'Cloud Cartography' and Security update from August 2009

Can Internet attackers target a particular virtual machine on a large public cloud platform? Craig Balding at Cloud Security points to a paper from researchers at MIT and Cal-San Diego titled "Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds (PDF).” Here's a summary:

"Using the Amazon EC2 service as a case study, we show that it is possible to map the internal cloud infrastructure, identify where a particular target VM is likely to reside, and then instantiate new VMs until one is placed co-resident with the target. We explore how such placement can then be used to mount cross-VM side-channel attacks to extract information from a target VM on the same machine."

Craig says the paper is important in highlighting new avenues of attack for cloud security professionals to understand and defend. "There’s no EC2 '0-day', but that’s not the intent of the paper," Balding writes. "Rather, we are reminded that cloud platforms and technologies do bring some novel attacks that thus far have not really figured in much of the security conversation to date. We need more of this type of research to better understand what we are getting ourselves into."