol as an abstraction for the complex infrastructure it contains in system diagrams. Cloud computing entrusts remote services with a user's data, software and computation.

Kassner: Dr. Juels, cloud services cover a lot of territory. In order for us to understand your research findings, would you please define what your concerns are?

Dr. Juels: I think the term is appropriately broad, but it's worth highlighting elements relevant to security. Many of the security implications of the cloud stem from tenants entrusting computing resources to a third party that they controlled in the past.

The resulting loss of control and visibility gives rise to a large swath of security issues. Other security threats arise from the centralization that cloud services create and the resulting attraction of the cloud for attackers. But, centralization isn't without its security benefits either.

Kassner: Using many Virtual Machines (VM) on a single physical server is a big reason why cloud services are economically feasible. Between your comments, and the research papers, one begins to sense sharing space on a physical server is asking for trouble. Why is that?

Dr. Juels: VMs create an appearance of isolation between neighbors. This is a convenient abstraction, but glosses over an important reality: Sharing hardware means unintentionally sharing information. For low-security applications, this may not be a problem, but tenants need to understand the risks.

Kassner: In order to verify if a party is indeed the only VM on the server, you and the research team created HomeAlone. The research paper on HomeAlone states:

The key idea in HomeAlone is to invert the usual application of side channels. Rather than exploiting a side channel as a vector of attack, HomeAlone uses a side-channel (in the L2 memory cache) as a novel, defensive detection tool.

What are side-channels, and would you please explain how HomeAlone works?

Dr. Juels: Side channels are vectors of information leakage that arise as a byproduct of system design, rather than an explicit feature. For example, if two VMs share a cache, one VM can deduce information about the other by examining its cache footprint. The cache wasn't designed to transmit information between VMs, but effectively does so.

Kassner: It almost seems no one believed you about the seriousness of side-channel attacks. To that end, you created an attack to prove your point. What were the results?

Dr. Juels: Security professionals have long hypothesized that sensitive information can be exfiltrated across VM boundaries, but didn't have proof positive. We've confirmed their intuition. What we've shown is that under the right circumstances, an attacker VM can extract a cryptographic key from a victim VM resident on the same server. In other words, an attacker can breach the VM isolation boundary, and seriously compromise a victim.

Kassner: We are always told it's one thing to create and prove something in the lab, but entirely different in the "wild." Is this approach accessible by anyone, and how hard would it be for them to get it up and running?

Dr. Juels: The attack we demonstrated is pretty difficult to mount. The student who implemented it, Yinqian Zhang, has a deep knowledge of side channels in virtualized environments; and invested a lot of time and creativity in making it work. Broadly speaking, if you don't have more immediate concerns than side-channel attacks, you're probably doing a good job of securing your computing resources.

That said, I guess serious side-channel attacks are well within the capabilities of nation states, and they are an easily overlooked vector of attack. Moreover, once visible, attacks can become commoditized. While the development of Stuxnet probably required a well resourced team of experts, malware writers learned from it, and have adopted techniques it introduced. Side channels are a real problem and already taken quite seriously for some technologies, such as smartcards.

Kassner: If you were required to set up a cloud service for a company, what would you look for in a cloud-service provider? Do you have any additional advice for those interested in a cloud service?

Dr. Juels: It's a Hobson's choice at the moment. I would urge the industry to press for better standards and procedures to achieve visibility and control. Auditing standards like the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) are utterly inadequate for achieving meaningful security assurances from cloud providers.

What tenants need is real-time, high-assurance validation of cloud security posture -- not a checklist run through by some fellow showing up from time to time at a data center with a clipboard. The industry would benefit from a combination of tenants demanding better security reporting, and the development of new supporting technologies to secure the increasingly concentrated and critical infrastructure that is the cloud.

Kassner: Dr. Juels, I'd like your opinion on something. There is significant debate about how secure cloud services are. You have researched the subject extensively. What are your feelings on the subject?

Dr. Juels: The important point here is that nobody really knows. As I mentioned, cloud providers aren't required to or equipped to provide assurances of the security of their services that are commensurate with the responsibilities they're assuming. My impression is major cloud service providers are earnest about maintaining strong security, but it's not possible to have more than a vague impression.

Generally every new industry needs to relearn the security lessons of its predecessors, and treats security as an afterthought. What makes me somewhat optimistic about the cloud is that, in contrast to many past examples, security has been a major concern of customers from the very start.
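
To make the cache side channel Dr. Juels describes concrete, here is a toy simulation added to this page; it is not code from the article, the interview, or the research team. It models a shared LRU cache in which a tenant's monitor fills cache sets its own software leaves alone and later checks whether any of its lines were evicted, the defensive inversion the HomeAlone quote refers to. The names (SharedCache, prime, probe, observe_interval), the cache geometry, the reserved-set convention and both workloads are assumptions constructed for the illustration; real hardware reveals a miss only as a slower load.

```python
from collections import OrderedDict

LINE, SETS, WAYS = 64, 64, 4   # assumed toy geometry, far smaller than a real L2


class SharedCache:
    """Set-associative LRU cache shared by every VM on one host (toy model)."""

    def __init__(self):
        self.sets = [OrderedDict() for _ in range(SETS)]

    def access(self, owner, addr):
        """Touch one address. Returns True on a hit, False on a miss.
        On real hardware the caller only sees this as a fast or slow load."""
        line = addr // LINE
        ways = self.sets[line % SETS]
        tag = (owner, line)           # VMs never share lines in this model
        if tag in ways:
            ways.move_to_end(tag)     # mark as most recently used
            return True
        if len(ways) >= WAYS:
            ways.popitem(last=False)  # evict the least recently used line
        ways[tag] = True
        return False


def lines_for_set(set_index):
    """WAYS addresses that all map to set_index, enough to fill the set."""
    return [(set_index + k * SETS) * LINE for k in range(WAYS)]


def prime(cache, reserved):
    """Fill every reserved set with the monitor's own lines."""
    for s in reserved:
        for addr in lines_for_set(s):
            cache.access("monitor", addr)


def probe(cache, reserved):
    """Re-touch the primed lines and return {set_index: misses}.
    Probing in reverse order keeps one eviction from cascading under LRU."""
    footprint = {}
    for s in reserved:
        misses = sum(not cache.access("monitor", a)
                     for a in reversed(lines_for_set(s)))
        if misses:
            footprint[s] = misses
    return footprint


def observe_interval(cache, reserved, friendly, foreign=()):
    """One detection round: prime, let the workloads run, then probe."""
    prime(cache, reserved)
    for addr in friendly:
        cache.access("friendly", addr)
    for addr in foreign:
        cache.access("foreign", addr)
    return probe(cache, reserved)


RESERVED = range(16)   # sets the tenant's own software agrees not to touch
# Constructed workloads: the tenant's VM stays in sets 16..63; the foreign VM
# knows nothing of the convention and lands in sets 5, 6, 7 and 40.
FRIENDLY = [(s + k * SETS) * LINE for k in range(8) for s in range(16, SETS)]
FOREIGN = [5 * LINE, 6 * LINE, 7 * LINE, 40 * LINE, (5 + SETS) * LINE]

if __name__ == "__main__":
    cache = SharedCache()
    print("alone:      ", observe_interval(cache, RESERVED, FRIENDLY))
    print("co-resident:", observe_interval(cache, RESERVED, FRIENDLY, FOREIGN))
```

Set 40 never shows up in the result because the monitor watches only the reserved sets; the evictions in sets 5, 6 and 7 are the neighbour's "cache footprint" as seen from the tenant's side.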

Final thoughts

It appears the floodgate is just cracked. Like many other sophisticated attacks that were quickly monetized, it's a pretty good bet this one will be as well. I'd like to reaffirm what Dr. Juels mentioned:

Cloud providers aren't required to or equipped to provide assurances of the security of their services that are commensurate with the responsibilities they're assuming.

In simple English, it is yet another case of “Buyer Beware.”

I’d like to thank the research team for their effort, and a special thanks to Dr. Juels for taking time to explain the team’s findings.


48 comments
greg.dargiewicz

A September Tech Republic article on Europe and "cloud computing" included this phrase: "... despite the best efforts of Microsoft and other vendors to make cloud a household term..." That to me sums it up: "cloud computing" in no small part is being pushed because it is a much more profitable model to companies like Microsoft, Adobe, etc., who up to now have used the business model of rushing out new releases and either removing support for or "sunsetting" older versions, as a form of built-in digital obsolescence. Security is just one of a host of issues that ought to put the brakes on relying on or tossing everything into the "cloud" (or as it is better known, the Internet) - not the least of which is that it is first and foremost a strategy for transferring money from your company to theirs. Why not apply the model to other areas of commerce? Maybe someday soon we'll only be able to lease cars, using the sunsetting model - your car stops working after three years. (Well, you can start the car and drive it around in your own yard, but not on the road. You can play your own CD, but the radio won't get reception). Sorry, we don't sell houses any more, but you can rent! "Hey, we're updating your fridge with a new voice-activated ice dispenser! Gonna be offline Sunday for the update....new pricing will be reflected in your rent." Clothing could be fitted with DNA sensors that cause the fasteners to fail if anyone but the original owner tries to wear it. Here's a sexist brainstorm: sunsetting bikinis! If you don't update yours before the end date, it just falls off! I'd spend more time at the pool, that's for sure!

ITSecurityGuy

My gut has been in sync with Michael's and I have only recently begun to even consider the use of a cloud for Backups only, even then only if distributed across many distinct clouds after being locally converted to at least 5 striped logical disks in a Level 6 RAID. The 5+ disk images would be individually encrypted LOCALLY prior to being separately backed up to their 5+ respective clouds. To reconstruct my data, an intruder would have to locate the data from at least 3 of my providers and decipher at least 3 different keys. Conversely, I could withstand the failure of as many as 2 providers and still recover my data. By encrypting locally, my encryption key would never exist in the cache memory of any cloud server, nor would any clue as to the schema for the striped array of an unknown number of disks. Introducing BRIC (Bunch of Redundant Independent Clouds): http://bitcartel.wordpress.com/2012/10/21/rbic-redundant-bunch-of-independent-clouds/ Redundant Array of Independent Clouds: Share To Cloud Mapping https://tahoe-lafs.org/trac/tahoe-lafs/browser/git/docs/specifications/backends/raic.rst Welcome to The Least-Authority File System https://tahoe-lafs.org/trac/tahoe-lafs I don't know why some people call me paranoid.

Deadly Ernest

providers do anything about this! Good article Michael.

TrajMag

Thanks Michael for getting the subject of Cloud Security out and in front of the community. How anyone can justify putting all their personal data let alone corporate data in the hands of some remote entity is beyond my comprehension. Anyone that is the least sensitive about security knows that it is not a matter of if but of when we get news of some major corporation's data body knowledge has been compromised. Virtual machines are the same deal. They are software generated therefore someone will eventually figure out how to get in and eavesdrop on their neighbor. My bet is no one here is old enough to remember Party telephone lines! ;-) Thanks again.

pgit

L2 cache, eh? Maybe folks should run their cloud services on Celeron hardware? :) Fascinating stuff, thanks again MK.

JCitizen

although I may not fully understand "side-channel" function; it doesn't seem to surprise me that VMs may be leaky (or somewhat vulnerable). The very existence of VM aware malware, has kept me suspicious of the supposed invincibility of VMs in the first place. Of course the technology is useful and reliable enough, I would trust a host service to give me a rental space. No need to put blinders on though. As usual - great article Michael - 'bout time someone brought this subject out!

JCitizen

I'll never call anyone paranoid! You can't be paranoid enough in this business.

Michael Kassner

I did not know that there was activity in this area. It is a great idea. I definitely will be looking into it.

seanferd

I'll have to check out the links.

Michael Kassner

I see it being a situation where if it is required by the customer, it will be an additional cost to have only one customer per physical server.

JCitizen

I've been entrusting them with my most critical data for years. Doesn't mean they won't get cracked eventually - it is just a case of reputation. Cloud services will have to build this trust or go out of business to competition that will.

Deadly Ernest

growing up. We had to count the rings to know if it was for the house we were in at the time. The farm we spent many holidays didn't get rid of theirs until about 1967, or so - about a year after we got decimal currency.

seanferd

Plenty of people here old enough to remember party lines. I have the same reservations about a lot of what is marketed as cloud services. And not just for security (in terms of unauthorized use or access) reasons. But this is one more bit of IT sold as an appliance, and people want to believe it is. And when a provider like Amazon doesn't even know what is going on in its own personal cloud (let alone their website)*, I have no idea why I should trust them to host my stuff, directly or through another party using their services, in their cloud. *Complicated anecdote which I will spare you, which is not statistical data, but which is illustrative I think. Ended up involving 95 minutes on the phone, multiple corrections on multiple points of failure. Yes, it's their software running in their cloud, but they also built and run the cloud.

Michael Kassner

I'm plenty old enough to remember party lines. And I remember going to a neighbor's to watch that new-fangled thing called television.

Michael Kassner

Dr. Juels and his team are doing some amazing things. I think we have just seen the beginning.

Michael Kassner

As I understand it, the bits remain in memory until they are replaced or power is removed. Since the memory is shared, another VM can access the memory if it is no longer in use and read what is there.

pgit

I feel the same way, but my 'attitude' is often a little hard for customers to take. Some think I'm just trying to pad the bill with unneeded labor under guise of "security." Others see what I'm saying but think I'm being overly concerned about an issue. One thing everyone agrees on is I'm consistent, consistently paranoid as they see it. Most do appreciate that I bother to care, but around half have not done everything I have suggested they do for their own safety. I will say TR and similar sources (especially you, Michael) provide an independent voice on such matters, I often send articles to customers that I haven't been able to convince. Off hand I recall 3 incidents recently where sending an article to a customer got them to agree to instituting additional measures.

Michael Kassner

You both bring up questions that I have been asking during my many years of researching this phenomenon "Time-sharing reborn." I'm starting to wonder if we can liken it to fashion, old ideas all of a sudden become new. Just the other day, I overheard a young lady exclaim how cool and innovative what I would have called "Beatle boots" were.

Deadly Ernest

will then make huge reductions in the likely savings to be made from the process.

Michael Kassner

It's a hardware issue. And, only the first of many. VMs have not been tested in this manner -- ever.

seanferd

For all I know, there still are. My neighbors had one, although I'm not sure who they shared it with or why. Legacy stuff just sticking around.

Michael Kassner

Not sure what else there is. You are going to have to explain.

ITSecurityGuy

You're one lucky dude. We had to wait until Dad finally caved and we bought our own television, circa 1957. It wasn't long before the sockets for the tubes got a little corroded and we had to bang on the side of the cabinet to "fix" the TV. (It took another 20 years before the house was air conditioned.) Oh, and we only had a party line for 3-4 years.

JCitizen

that make clear sense! I appreciate it! :)

Michael Kassner

Your comments mean a great deal, and I sure do appreciate them.

ed

I'm in education and have sent a number of your links to the coordinator of the educational computing program. She shares them with all the faculty in the area, hoping that maybe we can convince half of 1% of the students that security, privacy, et al are worth attention. I can remember being invincible half a century ago. But then it was testing the top speed of my parents' Chrysler on two-ply bias tires and fortunately, it only had a two-barrel carb.

JCitizen

Michael's TR articles make good reference to unbelieving clients! :) Sometimes I even post them on FaceBook for all my friends there. They are all convinced after a single exposure to the truth! (so far) ;)

pgit

I actually receive a substantial portion of my contact from clients via IM. I have several clients (and several accounts) up and running 24/7 and check frequently. Often I can troubleshoot and talk folks through the fix over the IM. The customers that use it love it. It makes them feel more directly connected to me than calling on the phone does, for some reason. Maybe because the subject is usually computers and they are using one for the communication.

Michael Kassner

I had to think the last time I used IM. It's been years. I text now as well as just about everybody under 30. But, you are right, that is just another reincarnation -- a much more convenient one.

Deadly Ernest

well I'd like to know how much different to Telnet and BBS it is - same basic concept just a different display, it seems.

HAL 9000

A small Medical Center and a very small School who got hit with Ransom Ware. Neither had Solid Backups and were just hoping for the best believing that Computers are Magic and never lose anything. They of course learned the Hard Way and in all likelihood will need to learn that lesson again after they have gone a few years without incident. Col

Deadly Ernest

they have no or little security concerns at all that could have some real savings with cloud services. Some of the smaller secretarial companies that type up basic letters etc for people would have no security concerns with using the cloud.

HAL 9000

I hear a lot about this but have yet to see any real savings. When the entire cost of moving to the cloud is considered without the Need for Additional Security not provided by the Cloud Provider I have yet to see any real saving gained. What has always been the sticking point is No Internet = No Cloud and that always means No Work. Happens a lot more than some people are willing to admit here at least. What the companies may save in local Hardware is soon eaten up by the increased costs of the ISP because they require so much more bandwidth. Add to that the possibility of their encrypted Data being let loose onto the WWW and all I can see is a major expense with no savings. Well at least not for the individual companies may be a massive saving for the Cloud Providers but as they are not my customers I'm not overly concerned about them. ;) Col

Michael Kassner

As far as I know all VM software is proprietary, and that makes it hard to review.

JCitizen

and hopefully they will hold their systems to tests like this in the future.

Deadly Ernest

house you could have a good chat with the neighbours or just listen in on their calls to get the latest gossip.

doug.cronshaw@baesystems

... the UK was still using (Sterling) pounds, shillings and pence until March 1971 if memory serves me right. Same thing though: the UK pound was divided into twenty shillings, and each of those shillings was divided into twelve pennies. Below that, the currency was binary, with each penny having two halfpence, and up 'til about 1955 each halfpenny being further divisible into two farthings. (The ha-penny was still a feature of the UK decimal currency until the early nineties.)

Deadly Ernest

12 pence to a shilling, 20 shillings to the pound, which is why a half pound note was a tenner or ten shillings and that became a dollar with 100 cents in instead of 120 pence. I know as I was doing bookkeeping at school during the mid 1960s and for a few years I was doing all the accounts work in pounds, shillings, and pence. A crown was 5 shillings and a half crown was 2 shillings and six pence. A florin was 2 shillings or 2 bob.

HAL 9000

a Half Pound was 12 Shillings and a Pound was 24 Shillings. If there had been 20 Shillings to the Pound there would have been no need to Decimalise. We moved from a 12 Base Unit of Money to a 10 Base Unit where sixpence became 5 cents and 12 pence/a Shilling became 10 cents. And so on and So on. Col

Deadly Ernest

Australia adopted dollars and cents, we used pounds, shillings, and pence to pay all things of a monetary sense. No more twelve pence to the shilling, or a pound complete to twenty shilling. To accept a crown or florin if willing, or tuppence, or a bob, or tenner, of zac, as payment for your sale and work that colourful old money we used to track. from wikipedia - http://en.wikipedia.org/wiki/Decimal_currency#Australia_and_New_Zealand Australia decimalised on 14 February 1966, with the new Australian dollar equivalent to ten shillings or half an Australian pound in the previous currency. Since a shilling became equal to ten cents, the Australian cent was equal to 1.2 Australian pence, although they were usually exchanged on a 1:1 basis during the brief period when both were circulating.

seanferd

"You've been in business for how long, now?" Yeesh.

JCitizen

music just doesn't sound the same without my brother's old Heath-kit tube amp. The music industry was actually geared toward that natural distortion.

pgit

I'm an intolerant snob when it comes to audio production. Tubes are analog, and distortion is even-order. That means any distortion augments the sound naturally. Pleasing to the ear. (and brain) Solid state produces odd-order distortion. It degrades the overall quality and is grating, it gets on your nerves and can negatively alter your mood if exposed long enough. Nothing beats tubes for guitar amps, too. (including bass, tho solid state is less 'grating' at the lower frequencies) The glow is nice, including the lovely blue Cherenkov radiation haunting the grid. I used to rebuild tube amps and tube shortwave receivers. Obviously I'm a vacuum tube fanatic... you got me started, I can't help myself... just don't mention passenger rail or elm trees and I promise I'm done ranting. :)

Michael Kassner

I was trying to calculate when that was, and I lose track. "57" I'd have been five, so that sounds about right for my memory as well. If that's the case then you were luckier. I miss the tube radios. As a ham radio operator, I loved the glow in my shack.

Michael Kassner

I give credit to the research team for holding my hand and explaining the details. It is quite a trick to pull off, but once it is employed in a piece of malware, anyone can use it.
