Thoughts On “Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds” Article

The paper “Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds” is categorized into 3 main parts, first is problem statement, second is Implementation of attack and last one is mitigation which are suggested by author.

1. Problem Statement -

As per article author wanted to solve the side channel attack on security of loud computing.

The cloud provider’s main functionality is providing multi tenancy features to cloud consumers. In multi tenancy, virtual instance of physical server or machine is utilized by tenant. In this case many virtual instances can be reside in a one physical machine. It is possible that attacker can see and penetrate in others virtual machines.

2. Implementation of attack –

The article provides Amazon EC2 case study. The role of Xen hypervisor is to manage guest images, resource provisioning, and control access rights. Amazon gives their services in 2 regions USA and Europe with 5 Linux instance types. The customer way wants to specify the zone and instance type. As per article, in this situation author act like attacker that aims to run malicious process along with target instance process.

Secondly, author tries to determine whether virtual instances are close to each other or not. As per author, they resulted in false positive rate to zero.

Lastly author concentrates on exploiting data and information leakage. It is possible that, attacker can see and extract confidential information of nearby virtual machines.

3. Risk Mitigation –

• Author mentioned many mitigation techniques for above risks-
• Prevent cloud cartography
• At the time of instance launch, need to randomly assign IP addresses. It means prevent Attacker to get access to nearby virtual instance.
• Prevent side attack.

My thought -

I like this paper. It mainly focused on the risk, attacks in very detail. The paper describes Each attack method in-depth but simultaneously, there is not in-depth description of mitigation techniques.