Is Cross-tenant Cloud Attack a Legitimate Threat?
Cloud providers mostly rely on virtualization to maximize the utilization of their computing resources. This comprises of many virtual machines (VMs) running on underlying shared physical infrastructure. However, co-residency with other VMs may cause high security risks such as cross-tenant or side channel attacks. This kind of attacks are difficult to detect and prevent. Should you or your enterprise be worried about such attacks? Let’s take a deeper look through this article.
It has been more than a decade since Amazon launched cloud computing for the public by introducing Amazon Web Services. Amazon defines cloud computing as, “The on-demand delivery of compute power, database storage, applications, and other IT resources through a cloud services platform via the internet with pay-as-you-go pricing”. If you log onto the internet today to use any kind of digital services, you might directly or indirectly be using some variation of cloud computing even without realizing it.
Public cloud offerings are classified broadly into three distinct categories:
1. Infrastructure as a Service (IaaS)
IaaS enables the customers to utilize virtualized infrastructure resources over the internet. It offers infrastructure components like servers, networking resources, security tools and several operating system flavors to develop applications and web services.
2. Software as a Service
(SaaS)SaaS lets the user focus on utilizing the applications and various software offerings on a subscription basis without worrying about provisioning the servers or allocating storage space
3. Platform as a Service (PaaS)
PaaS lets the customers and users leverage the various cloud platform offerings to build applications and services on top of it. Application developers can easily and quickly create web & mobile apps and deploy them without focusing on the nitty-gritties of managing the platform.
In order to efficiently use the underlying resources and extend the benefit of economies of scale, the cloud providers utilize what is known as a ‘multi-tenant software architecture’. In a multi-tenant software architecture, different customers share various system and infrastructure resources like storage, memory, operating system, etc. These resources are powered by a primary physical hardware. The demarcation amongst customer instances is achieved by virtualizing the hardware, operating system or application. This method enables logical isolation and provides separation of resources.
The cross-tenant attacks work on the concept of exploiting the Level 3 memory cache. A Level 3 cache is a mirror image of the system memory and it is shared between all the users in a multi-tenant environment. A hacker would manipulate the cache to a known state and then wait for the victim’s activity. By examining the sections of the cache changed, hackers can pin-point to the memory addresses which contain the user data. After these memory addresses are known, they can try to derive valuable information about victim’s data.
Above image depicts the Last Level Cache
Let us take a look at the most popular cross-tenant attacks and how they are carried out.
Flush + Reload Attack
When carrying out the Flush + Reload attack, the hacker first flushes out the cache memory. After the victim has performed an action, the hacker reloads the cache. If the victim has used the cache to store data, the reload activity would be faster, else, the reload activity would be slow. Hence, by timing the reload activities the hacker can deduce that the victim made use of the cache memory.
Prime + Probe Attack
In the Prime + Probe attack, the hacker would initially calculate the time required to access a known address in the cache. This is known as ‘Priming’ the memory. The hacker would then wait for an activity by the victim, after which he/she tries to calculate the time required to access the known memory address. If the time required is slower in the previous step as compared to the first time, it would indicate that the victim used a memory space adjacent to the memory address already known to the hacker.
Above image depicts the Flush + Reload and Prime + Probe attacks
An obvious question that should intrigue someone at this point is, “Is my data and proprietary business information safe in such an environment?”
The answer is yes, because of the following reasons:
- Firstly, each cloud provider has thought of this threat in great detail and has positioned specific security measures in-place to clearly distinguish and isolate the resources used by individual customer. Each cloud provider has its own approach of achieving this, and in addition, they have configured several ways to detect any deliberate attempts of cross-channel intrusion. They would heavily penalize and permanently debar their customers if they are found guilty of such wrong doings.
- Secondly, critical data that reside in such an environment is encrypted both at rest and in transit. Even if the tenant gains access to the data belonging to another tenant in some way, he won’t be able to derive any meaningful information out of it. Decryption of such data won’t be possible without gaining access to private key that belongs to the actual tenant. Encryption protects the data from anyone trying to access it from outside the cloud environment.
- Thirdly, for hackers to specifically target a particular customer and his data, they should have the ability to launch their virtual machines on the same physical hardware as their target. This action is nearly impossible theoretically because, while launching an instance, they would not have the information about the underlying hardware and they would not have the ability to choose where their virtual machines are going to run. This renders the known ways of exploit, like Flush-Reload and Prime-Probe, which makes use of Level 3 memory cache exploitation completely ineffective for the miscreants.
Finally, majority of the data breaches that we hear about today in cloud are caused by human errors. With their knowledge, more often than not, customers themselves misconfigured their cloud instances and end up exposing their data to the outside world. Under the shared security model, it becomes the onus of the customer to protect his own data and he should make sure that the data protection mechanisms are in place for his data safety.
To conclude, although it seems like cross-tenant and side-channel attacks are a legitimate threat in theory and information security professionals can recreate them in a simulated lab set-up, the chances of them happening in a real public cloud environment are slim. Security experts are continuously on a look out to exploit any vulnerabilities in a shared multi-tenant space, and at the same time, the cloud providers are upgrading their existing security frameworks and policies to deliver robust and resilient services that protect from threats in the future. For the time being, we should focus on the overall aspects of cloud security and safely assume that cross-tenant or side-channel attacks are not possible in public cloud.
Having deduced the legitimacy of threats on cross-tenant cloud attacks, what are your thoughts on it?