The Cloud gets Down: Approaching the end User

Hype has always been an important risk for the Cloud: it may never live up to the high expectations created around it. We have got used to impressive IaaS systems delivering easily manageable virtual infrastructures, virtually infinite resources, etc., or to advanced PaaS Clouds that let us deploy our applications and ease data persistence and other development-related tasks. However, the end user was often overlooked, and the Cloud had few examples at a global scale aimed at satisfying end users’ needs.

Today, MORFEO Cloud technologies is proud to announce the result of some years of research and tests in which members of this chapter actively collaborated.

We’d like to present 3GBox, also at the Mobile World Congress 2010. Being more than a 3G modem, 3GBox helps users store data in the cloud: their SIM card becomes the key element for security, and a local cache is in charge of storing data and uploading it to the Cloud depending on the available bit rate. Heuristics are also implemented that help keep the most “useful” data stored locally to improve the user experience. Updates, OS drivers and so on are downloaded from the Cloud to ease usage and configuration.

Cloud Security: new models imply new vulnerabilities

A few months ago, we tested Amazon’s IaaS offer, concluding that machines deployed close in time were closely located. We were also able to ping machines in the same subnetwork which did not belong to us.

A recent article by UCSD and MIT researchers has expanded our initial observations on the Cloud’s security implications much further.

The authors use several “probing” techniques, such as enumerating public EC2-based web servers using hping2, nmap or wget, translating responsive public IPs to Amazon’s internal IPs (via DNS queries from within Amazon), and launching several EC2 instances of varying types and analyzing the resulting IP address assignment.

With these tools at hand, the authors are able to extract the following heuristics:

  • All IPs from a /16 are from the same EC2 availability zone (e.g. US).
  • A /24 inherits any included sampled instance type (e.g. small, large, x-large, etc.).
  • A /24 containing a Dom0 IP address only contains Dom0 IP addresses. We associate to this /24 the type of the Dom0’s associated instance (recall that Dom0 is the first domain started by the hypervisor after booting).
  • All /24s between two consecutive Dom0 /24s inherit the former’s associated type.

This topic is often overlooked by Cloud networking providers. “Simple” countermeasures can be set up, such as making local IP assignment random across instance types and availability zones and/or restricting the customers’ view of this process.
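To see why randomising the assignment helps, here is a toy model of the second heuristic above (“a /24 inherits any sampled instance type”) run against two constructed allocation policies. It is an added example, not code from the paper or from Amazon, and it models nothing about real EC2 address space: a region is just a set of numbered /24 blocks, instance types are the three labels from the list, and a tenant’s “samples” are the blocks its own launches land in. With a dedicated-block layout the heuristic labels every unknown instance correctly; with random placement it does no better than guessing.

```python
"""Constructed model: how well does 'a /24 inherits the sampled instance type'
predict the type of other tenants' instances, under two allocation policies?"""
import random

# Instance type labels taken from the heuristics above (assumed set of three).
TYPES = ["small", "large", "xlarge"]


def deterministic_allocator(n_blocks, rng):
    """Leaky layout: each /24 block is dedicated to exactly one instance type."""
    block_type = {b: TYPES[b % len(TYPES)] for b in range(n_blocks)}

    def place(inst_type):
        candidates = [b for b, t in block_type.items() if t == inst_type]
        return (rng.choice(candidates), rng.randrange(256))  # (block, host)

    return place


def randomised_allocator(n_blocks, rng):
    """Countermeasure: any /24 block may host any instance type."""
    def place(inst_type):
        return (rng.randrange(n_blocks), rng.randrange(256))

    return place


def populate(place, n, rng):
    """Other tenants launch n instances of random types; return [(ip, type)]."""
    return [(place(t), t) for t in (rng.choice(TYPES) for _ in range(n))]


def sample_blocks(place, probes_per_type, rng):
    """One tenant records, for its own launches, which block each type landed in."""
    seen = {}
    for inst_type in TYPES:
        for _ in range(probes_per_type):
            block, _host = place(inst_type)
            seen[block] = inst_type          # last observation wins
    return seen


def heuristic_accuracy(population, seen):
    """Fraction of other tenants' instances in sampled blocks whose type the
    heuristic (block -> sampled type) predicts correctly."""
    hits = total = 0
    for (block, _host), true_type in population:
        if block in seen:
            total += 1
            hits += seen[block] == true_type
    return hits / total if total else 0.0


def compare(seed=1, n_blocks=30, n_population=3000, probes_per_type=5):
    """Run both policies on the same seed; returns {policy: accuracy}."""
    results = {}
    for name, make in (("deterministic", deterministic_allocator),
                       ("randomised", randomised_allocator)):
        rng = random.Random(seed)
        place = make(n_blocks, rng)
        population = populate(place, n_population, rng)
        seen = sample_blocks(place, probes_per_type, rng)
        results[name] = heuristic_accuracy(population, seen)
    return results


if __name__ == "__main__":
    for policy, acc in compare().items():
        print(f"{policy:14s} heuristic accuracy: {acc:.2f}")
```

The randomised figure hovers around 1/3, the base rate for three equally likely types, which is exactly what a provider wants an outside observer to be left with. Restricting the tenant’s view of internal addressing (the second countermeasure in the text) attacks the same inference from the other side, by removing the samples rather than scrambling them.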

The paper deals with an important issue: preventing the determination of whether or not a VM is located on the same physical machine as other VMs (“co-location”). Three checks are proposed: 1) matching Dom0 IP address; 2) small packet RTT; 3) numerically close internal IP addresses. The authors conclude that “even a very naive attack strategy can successfully achieve co-residence against a not-so-small fraction of targets”, and that “instance flooding” (spinning up numerous VMs) immediately after the target has booted can “take advantage of the parallel placement locality exhibited by the EC2 placement algorithms”.

Having co-located VMs implies the possibility of performing side-channel attacks. Several of these are discussed: Denial of Service (shared physical resources imply covert channels that can be employed to implement cross-VM attacks), measuring cache usage (creating covert channels between cooperating processes belonging to different VMs), detection of co-residence without sending any network probes (injecting load on an alien VM and monitoring our own, in order to correlate load increases in the other VM with performance decreases in ours), or estimating traffic rates to deduce targets’ activity patterns in order to determine the most painful moment for an attack.

The paper is a MUST read both for IaaS Cloud providers and for those aiming at moving some services to the Cloud.

OCCI Java Implementation v0.1 released

Telefónica I+D is proud to announce the first release of its OCCI Java implementation.

After UCM’s efforts to provide the first fully compliant OCCI server attached to OpenNebula, we release here a second OCCI implementation (Java REST client + server).

This is the result of privately funded efforts as well as FP7 European research projects (co-funded by Telefónica and the European Commission) such as RESERVOIR.

Affero GPL has been chosen as the license for this OCCI implementation. Comments, critique and feedback are most welcome through our support pages.

Thanks a lot!!

Cloud Security Alliance

The Cloud Security Alliance has recently released the second edition of its Cloud Security Guide, defining security recommendations for the Cloud at different architectural levels.

We’d like to highlight one important issue raised by the authors: the abstraction level provided by the Cloud, which hides the underlying heterogeneity of resources, makes it especially hard to integrate classical security controls, such as those dealing with network security.

We agree that having these recommendations handy would result in a secure Cloud environment. However, as we highlighted in a previous post, we still miss a detailed architectural state of the art of the tools that help enforce the proposed recommendations.

As stated in a well-known Cloud security blog, it is time for Cloud security resolutions, not just recommendations or predictions.


Advanced billing models for the Cloud, at last!!

Yes, I was trying to attract your attention with a “British tabloid” style heading here. The news is not at all so radically new, but now that I have attracted your attention, I beg your pardon and kindly ask you to allow me 4 minutes to sum up Amazon’s “new” billing model :-)

Amazon has announced spot pricing for cloud compute instances. EC2 customers can indicate their own price, and Amazon EC2 will bring compute instances up at variable discount prices according to these “bids” [1].

This move is in sync with their strategy of extra-cost reserved instances, which is regarded as an evolution by many but, frankly, resembles previous allocation models in Grid computing. Again, nothing new under the sun. Indeed, auction systems supported by software agents and expert systems have been on the market for a long, long time.

In [1], the authors raise a very interesting question that we generalize and rephrase here: Are different billing models needed for different Cloud service types? How many do we need per service type? Is the billing model the only important parameter here?

From this humble Internet corner, we bet that automated bidding systems will play a role in massive service provision and in acquiring better prices. Still, some important features are missing, such as custom billing support for “VIP” clients.
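For readers who have not met bid-based allocation before, here is a constructed sketch of the mechanism the post describes: customers name a maximum price, capacity goes to the highest bids, and everyone running pays the same spot price, which rises as demand grows and falls back to a floor when supply is plentiful. This is an added example written for this post; it is a generic uniform-price auction model and is not Amazon’s actual pricing algorithm, and the bids, capacity and floor price are invented values.

```python
"""Constructed uniform-price spot market: who runs, what they pay, and who gets
interrupted when newcomers outbid them. Not Amazon's algorithm."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Bid:
    customer: str
    max_price: float   # most the customer will pay per instance-hour
    instances: int     # how many instances they want at that price


def clear_spot_market(bids, capacity, floor_price):
    """Serve the highest bids first. Spot price = lowest accepted bid when
    capacity is exhausted, otherwise the floor. Returns (price, allocation)."""
    allocation = {}
    remaining = capacity
    spot_price = floor_price
    for bid in sorted(bids, key=lambda b: b.max_price, reverse=True):
        if remaining == 0 or bid.max_price < floor_price:
            break
        granted = min(bid.instances, remaining)
        allocation[bid.customer] = granted
        remaining -= granted
        spot_price = bid.max_price
    if remaining > 0:
        spot_price = floor_price      # supply exceeds demand: price at floor
    return spot_price, allocation


def interrupted(previous, current):
    """Customers who lost instances between two clearing rounds."""
    return sorted(c for c, n in previous.items() if current.get(c, 0) < n)


def run_rounds(rounds, capacity, floor_price):
    """Clear the market once per round of bids; report price and interruptions."""
    history, previous = [], {}
    for bids in rounds:
        price, current = clear_spot_market(bids, capacity, floor_price)
        history.append((price, current, interrupted(previous, current)))
        previous = current
    return history


# Constructed scenario: demand grows round by round against a fixed capacity.
ROUNDS = [
    [Bid("alice", 0.05, 4)],
    [Bid("alice", 0.05, 4), Bid("bob", 0.08, 4)],
    [Bid("alice", 0.05, 4), Bid("bob", 0.08, 4), Bid("carol", 0.10, 4)],
]
CAPACITY = 6
FLOOR = 0.03

if __name__ == "__main__":
    for n, (price, alloc, lost) in enumerate(run_rounds(ROUNDS, CAPACITY, FLOOR), 1):
        print(f"round {n}: spot price {price:.2f}, running {alloc}, interrupted {lost}")
```

The third round is the interesting one: carol’s higher bid pushes the spot price to bob’s level and squeezes alice out entirely, which is the behaviour a customer has to plan for before moving anything latency- or availability-sensitive onto bid-priced capacity.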

[1]  http://web2.sys-con.com/node/1220487