Are Some Security Vulnerabilities Too Complex to Fix?

Cloud computing has improved the lives of countless developers and businesses in the last few years. Today, development teams can spin up clusters of virtual machines and containers, connect them with virtual networks, deploy their application onto them, and assign it a public IP address. They can do all this whilst sipping a pint in their local pub if they like. From a cloud operator’s perspective, these features are underpinned by a complex architecture. One consequence is that security vulnerabilities become harder to find and are sometimes extremely difficult to fix. So the question is: how much complexity are organizations willing to confront when it comes to securing their systems? Is complexity a factor in risk assessments?

When deciding on which features to implement, developers tend to weigh the value of the feature against the cost of its implementation. In other words, return on investment. So should organizations ever transpose this concept onto security? Also, if they are going to deem certain vulnerabilities as too complex (and therefore expensive) to remediate, how will they come to these decisions?

In our case, if a vulnerability introduces a risk to our customers’ data, then we absolutely need to invest time in remediation research and implementation, since that is key to our particular business model. But is this sustainable, realistic or even desirable for every company in every scenario? Should social networks or every cloud provider try to remediate all vulnerabilities regardless of complexity and effort?

The CPU Cache Side-Channel Nightmare

The year 2018 introduced numerous vulnerabilities that are complex to exploit and hard to fully remediate without undesirable side-effects. According to a recent article by ITWeb, “SonicWall threat researchers have deemed processor vulnerabilities a growing security concern for both software and hardware technologies, which could have unprecedented ramifications” (https://www.itweb.co.za/content/kYbe97XxoJg7AWpG).

The white papers on these vulnerabilities have included proof-of-concept demonstrations showing the extraction of cryptographic keys when “simultaneous multithreading” (SMT) was enabled on certain processors. This feature, also known as Hyper-Threading, theoretically doubles the amount of compute resources offered by a CPU core. In a cloud infrastructure, some of these vulnerabilities could theoretically allow a cloud tenant to steal sensitive data from another tenant whose VM shares a physical CPU for an extended period of time. This is clearly a terrible scenario for any cloud provider.

No universal fix has been made available for these vulnerabilities; the recommended step was to disable the SMT feature altogether. Regardless of your business, this means a substantial performance hit. It also means that you’ve paid more for a hardware feature you’re not going to use, which can hit hard if you’re a small business.
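Before deciding whether to accept the performance hit, a defender wants to know whether SMT is actually on and which kernel-reported CPU vulnerabilities still depend on it. The following is an added example, not code from the original post: it reads the Linux sysfs files `/sys/devices/system/cpu/smt/control` and `/sys/devices/system/cpu/vulnerabilities/*` when they exist, and otherwise runs the same assessment over a constructed sample of those files; the sample status strings imitate the kernel's wording but are not captured from a real host.

```python
from __future__ import annotations
from pathlib import Path

# Real Linux sysfs locations; only consulted when present on the host.
SMT_CONTROL = Path("/sys/devices/system/cpu/smt/control")
VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")


def assess(smt_control: str, vulns: dict[str, str]) -> dict:
    """Summarise SMT state against the kernel's per-vulnerability status lines.

    smt_control: contents of smt/control ("on", "off", "forceoff", ...).
    vulns: mapping of vulnerability name -> status line from the sysfs dir.
    """
    smt_enabled = smt_control.strip() == "on"
    # Kernel marks mitigations that remain incomplete while SMT is on with
    # the phrase "SMT vulnerable" (e.g. l1tf, mds).
    smt_dependent = sorted(
        name for name, status in vulns.items()
        if "smt vulnerable" in status.lower()
    )
    # Status lines that start with "Vulnerable" have no mitigation active.
    unmitigated = sorted(
        name for name, status in vulns.items()
        if status.strip().lower().startswith("vulnerable")
    )
    return {
        "smt_enabled": smt_enabled,
        "smt_dependent": smt_dependent,
        "unmitigated": unmitigated,
        "residual_smt_risk": smt_enabled and bool(smt_dependent),
    }


def assess_live_host() -> dict | None:
    """Run assess() on this machine, or return None if sysfs is unavailable."""
    if not (SMT_CONTROL.exists() and VULN_DIR.is_dir()):
        return None
    vulns = {p.name: p.read_text() for p in VULN_DIR.iterdir() if p.is_file()}
    return assess(SMT_CONTROL.read_text(), vulns)


# Constructed sample resembling a 2018-era Intel host with SMT left on.
SAMPLE_SMT_CONTROL = "on\n"
SAMPLE_VULNS = {
    "l1tf": "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable\n",
    "mds": "Mitigation: Clear CPU buffers; SMT vulnerable\n",
    "meltdown": "Mitigation: PTI\n",
    "spec_store_bypass": "Vulnerable\n",
}

if __name__ == "__main__":
    print(assess_live_host() or assess(SAMPLE_SMT_CONTROL, SAMPLE_VULNS))
```

A result with `residual_smt_risk` true is the case the article describes: SMT is still enabled and the kernel is telling you that at least one mitigation is incomplete because of it.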

So the next step is to consider whether to research alternative solutions which keep your current performance levels, or buy new hardware on a large scale, but this is where the aforementioned question arises: is it worth it? Bearing in mind the very specific circumstances under which a number of these attacks have been demonstrated, many organizations have likely decided that the investment required is far too high compared to the risk of being compromised. Just as a team of developers might decide that adding a feature to their social media platform is far too much work compared to the new users it might attract, so a security team might decide to leave this vulnerability in place. The difference, of course, is that end users of a cloud platform don’t necessarily have any idea that this is the case, and may even assume that companies will remediate any and every vulnerability they know of. Given our own business model, we decided that we did need to invest in a better solution to this issue because we couldn’t sleep at night otherwise.

Be Ready Whatever You Decide

There is a growing focus in our industry on the response part of the incident lifecycle, and an acceptance that some attacks will sneak through. This makes a lot of sense. It seems inevitable that, as attackers become more sophisticated and systems more complex, the attacks which exploit those systems become more sophisticated too. In other words, we are in an arms race. Organizations therefore need to make tough choices, and ultimately decide whether to expend serious effort remediating a vulnerability or, at the very least, to cover it as part of a detailed response plan.

At InfoSec 2019, we’ll be really interested in hearing more about how companies perform risk assessments such as these to determine whether some complex attacks are simply not worth the time or investment, and fall more into the “this could happen, but we’ll be ready” category.
