Stealing encryption keys on Amazon’s Cloud servers

Researchers have been aware of vulnerabilities in public cloud servers since it was demonstrated six years ago that the co-location of virtual machines is possible and that sensitive information can be extracted from a co-located “victim machine.” Cloud service providers, like Amazon Web Services, and developers of security software and cryptographic libraries, including Libgcrypt, have responded to published reports of successful attacks with patches that have addressed known vulnerabilities. In fact, a new patch available from Libgcrypt addresses the very vulnerabilities that the WPI team took advantage of, though it is up to the users of cloud services, not the cloud providers, to install the patch. That means many users may still be unprotected.

The focus of the WPI paper is a type of cloud service called infrastructure as a service, or IaaS, in which users run computer applications on virtual machines. Typically, many virtual machines can operate independently on each server. Because providers like Amazon maintain thousands of servers, it was once thought that virtual machines would be more difficult to attack than physical computers, since an attacker would have to be able to determine which server was hosting a target machine and then set up its own “spy” machine on the same server. That was believed to be all but impossible.

In 2009, a team at the University of California San Diego and MIT showed how they could predict which server was likely to host a particular virtual machine. They then created a number of virtual machines until they successfully co-located one on the target’s server. While security features in the server environment prevent a co-located virtual machine from directly accessing information on the target, a number of studies have shown that it is possible to observe how a virtual machine loads information into memory caches in the server and glean clues that can be used to deduce sensitive information. These techniques, collectively, are known as cache side-channel attacks.

Security patches have closed off a number of these side-channels and also rendered previous methods for determining co-location ineffective. The WPI team devised a new co-location technique that makes use of what is known as the last-level cache, which is memory shared by all of the virtual machines running on a server. By performing a variety of tests on this cache, they were able to systematically zero in on instances of co-location.

Once co-located with a target machine, the researchers launched a prime-and-probe attack, which involves filling a portion of the cache with data and then observing how the target responds. The cache is designed to hold frequently accessed information and to lessen the need for the CPU to retrieve information from the server’s random-access memory (RAM). Since it takes less time to access the cache than it does to retrieve data from RAM, the time it takes the server to access the cache or RAM provides clues about the type of information being retrieved. By observing the patterns of memory access, the WPI team was able to determine when the target machine was retrieving the 2,048-bit RSA code and then to deduce the actual bits of the RSA key.

Our research has shown that covert channels still exist and may be exploited by side channel attacks,” Eisenbarth noted. “Crypto keys are safe if users follow security best practices and stick to well-maintained and fully patched crypto libraries. The efforts of Amazon and other providers to address known vulnerabilities in the public cloud have made it harder for anyone attacking these services.”

— Read more in Mehmet Sinan Inci et al., “Seriously, get off my cloud! Cross-VM RSA Key Recovery in a Public Cloud,” Cryptology ePrint Archive, Report 2015/898 (22 September 2015)