Amazon Downplays Cloud Breach ThreatResearchers Demonstrate Amazon Web Services Attack in Lab Setting
As security professionals weigh the pros and cons of cloud-based services, researchers at Worcester Polytechnic Institute claim they've spotted a potential data breach issue involving Amazon Web Services - and by extension other cloud services, both public and private.
But Amazon tells Information Security Media Group that while the research is useful, "AWS customers using current software and following security best practices are not impacted by this situation."
Cloud services are predicated on running numerous virtual machines - often for many different, unconnected organizations - on a single physical server. Such an approach can provide the cost savings associated with cloud when compared with on-premises services.
But for infrastructure-as-a-service offerings such as the Elastic Compute Cloud, also known as EC2, from Amazon Web Services, each of these co-located virtual machines - or "instances" - must be kept isolated, lest hackers rent one instance and use it to hack into another instance being hosted on the same server.
Attack Steals Crypto Keys
The Worcester Polytechnic Institute researchers claim to have used one Amazon Web Services instance to successfully hack into another, but only in a lab setting. This revelation suggests that a single cloud instance could be used by attackers to breach other instances running on the same machine, thus compromising individuals and organizations that are otherwise unrelated, except for using the same cloud service.
In a research paper titled "Seriously, Get Off My Cloud! Cross-VM RSA Key Recovery in a Public Cloud," researchers at the institute document how they used their access to an EC2 virtual machine to recover RSA keys from a separate EC2 virtual machine. "We show that co-location can be achieved and detected by monitoring the last-level cache in public clouds. More significantly, we present a full-fledged attack that exploits subtle leakages to recover RSA decryption keys from a co-located instance."
The researchers say that that they shared their findings with Amazon in June. "This work reaffirms the privacy concerns and underlines the need for deploying stronger isolation techniques in public clouds," they say. "Even with advanced isolation techniques, resource sharing still poses a security risk to public cloud customers that do not follow the best security practices. ... We [also] believe that smarter cache management policies are needed both at the hardware and software levels to prevent side-channel leakages and future exploits."
In response, an Amazon Web Services spokesman says that Amazon continues to improve the "the built-in, base-level security measures" now present in Amazon EC2 and notes that the researchers' "complex attack" requires "extremely rare, unlikely pre-existing conditions and outdated third-party software" to be present in the targeted EC2 instance.
As a result, Amazon contends, "AWS customers using current software and following security best practices are not impacted by this situation." But just to be on the safe side, it notes that "a patched version of the open source software targeted by this research - Libgcrypt - is publicly available for Amazon EC2 customers via their operating systems' standard software update mechanisms or direct download from the Libgcrypt project page."
Watch for Isolation Breaks
The research is a reminder that the security of cloud services needs to be scrutinized, not just by cloud users but also providers. "It has some disturbing implications, as many systems are now run in cloud environments like Amazon Web Services," says cybercrime expert Alan Woodward, a computer science professor at University of Surrey. "This research suggests that recovering your virtual neighbors' encryption keys might be quite possible. Not good. Not good at all."
Rich Mogull, CEO of information security research and advisory firm Securosis, tells Information Security Media Group that cloud services experts have long worried about the type of attack demonstrated by the Worcester Polytechnic Institute researchers. "This is what we call an isolate failure - when one instance is able to affect another, on a different account. Specifically, it looks like they used memory-parsing techniques, which we actually included as a risk in the Cloud Security Alliance training class for the first time five years ago," he says.
Mogull says the related risk has been detailed in that training course so that anyone building a private cloud can be sure to avoid it. "Major public providers have known of these memory-parsing attacks for isolation breaks for years and are on top of it," he says. "While this class of attacks is always a concern, and the research looks very good, it doesn't represent an immediate risk."
The researchers' key-recovery attack also carries real-world caveats. "Their co-location detection technique relies on both instances being compromised/owned by the attacker on the same hardware," Mogull says. "If an attacker can already own both instances, you are pretty screwed anyway."
Mogull says the research - even if it cannot be carried out in real-world attacks - should serve as a reminder for enterprises to ensure that they only use a reputable cloud services provider. "Stick with a major provider, don't let someone pwn your instances in the first place, patch your crypto libraries and consider using dedicated instances for sensitive crypto operations," he says.
On the upside, the Worcester Polytechnic Institute researchers report that numerous attack techniques that worked back in 2009 are no longer successful against major cloud providers. "Similarly, increased hardware complexity and better protected cryptographic libraries increase the cost and required sophistication of attacks to succeed," they say. "Nevertheless, many covert channels are still exploitable and require further patches."