Announcing FACEMASK for Floating Amazon Cloud Environment

Security for Amazon AWS FACE

I’m proud to announce the results of a recent security collaboration with Amazon AWS.

As Jeff Barr announced on the AWS blog today:

Early this morning we launched a brand new cloud computing service. This revolutionary new technology will change the way you think about the cloud.

For a while the cloud was simply a metaphor meaning “a bunch of computers somewhere else.” Until now, somewhere else meant good old terra firma, the Earth itself. After extensive customer research we found that this rigid, antiquated way of thinking just won’t cut it in today’s post-capitalist world. They need locational flexibility, the ability to literally instantiate a cloud where they need it, when they need it.

To solve this problem, we have designed and are now introducing the Floating Amazon Cloud Environment, or FACE for short. Using the latest in airship technology, we’ve created a cloud that can come to you.

If you’ve been watching Amazon’s SEC filings, you’ll know they invested heavily in nano. FACE is the first realisation of that investment.

Jeff continues on to implementation details:

The FACE uses durable, unmanned helium-filled blimps with a capacity of 65,536 small EC2 instances, or a proportionate number of larger instances. The top of each blimp is coated in polycrystalline solar cells which supply approximately 40% of the power needed by the servers and the on-board navigation, communication, and defense systems. The remainder of the power is produced by clean, efficient solid oxide fuel cells. There’s enough fuel onboard to last about a month under normal operating conditions. Waste heat from the fuel cells and from the servers is used to generate additional lift.

This is a big win energy-wise but presents some interesting communication and security issues.

There are two options for ground communication, WiMAX and laser. The WiMAX option provides low latency and respectable bandwidth. If you have the ground facility and the line of sight access needed to support it, lasers are the way to go. The on-board laser doubles as a defense facility, keeping each FACE safe from harm. Using automated target detectors with human confirmation via the Mechanical Turk, competitors won’t have a chance.

I can now spill the beans on the security aspects of the solution (subject to NDA).

FACE Security

Since FACE is an untethered environment, ensuring cross-airspace data transfer compliance was a non-negotiable. It was therefore essential to implement a data privacy ‘hints’ system, whereby the on-board GPS system could be programmed to correlate GPS co-ordinates with terrain-specific data privacy laws and issue AMQP-style ‘nudge’ messages to the navigation system to counteract potential jurisdictional data drift. The neat thing about this approach was that different FACEs could be deployed to satisfy customers in different regions (much like EC2). Furthermore, should two FACEs need to converge for cross-FACE data transmission, one FACE could draw energy from the other FACE’s solar cells. This turned out to be very useful for availability, particularly for the UK FACE where low cumulus made solar cell charging difficult (thanks to the Portugal team!).

Another security concern was the laser. Amazon legal was naturally concerned about potential liability issues should an attacker compromise a FACE and launch a reverse protocol attack to commandeer ground facilities. If an attacker were able to take over the lasers, this would not only be a physical security risk but a PR disaster for Amazon. This led to the development of a novel security protection we nicknamed FACEMASK (original, huh?). The idea behind FACEMASK is really simple: treat rapid changes in the solid oxide fuel cells as a potential breach indicator. How so? It turns out that both stack and heap buffer overflow attacks result in a fluctuation of the normally highly stable oxide fuel cells powering FACE. This isn’t special in itself; however, the fingerprint of the energy draw *is*. We developed a catalogue of fingerprints and in testing were able to detect 91% of attacks reliably. No security is perfect and we’ll continue to refine the coverage; however, compared to existing signature-based defenses, this is orders of magnitude better.

Anyway, I promised I wouldn’t say more, but I hope this gives you a taste of the unique challenges and solutions and how “off our box” thinking can be applied to Cloud Security.

As Jeff hinted in his blog post, this is a limited offer - the doors are likely to close tomorrow. For more information, click here.

Written on April 01, 2009 by Craig Balding