Knocking Cloud Security Off Its Game

separate areas of the same cloud without disturbing each other. But the administrative functions hypervisors perform are also an instability factor as they open up a variety of attacks. Under certain conditions, these attacks can make it possible to access data stored in the memories of other active cloud users working with the same hardware. Moreover, cloud providers could also use hypervisors to take a peek at their users’ data themselves.

Both these risks are unacceptable to companies and governmental organizations that process sensitive data. Indeed, in an expert report compiled by the Swiss Federal Council, which examined the legal framework for implementing Switzerland’s cloud strategy, unauthorized access to what’s referred to as “data in use” was rated as the most probable risk associated with using a public cloud.

Fully Isolating the Hypervisor Is Impossible
There are, however, fundamental limitations as to how well a user system can be isolated and protected from the hypervisor. After all, some communication must take place between the two, and as an administrative tool, the hypervisor still has to be able to perform its core tasks. These include allocating cloud resources and managing the virtual server running the secured system in the cloud.

One of the remaining interfaces between the hypervisor and the TEE concerns the management of interrupts. The ETH team launched what are known as Ahoi attacks to exploit the hypervisor as a means of sending coordinated interrupts to the secured system at any time. This exposes the gap in security: instead of blocking the request from the untrustworthy hypervisor, the TEE lets certain interrupts through. Unaware that these interrupts are coming from outside, the system runs its usual programming routines.

Interrupt Heckles Knock Security Off Its Game
By sending coordinated interrupt heckles, the ETH scientists managed to confuse a TEE-secured system so effectively that they were able to gain root access – in other words, take full control. “Most affected by this problem was AMD’s confidential computing, which proved vulnerable to attack from several different interrupts. In the case of Intel, only one interrupt door had been left open,” Shinde says in summarizing the results of her “Heckler attack”. The researchers also rated AMD’s previous means of defense as insufficient. The chip manufacturers have since taken steps to address this.

The second attack scenario, known as WeSee, affects AMD hardware only. It exploits a mechanism that the chip manufacturer introduced to make communication between TEE and hypervisor easier despite isolation. In this case, a special interrupt can cause the secured system to divulge sensitive data and even run external programs.

Byproduct on the Path to User Control of Phones
As important as it is to find gaps in the security for sensitive data stored in the public cloud, for Shinde and her research group this was merely a byproduct on the path to ensuring that users of iPhones and Android smartphones retain full control over their data and applications. A specially designed TEE will do more than make sure user data is protected from eavesdropping by the manufacturer’s operating system. “We also want our TEE to support unmonitored operation of those apps not managed by Apple or Google,” Shinde says.

Daniel Meierhans is a writer at ETH News. The articlewas originally posted to the website of ETH Zurich.