Virtualization is a hot topic among server administrators these days, and the use of virtual machines and cloud services continues to rise. A virtual machine essentially allows an IT administrator to set up multiple “virtual” servers on a single piece of server hardware. A popular example of a system that uses virtual machines is Amazon Web Services Elastic Cloud Computing (EC2), and many highly visible websites use Amazon EC2, including Instagram, Foursquare, Dropbox and Amazon itself.
The prevalent thought behind virtualization is that each virtual machine is run in an independent process without being affected by any other process or virtual machine. In creating multiple VMs on a single piece of hardware, the cost of hardware is significantly reduced while the flexibility of administration is increased.
Recently, researchers from RSA Laboratories, the University of Wisconsin and the University of North Carolina published a paper revealing a method they discovered that would allow a VM to uncover the cryptographic key of another VM on the same piece of hardware. The crypto key is what’s used by the virtualization software to ensure one VM’s data is safe and secure from another VM.
The attack sniffs out clues to the crypto key by studying the hardware’s data cache, which over time reveals fragments of the crypto keys being used. According to the paper, the research team was able to piece together a 4096-bit key in a few hours. They also noted that while the concept of this attack is straightforward, the implementation of such an attack is “surprisingly difficult.” A couple hurdles would-be attackers would have to jump include establishing a VM on the same physical hardware as their target, and currently, it would have to be the only other VM on that same hardware.
If you don’t have an IT team that can closely monitor new security trends and how they could affect your business, OAC Technology, a Minneapolis-based IT company, can help you lock down and maintain your Network Security. We can scan your network and make personalized recommendations for your business based on what we find. Contact us today to set up a free Network Security Audit.