CISPA researcher helps close security gap at cloud providers
Many companies and individuals use so-called cloud services, through which servers, computing power, storage space, and other resources can be accessed from the Internet as needed. These services save their users from having to build and maintain the corresponding IT infrastructure locally. A new research paper by CISPA faculty member Michael Schwarz and researchers at the Graz University of Technology, La Sapienza University in Rome, and cloud provider Cloudflare shows that a new type of Spectre attack can succeed on some of these platforms, putting users' data security at risk. The researchers have developed a tool that can detect and defend against these attacks, and it is already being used by cloud provider Cloudflare.
The good news first: The research team does not believe that any of the attacks described in the paper have already occurred. An attack that would be worthwhile for attackers is currently still too elaborate and comparatively lengthy, explains Michael Schwarz. "Nevertheless, it is good to discover attack opportunities early on. It only takes one person to invest enough time and effort in further developing such an attack, and it can become a common attack method."
The newly discovered Spectre attack challenges supposed certainties: it is the first attack of its kind that could be accomplished without the ability to measure time accurately, Schwarz explains. But back to the beginning. As with all Spectre attacks, an attack exploits a feature of microprocessors designed to make CPUs faster. To shorten computing times, the processor tries to anticipate what data will be needed next during periods of low utilization and computes it without waiting for the command to do so. This is known as speculative execution. In this way, data can be retrieved quickly if it is needed. If this is not the case, they are discarded. However, the computed data leaves traces in the cache, a temporary memory. To deduce a word or number previously loaded into the cache, such as a credit card number, attackers often compare the times for retrieval. Unusually fast loading allows the conclusion that the data has already been calculated.
To successfully protect against Spectre attacks, some cloud providers, therefore, make precise time measurement impossible, says Schwarz. That includes Cloudflare, the provider that collaborated with the researchers. Despite the precaution, the research team was able to launch a successful Spectre attack on the cloud service and steal the data of other users in the system.
The services are ultimately doomed by the fact that they do not completely isolate the computing processes of their users for performance reasons. Such separation is usually achieved by generating a virtual machine (VM) for each user. A VM is a software-based computer system modeled on a real computer in hardware and simulates its functionality. The rule for most cloud services is one VM per CPU core. However, the CPU cores are usually underutilized in this way. To increase efficiency, providers such as Cloudflare try to get as many customers as possible onto one core. Cloudflare takes other measures to ensure the data security of the users. For example, the platform only allows code to be executed in JavaScript - a language in which all code is executed in a secure environment called a sandbox." This prevents malicious code from entering the encompassing system. In the case of software vulnerabilities, this method provides sufficient protection. However, targeted attacks on processors can bypass the sandbox procedure.
That's why services need a different strategy to defend against Spectre attacks. Schwarz and his colleagues have developed a new tool called dynamic process isolation that better reconciles performance and security. According to Schwarz, it works like this: If a cloud user is attacked, the tool detects the attack and then - and only then - generates a separate virtual machine for the attacker. This isolates the computing process from the attacker. The attack then simply goes nowhere, as the attackers cannot break out of the virtual machine. "Under normal circumstances, the users have full performance. In the event of an attack, they lose very little of the performance because not all processes have to be isolated," says Schwarz. On Cloudflare, the security mechanism is already running, and Spectre doesn't stand a chance.