Select your localized edition:

Close ×

More Ways to Connect

Discover one of our 28 local entrepreneurial communities »

Be the first to know as we launch in new countries and markets around the globe.

Interested in bringing MIT Technology Review to your local market?

MIT Technology ReviewMIT Technology Review - logo


Unsupported browser: Your browser does not meet modern web standards. See how it scores »

{ action.text }

Cloud crowd: Some 4,000 servers hum at IBM’s cloud computing center in San Jose, CA.

In 2006, when Amazon introduced the Elastic Compute Cloud (EC2), it was a watershed event in the quest to transform computing into a ubiquitous utility, like electricity. Suddenly, anyone could scroll through an online menu, whip out a credit card, and hire as much computational horsepower as necessary, paying for it at a fixed rate: initially, 10 cents per hour to use Linux (and, starting in 2008, 12.5 cents per hour to use Windows). Those systems would run on “virtual machines” that could be created and configured in an instant, disappearing just as fast when no longer needed. As their needs grew, clients could simply put more quarters into the meters. Amazon would take care of hassles like maintaining the data center and network. The virtual machines would, of course, run inside real ones: the thousands of humming, blinking servers clustered in Amazon’s data centers around the world. The cloud computing service was efficient, cheap, and equally accessible to individuals, companies, research labs, and government agencies.

But it also posed a potential threat. EC2 brought to the masses something once confined mainly to corporate IT systems: engineering in which Oz-like programs called hypervisors create and control virtual processors, networks, and disk drives, many of which may operate on the same physical servers. Computer security researchers had previously shown that when two programs are running simultaneously on the same operating system, an attacker can steal data by using an eavesdropping program to analyze the way those programs share memory space. They posited that the same kinds of attacks might also work in clouds when different virtual machines run on the same server.

In the immensity of a cloud setting, the possibility that a hacker could even find the intended prey on a specific server seemed remote. This year, however, three computer scientists at the University of California, San Diego, and one at MIT went ahead and did it (see “Snooping Inside Amazon’s Cloud” in above image slideshow). They hired some virtual machines to serve as targets and others to serve as attackers–and tried to get both groups hosted on the same servers at Amazon’s data centers. In the end, they succeeded in placing malicious virtual machines on the same servers as targets 40 percent of the time, all for a few dollars. While they didn’t actually steal data, the researchers said that such theft was theoretically possible. And they demonstrated how the very advantages of cloud computing–ease of access, affordability, centralization, and flexibility–could give rise to new kinds of insecurity. Amazon stressed that nobody has successfully attacked EC2 in this manner and that the company has now prevented that specific kind of assault (though, understandably, it wouldn’t specify how). But what Amazon hasn’t solved–what nobody has yet solved–is the security problem inherent in the size and structure of clouds.

Researchers recently figured out a way to place malicious “virtual machines” on the servers hosting virtual machines assigned to intended victims in Amazon’s Elastic Compute Cloud, which they say could make it possible for an attacker to steal data. Amazon says it has since prevented this kind of attack and that the threat of data theft had only been theoretical. Here’s how the researchers did it.
1. The researchers hired “victim” virtual machines (VMs) from Amazon’s cloud and noted the machines’ IP addresses. They learned that if they bought multiple VMs at nearly the same time, those machines would have similar IP addresses, indicating that they were probably hosted on the same server.

Cloud computing–programs and services delivered over theInternet–is rapidly changing the way we use computers (see Briefing, July/August 2009, and “Clouds, Ascending” in above slideshow). Gmail, Twitter, and Facebook are all cloud applications, for example. Web-based infrastructure services like Amazon’s–as well as versions from vendors such as Rackspace–have attracted legions of corporate and institutional customers drawn by their efficiency and low cost. The clientele for Amazon’s cloud services now includes the New York Times and Pfizer. And Google’s browser and forthcoming operating system (both named Chrome) mean to provide easy access to cloud applications.

Even slow-moving government agencies are getting into the act: the City of Los Angeles uses Google’s Apps service for e-mail and other routine applications, and the White House recently launched to encourage federal agencies to use cloud services. The airline, retail, and financial industries are examples of those that could benefit from cloud computing, says Dale Jorgenson, a Harvard economist and expert on the role of information technology in national productivity. “The focus of IT innovation has shifted from hardware to software applications,” he says. “Many of these applications are going on at a blistering pace, and cloud computing is going to be a great facilitative technology for a lot of these people.”

2. They realized that to increase the odds of placing a malicious VM on the same server as a victim VM, they would have to force a victim to hire a machine at a certain time. One way to do this, they say, would be to bombard the victim’s website with requests, forcing the victim to increase capacity.

Of course, none of this can happen unless cloud services are kept secure. And they are not


8 comments. Share your thoughts »

Credits: Jason Madara, Bryan Christie Design, Craig Mitchell Dyer/Getty Images
Videos by David Talbot, edited by JR Rost

Tagged: Computing, Web, IBM

Reprints and Permissions | Send feedback to the editor

From the Archives


Introducing MIT Technology Review Insider.

Already a Magazine subscriber?

You're automatically an Insider. It's easy to activate or upgrade your account.

Activate Your Account

Become an Insider

It's the new way to subscribe. Get even more of the tech news, research, and discoveries you crave.

Sign Up

Learn More

Find out why MIT Technology Review Insider is for you and explore your options.

Show Me