Cloud computing vendors are a likely target as hackers try to exploit the Meltdown and Spectre hardware vulnerabilities that have affected most desktops and servers.
"They are a high-value target,” said Scott Laliberte, managing director, global leader of security and privacy solutions at Protiviti.
The situation harkens back to a worry people had in the earliest days of cloud computing.
“When cloud computing first came out, everyone was hesitant to move because there was all this theoretical risk of, if somebody got into one tenant’s environment, could they jump to another tenant’s environment?” Laliberte said. “That concern subsided after a while, because no one saw that happening; there were no real exploits or attacks being published that took advantage of that. Spectre and Meltdown are now reviving that risk and bringing it to light, and making people rethink their control and mitigation strategy.”
It’s of particular interest to banks, which must stay informed as they made decisions about cloud computing versus tech solutions on premises.
At issue is two new vulnerabilities unveiled by researchers at Google and several universities in early January, which has sparked widespread concern within IT departments. The techniques, nicknamed Meltdown and Spectre, could be used to compromise most computer chips and read sensitive information stored in a computer’s memory, including passwords and account numbers.
Arguably those most worried might be the cloud computing vendors, whose business models depend on the appearance of strong security and moats around cloud computing clients.
“You have to ask, what’s the biggest security risk here? Individual computing? Private, on-premises, or shared multitenant? What’s most at risk for exploitation?” said David B. Weiss, an independent consultant. “I believe it’s the shared multitenant environment.”
In the worst-case scenario, bad actors could use Spectre and Meltdown to access a cloud user’s system and try to read memory from other tenants’ systems, using that access to steal passwords and other sensitive information.
Daimon Geopfert, national leader, security and privacy consulting at the consulting firm RSM, likens this to an apartment dweller getting a master key to the mailboxes in the lobby and reading his neighbors’ mail.
“The cloud providers’ big issue is this new class of attack directly impacts cloud infrastructure and the things you’re not supposed to be able to do in the cloud — get out of your virtualized instance and get down to the hypervisor and read other people’s data,” he said. “All that stuff you’re not supposed to be able to do, this new class of vulnerabilities allows you to do.”
Cloud vendors insist they are blocking this type of attack.
Amazon’s security bulletin says, “All instances across the Amazon EC2 fleet are protected from all known instance-to-instance concerns of the [Spectre and Meltdown vulnerabilities]. Instance-to-instance concerns assume an untrusted neighbor instance could read the memory of another instance or the AWS hypervisor. This issue has been addressed for AWS hypervisors, and no instance can read the memory of another instance, nor can any instance read AWS hypervisor memory.”
Since by most accounts, there is no true patch yet that prevents Spectre — it’s a type of hack that takes advantage of the basic architecture in most computer chips and the only full protection would be new hardware that hasn’t been designed or manufactured yet — it’s hard to understand cloud vendors’ claims that they’re completely shielding customers from them.
Marty Puranik, CEO of Atlantic.Net, a cloud provider that specializes in cloud environments compliant with specific regulations such as Sarbanes-Oxley, noted that newer processors have process-context identifier (PCID) technology that could help detect Spectre attacks.
“PCID is a method for keeping track of which virtual machine is accessing the CPU and the data associated with it,” he said.
So if attacks were happening, PCID would help administrators realize they were happening.
Amazon, Google, Microsoft and IBM all referred us to their security bulletins, which track their efforts to mitigate Meltdown and Spectre.
“We’re taking the necessary updates to protect the underlying infrastructure and encouraging customers to patch their operating systems,” an Amazon spokesperson said in a call. “Security is our top priority.”
According to Geopfert, the cloud vendors’ security bulletins are wordsmithing.
“They’re saying they’ve deployed all patches and updates to all known versions of these vulnerabilities,” he said. “But you have to be really careful with that language. What they’re saying is there’s a maintenance process here, they’ve deployed all the known patches, that implies that new patches keep coming out as new versions of new issues of this problem are discovered. They might be correct in saying they’ve deployed all known protections, that doesn’t mean they’re impervious and not vulnerable to this anymore.”
There’s no reason to doubt cloud vendors are applying all available patches for Meltdown and Spectre.
“Everybody’s trying to do the best they can,” Puranik said. “This is a logical flaw in how CPUs are designed. To solve a problem like this in a weekend is unrealistic. In the longer term Intel, will have to rethink how they design their products.”
Puranik pointed out that cloud users can’t lean on their providers to do all the patching and mitigation.
“The key point that’s being missed is even if cloud providers have patched their software, customers have to patch their virtual machine or instance in the cloud,” he said. “It’s a two-step process: The host has to be patched and each computing instance that runs on that host has to also be patched.”
It’s unknown at this point whether hackers will even try to compromise cloud vendors in this way. There is proof of concept code posted on various sites cybercriminals use, but no discovered exploits yet.
Immediate problem: slowdowns
Meanwhile, the more pressing problem is that some cloud users have reported slowdowns in computing performance as a result of the patching. This is not surprising, as Spectre and Meltdown themselves take advantage of the very feature in hardware chip design that allows transactions to be processes more quickly: an ability to predict what the next request from the CPU will be and grab the memory needed for that process.
The Meltdown software patches move the operating system kernel into its own separate virtual memory space, protecting it from this type of exploit. This introduces overhead that could slow down the system.
Intel has said Meltdown patches can cause 5% to 30% degradations in performance. Microsoft admitted in a blog that on some Microsoft servers and desktops, users may notice a slowdown from Meltdown patching.
Andrew Retrum, managing director, technology consulting at Protiviti, said a client recently told him that after its cloud provider patched its tenant environment and the client did its own patching, they saw a 30% slowdown in processor use.
“The concern is real,” he said. “I’ve seen benchmarks from various sources, including vendors themselves, showing 2% to 20% slowdowns. That varies heavily depending on what processor you’re talking about. But it’s certainly something we are advising our clients to pay close attention to in testing the patches prior to installing and after the fact.”
But some cloud vendors deny there are performance degradations.
“We have not observed meaningful performance impact for the overwhelming majority of EC2 workloads,” Amazon said in its security bulletin.
Geopfert at RSM said that, though slowdowns are inevitable, cloud providers may be compensating by bringing in additional hardware to keep processing speeds up.
Slowdowns could cause those paying by the hour to pay more for the same amount of work, or to eventually be charged more as cloud vendors make costly upgrades to maintain promised performance levels, and those costs get passed down.
“The whole thing is predicated on a meter running,” Weiss said. “If suddenly you’re spending 30% more time processing something due to the hypervisor and OS patching and everything else they’re doing to mitigate this risk, and suddenly you’re spending more on CPU cycles, are customers going to ask they do something about that? Forget about the merits of cloud computing economically versus rolling your own. If the efficiency of the platform is reduced, who pays for that?”
Companies will need to discuss and negotiate any pricing changes with their cloud providers, Laliberte noted.
“Given the extremity of what’s going on right now, it’s not an option to not address it and not patch it,” he said. “I also suspect that [the current set of patches] is the initial response to this issue. We may see better solutions that can avoid the degradation we’re seeing.”
It’s also true that Spectre and Meltdown are difficult types of attacks to carry out, much harder than phishing attacks or code injection attacks that also enable cybercriminals to steal sensitive data.
Occam’s razor may apply here — the principle attributed to the Franciscan friar William of Ockham that states that if you have two competing theories, the simpler one is better.
“If someone is going to break into your cloud security, it’s highly unlikely they’ll use hardware,” Geopfert said. It would be easier to find some other means of capturing a cloud user’s username and password, log into the cloud instance and steal data directly.
“This will give some businesses pause, but it’s not a primary concern,” he said.
Editor at Large Penny Crosman welcomes feedback at firstname.lastname@example.org.