Malicious Co-Residency in the Public Cloud Is a Real Threat


A couple of weeks ago, we wrote about 6 Differences between Cloud Security & Data Center Security. One of the main differences between the two is shared equipment. Companies in the public cloud often share hypervisors with other entities. A logical barrier is created using virtualization to separate one company’s data and systems from another. In this article, we take a deeper dive into sharing resources in the cloud and the implications for security.

In the public cloud, company data and workloads are stored and run on separate VMs, but instances are often set up on shared hypervisors. Studies have been conducted in recent years to determine the security risk of multi-tenancy in popular public cloud platforms, such as AWS, Azure and Google. One such study, conducted in 2015 by researchers from the University of Wisconsin and the University of Ohio, found that not only was it possible to co-locate on random machines on major cloud platforms, but attackers could exploit placement behaviors to increase the likelihood of co-locating with target victims.

The research team found the security risk in smaller PaaS clouds to be higher. When conducting tests in a particular PaaS environment, co-residency was achieved 6 out of 10 tries. The study concluded that “multi-tenancy in public clouds enable co-residency attacks,” and that “the chances of co-location are far higher than expected.” They also determined that achieving co-residency on three major cloud platforms was “surprisingly simple and cheap.”

Another similar study, funded by the U.S. Army Research Laboratory, was published in 2017. The study declares the risk of a VM sharing a physical machine with a malicious VM a “very real threat” and concluded, “Achieving co-residency with a victim VM on the cloud allows an attacker to launch various side-channel attacks that target information leakage.”

Co-residency attacks, also known as VM escape attacks, can result in stolen cryptography keys, data theft, and the installation of malware. A participant at this year’s Pwn2Own hacking competition in Vancouver earned a six-figure prize for successfully conducting a VM escape attack.

All Things Considered, Probability of Co-Residency Attacks Is Low

To put this security threat into perspective, we spoke with Stephen Webster, CTO at MRE Consulting based in Houston. Stephen has over a decade of experience advising companies on infrastructure decisions. While he acknowledges that accessing a company’s data on the same hypervisor via co-habitation is a legitimate risk, he says the probability is low.

“The probability is higher that hackers would compromise data on a software-defined network used in public clouds than they would successfully compromise data security via co-residency.”

“I’m a big proponent of hybrid,” says Stephen. “A hybrid solution will almost always be the right solution for a corporation because it balances risks and benefits, security vs agility. If you choose to use public cloud services, you really need to have a good understanding of how public cloud platforms work. Each cloud platform has its own nuances in how it works — enhanced monthly, even weekly.”

Lack of Education Is the Greatest Threat to Cloud Security

Stephen believes the biggest threat to cloud security is a lack of education and understanding. “If you don’t have a well-educated administrator, it’s easy to make mistakes,” he says. “I don’t think anyone puts these systems in the cloud thinking they haven’t done their due diligence, but in a lot of cases, it’s a lack of understanding that creates these gaps or holes that can be exploited in the cloud, and hackers are looking for these gaps.”

Although many types of co-residency attacks that were once possible are no longer effective, due to new technologies such as VPC, researchers in the studies mentioned have found other ways to achieve them.

Researchers from the 2017 study mentioned above found a way to mitigate the threat of malicious co-residency via VM migration when co-residency is detected, but cloud providers do not yet offer such services.
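While providers do not migrate a VM away from a suspicious neighbour on a customer's behalf, a tenant can still decide which workloads are allowed to sit on shared hardware at all. The script below is an added example, not code from the article or from either study it cites: a small policy check over the shape of an EC2 DescribeInstances response that flags instances running with shared tenancy while tagged as holding sensitive data, or while carrying no classification tag at all. It assumes the real EC2 field `Placement.Tenancy`, whose values are `default` (shared hardware), `dedicated` or `host` (single-tenant hardware); the instance records, the `DataClassification` tag and its values are constructed for the example and are not from any real account.

```python
"""Flag EC2 instances on shared hardware that hold sensitive workloads.

Added example, not part of the original article. The records below mirror the
"Reservations" shape of an EC2 DescribeInstances response; the instance IDs,
tag names and classification values are constructed sample data.
"""
from typing import Dict, List, Sequence

# In EC2 output, Placement.Tenancy is "default" for shared hardware and
# "dedicated" or "host" for hardware reserved to a single customer.
SHARED_TENANCY = "default"

# Constructed sample data (not a real account).
SAMPLE_RESERVATIONS: List[Dict] = [
    {"Instances": [
        {"InstanceId": "i-0aaa111", "Placement": {"Tenancy": "default"},
         "Tags": [{"Key": "Name", "Value": "web-frontend"},
                  {"Key": "DataClassification", "Value": "public"}]},
        {"InstanceId": "i-0bbb222", "Placement": {"Tenancy": "default"},
         "Tags": [{"Key": "Name", "Value": "signing-service"},
                  {"Key": "DataClassification", "Value": "restricted"}]},
    ]},
    {"Instances": [
        {"InstanceId": "i-0ccc333", "Placement": {"Tenancy": "dedicated"},
         "Tags": [{"Key": "Name", "Value": "key-server"},
                  {"Key": "DataClassification", "Value": "restricted"}]},
        {"InstanceId": "i-0ddd444", "Placement": {"Tenancy": "default"},
         "Tags": [{"Key": "Name", "Value": "untagged-batch"}]},
    ]},
]


def tags_as_dict(instance: Dict) -> Dict[str, str]:
    """Turn the EC2 list of {"Key":..,"Value":..} tags into a plain dict."""
    return {t["Key"]: t["Value"] for t in instance.get("Tags", [])}


def find_shared_tenancy_violations(
    reservations: Sequence[Dict],
    sensitive_values: Sequence[str] = ("restricted", "confidential"),
    classification_key: str = "DataClassification",
    require_tag: bool = True,
) -> List[Dict[str, str]]:
    """Return one finding per instance that is on shared hardware and is
    either classified as sensitive or (when require_tag is set) unclassified.

    Unclassified instances are reported because an untagged workload cannot
    be shown to be safe on shared hardware; treat it as a gap to close.
    """
    findings: List[Dict[str, str]] = []
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            tenancy = inst.get("Placement", {}).get("Tenancy", SHARED_TENANCY)
            if tenancy != SHARED_TENANCY:
                continue  # dedicated / host tenancy: no other customer's VMs
            tags = tags_as_dict(inst)
            classification = tags.get(classification_key)
            name = tags.get("Name", "")
            if classification is None:
                if require_tag:
                    findings.append({"InstanceId": inst["InstanceId"],
                                     "Name": name,
                                     "Reason": "no classification tag on shared tenancy"})
                continue
            if classification.lower() in {v.lower() for v in sensitive_values}:
                findings.append({"InstanceId": inst["InstanceId"],
                                 "Name": name,
                                 "Reason": f"{classification} workload on shared tenancy"})
    return findings


if __name__ == "__main__":
    for finding in find_shared_tenancy_violations(SAMPLE_RESERVATIONS):
        print(f"{finding['InstanceId']} ({finding['Name']}): {finding['Reason']}")
```

Run against a real account, the `reservations` argument would be the `Reservations` list returned by the EC2 API; the check is deliberately narrow, since moving a workload to dedicated tenancy only removes other customers' VMs from the same host and does nothing for the software-defined-network risk Stephen raises above.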

So, in conclusion, co-habitation in the public cloud may be a minimal threat, but it is still a threat to be aware of, and appropriate actions should be taken to monitor for breaches like these. To learn more about the public cloud vs colocation or owning your own infrastructure, download our free white paper, Infrastructure Wars: Colocation Vs Cloud.
