Cryptography attack: side-channel cloud threat is all nerd and no knickers

Opinion Davey Winder Nov 12, 2012

Side channel attacks could threaten cloud security in a big way. Best to be prepared

Side-channel attacks are nothing new, in fact I have been interested in them and writing about them for more than ten years now. Their arrival in the cloud, or rather the potential for a side-channel approach to touch the cloud threat surface, most certainly is though; but is it something you need to worry about? 

In order to answer that, you first have to get your head around what a side-channel attack actually is, or should I say what side-channel attacks are? Yep, the plural applies here because the 'side-channel' tag can be applied to numerous attacks that target the physical implementation of the cryptographic system. Physical implementation, that is, rather than attacking algorithmic weaknesses. So, for example, when talking about side-channel attacks we might consider the topics of electromagnetic leakage, power consumption fluctuation or timing information as a route to exploitation. If you are thinking that this all sounds, well, just a little bit 'lab coat and pen protector' then you would be right; it is.

Of course, the mere fact that the theory surrounding a potential vulnerability of any sort is mind-bogglingly complicated doesn't have to equate to an exploit technique that requires a degree in advanced crypto-boffinology. Although it often does, truth be told, and as such, side-channel attacks more often than not remain in the realms of lab-based proof of concept rather than out there in the wild and stealing stuff.

The exceptions are where the necessary clever stuff can be boiled down to a black box solution, capable of being operated by any Eastern European henchman with the right backing. So, is the side-channel attack that is threatening crypto in the cloud of the 'plentiful insider cryptographic know-how required' variety or does it fall into the more generic 'another vulnerability waiting to be exploited by any determined crim' category?

Exploiting a vulnerability doesn't need an exploit technique that requires a degree in advanced crypto-boffinology

To determine this, I read through the Cross-VM Side Channels and Their Use to Extract Private Keys research paper by Yinqian Zhang, Professor Michael K. Reiter, Thomas Ristenpart and Ari Juels. This collection of professors, assistant professors, PhD students and corporate security chief scientists have developed a side-channel attack that, as the paper's name suggests, can target virtual machines in the cloud in order to extract decryption keys from co-resident VMs within the same cloud host. That sounds horrendous to start with, but the specifics are enough to calm the temperature a little: the researchers performed the attack in a lab-based environment and not out in the wild, it needed a malicious VM to launch the attack, the private ElGamal decryption key was on a co-resident VM protected by Gnu Privacy Guard implementing OpenPGP encryption.

Sure, as the paper itself states, virtualised symmetric multiprocessing systems "are very common today, ranging from desktops that use virtualisation to sandbox application or OS compromises, to clouds that co-locate the workloads of mutually distrustful customers" but that doesn't make the attack itself child's play. The paper goes on to admit that to be successful it would need to overcome "challenges including core migration, numerous sources of channel noise, and the difficulty of preempting the victim with sufficient frequency to extract fine-grained information from it." 

So, is the cloud safe from side-channel attacks on crypto keys in a real world scenario or not? Good question. The researchers suggest that there is room for a potential breach within the imperfect isolation of VMs found in public clouds, and advise that 'highly sensitive workloads' should not be stored there. Well duh, to be honest. Storing 'highly sensitive' anything in a public cloud is kind of asking for trouble isn't it?

Even given this pretty obvious statement, I'm still not convinced that the side-channel attack demonstrated in the lab is something that will leak out into the real world any time soon. Why so? Well, forget the difficulty involved in actually performing the attack in terms of the amount of 'noise' in the cloud that needs to be cut through in order to get the data required to break the crypto key. Forget just how many VMs will be running concurrently, and how many caches the thread loads will be distributed across. Forget that, in order for this attack to be able to do its stuff it would require the target machine to be repeatedly performing cryptographic operations in a hugely unreal-worldly way.

Nope, forget all of that, the real spanner in the criminal works is that the attacker has to somehow ensure that the malicious VM they are using to launch the attack from, the VM they have paid for legitimately within the cloud, has to 'sit' on the exact same host as the target VM. Quite how you accomplish that with any degree of certainty outside of the laboratory environment used by the researchers is, frankly, something of a mystery. It's worth repeating: for the attack to work, both the attacker and the target VM have to be running on the same physical hardware.

Summing up then, if you are something of an IT security nerd or a comp.sci groupie, this new side-channel attack demonstration will be fascinating. If you are a business with real data out there in the real cloud, and assuming you've followed basic security best-practice strategies, including the rather obvious non-use of public clouds for highly sensitive data storage, you can move on: nothing to see here ...

Davey Winder

daveywinder (2).jpg

Davey Winder has been covering the IT security beat for the last 20 years. Along the way he has won the 'Information Security Journalist of the Year' title no less than three times, and in 2011 was bestowed with the Enigma award for his lifelong contribution to information security journalism.