Co-lo VMs busted by crypto attack

By on
Co-lo VMs busted by crypto attack
Credit

Side-channel cache-sniffers steal keys.

Researchers have demonstrated a controlled attack in which private keys can be stolen from a virtualised machine.

The side-channel cryptographic attack was thought to be the first of its kind and could have serious consequences for cloud computing environments where an attacker is co-resident to a victim.

It was demonstrated in a paper (pdf) by researchers from the universities of North Carolina and Wisconsin along with security outfit RSA on a Xen-based virtualisation platform that replicated public cloud infrastructure.

RSA laboratories director Dr Ari Juels said while the attacks were made in a lab, there was “no reason to think that any public virtualised infrastructure is immune” from the attacks.

“The takeaway is this: VMs (virtualised machines) running highly sensitive workloads should not be placed on the same hosts as potentially untrustworthy VMs,” Juels said.

The attacks targeted a vulnerability in the cryptographic package libgcrypt used by GnuPG, which lacked defences against side-channel attacks.

Side-channel leaks were present in some crypto installations as a result of resource exposure.

“In our experiments, an attacker VM targets a co-resident victim VM running Gnu Privacy Guard,” Juels said.

“The attacker VM is able to steal the victim VM’s full private (ElGamal) key. In other words, the attack results in complete compromise of one form of encryption in GnuPG.”

The success of the attack in gaining the keys rendered obsolete existing beliefs that virtualisation, through the use of distinct operating systems, provided effective isolation and therefore security.

It did this by targeting shared hardware resources, specifically the L1 instruction cache, which revealed enough information based on alternate process execution between the target and attacker to build a crypto key.

Importantly, the access-driven side-channel attacks overcame challenges including hypervisor noise, core migration, and the “difficulty of preempting the victim with sufficient frequency to extract fine-grained information”.

While the attacks required a target and attacker to be co-resident on a single machine, earlier research (pdf) had shown it is possible to locate clients within cloud infrastructure.

Copyright © SC Magazine, Australia

Tags:

Most Read Articles

You must be a registered member of iTnews to post a comment.
| Register

Poll

New Windows 10 users, are you upgrading from...
Windows 8
Windows 7
Windows XP
Another operating system
Windows Vista
How should the costs of Australia's piracy scheme be split?
Rights holders should foot the whole bill
50/50
ISPs should foot the whole bill
Government should chip in a bit
Other
View poll archive

Whitepapers from our sponsors

What will the stadium of the future look like?
What will the stadium of the future look like?
New technology adoption is pushing enterprise networks to breaking point
New technology adoption is pushing enterprise networks to breaking point
Gartner names IBM a 'Leader' for Disaster Recovery as a Service
Gartner names IBM a 'Leader' for Disaster Recovery as a Service
The next era of business continuity: Are you ready for an always-on world?
The next era of business continuity: Are you ready for an always-on world?

Log In

Username:
Password:
|  Forgot your password?