Fine grain Cross-VM Attacks on Xen and VMware (AES)
'AES in a number popular cryptographic libraries including OpenSSL, PolarSSL and Libgcrypt are vulnerable to Bernstein’s correlation attack when run in Xen and VMware virtual machines, the most popular VMs used by cloud service providers.'

Abstract: http://eprint.iacr.org/2014/248
Paper: http://eprint.iacr.org/2014/248.pdf

So in a nutshell, if you want to steal a website's private keys, you can get an account on their hosting provider and at least have a shot at getting on the same physical server ;-)

~Griffin

Griffin Boyce <griffin@cryptolab.net> writes:
'AES in a number popular cryptographic libraries including OpenSSL, PolarSSL and Libgcrypt are vulnerable to Bernstein’s correlation attack when run in Xen and VMware virtual machines, the most popular VMs used by cloud service providers.'

That's just another proof of the inverse of Law #1 of the 10 Immutable Laws of Security, "If a bad guy can persuade you to run his program on your computer, it’s not your computer any more". The inverse is the Immutable Law of Cloud Computing Security, "If a bad guy can persuade you to run your program on his computer, it’s not your program any more".

Peter.