INSIGHTS | June 18, 2024

Recent and Upcoming Security Trends in Cloud Low-Level Hardware Devices: A survey

The rapid evolution of cloud infrastructures has introduced complex security challenges, particularly concerning all of the processing devices and peripheral components that underpin modern data centers.

Recognizing the critical need for robust and consistent cloud security standards, technology firms, developers, and cybersecurity experts established the Open Compute Project Security Appraisal Framework and Enablement (OCP S.A.F.E.) Program.

At the 2024 OCP Regional Summit in Lisbon, I was joined by my colleague Alfredo Pironti, Director of Services at IOActive, to present a deep dive into the security of cloud infrastructures, the threats facing the crucial hardware that supports them, and how organizations can prevent being compromised by adopting new threat modeling techniques and security frameworks.

IOActive has monitored the state and health of hardware security for decades. We are now observing the changes in cybercriminal tactics, threats, and vulnerabilities that could compromise key components in digital supply chains and services.

When attackers target the hardware level, they can potentially exploit the entire stack. Once granted access to the hardware foundation, cybercriminals could potentially compromise physical infrastructure, data storage, applications, developer environments, code bases, and entire systems.

If vulnerable hardware is utilized in cloud services, this could even pose threats to national security as so many CSPs are now the backbone of critical infrastructure.

Hardware and computational components have evolved to meet the needs of increasingly complex cloud infrastructures and services. However, each new, enhanced capability may also create a new avenue for attack.

Take NVMe-based SSD disks and SR-IOV-enabled cards, for example. As we discussed during our presentation, historically, board problems, design flaws, or some implementation errors posed the most risk. Now, logical access bugs, data theft, arbitrary and remote code execution vulnerabilities, side-channel attacks, denial-of-service, and supply chain attacks must also be addressed.

IOActive has uncovered a wide range of risks to today’s cloud infrastructure through hands-on experience. Many hardware-based vulnerabilities stem from incorrect implementation, such as integer flaws, out-of-bounds memory issues, and race conditions.

During testing, we observed various security problems caused by component design and operational processes. A critical insight gleaned from our research is that 25% of vulnerabilities found were introduced in the design stage, showing a need for testing services early in the process.

In our presentation, we proposed an archetypal threat model that addresses the disconnect between developers, hardware manufacturers, and service providers regarding security. A core component of our model explores the divergence between the threats that cloud service providers face, and those faced by cloud hardware providers.

As addressed by the OCP S.A.F.E. framework, achieving robust security standards throughout the entire digital supply chain can assist hardware suppliers and service providers alike in tackling today’s cybersecurity challenges.

You can find a recording of our presentation here to share our knowledge and insights on cloud security and how frameworks, including OCP S.A.F.E., benefit organizations today.

– IOActive Senior Security Consultant and Researcher, Sean Rivera