Cloud Cartography


Photo: Above The Clouds

One of the benefits of the recent partnership with MIT is that all EMC employees are invited to attend (in person or remotely) lectures on a variety of interesting topics. These lectures typically occur on Friday. Sometimes I'll drive in to Cambridge, sometimes I'll dial in from my office. This summer I have learned quite a few things about "cloud computing" from a security researcher's point of view.

I dialed into a lecture a couple of weeks ago and was fairly riveted as Dr. Eran Tromer of MIT introduced the term "cloud cartography". I had always operated under the assumption that a user of "cloud computing" should not and would not care about the placement of their VM onto a specific piece of hardware in a compute cloud. Dr. Tromer (and his associates at the University of California at San Diego) have caused me to change my mind.

Take a look at the recently published research paper, cleverly entitled "Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third Party Compute Clouds". Dr. Tromer, Thomas Ristenpart (UCSD), Hovav Shacham (UCSD) and Stefan Savage (UCSD) explore security issues in the compute cloud. Here's a section of their abstract which highlights one of their main points:

"Using the Amazon EC2 service as a case study, we show that it is possible to map the internal cloud infrastructure, identify where a particular target VM is likely to reside, and then instantiate new VMs until one is placed co-resident with the target. We explore how such placement can then be used to mount cross-VM side-channel attacks to extract information from a target VM on the same machine."

What I like best about the paper is the concrete, hands-on experimentation that the team did with Amazon's Elastic Compute Cloud (EC2) service. When a customer launches a VM on EC2, the service places it on whatever physical server is available; the customer has no say in which one. Using network probing from instances they controlled (traceroutes to learn the internal topology, round-trip-time measurements, comparison of internal addresses) and a variety of other techniques, the researchers were able to induce the placement of a second VM on the same physical server as a chosen target roughly 40% of the time.

If the second VM is malicious, it can then attempt to extract information from the first VM through cross-VM side channels (for example, timing of the shared CPU cache; several methods are described in the paper).

This leads to the introduction of the term "cloud cartography". Cartography is the study and practice of map-making. Cloud cartography is the science of mapping the physical topology of a cloud: which internal address ranges correspond to which zones and instance types, and which instances share a host. Typical users may not care about cloud cartography or where their VM is running. But their adversaries do! They can map the cloud, understand VM placement strategies, induce VM co-residence, and then attempt to abuse that locality with side-channel attacks.
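To make the two steps concrete, here is an added example (my own illustration, not code from the paper, the lecture, or EMC) that works the attacker's bookkeeping offline over constructed data. The cartography step and the three co-residence signals (matching Dom0 address seen in traceroute, small round-trip time, numerically close internal IP) are the ones the paper describes; the thresholds, address values, probe names and instance labels below are assumptions chosen for illustration, not measurements taken from EC2.

```python
"""Offline model of the two steps in "Hey, You, Get Off of My Cloud":

1. cloud cartography: learn which internal-address prefixes correspond to
   which (availability zone, instance type) from instances the attacker
   launched (and so knows the labels of), then place an unknown target;
2. co-residence check: decide whether a freshly launched probe shares a
   physical host with the target, using the paper's network signals.

Every address, RTT and label here is constructed sample data.
"""
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass

# Assumed thresholds (illustrative, not from the page): a probe is "close" if
# its internal address is within IP_DISTANCE of the target's, and "fast" if
# its round trip to the target is under RTT_THRESHOLD_MS.
IP_DISTANCE = 7
RTT_THRESHOLD_MS = 1.0


@dataclass(frozen=True)
class Launch:
    """An instance the attacker launched, so its zone and type are known."""
    internal_ip: str
    zone: str
    instance_type: str


@dataclass(frozen=True)
class Probe:
    """Measurements taken from one probe instance the attacker launched."""
    name: str
    internal_ip: str
    own_dom0: str   # first hop of a traceroute out of the probe: its host's Dom0
    rtt_ms: float   # round-trip time from the probe to the target


@dataclass(frozen=True)
class Target:
    internal_ip: str
    dom0: str       # hop just before the target in a traceroute to its internal IP


def build_prefix_map(launches, prefix_len=24):
    """Cartography: majority (zone, type) label per /prefix_len of owned launches."""
    votes = defaultdict(Counter)
    for launch in launches:
        net = ipaddress.ip_network(f"{launch.internal_ip}/{prefix_len}", strict=False)
        votes[net][(launch.zone, launch.instance_type)] += 1
    return {net: counts.most_common(1)[0][0] for net, counts in votes.items()}


def locate(prefix_map, ip, prefix_len=24):
    """Predict (zone, type) for an address, or None if its prefix was never seen."""
    net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
    return prefix_map.get(net)


def coresidence_signals(target, probe):
    """The three network checks from the paper, each as a boolean."""
    distance = abs(int(ipaddress.ip_address(probe.internal_ip))
                   - int(ipaddress.ip_address(target.internal_ip)))
    return {
        "same_dom0": probe.own_dom0 == target.dom0,
        "low_rtt": probe.rtt_ms < RTT_THRESHOLD_MS,
        "close_ip": distance <= IP_DISTANCE,
    }


def find_coresident(target, probes):
    """Keep probes whose Dom0 matches the target's. RTT and address proximity
    are cheap prefilters; the Dom0 match is the check the paper confirmed."""
    return [p for p in probes if coresidence_signals(target, p)["same_dom0"]]


# Constructed sample data: instances "we" launched with known labels ...
LAUNCHES = [
    Launch("10.251.122.33", "zone-a", "m1.small"),
    Launch("10.251.122.71", "zone-a", "m1.small"),
    Launch("10.251.130.5", "zone-a", "m1.large"),
    Launch("10.252.41.9", "zone-b", "m1.small"),
]
PREFIX_MAP = build_prefix_map(LAUNCHES)

# ... a target we did not launch, and probes launched to land next to it.
TARGET = Target(internal_ip="10.251.122.5", dom0="10.251.122.2")
PROBES = [
    Probe("probe-1", "10.251.122.9", own_dom0="10.251.122.2", rtt_ms=0.4),
    Probe("probe-2", "10.251.130.17", own_dom0="10.251.130.3", rtt_ms=1.8),
    Probe("probe-3", "10.251.122.40", own_dom0="10.251.122.6", rtt_ms=0.6),
]

if __name__ == "__main__":
    print("target likely lives in", locate(PREFIX_MAP, TARGET.internal_ip))
    for probe in PROBES:
        print(probe.name, coresidence_signals(TARGET, probe))
    print("co-resident:", [p.name for p in find_coresident(TARGET, PROBES)])
```

The point of the loop an attacker would wrap around this is that the launches are cheap: keep launching probes of the type and zone the prefix map predicts for the target, run the Dom0 check on each, and stop when one matches. probe-3 shows why the prefilters are not enough on their own: it is in the right /24 and answers quickly, but its Dom0 differs, so it sits on a different host.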

After listening to the lecture and reviewing the paper, it is clear that there are tough problems to solve. However, that's part of the beauty of the lecture series collaboration. My co-workers from RSA (the security division of EMC) are in the same room discussing potential solutions and strategies for these types of problems. They are on top of the issues. Think about the "golden lock" icon on a browser (which signals an SSL/TLS-protected connection, one typically built on RSA algorithms). I'm confident that an RSA "golden-lock for the cloud" will become pervasive (just as it has for secure browsing experiences).

As Chuck points out, security within the cloud is currently a huge area of investment. 'Zilla writes about dark clouds. Like weathermen, they're predicting the security future when it comes to cloud.

Because nobody wants to run their compute in a storm cloud. 



Steve

http://stevetodd.typepad.com

Twitter: @SteveTodd

EMC Intrapreneur