How to Steal Data from Your Neighbor in the Cloud

A study proves that software hosted in one part of the cloud can spy on software hosted nearby.
November 8, 2012

Cloud computing teaches people not to worry about physical equipment for hosting data and running software. But a new study suggests that this could be a costly mistake.

Dark cloud: A new attack demonstrated by researchers reveals that people might want to think twice before storing sensitive material in the cloud.

Researchers at the University of Wisconsin, the University of North Carolina at Chapel Hill, and the computer security company RSA have shown that it is possible for software hosted by a cloud-computing provider to steal secrets from software hosted on the same cloud. In their experiment, they ran malicious software on hardware designed to mimic the equipment used by cloud companies such as Amazon. They were able to steal an encryption key used to secure e-mails from the software belonging to another user.

The attack demonstrated is so complex that it is unlikely to be a danger to customers of any cloud platform today, but the experiment answers a longstanding question about whether such attacks are even possible. The proof suggests that some very valuable data should not be entrusted to the cloud at all, says Ari Juels, chief scientist at RSA and director of the company’s research labs. “The basic lesson is that if you’ve got a highly sensitive workload, you shouldn’t run it alongside some unknown and potentially untrustworthy neighbor,” says Juels.

One reason cloud computing is growing fast is that businesses can save money thanks to the economies of scale that come from large warehouses of computers taking over work previously done by much smaller-scale in-house operations. RSA’s work might give pause to companies and government departments contemplating moving more of their systems to the cloud.

The new attack undermines one of the basic assumptions underpinning cloud computing: that a customer’s data is kept completely separate from data belonging to any other customer. This separation is supposedly provided by virtualization technology—software that mimics an instance of a physical computer system. A “virtual machine” offers a familiar system on which to install and run software, hiding the fact that, in reality, all customers are sharing the same complex warehouse-scale computer system.

Juels’s attack depends on finding ways to break that illusion. He found that, because virtual machines running on the same physical hardware share resources, the actions of one can impinge on the performance of the other. Because of this, an attacker in control of one virtual machine can snoop on data stored in the cache, memory attached to one of the processors running the cloud environment that serves up recently used data to speed up future access to it. This trick is known as a side-channel attack.

“Despite the fact that, in principle, it’s isolated from the victim, the attack virtual machine will catch glimpses of the behavior of the victim through a shared resource,” says Juels.

The software developed by Juels abused a feature that allows software to get priority access to a physical processor when it needs it. By regularly asking to use the processor, the attacker could probe the memory cache for evidence of the calculations the victim was performing with his or her e-mail encryption key.

The attacker could not directly read the victim’s data, but by noting how quickly it could write data to the cache, it could infer some hints about what had been left in there by its victim. “The attack VM will catch glimpses of the behavior of the victim,” says Juels. By collecting thousands of these glimpses, it was eventually possible to reveal the full encryption key.
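To make the mechanism concrete, here is a toy simulation added for illustration; it is not the researchers' code and performs no real timing. The cache geometry, the latency units and the names `Cache` and `slow_sets` are assumptions. It models why a slower access tells one tenant which parts of a shared cache a neighbor touched, and why the signal disappears when the sensitive workload gets hardware of its own.

```python
# Toy model of a cache shared by two tenants. Everything here is constructed:
# the latencies, the cache geometry and the set numbers are illustrative only.
HIT, MISS = 1, 10  # made-up latency units, not measurements


class Cache:
    def __init__(self, sets=8, ways=2):
        self.ways = ways
        self.lines = [[] for _ in range(sets)]  # per-set LRU list, oldest first

    def access(self, owner, set_idx, tag):
        """Touch one line and return the simulated latency of that access."""
        lines, key = self.lines[set_idx], (owner, tag)
        if key in lines:              # hit: refresh the line's LRU position
            lines.remove(key)
            lines.append(key)
            return HIT
        if len(lines) >= self.ways:   # miss in a full set: evict the oldest line
            lines.pop(0)
        lines.append(key)
        return MISS


def slow_sets(victim_sets, shared=True, sets=8, ways=2):
    """Sets where the observer's second pass is slower than an all-hit pass."""
    observer_cache = Cache(sets, ways)
    # Dedicated hardware is modelled as the victim having a cache of its own.
    victim_cache = observer_cache if shared else Cache(sets, ways)
    for s in range(sets):             # the observer fills every set with its lines
        for w in range(ways):
            observer_cache.access("observer", s, w)
    for s in victim_sets:             # the victim's work touches a few sets
        victim_cache.access("victim", s, 0)
    slow = []
    for s in range(sets):             # the observer times a second pass, set by set
        latency = sum(observer_cache.access("observer", s, w) for w in range(ways))
        if latency > ways * HIT:
            slow.append(s)
    return slow


if __name__ == "__main__":
    print("shared cache:   ", slow_sets([1, 5]))
    print("dedicated cache:", slow_sets([1, 5], shared=False))
```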

Despite its complexity, the researchers say that cloud providers and customers should take the threat seriously. “Defenses are challenging,” says Juels, who has informed Amazon about his work.

Michael Bailey, a computer security researcher at the University of Michigan, notes that the software attacked—an e-mail encryption program called GNU Privacy Guard—is known to leak information, and that the experiment wasn’t carried out inside a real commercial cloud environment. However, he says, the result is significant and will inspire other researchers—and perhaps real attackers—to prove that such attacks can be practical.

“The reason I’m excited is that someone’s finally given an example of a side-channel attack,” says Bailey. “It’s a proof of concept that raises the possibility that this can be done—it will motivate people to look for more serious versions.”

A particularly concerning demonstration would be to use the method to steal the encryption keys used to secure websites offering services such as e-mail, shopping, and banking, says Bailey, although that would be much more challenging. Juels says he’s working on exploring how far he can push his new style of attack.
