Cloud computing, which I’ve mentioned here a few times before, is one of the hot topics in the IT world just now. Vendors like Google are offering services (E-mail, document production) “in the cloud” as an alternative to traditional desktop applications, and vendors like Amazon are offering computing capacity in the cloud as a sort of metered utility, purchasable on demand. The implementation of cloud computing frameworks often makes extensive use of virtual machine [VM] technology (another IT flavor of the month). VM technology has several attractive features for the implementation of a cloud environment, such as the ability to run several “virtual servers”, possibly running different operating systems, on the same physical hardware, and the ability to dynamically allocate virtual machines to physical servers, to facilitate maintenance and load balancing. But probably the most important feature is the ability to isolate virtual machines from each other; ideally, the software running in one virtual machine should be completely unaware of any other virtual machine, and in fact should not be able to tell it is running in a virtual, rather than a physical, machine.
Now ComputerWorld is reporting that a group of researchers at UCSD and MIT have discovered a potential new avenue for attacking virtual machines, using a class of techniques called side channel attacks.
In experiments with Amazon’s EC2 they showed that they could pull off some very basic versions of what are known as side-channel attacks. A side-channel attacker looks at indirect information related to the computer — the electromagnetic emanations from screens or keyboards, for example — to determine what is going on in the machine.
(Other examples of side-channel attacks are those which use variations in event timing, or power consumption, to infer properties of the target system.)
Although the specific attacks that the researchers tested were not very sophisticated, there is concern that more dangerous attacks could be mounted using the same general approach:
By looking at the computer’s memory cache, the researchers were able to glean some basic information about when other users on the same machine were using a keyboard, for example to access the computer using an SSH [secure shell] terminal. They believe that by measuring the time between keystrokes they could eventually figure out what is being typed on the machine …
The complete research paper can be downloaded here [PDF]. I should also note that, although these results are relevant to cloud computing, the attacks are actually directed at the VM technology used to implement the cloud.
The real danger of this kind of vulnerability is that it may open up systems to a whole new class of attacks that no one has prepared for. It is a truism of the security business that attacks always get better, never worse. Hopefully, results like these will prod the vendors of cloud computing services to devote more attention to security, and will remind users that (at least in the ~40 years I’ve been involved in computing), none of these “flavors of the month” has turned out to be the magic bullet they have hoped for.