The security and separation of data in a multi-tenant infrastructure-as-a-service environment is of the utmost...
A multi-tenant machine enables multiple clients to share the same physical hardware, but any interaction between those clients should be impossible. If it were possible to access another client's data on the same hardware, it would be a major security breach and would undermine the premise that multi-tenant environments are safe.
A key focus in multi-tenant security is any part of the hardware that is not virtualized: because such a component is shared, it may be possible to establish a covert channel through it that sends and receives data across virtual machine instances.
One component that can be vulnerable to this issue is the CPU cache. It has traditionally been seen as very difficult to establish a communications channel through the cache, because other processes take over the cache space and thereby terminate the covert channel, and because whatever data does get through already contains a number of errors.
However, at Black Hat Asia 2017, a team of researchers presented a method of resolving these CPU cache problems and establishing a robust, encrypted communications channel over Secure Shell, enabling data to be communicated between different Amazon Elastic Compute Cloud instances. They even released working code that can be used in a multi-tenant cloud environment. If deployed maliciously, the attack method could enable data to be exfiltrated from one virtual machine to a colocated virtual machine. This fundamentally breaks the security of multi-tenant environments.
The attack works by addressing the noise in the CPU cache: the amount of data stored in it constantly changes as different processes access it. To cope with this, the attack borrows error correction techniques from wireless communication. The data to be exfiltrated from the target virtual machine is divided into equal-size chunks and encoded to protect against errors. It is then transmitted at specific times when the CPU cache is likely to be available. This allows the data to be transmitted at a rate fast enough to be practical for an attack.
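The point of the error correction step is that cache noise on its own is not a mitigation: once each chunk is encoded, the receiver can repair the bit errors the channel introduces. The following added example, which is not the researchers' code and models nothing about the cache itself, shows this in the abstract with a Hamming(7,4) code over a constructed bit-flipping channel (`noisy_channel`, `transmit` and the sample payload are assumptions made for the illustration):

```python
# Constructed illustration (added example, not the researchers' code): forward error
# correction lets a message survive a noisy channel. Hamming(7,4) encodes each
# 4-bit chunk as 7 bits and corrects one flipped bit per codeword.

def hamming_encode(nibble):
    d1, d2, d3, d4 = nibble
    # Layout: p1 p2 d1 p3 d2 d3 d4 (parity bits at positions 1, 2 and 4)
    return [d1 ^ d2 ^ d4, d1 ^ d3 ^ d4, d1, d2 ^ d3 ^ d4, d2, d3, d4]

def hamming_decode(code):
    c = list(code)
    s1 = c[0] ^ c[2] ^ c[4] ^ c[6]
    s2 = c[1] ^ c[2] ^ c[5] ^ c[6]
    s3 = c[3] ^ c[4] ^ c[5] ^ c[6]
    pos = s1 + 2 * s2 + 4 * s3   # 1-based index of the flipped bit, 0 if none
    if pos:
        c[pos - 1] ^= 1          # two flips in one codeword defeat this (miscorrection)
    return [c[2], c[4], c[5], c[6]]

def bytes_to_bits(data):
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]

def bits_to_bytes(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))

def noisy_channel(bits, flips):
    """Constructed stand-in for channel noise: flip the bits at the given indices."""
    out = list(bits)
    for i in flips:
        if i < len(out):
            out[i] ^= 1
    return out

def transmit(data, flips, ecc=True):
    """Send `data` through the constructed channel, with or without Hamming coding."""
    bits = bytes_to_bits(data)
    if ecc:
        bits = [b for i in range(0, len(bits), 4) for b in hamming_encode(bits[i:i + 4])]
    received = noisy_channel(bits, flips)
    if ecc:
        received = [b for i in range(0, len(received), 7) for b in hamming_decode(received[i:i + 7])]
    return bits_to_bytes(received)

def one_flip_per_codeword(n_codewords):
    """Constructed noise pattern: a different single bit flipped in every 7-bit codeword."""
    return [i * 7 + (i % 7) for i in range(n_codewords)]

if __name__ == "__main__":
    msg = b"tenant-secret"                  # constructed sample payload: 13 bytes, 26 nibbles
    flips = one_flip_per_codeword(26)
    print(transmit(msg, flips, ecc=False))  # raw bits: corrupted
    print(transmit(msg, flips, ecc=True))   # coded bits: b'tenant-secret'
```

The code rate and correction strength have to match the observed noise level; the same pattern with two flips in one codeword miscorrects, which is why stronger codes and retransmission are used when the channel is noisier.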
Concerns over security in multi-tenant environments have led many organizations to switch to single-tenant infrastructure as a service to mitigate the risks of colocated data. Despite the extra cost, this is a sensible and advisable solution.
This is not the first attack to demonstrate data access between virtual machines on the same hardware, and it is unlikely to be the last. In most cases, it is not possible to choose which hardware your data is deployed to and, therefore, not possible to select with whom you are colocated. This means that the most likely practical attack would be opportunistic rather than targeted specifically at your data.
However, a data breach is still a possibility, regardless of whether the attack is targeted or simply opportunistic.