Select your localized edition:

Close ×

More Ways to Connect

Discover one of our 28 local entrepreneurial communities »

Be the first to know as we launch in new countries and markets around the globe.

Interested in bringing MIT Technology Review to your local market?

MIT Technology ReviewMIT Technology Review - logo


Unsupported browser: Your browser does not meet modern web standards. See how it scores »

{ action.text }

In other words, one of the key benefits of cloud computing–the ability to instantly expand or contract computational capacity as required–in this case provides a crucial vulnerability.

Once the researchers achieved such co-residence on Amazon’s infrastructure, they were able, by monitoring ebbs and flows of the servers’ processing speed and other factors, to indirectly learn what kinds of computing resources a would-be victim uses and when he uses them–often crucial clues that can reveal sensitive information about the victim’s activities.

“I might find out all kind of business intelligence with things that these ‘side-channels’ might leak,” says Radu Sion, a computer scientist at Stony Brook University who is chairing a cloud security workshop at an upcoming conference at which the paper will be presented. A flurry of heavy computational activity by a company running financial trading models, for example, could provide clues to a pending market movement. Concurrent high levels of activity between two brokers could suggest a pending transaction.

While the researchers said that actual theft of data is possible, they did not go ahead to demonstrate it. “Stealing encryption keys isn’t something we have demonstrated in this context yet, but we have demonstrated that the underlying side-channels are capable of that,” says Tromer.

It may even be possible to detect the victim’s passwords through a so-called keystroke attack, Tromer says. Earlier research has demonstrated that analyzing the timing of keystrokes can reveal which letters have been struck on a keypad. The current paper adapted that insight to suggest that small spikes in activity from a victim’s previously idle virtual machine can reveal the activity of a person typing a password. Measuring subtle load-changes provides a way of detecting the timing of the keystrokes and thus, potentially, the password.

The approach could also be used to perform much cruder attacks. If an attacker sits on the same servers as his victim, a conventional denial-of-service attack becomes possible simply by amping up his resource usage all at once.

In a statement, Amazon spokesman Kay Kinton says Amazon has “rolled out safeguards that prevent potential attackers from using the cartography techniques described in the paper.” She added that for security reasons, Amazon could not disclose the details. However, Tromer says that the only full solution available today would be to give customers the option to avoid sharing physical servers with other customers. Creating unbreachable virtual walls between virtual machines that sit on the same server remains “an open research problem that we, and others, are working on,” he says.

Amazon’s statement also calls the side-channel method implausible. “The side channel techniques presented are based on testing results from a carefully controlled lab environment with configurations that do not match the actual Amazon EC2 environment. As the researchers point out, there are a number of factors that would make such an attack significantly more difficult in practice.”

Amazon also said it had tightened access credential procedures, though this is not of direct relevance to the new paper. Rackspace did not return requests for comment made yesterday afternoon.

2 comments. Share your thoughts »

Tagged: Computing, security, cloud computing, Amazon, network analysis, virtualization

Reprints and Permissions | Send feedback to the editor

From the Archives


Introducing MIT Technology Review Insider.

Already a Magazine subscriber?

You're automatically an Insider. It's easy to activate or upgrade your account.

Activate Your Account

Become an Insider

It's the new way to subscribe. Get even more of the tech news, research, and discoveries you crave.

Sign Up

Learn More

Find out why MIT Technology Review Insider is for you and explore your options.

Show Me