January 13, 2017

In the Vernam Group’s computer security lab, a venerable piece of electronic test equipment is at work protecting today’s modern flood of information. The device is an oscilloscope, hooked up to a computer chip running some software routines. As the transistors on the chip quietly do their work, the oscilloscope measures tiny fluctuations in the amount of electrical power they consume.

A transistor uses a slightly different amount of power performing an operation that generates a 1 than one that produces a 0, explains Thomas Eisenbarth, PhD, assistant professor of electrical and computer engineering. By measuring the fluctuations, he can eventually figure out what the chip is doing. “If you look at hundreds or thousands of operations, you can see quite a bit,” he says.

By carefully observing similar changes in a computer’s performance, Eisenbarth and Vernam Group director Berk Sunar, PhD, professor of electrical and computer engineering, were able to decipher cryptographic keys (known as RSA keys) from virtual machines running on Amazon Web Services (AWS) servers. In doing so, they got their hands on what is supposed to be one of the most tightly guarded secrets on the Internet — a sequence of numbers that protects data from prying eyes as it’s transmitted over unsecured communications channels. “Our attack was really the first that successfully recovered an RSA decryption key from a neighboring instance in the cloud,” Sunar says.

Navigating the Side Channels

The Amazon attack, part of a project supported by a $500,000 award from the National Science Foundation (NSF), wasn’t as straightforward as hooking up an oscilloscope, but it nonetheless provided new evidence that the way a computer behaves — the time it takes to complete a function, for example, or the amount of power an operation consumes — can provide clues about what is transpiring inside its electronics. These so-called side channels can leak sensitive information from otherwise secure systems.

Eisenbarth and Sunar first reported on their attack in 2015 at the IEEE Symposium on Security and Privacy. That work was followed by a paper and presentation at the Conference on Cryptographic Hardware and Embedded Systems (CHES) 2016; CHES is an annual conference for computer security experts founded at WPI in 1999. Sunar and Eisenbarth also shared their results with engineers at Amazon. “They weren’t very happy,” Sunar says, “but they were cooperative and very open to our feedback.”

Security in the Cloud

The Vernam Group (named for Gilbert Vernam, Class of 1914, who pioneered secure encryption while working on telegraph systems) focuses on various applications of encryption and data security. This video focuses on research by Professors Sunar and Eisenbarth aimed at identifying vulnerabilities in the remote storage and computing services known as the cloud.

Spies in the Cloud

Cloud computing is increasing rapidly in popularity. A 2015 Goldman Sachs study predicted that spending on cloud infrastructure and platforms will grow by 30 percent per year through 2018, compared with a 5 percent overall growth rate for enterprise IT. For businesses, renting space and computing power in the cloud can be cheaper than investing in new hardware and employees, and if the need declines, companies are not stuck with unneeded resources. Cloud computing has become a big business for Amazon, which earned more than $6 billion from its AWS operation in 2015.

Many users think of the cloud as a place to store photos and other files, but cloud computing also enables customers to create “virtual machines,” essentially private computers that will run their software and perform their business functions. This is what Amazon offers with its AWS servers. To achieve economies of scale, cloud providers will load as many as 10 virtual machines on a single server. Each acts as an isolated, stand-alone computer, though they do share resources, including memory.

Hardware and software safeguards prevent one virtual machine from directly observing what another is doing. So even though they operate side by side, the information they process should be secure. But in their groundbreaking study, Sunar and Eisenbarth showed that they could eavesdrop on another user just by observing how it was using the CPU’s shared resources.

“Any process on the same system can spy on other processes through the shared resources,” Eisenbarth says. “If you do that in a smart way you can figure out something about the process. If you can see accesses that are dependent on a secret, then you can learn something about that secret.”

Clues in the Last-Level Cache

In this case they focused on the last-level cache, a form of memory that saves processing time by temporarily storing data so that it doesn’t have to be fetched from the main memory. That area of memory is shared by all of the virtual machines running on a server. Data stored there by one user will be overwritten if another process needs the space.

If a process needs to grab something from or write something to the last-level cache and it takes longer than normal, that means another program is also accessing the cache at the same time. By observing this give-and-take, the researchers were able to deduce how much of the cache was being used by each operation. That turned out to be an important clue to what kind of data was being processed.
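Eisenbarth's point about accesses that depend on a secret can be made concrete with a small model. The C code below is an added illustration, not the researchers' code and not the patched library's: the table, the 64-byte line size and the `touched` bitmap that records which lines a lookup reads are all assumptions made for the example. It contrasts a lookup whose memory footprint follows the secret with one that reads every line and selects the value with a mask.

```c
#include <stdint.h>
#include <stdio.h>

#define ENTRIES 16   /* constructed table: 16 entries */
#define LINE    64   /* assumed cache-line size in bytes */

static uint8_t table[ENTRIES][LINE];  /* one entry per cache line */
static uint32_t touched;              /* model: bit i set when line i is read */

static void init_table(void) {
    for (int i = 0; i < ENTRIES; i++)
        for (int j = 0; j < LINE; j++)
            table[i][j] = (uint8_t)(i * 17 + j);
}

/* Secret-dependent access: only the line selected by the secret is read. */
static uint8_t lookup_leaky(unsigned secret) {
    touched |= 1u << secret;
    return table[secret][0];
}

/* Uniform access: every line is read and the wanted value is kept with a
   mask, so the set of lines read is the same for every secret. */
static uint8_t lookup_uniform(unsigned secret) {
    uint8_t out = 0;
    for (uint32_t i = 0; i < ENTRIES; i++) {
        uint32_t diff = i ^ secret;
        /* mask is 0xFF when i == secret, 0x00 otherwise, with no branch */
        uint8_t mask = (uint8_t)(((diff - 1u) >> 31) * 0xFFu);
        touched |= 1u << i;
        out |= table[i][0] & mask;
    }
    return out;
}

/* Footprint of one lookup: which lines a cache observer could see used. */
uint32_t footprint(uint8_t (*lookup)(unsigned), unsigned secret) {
    touched = 0;
    (void)lookup(secret);
    return touched;
}

int main(void) {
    init_table();
    for (unsigned s = 3; s <= 12; s += 9)
        printf("secret=%2u leaky=0x%04x uniform=0x%04x\n", s,
               (unsigned)footprint(lookup_leaky, s),
               (unsigned)footprint(lookup_uniform, s));
    return 0;
}
```

The uniform version costs sixteen reads instead of one, which is the usual price of removing the secret-dependent access pattern.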

With enough observations, and the application of clever statistics, patterns in the memory usage emerged. Sunar and Eisenbarth were able to determine when they were watching the RSA key being processed. Like safecrackers carefully listening to the sound of the tumblers in the lock, they parsed out the code, digit by digit. “It’s like trying to hear a whisper in a train station,” explains Mehmet Inci, a PhD candidate who worked with Sunar and Eisenbarth on the project. If the whisper is repeated, an eavesdropper can pick up different pieces of whatever’s said each time.

The virtual machine the team monitored was one that they, themselves, had installed on the server. In fact, for the attack to work, they had to find a way to co-locate two machines, the attacker and the victim, on the same server — no small feat since machines are assigned to servers randomly to make it all but impossible for malicious parties to co-locate their machines with particular targets.

A team at the University of California San Diego and MIT first showed that co-location was possible in 2009 by making assumptions about where a server might be placed and then deploying large numbers of machines until two popped up on the same server. The WPI team devised a new co-location technique that makes use of characteristics of the last-level cache.

Leaks Beyond the Cloud

After the researchers revealed the vulnerability they’d uncovered, Amazon issued an update to its cryptographic libraries intended to fix the problem. They also pointed out that it would be difficult for less sophisticated and less diligent users to duplicate what the WPI team had accomplished. Eisenbarth agrees: “This is not an easy attack to perform,” he says.

Still, he notes, even with the software patch, “the underlying mechanisms we used are still in place.” And, since computer users are often reluctant to install patches, fearing they will disrupt their computers (about half of Amazon AWS users are still running outdated libraries), the door the WPI team walked through is far from closed.

But the other issue is that computers are always going to leak some information. With a $500,000 NSF award, Eisenbarth and Sunar have been studying such leakage in the cloud in a project called RAIN. Their work demonstrates the need for constant vigilance in the cloud to find leaks and plug them before torrents of secrets are lost. And it isn’t just a problem for companies that trust their computing to Amazon’s cloud. “Whether you know it or not, you’re already using a cloud service provider,” says Sunar. Anyone using Dropbox or Evernote to store files or Netflix to watch movies is putting their data in the cloud, and it might be stolen if security breaks down.

And it’s not just the cloud that leaks. Recently, the Vernam Group received another $500,000 NSF grant for MIST, a project to identify vulnerabilities on mobile platforms, such as smartphones. Malicious apps, perhaps in the guise of something benign like a game, can gather information about the processes running on a phone to access information about the user, for example, tracking the user’s location or capturing credit card numbers. The team hopes to develop ways to manage the processes differently so they don’t leak information, and to provide tools app developers can use to prevent leakage.

Attacks don’t have to be remote, of course, which is where the work with the oscilloscope comes in. A growing number of devices can be physically accessed by people with a reason to hack them (the way some people have tried to steal cable service for years). Figure out what a chip is doing, and one might be able to steal money from a smart card. Hack a car’s computer, and one can gain access to services from satellite radio.

Another Vernam Group project may make at least some data safer. With a $275,000 NSF grant, Sunar is working with Jeffrey Hoffstein and Joseph Silverman, mathematics professors at Brown University, to investigate new methods for achieving fully homomorphic encryption. This cryptographic technique makes it possible to send data in encrypted form to another computer for processing. The other computer performs its computations and returns an answer, also encrypted, though the other computer never “sees” the actual data.

Imagine you wanted to research something about a sensitive topic, such as mental health, and didn’t want anyone at Google to know about it. With homomorphic encryption, the search query would be turned into a cipher and Google would perform an encoded search, then send back the results without ever knowing what you asked or what the answer was.

Homomorphic encryption already exists, but it’s inefficient; a query that Google currently answers instantly in unencrypted form could take hours if encrypted. But Sunar thinks that within 10 years, better algorithms and more advanced computers will have mitigated that delay. “This is one of those big technologies that’s supposed to change everything,” he says.

But as long as there are computers processing data, there will be attackers trying to steal it, keeping security experts like the Vernam Group busy finding holes and closing them. “Security is really a process,” Sunar says. “If there’s any opening in any system, sooner or later it will be attacked.”

— Neil Savage

Illustrations by Greg Mably