Google has just launched a series of new cloud security technologies that include Shielded VMs, which protect virtual machines from the installation of rootkits and other persistent malware, as well as from other attacks that could result in data theft, according to ARS Technica. This new implementation will make virtual machines on the Google Cloud Platform “tamper-proof” by alerting their owners to changes in their runtime state and preventing a virtual machine from being booted in a different context than the one it was originally deployed in.
Microsoft’s Azure Complete Confidential and Google’s Asylo are confidential computing programs that demonstrate the tech giants’ abilities to combat attackers in the cloud. But they aren’t bulletproof, as they require applications or containers built specifically to run in trusted environments, and they’re not always practical for protecting your entire cloud. Hacking these systems is not easy, and instances are very rare, but they aren’t unheard of. One of the most notable incidents was the hacking of the Democratic National Committee via a spear phishing attack.
“A more common situation would be that someone left AWS credentials in a Github repo that was exposed to the public and forgot to limit the permissions on the credentials in the first place,” said Chris Vickery, director of cyber risk research at cloud security firm UpGuard. Attackers can make a snapshot of virtual machines or storage “and then migrate the snapshots over to an account owned by [the attacker] for pilfering.” Often, it is human error rather than a technical exploit that leads to this kind of breach.
Earlier in July, Robert Mueller cited an attack on the DNC’s cloud services by hackers at Russia’s Main Intelligence Directorate (GRU). They were able to “gain access to a virtual machine used for analytics development by the DNC and save snapshots of the virtual server, allowing them to essentially clone the virtual server and create another instance of it within the same cloud service, extracting data at their leisure,” says ARS Technica.
The goal of Shielded VMs is to eliminate the possibility of these kinds of attacks. They use a combination of firmware-based UEFI Secure Boot and a virtual Trusted Platform Module (vTPM), which can generate and store “sealed” encryption keys. These keys ensure that the VM runs only authenticated software and that its boot configuration can be compared against a previously recorded baseline; Secure Boot and Measured Boot together protect against rootkits and kernel-level malware.
By storing these encryption keys, the vTPM denies an attacker access to a cloud VM’s disk unless the operating system boots in a “known-good” state. Otherwise, the system won’t boot and the attacker can’t decrypt the virtual disks. If an attacker moves a snapshot of the VM into a different context, the vTPM’s protection still holds.
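To make the Measured Boot and sealing idea above concrete, here is an added toy model (not Google's code, and not a real TPM): each boot stage is hashed into a PCR in order, the disk key is wrapped under a key derived from the vTPM secret and the PCR value, and unsealing fails both when a stage has been modified and when the same boot chain runs under a different vTPM. The component names, secrets and disk key are constructed sample values.

```python
import hashlib
import hmac

# Constructed, simplified model of Measured Boot plus vTPM key sealing.
# A real vTPM keeps its root secret inside the TPM; the constants here are
# placeholders for illustration only.

def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM extend operation: PCR_new = SHA256(PCR_old || SHA256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measured_boot(components) -> bytes:
    """Measure each boot stage, in order, into a PCR that starts zeroed."""
    pcr = bytes(32)
    for comp in components:
        pcr = pcr_extend(pcr, comp)
    return pcr

def seal_key(disk_key: bytes, pcr: bytes, vtpm_secret: bytes) -> dict:
    """Wrap the disk key under a key derived from this vTPM and this PCR value."""
    kek = hmac.new(vtpm_secret, pcr, hashlib.sha256).digest()
    wrapped = bytes(a ^ b for a, b in zip(disk_key, kek))
    tag = hmac.new(kek, wrapped, hashlib.sha256).digest()
    return {"wrapped": wrapped, "tag": tag}

def unseal_key(blob: dict, pcr_now: bytes, vtpm_secret: bytes):
    """Release the disk key only if both the vTPM and the measured boot state match."""
    kek = hmac.new(vtpm_secret, pcr_now, hashlib.sha256).digest()
    tag = hmac.new(kek, blob["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        return None  # boot state or vTPM differs: key stays sealed, disk stays encrypted
    return bytes(a ^ b for a, b in zip(blob["wrapped"], kek))

# Constructed sample data: the known-good boot chain and a 256-bit disk key.
KNOWN_GOOD = [b"firmware:uefi", b"bootloader:shim+grub", b"kernel:signed-5.x"]
DISK_KEY = bytes(range(32))
ORIGINAL_VTPM = b"vtpm-secret-of-original-instance"
OTHER_VTPM = b"vtpm-secret-of-a-different-instance"

def boot_and_unseal(components, blob, vtpm_secret=ORIGINAL_VTPM):
    """Simulate a boot with the given chain and try to unseal the disk key."""
    return unseal_key(blob, measured_boot(components), vtpm_secret)

if __name__ == "__main__":
    blob = seal_key(DISK_KEY, measured_boot(KNOWN_GOOD), ORIGINAL_VTPM)
    print(boot_and_unseal(KNOWN_GOOD, blob) == DISK_KEY)   # True: known-good boot
    tampered = KNOWN_GOOD[:2] + [b"kernel:rootkit-patched"]
    print(boot_and_unseal(tampered, blob))                  # None: modified kernel
    print(boot_and_unseal(KNOWN_GOOD, blob, OTHER_VTPM))    # None: snapshot moved elsewhere
```

Because the PCR is an ordered hash chain, swapping the order of otherwise unmodified stages also changes the measurement and keeps the key sealed.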
Google’s Binary Authorization, which is soon to be released in beta, will add a further security option by allowing users to require signature verification of container images before they can be deployed.