Sign in / up

back to article Cloudy VMs leak ID details that could allow attacks, says researcher

Research published by a US masters student reaches the somewhat unsettling conclusion that current cloud technologies don't separate virtual machines (VMs) as well as they could. By spying on shared resources at a low level, the research suggests, an attacker's VM can retrieve data written by another (like crypto keys), and …

COMMENTS

Post your comment
House rules Send corrections
Add to 'My topics' unstar *
  1. Anonymous Coward
    Anonymous Coward

    Technically

    These are already a known problem. I do love the refinements though. When you have the leakage of energy (information actually since the two are equivalent) from one system to another (VM to VM in this case), you have a potential vector for collection of that energy. It's that simple. Now doing this on systems with multiple processes (not just two which is the trivial case) sharing the same system is interesting. Nice bit of work here and methinks worthy.

    Theoretically, since the universe is supposedly a closed system (I have serious doubts about that), you can perform this anywhere on anything but we're thankfully far from that level of sophistication.

    1 0 Reply
  2. Roo
    Windows

    Anyone else impressed by the out of order execution side-channel work ? OK, it's not the first time it's been done - but it still has the wow factor for me. :P

    3 0 Reply
    1. InNY
      Reply Icon
      Pint

      Wow!

      Yup, thankfully, it's still impressive.

      Have a beer for being honest!

      0 0 Reply
  3. Graham Cobb Silver badge

    Is spying possible?

    I read the slides, but not the thesis. I can see the various side channels, and the way they can be exploited to set up a communication between co-operating sender and receiver. I have amused myself with playing with such side-channels in the past -- I remember being particularly pleased with using the VMS cluster-wide lock manager to have surreptitious communication between between processes on different nodes of the cluster by manipulating lock states. Side-channel communication between systems sharing some resource always possible -- the only question is how much you can force the effective bit-rate down while keeping the resource usable.

    However, it is not clear to me whether the research is making the much stronger claim that one machine can spy on another without co-operation. Is it really the case that one VM can read cached memory data belonging to another VM? That would seem like a major, and obvious, hole which would have been found and fixed long ago. I am not familiar with the x86 cache manipulation instructions but I presume the emulation of those is handled in the hypervisor.

    0 0 Reply

POST COMMENT House rules

Not a member of The Register? Create a new account here.

Forgotten password ?

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like