Cloud computingVulnerability identified in Amazon's cloud computing

Published 28 October 2009

Researchers show that it is possible to find would-be victims within cloud hardware; cloud technologies use virtual machines — remote versions of traditional onsite computer systems; the number of these virtual machines can be expanded or contracted on the fly to meet demand, creating tremendous efficiencies — but the actual computing is performed within one or more physical data centers, creating troubling vulnerabilities

Leading cloud-computing services may be vulnerable to eavesdropping and malicious attacks, according to research that shows it is possible for attackers precisely to map where a target’s data are physically within the “cloud” and then use various tricks to gather intelligence.

Technology Review’s David Talbot writes that the study probed Amazon’s industry-leading Elastic Computer Cloud (EC2) service, but “we firmly believe these vulnerabilities are generic to current virtualization technology and will affect other providers as well,” says Eran Tromer, a postdoctoral researcher at MIT’s Computer Science and Artificial Intelligence Laboratory, who performed the work with three colleagues from the University of California at San Diego.

Ron Rivest, a computer science professor at MIT and pioneer in cryptography, says the four researchers have “discovered some troubling facts” about cloud-computing services, which rent out computing resources, including storage and processing power, on a by-the-hour basis. Specifically, the potential weaknesses were found in the basic computing infrastructure services that are provided by Amazon and Rackspace and are widely used within many in-house corporate datacenters.

These technologies involve “virtual machines” — remote versions of traditional onsite computer systems, including the hardware and operating system. The number of these virtual machines can be expanded or contracted on the fly to meet demand, creating tremendous efficiencies. The actual computing, however, is performed within one or more physical data centers, each containing thousands of computers, and virtual machines of different customers sit on the same physical servers.

Talbot writes that the attack involves first figuring out which physical servers a victim is using within a cloud, then implanting a malicious virtual machine there, and finally attacking the victim.

Hunting down a victim who might be on any of tens of thousands of servers might seem a needle-in-haystack enterprise, but the paper concludes that with some simple detective work, “just a few dollars invested in launching [virtual machines] can produce a 40 percent chance of placing a malicious [virtual machine] on the same physical server as a target.” They dub this mapping process “cartography.”

Tromer and his colleagues demonstrated that, once the malicious virtual machine is placed on the same server as its target, it is possible carefully to monitor how access to resources fluctuates and thereby potentially glean sensitive information about the victim. The researchers said it would be possible to steal data this way, though they did not take this next step.

The attack starts by taking advantage of that fact that all virtual