A project run by researchers at RSA and two American universities has managed to extract a cryptographic key from another VM running on the same hardware.
The hack was a difficult task to master. The researchers had to overcome many challenges: core migration, pre-empting the victim frequently enough to extract fine-grained information, and numerous sources of channel noise. In some ways this reflects well on the security of vendors and cloud providers, given how difficult the hack was. On the other hand, it highlights that the logical isolation between VMs sharing physical resources is not as strong as claimed, since the researchers did manage to perform a successful hack.
The attack was demonstrated successfully on the Xen hypervisor as a test platform, which suggests that desktop-on-desktop attacks also need to be addressed.
The research was carried out under the following conditions:
“Our threat model assumes that Xen maintains logical isolation between mutually untrusting co-resident VMs, and that the attacker is unable to exploit software vulnerabilities that allow it to take control of the entire physical node. We assume the attacker knows the software running on the victim VM and has access to a copy of it.”
The rig the researchers created set about sussing out the victim's activity. It was an access-driven attack, in which the attacker runs a programme on the same system that is performing the cryptographic operation of interest.
“The attacker program monitors usage of a shared architectural component to learn information about the key, e.g., the data cache, instruction cache, floating-point multiplier, or branch-prediction cache. The strongest attacks in this class, first demonstrated only recently, are referred to as asynchronous, meaning that they do not require the attacker to achieve precisely timed observations of the victim by actively triggering victim operations. These attacks leverage CPUs with simultaneous multi-threading (SMT) or the ability to game operating system process schedulers; none were shown to work in”
The research observes and deciphers CPU behaviour by combining low-level systems work with sophisticated tools such as classifiers and sequence-alignment algorithms. The hack extracted ElGamal decryption keys from the victim's VM.
The report stresses how difficult the attack was to perform; there were many unusual and difficult challenges to overcome, but the researchers did eventually get there. Virtualisation users are bound to show a little less confidence in sandboxes and their ability to remain free of contamination.