Friday, October 23, 2009

Technology Review: Vulnerability Seen in Amazon's Cloud-Computing

Ron Rivest, a computer science professor at MIT and pioneer in cryptography, says the four researchers have "discovered some troubling facts" about cloud-computing services, which rent out computing resources, including storage and processing power, on a by-the-hour basis. Specifically, the potential weaknesses were found in the basic computing infrastructure services that are provided by Amazon and Rackspace and are widely used within many in-house corporate datacenters.
These technologies involve "virtual machines"--remote versions of traditional onsite computer systems, including the hardware and operating system. The number of these virtual machines can be expanded or contracted on the fly to meet demand, creating tremendous efficiencies. But the actual computing is, of course, performed within one or more physical data centers, each containing thousands of computers. And virtual machines of different customers sit on the same physical servers.
The attack involves first figuring out which physical servers a victim is using within a cloud, then implanting a malicious virtual machine there, and finally attacking the victim.
Hunting down a victim who might be on any of tens of thousands of servers might seem a needle-in-haystack enterprise. But the paper concludes that with some simple detective work, "just a few dollars invested in launching [virtual machines] can produce a 40 percent chance of placing a malicious [virtual machine] on the same physical server as a target." They dub this mapping process "cartography."
