Is Your “Cloud” Safe From Cross-Tenant Side-Channel Attacks?

The X-force Blog has a good post about Platform as a Service (PaaS) cloud   (#28 in Security analyzed page)

http://securityintelligence.com/platform-as-a-service-paas-cloud-side-channel-attacks-part-ii/#.VZq8NflglmM

 

The Platform as a Service is a certain kind of Cloud service.  In some cloud services your data resides on machines dedicated for your company (IaaS) – Infrastructure as a Service. In PaaS your application that you use shares computers with other applications.  The idea of course is that your application does not connect with other applications. I.e. your application will not call data from a different customer app.

 

Here is the abstract of the well written research paper:

abstractonlyofcrosstenant

cross-tenant-PaaSclouds

They performed tests on several PaaS cloud instances which they created:

Appfog           www.appfog.com

Azure         azure.microsoft.com

Baidu               developer.baidu.com/en

Cloud Foundry     cloudfoundry.org

DotCloud   dotcloud.com

Elastic Beanstalk   aws.amazon.com/elasicbeanstalk

Engine Yard                   www.engineyard.com

Heroku                             www.heroku.com

HP cloud application PaaS         www.hpcloud.com/products-services/application-paas

Joyent SmartOS      www.joyent.com

OpenShift        www.openshift.com

WSO2        wso2.com/cloud

As you can see that the application tests ran the gamut of User, VM, and Container isolation instances in Table 1.  for the test instances in above PaaS clouds.

 

 

The tests were done in such a manner to test whether a specific attack could find data in other applications. Each cloud company used different isolation techniques: runtime-based isolation, user-based isolation, container-based isolation, and  VM-based isolation.

They used an attack framework called “Side channels via flush-reload”

The idea is to use a method that uses data from the same cpu from last-level cache or sometimes within a specified interval on another CPU.

flushreload-protocol

The most interesting thing about this “flush-reload attack” is that people are assuming all Clouds are safe, will not “cross-pollinate” and are generally safely outsourced.

The security researchers are doing us a service  – I have always said we need more testing of cloud systems, local systems, firewalls, all computer systems need a lot more testing to ensure they actually do what they say they do.

The problem is we need a lot more  understanding, since if a few researchers are using computing knowledge and making suppositions, tests, and then drawing conclusions which upend all what we know of cloud computers. Does this sound familiar?

There are many more hackers which in the past did the same, either you do this yourself, or wait for the criminal to do it for you.