Radio Cloud Native - Week of June 15, 2022

Every Wednesday, Nick Chase and Eric Gregory from Mirantis go over the week’s cloud native and industry news.

This week we discussed:

• Cloud providers installing undisclosed middleware

• The "Hertzbleed" side-channel attack

• Announcements at MongoDB World

• Sunset for Atom

• Check out the podcast for a discussion of more sunsets, including the end of Internet Explorer.

You can download the podcast from Apple Podcasts, Spotify, or wherever you get your podcasts. If you'd like to tune into the next show live, follow Mirantis on LinkedIn to receive our announcement of next week’s broadcast.

Eric Gregory: The RSA security conference was last week, bringing together cybersecurity experts from across industry and government. Some of the most interesting news to emerge from the conference came from the cloud security company Wiz, whose researchers presented findings on secret middleware installed by cloud service providers. 

Previously, Wiz reported on the Open Management Infrastructure agent used by Azure, which was the vector for a remote code execution vulnerability called OMIGOD. Now Wiz researchers have dug deeper and found similar agents—secret agents, if you will—used across AWS and Google Cloud. 

So what exactly is happening here, and why does it matter? According to Wiz’s Nir Ohfeld and Shir Tamari:

"Cloud service providers install proprietary software on customers’ virtual machines typically without the customer’s awareness or explicit consent. This cloud middleware software, which bridges customers’ virtual machines and cloud providers’ managed services, can introduce new potential attack surface unbeknownst to cloud customers due to the implicit manner in which it is installed. Moreover, when a new vulnerability is discovered in cloud middleware software, and there is uncertainty about who is responsible for updating it, customers are left exposed to critical vulnerabilities."

In other words, when cloud customers enable certain features like log collection or auto-updates, the providers quietly install little agents to make that happen. By all appearances there’s no malice or profit here for the providers—it’s just flipping a switch to turn on a feature, and they don’t feel a lot of need to tell us how that’s happening behind the scenes, in the same way that they don’t walk us through the backend architecture of their web portals. But the problem is that, unlike the web portal backend, these middleware agents live on the machines that make up your infrastructure—they’re a component of your infrastructure, and one that you don’t know about. That means they create an attack surface you don’t know about, one that you’re not prepared to mitigate. 

So if you’re a cloud customer, what can you do? Stay informed. Along with its presentation, Wiz launched a GitHub page to track all of the agents installed by cloud providers, which can be updated by the community at large. Right now, the best thing you can do is simply know about the additional attack surface and be prepared to act if a vulnerability is discovered.

On June 14th, a group of researchers from the Universities of Texas at Austin, llinois Urbana-Champaign, and Washington, released a paper disclosing a side-channel attack they’re calling Hertzbleed. In general, side-channel attacks derive sensitive information from physical indicators or side-effects of computing–things like electromagnetic emissions, power consumption, even sound. You know, as abstracted as the digital world can feel, its operations are happening right here in space and time, and side-channel attacks go deep to exploit that fact—they’re like little Sherlocks noting the color of dirt on your boots and inferring exactly where you’ve been and who you were talking to and what you said. 

So this strategy exploits the dynamic frequency scaling feature used by processors to optimize power consumption. According to the research team, “Under certain circumstances, periodic CPU frequency adjustments depend on the current CPU power consumption, and these adjustments directly translate to execution time differences (as 1 hertz = 1 cycle per second).” Using this fact, the team demonstrated, an attacker can extract advanced cryptographic keys, and then it’s all over but the crying. 

The team disclosed the vulnerability to Intel, AMD, Microsoft, and Cloudflare, and waited until now to publish publicly in compliance with an embargo request from Intel. 

So…are you affected? Yeah, probably. Intel has confirmed that all of their chips are affected, and AMD acknowledged a large set of impacted processors. According to SecurityWeek, Microsoft and Cloudflare say they have “implemented mitigations.” Intel and AMD, meanwhile, have published advisories suggesting ways to harden cryptographic libraries. But ultimately, this is a tough one—neither company has released any firmware updates, probably because the problem here is pretty fundamental…the clearest workaround is to run with degraded performance. Intel also downplays how practical of a concern this is. In a blog for an Intel videocast, Intel’s Jerry Bryant says, “While this issue is interesting from a research perspective, we do not believe this attack to be practical outside of a lab environment.”

Shifting gears, let’s talk about tooling. MongoDB made some interesting announcements at its MongoDB World 2022 conference last week. Their new Cluster-to-Cluster Sync feature will do pretty much what it says on the tin: continuously synchronize data between two clusters. That means you could have a dev environment that is synced up with production data in real time. The feature works across any combination of on-prem and managed Atlas clusters, and it’s set to hit general availability in July.

MongoDB also announced a column store indexing feature that represents a small but significant step into analytics. When configured correctly, this will enable users run some heavier analytics jobs against the database without negatively impacting overall performance. That feature will be available later this year.

Meanwhile, it’s sunset for GitHub’s Atom IDE – GitHub announced that the open source code editor will be retired to the great repository in the sky on December 15th of this year. In their announcement, GitHub unsurprisingly noted that parent company Microsoft’s VS Code has taken over a huge share of the IDE space, and said that they intend to focus on “bringing fast and reliable software development to the cloud via Microsoft Visual Studio Code and GitHub Codespaces.”

We should take a moment to pour one out for Atom here, because it was enormously influential – beyond inspiring VS Code, it was the first Electron app, and single-handedly gave rise to the Electron framework, which enabled cross-platform app development using web technologies and serves as the basis for everyday apps like Discord and Slack. 

Notably, founder of Atom Nathan Sobo is leading the development of a new code editor called Zed, which is written in Rust and emphasizes collaboration. The project is in private alpha now, and we’ll be watching it with interest.

Check out the podcast for the rest of this week's stories.