There is no denying that cloud computing is a red-hot topic, considering the tremendous cost-saving potential that can be achieved by leveraging the hardware infrastructure of a third party. Downsides to cloud computing usually have to do with the security risks associated with ownership of hosted data, as evidenced by feedback from TechRepublic’s own CIO Jury.

While proponents decry the oversensitivity of the security camp, a new research paper has been released that is opening yet another door on this topic. Written by researchers from the Department of Computer Science and Engineering at the University of California and the Computer Science and Artificial Intelligence Laboratory at the Massachusetts Institute of Technology, the paper explores and models various theoretical exploits on cloud services.

The paper basically thrashes earlier assumptions about the security of cloud-hosted services based on the default anonymity of the hardware servers. You can download this highly technical piece, “Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds,” and mull over the details for yourself, but I’ll give you a brief look at some of the highlights.

Anonymity in the clouds

One key premise that was worked on by the researchers has to do with the fact that VMs from competitors might wind up running on the same physical hardware. Despite the isolation that virtual machines are supposed to guarantee, attempts might be made to penetrate the isolation between VMs and violate customer confidentiality — without anyone being the wiser.

The researchers used Amazon’s EC2 as a case study and explored a variety of methods not only to identify specific machines but also to achieve “co-residence.” By manipulating how they request for new VMs using legitimate calls, it was possible to engineer a 40-percent chance of securing VM resources on the physical server hosting an identified target.

It is clear that anonymity by virtue of “hiding” in the clouds simply cannot be considered an appropriate defense. Despite the radically different set of circumstances where cloud computing is concerned, security by obscurity is once again proven to be no security at all.

Estimating traffic rates

Once co-residence is achieved, what next? While the ultimate in hacking the clouds would probably be the stealing of cryptographic keys, the researchers nevertheless acknowledged that successfully pulling it off will be “somewhat more difficult to realize.” Other attack vectors, though, might be denial of service or even the estimation of gross traffic rates — which can be damaging to certain Web sites.

Estimating traffic rates can be achieved by measuring the load of the physical machine by the co-resident virtual instance even as artificially inducted HTTP requests are sent to the target virtual instance. A correlation can then be drawn in order to estimate the actual traffic. This is a vastly simplified explanation, of course, since the load itself has to be computed by advanced techniques involving probing the cache and processor utilization from within the co-resident virtual instance.

Conclusion

A number of the highlighted vectors remain concepts and are not actually exploited. However, it is clear from the many experiments and statistical models employed that security in the clouds is more complex than originally envisaged and certainly needs to be approached with due diligence.

While I am not one to advocate shying completely away from the clouds, the truth is that we are still in the infancy of cloud computing. While there are great opportunities for cost savings and access to practically limitless computing resources, a lot remains to be discovered still.