Cloud computing: Gaps in the 'cloud'24 October 2011, by Jens Wylkop

Researchers from Ruhr-University Bochum havefound a massive security gap at Amazon CloudServices. Using different methods of attack(signature wrapping and cross site scripting) theytested the system which was deemed "safe"."Based on our research results, Amazon confirmedthe security gaps and closed them immediately",said Prof. Dr. Jorg Schwenk, chair for network anddata security at the RUB. Amazon Webservices(AWS) offers its customers cloud computingservices and hosts, among others, services likeTwitter, Second Life and 4Square.

Cloud computing could be the major computingparadigm of tomorrow. The idea of processing andstoring software and data in a cheap externalinfrastructure is becoming increasingly popular.The fact that these services are by no means assecure as promised is now demonstrated by theresearch results of Prof. Schwenk and his staff.

The "Cloud" is a collection of many virtual serverswith concentrated computing power. Outsourcingto cloud computing has many advantages forprofessional users: they can rent storage andserver capacity short term on demand. The serviceis invoiced, for example, according to the usageperiod, and the customer saves the cost ofpurchasing his own software and hardware. Up tonow, the discussion about cloud computing hasabove all been dominated by the inability to complywith legal requirements. "Real" attacks were,however, less in the public eye.

"A major challenge for cloud providers is ensuringthe absolute security of the data entrusted to them,which should only be accessible by the clientsthemselves," said Prof. Schwenk, who set out withhis staff to seek weak points. They have foundwhat they were looking for: Juraj Somorovsky,Mario Heiderich and Meiko Jensen tested thesecurity concept of the cloud provider AmazonWeb Services, in short AWS.

"Using different kinds of XML signature wrappingattacks, we succeeded in completely taking over

the administrative rights of cloud customers", saidJuraj Somorovsky. "This allowed us to create newinstances in the victim's cloud, add or deleteimages." The researchers suspect that many cloudoffers are susceptible to signature wrappingattacks, since the relevant web service standardsmake performance and security incompatible. "Weare working on a high-performance solution,however, that no longer has any of the knownsecurity gaps", said Prof. Dr. Jörg Schwenk.

In addition, the researchers found gaps in the AWSinterface and in the Amazon shop which wereideally suited for smuggling in executable scriptcode - what are termed cross-site scripting attacks.With alarming consequences: "We had free accessto all customer data, including authentication data,tokens, and even plain text passwords" said MarioHeiderich. The researcher see the common loginas a complex potential danger: "It's a chainreaction. A security gap in the complex Amazonshop always also directly causes a gap in theAmazon cloud."

In contrast to public belief, Private Clouds are alsovulnerable to the aforementioned attacks:Eucalyptus, an open source project widely used toimplement Cloud solutions within companies, didexpose the same weaknesses. "A roughclassification of cloud technologies cannot replacea thorough security investigation", states Prof.Schwenk.

"Critical services and infrastructures are makingincreasing use of cloud computing", explained JurajSomorovsky. According to industry estimates, theturnover of European cloud services is set to morethan double in the next four years - from around 68billion Euros in 2010 to about 148 billion in 2014."Therefore it is essential that we recognise thesecurity gaps in cloud computing and avoid themon a permanent basis." Industry took immediateaction: "On our advice, Amazon and Eucalyptusconfirmed the security gaps and closed themimmediately".

1 / 2

Provided by Ruhr-University BochumAPA citation: Cloud computing: Gaps in the 'cloud' (2011, October 24) retrieved 21 May 2018 from https://phys.org/news/2011-10-cloud-gaps.html

This document is subject to copyright. Apart from any fair dealing for the purpose of private study or research, nopart may be reproduced without the written permission. The content is provided for information purposes only.

Powered by TCPDF (www.tcpdf.org)

2 / 2