How Scientists Plan to Stop Nasty Side-Channel Attacks

Shafi Goldwasser at MIT and Guy Rothblum at Microsoft Research are proposing a technique that could alleviate the threat of side-channel attacks, which often rely on an attacker being able to listen to the "noise" of computer processes. Side-channel attacks frequently time storage transactions and measure the power use of a system to draw conclusions about the system's activity and ultimately open a door to critical data.

According to Goldwasser and Rothblum, such an attack would require only a piece of code loaded on a cloud server, which could eavesdrop on the activity of applications. A side-channel attack is still a very sophisticated attack in secure server environments, as it would require a hacker to send code to the server's memory and back and use the measured time to draw conclusions when other programs are active. The researchers say that such an attack can reveal this information with "remarkable accuracy."

To mitigate the threat, the researchers suggest obscuring the way in which a program writes data to and retrieves data from memory. In a paper published by the Electronic Colloquium on Computational Complexity, they describe a method in which a computation is sliced into modules to create a computation sequence. Data that is transferred will be encrypted in stages and in multiple ways using different encryption methods, but the chain will deliver decrypted output at its end that "is exactly the output of the original computation."

As a result, an attacker would be able to listen to each computational module, but would not be able to draw conclusions about what the sequence looks like as a whole or what it actually does.

“The adversary can take measurements of each module,” Goldwasser said, “but they can’t learn anything more than they could from a black box.”
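A toy illustration of the idea described above, added here and not taken from the article or from the researchers' paper: it substitutes simple additive masking for the paper's construction, splitting a short computation into modules that each see only masked data while the final output stays identical. The modulus, stage constants and function names are assumptions chosen for the example.

```python
# Added illustration: additive masking, NOT the Goldwasser-Rothblum construction.
import secrets
from collections import Counter

M = 256                              # small modulus so all masks can be enumerated
STAGES = [(3, 7), (5, 11), (9, 2)]   # constructed affine steps: v -> a*v + b (mod M)

def original(x):
    """Unprotected computation: every intermediate value depends directly on x."""
    for a, b in STAGES:
        x = (a * x + b) % M
    return x

def modular(x, masks):
    """Same computation, split so that each module only ever holds one share.

    masks holds one mask per stage. Returns (output, trace), where trace[i] is
    (value seen by module 0, value seen by module 1) during stage i.
    """
    s0, s1 = masks[0] % M, (x - masks[0]) % M      # x = s0 + s1 (mod M)
    trace = []
    for i, (a, b) in enumerate(STAGES):
        s0 = (a * s0) % M                          # module 0 works on s0 only
        s1 = (a * s1 + b) % M                      # module 1 works on s1 only
        trace.append((s0, s1))
        if i + 1 < len(STAGES):                    # re-mask under a fresh key
            s0, s1 = (s0 + masks[i + 1]) % M, (s1 - masks[i + 1]) % M
    return (s0 + s1) % M, trace                    # unmask only at the end

def view_distribution(x, module, later_masks=(17, 99)):
    """Exact distribution of one module's observations over every first mask."""
    dist = Counter()
    for r0 in range(M):
        _, trace = modular(x, [r0, *later_masks])
        dist[tuple(step[module] for step in trace)] += 1
    return dist

def run(x):
    """Protected evaluation with fresh random masks from the OS CSPRNG."""
    return modular(x, [secrets.randbelow(M) for _ in STAGES])[0]

if __name__ == "__main__":
    print(original(5), run(5))                     # same output either way
    print(view_distribution(5, 1) == view_distribution(200, 1))
```

Because the distribution of what either module observes is identical for any two secrets, measuring a single module tells an observer nothing about the input, yet the recombined output matches the unprotected computation.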

The entire approach is based on the idea of making leaking data more secure. If found effective, the method could be implemented fairly easily, as it does not require any changes to "secure" hardware components, the researchers said.

  • dreadlokz
    I just like when it grows!
    Can't wait to get my personal cloud computer home server and my super fast devices =)
  • memadmax
    Or, just avoid "cloud" like the plague....
    Too many tech noobs falling for this crap....

    If you are concerned with storage, get a 1TB hard drive and a stack of DVD's.... If you have that much crap, you might want to think about cleaning out your junk.....
    On the plus side, you don't have to pay monthly fees, your data will always be there, and it will be faster, no download wait times.........
  • theconsolegamer
    PHUCK THE CLOUD. WHY WOULD I PAY SOMEBODY ELSE TO STORAGE MY SH!T? THAT'S RETARDED.
  • frostmachine
    memadmax wrote:
    Or, just avoid "cloud" like the plague.... Too many tech noobs falling for this crap.... If you are concerned with storage, get a 1TB hard drive and a stack of DVD's.... If you have that much crap, you might want to think about cleaning out your junk..... On the plus side, you don't have to pay monthly fees, your data will always be there, and it will be faster, no download wait times.........
    Except when there's a fire, flood, earthquake, lightning strike or maybe a tornado. Admit it, most people store their backups in the same room as their computer. If anything happens to that room, well so much for monthly scheduled backups.

    If you are really unlucky, a burglar or a well-aimed drunk driver can really ruin Aunt May's wedding pics.
  • Link to Paper?
  • "Side-channel attacks are frequently timing storage transactions and are measuring the power use of a systems to make conclusions of a system's activity and ultimately open a door to critical data."

    This sentence makes no sense.
  • Onus
    Perhaps the cloud has its place. Perhaps. Handling mission critical and/or sensitive data is definitely not among them.
  • drwho1
    I have said many times, I will never use the "cloud".
    I prefer to have MY files on MY own computer

    Sharing between my other computers?
    that's what home networks are for.

    Sharing on the road?
    That's what my notebook is for, simply copy/transfer anything that I need on the go.

    It's secure and free.
  • g00fysmiley
    I'm surprised at the number of people here on a tech site not embracing new tech. I plan on storing my own data on my own drives too, but I have some photos and pdf's saved in my email accounts as backups. I have a usb 1tb drive used for some file backups but in case those fail some pictures of family and things I've written that I don't want to lose I see no reason not to keep it stored on a third source esp when it is free. I don't really have much sensitive data but I will agree that I wouldn't keep like my tax return info on a cloud but for some nonsensitive data I like the extra level of redundancy
  • velocityg4
    g00fysmiley wrote:
    I'm surprised at the number of people here on a tech site not embracing new tech. I plan on storing my own data on my own drives too, but I have some photos and pdf's saved in my email accounts as backups. I have a usb 1tb drive used for some file backups but in case those fail some pictures of family and things I've written that I don't want to lose I see no reason not to keep it stored on a third source esp when it is free. I don't really have much sensitive data but I will agree that I wouldn't keep like my tax return info on a cloud but for some nonsensitive data I like the extra level of redundancy
    New tech does not mean good tech. The only way I'd consider cloud storage would be my own NAS also set up for cloud features. It's not like I worry about a company losing my files.

    What I worry about is that those companies provide great big targets worth hundreds of millions of dollars or more in personal data. With legions of hackers salivating at the prospect of getting at that data. Those data centers are constantly under attack. With all the high profile security breaches by hackers in the news. You know it is only a matter of time until a single hacker or a dedicated group slips by undetected. Then they can just sift through the data gorging on the personal information of millions upon millions of people. Such as that data kept by Turbotax, Quicken and Quickbooks.

    While some small home NAS offering private cloud storage is more secure. Sure it doesn't provide the massive levels of security that cloud providers do. It also isn't a target. It is too small and insignificant to look for, track down, and spend time defeating its security.