Most people are happy to give their neighbours a spare house key in case of emergencies, but you probably wouldn’t want to give them your digital passwords. Now, security researchers have shown that you may not have a choice, at least when it comes to cloud computing.
Cloud servers let users run simulations of an ordinary computer, called virtual machines (VMs), on remote hardware. A VM performs exactly as an ordinary computer would, but because it is entirely software-based, many of them can run on a single hardware base. Yinqian Zhang of the University of North Carolina, Chapel Hill, and colleagues have discovered that it is possible for one VM to steal cryptographic keys — used to keep your data secure — from another running on the same physical hardware, potentially putting cloud-computing users at risk.
The attack exploits the fact that both VMs share the same hardware cache, a memory component that stores data for use by the computer’s processor. The attacking VM fills the cache in such a way that the target VM, which is processing a cryptographic key, is likely to overwrite some of the attacker’s data. By looking at which parts of the cache are changed, the attacking VM can learn something about the key in use.
Zhang and team did not test the attack in the cloud for real, but used hardware similar to that employed by Amazon’s cloud service to try stealing a decryption key. They were able to reconstruct a 4096-bit key in just a few hours, as reported in a paper presented at the Computer and Communications Security conference in Raleigh, North Carolina, last month.
This attack won’t apply in all situations, as an attacker would have to establish a VM on the same hardware as yours, which isn’t always possible. What’s more, an attack would not work on hardware running more than two VMs. Still, those looking to use cloud services for high-security applications may want to reconsider.
Image: David Malan/Getty