New research identifies additional risks for applications in the cloud

Great attention continues to be focused on the potential for cloud computing services to re-shape the way public and private sector organizations manage their IT infrastructure and computing environments. A paper published this month by researchers from MIT and UCSD may provide more good reasons for caution in moving to outsourced services provided by prominent third-party cloud computing vendors like Amazon, Microsoft, and Google.

The analysis was conducted on Amazon’s Elastic Compute Cloud (EC2), though the authors suggest it is generally applicable to other providers. It identifies a number of vulnerabilities that can be exploited against cloud-hosted apps that run in virtual machines multiplexed on the same physical server. The authors evaluated the provisioning of new virtual machines and identified ways to map the cloud infrastructure so that a theoretical attacker could effectively place an attacking virtual machine instance on the same server as the virtual machine hosting the application the attacker sought to compromise. This sort of “side channel” attack vector might understandably offer a malicious user the opportunity to launch attacks against whatever other applications happen to be running on the same server, but the research presented in the paper indicates that an attacker looking to compromise a specific service can also do so, albeit with the need for more time and money to succeed.

It’s important to note that the authors work under the assumption that the cloud computing service provider is trusted. There are known risks such as the compromise of provider staff or attacks directed at hypervisors or other virtual machine administrative tools, but the attack vector on which the paper focuses is feasible even when the integrity of the provider’s security environment is maintained. The threat model used in the research also does not address direct attacks against applications; these threats exist both for cloud-hosted and conventionally hosted applications, and there is no theoretical increase in risk to a network-accessible application that happens to be running on outsourced infrastructure. Instead, as the authors themselves note, the research focuses “on where third-party cloud computing gives attackers novel abilities; implicitly expanding the attack surface of the victim” (Ristenpart, T., Tromer, E., Shacham, H., & Savage, S., 2009; emphasis in the original).

Cloud computing service providers might do well to take note both of the issues presented in the paper and of the recommendations the authors make to mitigate the risks they found. These recommendations include revisions to business and administrative practices as well as technical defensive measures.

Reference:

Ristenpart, T., Tromer, E., Shacham, H., & Savage, S. (2009, November). Hey, you, get off of my cloud: Exploring information leakage in third-party compute clouds. Paper presented at the 16th Association for Computing Machinery Conference on Computer and Communications Security, Chicago, IL. Retrieved from