Researchers claim cloud security breakthrough
Researchers at North Carolina State University claim to have invented a technique for more securely storing and processing information in the cloud.
Cloud computing is a burgeoning sector, but according to the researchers, weaknesses in the hypervisor software that creates and manages virtual machines could expose one tenant's sensitive data to other tenants sharing the same cloud hardware.
The scientists have developed a software-driven framework that uses hardware and firmware features to isolate the different workloads running on a cloud server from one another, separating them as soon as they arrive for processing.
The technique works like a hotel receptionist, assigning each guest's data to its own private area on arrival rather than letting guests mingle in a shared room.
“A long-standing concern in cloud computing is that attackers could take advantage of vulnerabilities in a hypervisor to steal or corrupt confidential data from other users in the cloud,” the researchers said, adding that their approach isolated sensitive information and workload from the rest of the functions performed by a hypervisor.
The technique, dubbed the “Strongly Isolated Computing Environment” (SICE), adds a separate protection layer beneath the hypervisor that the researchers claim has minimal impact on performance and relies on a small, stripped-down code base that is simpler to secure and audit.
“We have significantly reduced the ‘surface’ that can be attacked by malicious software,” said Peng Ning, a professor of computer science at NC State.
“For example, our approach relies on a software foundation called the Trusted Computing Base, or TCB, that has approximately 300 lines of code, meaning that only these 300 lines of code need to be trusted in order to ensure the isolation offered by our approach. Previous techniques have exposed thousands of lines of code to potential attacks. We have a smaller attack surface to protect.”
The technique confines the sensitive workload to one or a few dedicated processor cores under strong isolation, while the hypervisor and the remaining workloads continue to run separately on the other cores.