Striking like a “Bolt” Out of the Blue: A New Attack System Tests Security in Multi-Tenant Cloud Infrastructures
By Lori Cameron
Published 09/20/2018
Share this on:
As more and more businesses adopt Software-as-a-Service (SaaS) as part of their digital strategy, they face a choice between multi- or single-tenant cloud platforms.
Single-tenancy pairs a single business with a single software resource. The platform comes with greater security and more control over design and management of the platform.
However, multi-tenancy is a different story.
Its higher security vulnerabilities are why researchers, Christina Delimitrou of Cornell University and Christos Kozyrakis of Stanford University, created a cloud attack system called “Bolt” to test those vulnerabilities in hopes of giving developers ways to improve the design of future cloud systems, the details of which are revealed in their article “Uncovering the Security Implications of Cloud Multi-Tenancy with Bolt.”
Although substantially cheaper because they offer multiple businesses access to one software resource, multi-tenant platforms are vulnerable to resource “interference,” which can leak information about who is using an application and what they are using it for. In addition, they have multiple access points from which adversaries can extract data such as passwords and private keys.
How hackers steal data and attack your applications
Hackers have developed sneaky ways to break into multi-tenant platforms to steal confidential data without being detected by the cloud service provider.
“Once attackers obtain this information, they can launch severe, inexpensive, and hard-to-detect performance attacks against applications with which they are sharing resources,” say Delimitrou and Kozyrakis
That’s where Bolt comes in.
“We present Bolt, a practical system that accurately detects the type and characteristics of applications sharing a cloud platform based on the interference an adversary sees on shared resources,” the authors say.
How researchers tested the Bolt system
Delimitrou and Kozyrakis tested and validated Bolt in a controlled environment across their home turf of Stanford and Cornell University. They conducted a multi-user study using a shared Amazon Elastic Compute Cloud cluster with 200 servers.
Bolt correctly identified the characteristics of 385 out of 436 diverse workloads.
“Extracting this information enables a wide spectrum of previously impractical cloud attacks, including denial of service (DoS) attacks that increase tail latency by 140X, as well as resource freeing attacks (RFAs), and co-residency attacks,” say the authors.
How Bolt detects the application you are using
Every application uses resources in a certain way, leaving a signature. In a cloud environment, apps that share a machine also share resources.
Bolt uses an engineered program that observes the signatures of legitimate apps on cloud servers. It uses machine learning to gather signatures from a few resources enough to accurately identify the application. Overall, just by running right up next to your app, Bolt can figure out its details and hence launch an attack on it.
How Bolt then launches an attack against you
The specific denial-of-service attacks Bolt uses also rely on resource usage. If Bolt identifies your app, it knows which resources you are more dependent upon.
Then, Bolt launches an attack on the same machine that puts a lot of pressure on just that resource. Since the overall activity of the attacker is low—no pressure is applied to any other resource—the cloud providers are unlikely to detect the attack.
“While advanced isolation mechanisms such as cache partitioning lower detection accuracy, they are insufficient to eliminate these vulnerabilities altogether. To do so, one must either disallow core sharing or allow it only between threads of the same application, leading to significant inefficiencies and performance penalties,” the authors say.
How Bolt gets away with it
If Bolt knows enough detail about a program, it can launch a number of very specific security attacks against it.
For example, Bolt can try to exploit some bug in the Java or Scala frameworks that Spark—one of the most popular frameworks for big data analysis—relies upon.
However, Bolt does this in a subversive way: It quietly attacks only one system resource at a time, unlike conventional blitzkrieg denial-of-service attacks that flood a system so hard, it crashes.
It then ensures that the app slows down to unacceptable levels even though clients are paying for cloud resources that should be sufficient for good performance.
Three lessons learned from Bolt
Delimitrou and Kozyrakis offer three takeaways from the Bolt study for cloud platform developers:
First, Bolt showed that there is a current and readily exploitable security threat in modern cloud providers. It quantified the ability of an adversary to obtain confidential information about the type and characteristics of a victim application with minimal profiling, and to do so completely transparently for both the victim and cloud operator.
Second, the analysis of isolation techniques above shows that existing hardware and software techniques are insufficient to mitigate security vulnerabilities, and techniques that provide reasonable security guarantees sacrifice performance or cost-efficiency, by resulting in low utilization. This highlights the need for new fine-grained and coordinated isolation techniques that guarantee security at high resource utilization.
Third, despite the malicious way in which data mining is used here, Bolt shows the value big data can offer in improving the design and management of platforms whose scale makes empirical optimizations impractical. The application detection process Bolt relies on would have been impossible to perform manually, even if we assumed that the adversary can remain co-scheduled with the same victim for long periods of time.
“As cloud systems scale in size, number, and complexity, the goals of performance, efficiency, and security often clash with one another. Leveraging practical data mining techniques to quickly and accurately uncover and resolve vulnerabilities or inefficiencies in large-scale systems is a promising approach to reconcile these often-conflicting objectives,” the authors add.
Research related to cloud security in the Computer Society Digital Library:
Lori Cameron is a Senior Writer for the IEEE Computer Society and currently writes regular features for Computer magazine, Computing Edge, and the Computing Now and Magazine Roundup websites. Contact her at l.cameron@computer.org. Follow her on LinkedIn.