Researchers smuggle data between VMs through the CPU cache they share
All of a sudden dedicated instances are looking a lot better than multi-tenancy
A group of researchers say they can move information out of an Amazon Web Services virtual machine by using the CPU cache it shares with other tenants' VMs as a covert channel: a cooperating sender inside one VM and a receiver in another talk to each other through cache hits and misses alone, with no network path between them.
A paper titled Hello from the Other Side: SSH over Robust Cache Covert Channels in the Cloud (PDF) explains the challenges of extracting data from CPU cache, a very contested resource in which the OS, the hypervisor and applications all conduct frequent operations. All that activity makes a lot of noise, defying attempts to create a persistent communications channel.
Until now: the researchers claim to have built “a high-throughput covert channel [that] can sustain transmission rates of more than 45 KBps on Amazon EC2”. They've even encrypted it: the technique runs a TCP stack over the cache channel and tunnels SSH across it.
The results sound scarily impressive: a Black Hat Asia session detailing their work promised to peer into a host's cache and stream video from VM to VM.
The paper explains that cache covert channels are not new, but previous attempts have not been entirely successful for two reasons: the belief that “error-correcting code can be directly applied”, and “the assumption that noise effectively eliminates covert channels.”
The authors knock both of those arguments over, the first by working out how cache noise actually corrupts a transmission and handling those errors accordingly, and the second with a method of scheduling communication between the two VMs so that sender and receiver stay in step.
The paper details those efforts extensively, names the scheduling protocol a “Cache-based Jamming Agreement”, and offers working code on GitHub so you can build your own all-in-cache covert channel, either on-premises or in the cloud.
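To make the error-handling point concrete, here is an added Python simulation of the coding layer of such a channel. It is constructed for this article and is not the researchers' code (theirs is on GitHub and talks to real hardware): the hit/miss timings, the sync word, the Hamming(7,4) block code and the periodic noise pattern are all assumptions chosen so the run is reproducible. It models the one thing cache noise reliably does, turning a quiet cache set into a busy one, and shows why a per-block code copes with sparse noise but loses synchronization once noise gets denser. The jamming-agreement scheduling protocol is not modelled.

```python
"""Simulated cache covert channel (constructed model, not the paper's code).

The sender signals a 1 by evicting a cache set the receiver has primed, so
the receiver's probe access misses and takes longer; a 0 leaves the set
alone. Other tenants touching the same set also cause misses, so the noise
is asymmetric: a transmitted 0 can be read as 1, but a 1 is never read as 0.
"""
import random

HIT_CYCLES, MISS_CYCLES, THRESHOLD = 60, 200, 130   # constructed timing model
PREAMBLE = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0]      # constructed sync word


def probe_time(bit, evicted_by_noise, rng):
    """Cycles the receiver measures for one slot, with a little jitter."""
    base = MISS_CYCLES if (bit == 1 or evicted_by_noise) else HIT_CYCLES
    return base + rng.randint(-20, 20)


def hamming_encode(d):
    """Hamming(7,4): data nibble d1..d4 -> [p1, p2, d1, p3, d2, d3, d4]."""
    d1, d2, d3, d4 = d
    return [d1 ^ d2 ^ d4, d1 ^ d3 ^ d4, d1, d2 ^ d3 ^ d4, d2, d3, d4]


def hamming_decode(block):
    """Correct up to one flipped bit per block; returns (nibble, corrected)."""
    b = list(block)
    syndrome = ((b[0] ^ b[2] ^ b[4] ^ b[6])
                | (b[1] ^ b[2] ^ b[5] ^ b[6]) << 1
                | (b[3] ^ b[4] ^ b[5] ^ b[6]) << 2)
    if syndrome:
        b[syndrome - 1] ^= 1          # syndrome is the 1-based error position
    return [b[2], b[4], b[5], b[6]], syndrome != 0


def to_bits(data):
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def to_bytes(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits) - 7, 8))


def encode_frame(payload):
    """Preamble, then the Hamming-coded length byte and payload."""
    body = to_bits(bytes([len(payload)]) + payload)
    coded = [bit for i in range(0, len(body), 4)
             for bit in hamming_encode(body[i:i + 4])]
    return PREAMBLE + coded


def transmit(frame, noisy_slot, rng, idle_before):
    """One probe measurement per slot: the receiver listens for idle_before
    slots before the sender starts, then one slot per frame bit."""
    slots = [0] * idle_before + frame
    return [probe_time(bit, noisy_slot(i), rng) for i, bit in enumerate(slots)]


def find_preamble(bits, max_mismatch=1):
    """Return the index just past the first near-match of the sync word."""
    n = len(PREAMBLE)
    for i in range(len(bits) - n + 1):
        if sum(a != b for a, b in zip(bits[i:i + n], PREAMBLE)) <= max_mismatch:
            return i + n
    return -1


def receive(samples):
    """Threshold the timings, lock on to the preamble, decode the blocks.
    Returns (payload or None, number of blocks that needed correction)."""
    bits = [1 if t > THRESHOLD else 0 for t in samples]
    start = find_preamble(bits)
    if start < 0:
        return None, 0
    coded, decoded, corrected = bits[start:], [], 0
    for i in range(0, len(coded) - 6, 7):
        nibble, fixed = hamming_decode(coded[i:i + 7])
        decoded += nibble
        corrected += fixed
    data = to_bytes(decoded)
    if not data or len(data) < 1 + data[0]:
        return None, corrected
    return data[1:1 + data[0]], corrected


def run_demo(payload, noisy_slot=lambda i: i % 11 == 0, idle_before=9):
    """Push payload through the noisy channel. Real cross-VM noise is bursty
    and random; the periodic pattern here is constructed for reproducibility.
    Returns (received payload, raw bit errors on the wire, blocks corrected)."""
    rng = random.Random(7)   # seeds the timing jitter only
    frame = encode_frame(payload)
    samples = transmit(frame, noisy_slot, rng, idle_before)
    raw = [1 if t > THRESHOLD else 0 for t in samples]
    raw_errors = sum(r != f for r, f in zip(raw[idle_before:], frame))
    received, corrected = receive(samples)
    return received, raw_errors, corrected


if __name__ == "__main__":
    msg = b"hello from the other side"
    print(run_demo(msg))                                   # sparse noise: recovered
    print(run_demo(msg, noisy_slot=lambda i: i % 5 == 0))  # denser noise: sync lost
```

With a noise hit every 11th slot, no 7-bit block ever takes more than one flip, so every corrupted block is repaired and the payload comes back intact. Tighten the noise to every 5th slot and the same code is no longer enough: the receiver loses frame synchronization and returns garbage or nothing, which is the failure mode a plain error-correcting code cannot paper over and the reason the paper pairs its coding with a scheduling protocol.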
Getting this going in the cloud is non-trivial, because you must first achieve co-residency: two VMs running on the same physical host, sharing the same last-level cache. A 2015 paper titled A Placement Vulnerability Study in Multi-Tenant Public Clouds found that's possible in Amazon, Google and Azure, and is cited by the authors of “Hello from the Other Side”.
Yes, this is a little esoteric, and a covert channel needs a cooperating sender inside the source VM, so this is an exfiltration path for code already running there rather than a way to read a neighbour's memory uninvited. But it also shows why many users are willing to shell out for dedicated instances in their chosen clouds: the same shared cache that carries this channel is what makes cross-tenant leakage possible at all. We can also see that secure multi-tenancy may have a way to go. ®