
Cross-VM Side-channel attacks against cryptography keys

A group of researchers has developed a side-channel attack targeting virtual machines that could pose a threat to cloud computing environments. Side-channel attacks against cryptography keys have, until now, been limited to physical machines; this is the first such attack demonstrated on a symmetric multiprocessing system virtualized using a modern VMM (Xen).

A side channel is a form of information leakage that arises as a byproduct of resource exposure, such as the sharing of memory caches. A side-channel attack exploits such leakage to steal secrets, such as cryptographic keys.

"In this attack, the researchers were able to extract a private ElGamal decryption key from the target VM’s libgcrypt library; the target was running Gnu Privacy Guard. Over the course of a few hours of observations, they were able to reconstruct a 457-bit exponent accompanying a 4096-bit modulus with high accuracy. So high that the attacker was then left to search fewer than 10,000 possible exponents to find the right one."

According to the paper, the group demonstrated an attack in a lab environment that allowed a malicious virtual machine (VM) to extract a private ElGamal decryption key from a co-resident virtual machine running Gnu Privacy Guard, which implements the OpenPGP email encryption standard.
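ElGamal decryption raises a ciphertext component to the private exponent, so the sequence of operations inside that exponentiation is where such a key can leak. The sketch below is an added illustration, not code from the article, the paper or libgcrypt: it assumes a textbook square-and-multiply routine (the article does not say which algorithm the library used), models an ideal noise-free observer, and contrasts it with a Montgomery ladder whose operation sequence does not depend on the key.

```python
# Added illustration; toy parameters are constructed, not taken from the article.
P = 2**127 - 1               # constructed toy prime modulus (the article's was 4096-bit)
G = 3                        # constructed base
X = 0b1011001110001011       # constructed "private exponent"

def square_and_multiply(base, exp, mod):
    """Left-to-right binary exponentiation; returns (result, operation trace)."""
    result, trace = 1, []
    for bit in bin(exp)[2:]:
        result = (result * result) % mod
        trace.append("S")
        if bit == "1":       # key-dependent extra multiply: this is the leak
            result = (result * base) % mod
            trace.append("M")
    return result, "".join(trace)

def montgomery_ladder(base, exp, mod):
    """One multiply and one square per bit, whatever the bit value is.
    Python is not constant-time; a real implementation also needs a
    branch-free swap and data-independent memory access."""
    r0, r1, trace = 1, base % mod, []
    for bit in bin(exp)[2:]:
        if bit == "1":
            r0, r1 = (r0 * r1) % mod, (r1 * r1) % mod
        else:
            r1, r0 = (r0 * r1) % mod, (r0 * r0) % mod
        trace.append("MS")
    return r0, "".join(trace)

def exponent_from_trace(trace):
    """What an S/M sequence reveals: 'SM' encodes a 1 bit, a lone 'S' a 0 bit."""
    return int(trace.replace("SM", "1").replace("S", "0"), 2)

def demo():
    value, leaky = square_and_multiply(G, X, P)
    _, uniform = montgomery_ladder(G, X, P)
    return {
        "correct": value == pow(G, X, P),
        "recovered_from_leaky_trace": exponent_from_trace(leaky) == X,
        "ladder_trace_is_key_independent":
            uniform == montgomery_ladder(G, X ^ 0b101010, P)[1],
    }

if __name__ == "__main__":
    print(demo())
```

When auditing a library, the property to check is the one the ladder has here: two exponents of the same bit length must produce identical operation and memory-access sequences.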

The use of virtualization to isolate a computation from malicious ones that co-reside with it is growing increasingly pervasive. The attack targets one vulnerable application in a particular class of virtualized environment.

Researchers said, "For various reasons, technical and ethical, we did not execute the attack in a public cloud."
