Mapping cloud infrastructure
When different environments share infrastructure, as with third-party cloud computing, new risks arise that must be taken into account, even if the machines are isolated by means of virtualization. These risks are described and demonstrated in detail in ‘Exploring Information Leakage in Third-Party Compute Clouds’, a whitepaper written by students from MIT and UCSD.
This whitepaper can be found here: http://people.csail.mit.edu/tromer/papers/cloudsec.pdf
Third-party cloud computing represents the promise of outsourcing as applied to computation. Services, such as Microsoft’s Azure and Amazon’s EC2, allow users to instantiate virtual machines (VMs) on demand and thus purchase precisely the capacity they require when they require it. In turn, the use of virtualization allows third-party cloud providers to maximize the utilization of their sunk capital costs by multiplexing many customer VMs across a shared physical infrastructure. However, in this paper, we show that this approach can also introduce new vulnerabilities. Using the Amazon EC2 service as a case study, we show that it is possible to map the internal cloud infrastructure, identify where a particular target VM is likely to reside, and then instantiate new VMs until one is placed co-resident with the target. We explore how such placement can then be used to mount cross-VM side-channel attacks to extract information from a target VM on the same machine.
Not only are the risks described well, but also the fact that there is no real solution for them.
There are a number of approaches for mitigating this risk. First, cloud providers may obfuscate both the internal structure of their services and the placement policy to complicate an adversary’s attempts to place a VM on the same physical machine as its target. For example, providers might do well by inhibiting simple network-based co-residence checks. However, such approaches might only slow down, and not entirely stop, a dedicated attacker. Second, one may focus on the side-channel vulnerabilities themselves and employ blinding techniques to minimize the information that can be leaked. This solution requires being confident that all possible side-channels have been anticipated and blinded. Ultimately, we believe that the best solution is simply to expose the risk and placement decisions directly to users. A user might insist on using physical machines populated only with their own VMs and, in exchange, bear the opportunity costs of leaving some of these machines under-utilized. For an optimal assignment policy, this additional overhead should never need to exceed the cost of a single physical machine, so large users—consuming the cycles of many servers—would incur only minor penalties as a fraction of their total cost. Regardless, we believe such an option is the only foolproof solution to this problem and thus is likely to be demanded by customers with strong privacy requirements.


