In the olden days, people would steal your information from the mailbox at the curb. Today, people steal information from your electronic equipment, be it a desktop computer, a Wi-Fi connected laptop or data stored in the cloud.
Each day, data thieves become more sophisticated, although that's too nice a word to use to describe them. Did you know hackers can steal information by timing a computer's data storage transactions or by measuring its power use? How about using the noises your computer makes as it runs? Such indirect means of accessing your data are called side-channel attacks.
The cloud that everyone is running towards has its downside. By just sneaking a piece of code onto a server in the cloud, capable thieves can listen in on other applications that are running there. The people who study these computer security issues are known as cryptographers. One such individual is Shafi Goldwasser, the RSA Professor of Electrical Engineering and Computer Science at MIT. She and a former student, Guy Rothblum, currently at Microsoft Research, have prepared a report which presents a generic approach to alleviating those nasty side-channel attacks. Her team will present how to adapt their technique to protect data processed on web servers at the Association for Computing Machinery's Symposium on Theory of Computing (STOC) this month. They also address how to protect proprietary algorithms from reverse engineering.
Two computer programs sometimes share the same cache when running simultaneously. Cache is an allotment of high-speed memory where the operating system stores frequently used information. A study showed that a malicious program could measure how long it took to store data at a number of different cache locations and then determine how frequently a cryptographic system used those same locations. One encryption algorithm, AES, used tables of precalculated values as a computational shortcut and was shown to be vulnerable to this attack. Several years ago, Intel added hardware support for AES to its chips to avert problems.
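Why a table of precalculated values leaks through a shared cache, shown as an added example that is not from the article or the researchers it describes. It models the cache with a `touched` array instead of measuring real hardware; the 64-byte line size, the table contents and the function names are assumptions, and the full-table scan is a common software mitigation the article does not itself describe.

```c
#include <stdint.h>
#include <stdio.h>
#define TABLE_SIZE 256
#define LINE_BYTES 64                        /* assumed cache-line size */
#define NUM_LINES  (TABLE_SIZE / LINE_BYTES) /* 4 lines hold the table */
static uint8_t table[TABLE_SIZE]; /* constructed stand-in for a precalculated table */

static void init_table(void) {
    for (int i = 0; i < TABLE_SIZE; i++) table[i] = (uint8_t)(i * 167 + 13);
}

/* Leaky: one read, so the cache line touched depends on the secret index. */
static uint8_t lookup_direct(uint8_t idx, uint8_t *touched) {
    touched[idx / LINE_BYTES] = 1;
    return table[idx];
}

/* Hardened: read every entry, select with a mask; no secret-dependent address or branch. */
static uint8_t lookup_ct(uint8_t idx, uint8_t *touched) {
    uint8_t out = 0;
    for (unsigned i = 0; i < TABLE_SIZE; i++) {
        uint8_t diff = (uint8_t)(i ^ idx);
        uint8_t mask = (uint8_t)(((unsigned)diff - 1u) >> 8); /* 0xFF iff i == idx */
        touched[i / LINE_BYTES] = 1;
        out |= table[i] & mask;
    }
    return out;
}

typedef uint8_t (*lookup_fn)(uint8_t, uint8_t *);

/* Count the distinct cache footprints visible across all 256 secret indices. */
static int distinct_footprints(lookup_fn f) {
    uint8_t seen[1 << NUM_LINES] = {0};
    int count = 0;
    for (int idx = 0; idx < TABLE_SIZE; idx++) {
        uint8_t touched[NUM_LINES] = {0};
        unsigned pattern = 0;
        f((uint8_t)idx, touched);
        for (int l = 0; l < NUM_LINES; l++) pattern |= (unsigned)touched[l] << l;
        if (!seen[pattern]) { seen[pattern] = 1; count++; }
    }
    return count;
}

int main(void) {
    init_table();
    printf("direct: %d footprints, constant-time: %d\n",
           distinct_footprints(lookup_direct), distinct_footprints(lookup_ct));
    return 0;
}
```

A footprint count above one means a program sharing the cache can tell secret indices apart; a count of one means every secret produces the same observable access pattern.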
A hacker can infer what other programs are doing by repeatedly sending their own data to memory on the cloud server. Side-channel attacks are not new and much has been done to prevent them, although success has been hit and miss. The work focused mainly on threats to handhelds rather than servers.
Research proves that attackers can precisely map where a target's data is physically located within the cloud. Vulnerable areas are thought to be generic to virtualization technology rather than specific to one product. Those virtual machines still have an IP (Internet Protocol) address that can be seen by anyone within the cloud. Eran Tromer at MIT's Computer Science and Artificial Intelligence Laboratory and colleagues from the University of California at San Diego stated in 2009 that investing a few dollars to launch a virtual machine could produce a 40 percent chance of placing a malicious [virtual machine] on the same physical server as a target. This mapping process is called cartography.
MIT is still working on the problem of side-channel attacks. Unfortunately, says one cryptographer, it takes a long time to take an academic idea and turn it into something practical in the real world. In the meantime, you might think twice about what you put in the cloud.