The X-force Blog has a good post about Platform as a Service (PaaS) cloud (#28 in Security analyzed page)
Platform as a Service is a particular kind of cloud service. In some cloud services your data resides on machines dedicated to your company (IaaS, Infrastructure as a Service). In PaaS, the application you use shares computers with other applications. The idea, of course, is that your application does not interact with the other applications; i.e. your application will not read data from a different customer's app.
Here is the abstract of the well-written research paper:
They performed tests on several PaaS cloud instances which they created:
Appfog www.appfog.com
Azure azure.microsoft.com
Baidu developer.baidu.com/en
Cloud Foundry cloudfoundry.org
DotCloud dotcloud.com
Elastic Beanstalk aws.amazon.com/elasticbeanstalk
Engine Yard www.engineyard.com
Heroku www.heroku.com
HP cloud application PaaS www.hpcloud.com/products-services/application-paas
Joyent SmartOS www.joyent.com
OpenShift www.openshift.com
WSO2 wso2.com/cloud
As Table 1 shows, the test instances in the PaaS clouds above ran the gamut of user, VM, and container isolation.
The tests were designed to check whether a specific attack could read data belonging to other applications. Each cloud provider used a different isolation technique: runtime-based isolation, user-based isolation, container-based isolation, or VM-based isolation.
They used an attack framework called "Side channels via flush-reload".
The idea is to observe, through the last-level cache, which data another tenant on the same CPU has touched, or in some cases, within a specified interval, a tenant on another CPU.
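To make the flush-reload idea concrete, here is a small simulation added for this post; it is not code from the research paper or from any of the PaaS providers listed. It models a last-level cache shared by two co-resident tenants as a set of resident line numbers (a real attack measures reload latency, which this model replaces with a plain hit/miss flag), and all names (SharedCache, leaky_lookup, constant_time_lookup, flush_reload_probe) and the 256-entry table layout are assumptions made for the example. It shows why a table lookup indexed by a secret leaks which cache line was touched, and why the usual mitigation, touching every line regardless of the secret, leaves the observer with nothing to distinguish.

```python
"""Toy model of a Flush+Reload cache side channel and its constant-time mitigation.

Constructed example: the cache, the victim lookups and the table geometry are all
simplified assumptions; only line presence is tracked, not access timing.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional, Set

LINE_SIZE = 64                                   # bytes per cache line (assumed)
ENTRY_SIZE = 4                                   # bytes per table entry (assumed)
TABLE_ENTRIES = 256                              # one entry per possible secret byte
ENTRIES_PER_LINE = LINE_SIZE // ENTRY_SIZE       # 16 entries share one line
TABLE_LINES = TABLE_ENTRIES // ENTRIES_PER_LINE  # 16 lines cover the table


@dataclass
class SharedCache:
    """Last-level cache shared by two tenants on the same host.

    A line is either resident (a reload would be fast) or not (a reload would
    be slow). Either tenant can flush or access any line of the shared table,
    which is exactly the property an isolation boundary is supposed to deny.
    """
    resident: Set[int] = field(default_factory=set)

    def flush(self, line: int) -> None:
        self.resident.discard(line)

    def access(self, line: int) -> bool:
        """Access a line; return True for a hit (was resident), False for a miss."""
        hit = line in self.resident
        self.resident.add(line)
        return hit


def line_of(entry: int) -> int:
    """Cache line holding a given table entry."""
    return entry // ENTRIES_PER_LINE


def leaky_lookup(cache: SharedCache, secret: int) -> None:
    """Victim tenant: a single table access indexed directly by a secret byte."""
    cache.access(line_of(secret))


def constant_time_lookup(cache: SharedCache, secret: int) -> None:
    """Victim tenant (mitigated): touch every line of the table, whatever the secret.

    The wanted entry is still selected from the data read, but the pattern of
    lines brought into the cache no longer depends on the secret.
    """
    for line in range(TABLE_LINES):
        cache.access(line)


Victim = Callable[[SharedCache, int], None]


def flush_reload_probe(cache: SharedCache, victim: Victim, secret: int) -> Set[int]:
    """Co-resident observer: flush the table, let the victim run, reload every line.

    Returns the set of lines that hit on reload, i.e. the lines the victim used.
    """
    for line in range(TABLE_LINES):
        cache.flush(line)
    victim(cache, secret)
    return {line for line in range(TABLE_LINES) if cache.access(line)}


def recovered_nibble(hits: Set[int]) -> Optional[int]:
    """Observer's inference: exactly one hit line identifies secret >> 4.

    With 16 entries per line the line index equals the high nibble of the
    secret. When every line hits (mitigated victim) nothing can be inferred.
    """
    return next(iter(hits)) if len(hits) == 1 else None


if __name__ == "__main__":
    secret = 0xA7  # constructed sample secret
    leaked = flush_reload_probe(SharedCache(), leaky_lookup, secret)
    safe = flush_reload_probe(SharedCache(), constant_time_lookup, secret)
    print("leaky victim: hit lines", sorted(leaked),
          "-> recovered high nibble", recovered_nibble(leaked))
    print("constant-time victim: hit lines", len(safe),
          "-> recovered high nibble", recovered_nibble(safe))
```

Run as a script, the leaky victim yields a single hit line (line 10 for the secret 0xA7), which is the secret's high nibble; the constant-time victim makes all sixteen lines hit, so the observer learns nothing. The model also makes the isolation point explicit: the channel exists only because both tenants can flush and reload the same physical lines, which is what shared hosts, shared binaries and shared caches across user, container and even VM boundaries permit.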
The most interesting thing about this "flush-reload attack" is that people assume all clouds are safe, will not "cross-pollinate", and are generally safely outsourced.
The security researchers are doing us a service; I have always said we need more testing of cloud systems, local systems, firewalls: all computer systems need a lot more testing to ensure they actually do what they say they do.
The problem is that we need a lot more understanding, since a few researchers applying computing knowledge, making suppositions and tests, and then drawing conclusions can upend all we know of cloud computers. Does this sound familiar?
There are many more hackers who have done the same in the past; either you do this testing yourself, or you wait for the criminal to do it for you.