Poking Holes in the Cloud

The latest revolution in the Information Age is “cloud computing.” The data-crunching power and storage capacity of multiple computers are pooled in an offsite virtual “cloud,” creating a shared resource for users. One example: Instagram, a photo-sharing service.

Cloud computing also allows for complex functions to be processed with lightning speed. It’s especially useful for mobile devices such as smartphones, which have limited power.

And it’s vulnerable to attack by UO undergraduates Ryan Snyder and Hannah Pruse (right).

Both seniors in computer and information science, they’ve become adept at poking holes in the “cloud,” so to speak.

In November, UO researchers announced that, in a joint effort with North Carolina State University, they had found a way to exploit cloud-based web browsers, using them to perform large-scale computing tasks without official access. They showed that third parties could potentially take the free computing power of cloud browsers and use it to crack passwords, thereby gaining stealth access to cloud resources—a finding sure to make industry sit up and take note.

Snyder was a coauthor of the accompanying paper, “Abusing Cloud-Based Browsers for Fun and Profit.” He is skilled at “reverse engineering,” which is the process of discovering the technological principles of a system through analysis of its operation.

Snyder was at a campus job-recruitment event last year when he met Joe Pletcher, a UO graduate teaching fellow involved in the cloud-browser project; Pletcher quickly put Snyder to work unlocking the ways that the browsers under review by the research team talked to each other.

Snyder recalled “a lot of late nights” in Deschutes Hall over a five-month period, laboring to write programs giving him access to the browsers and staring at screens of data incomprehensible even to most computer experts. But it was worth it.

“With regular course work, I feel like it’s jumping through the hoops that everyone has jumped through before you,” he said. “With research, you’re contributing something new, something that hasn’t been done before.”

Pruse had a similar reaction after her first taste of research. After excelling at a classroom project in assistant professor Kevin Butler’s operating systems class in 2011, she was invited by Butler to join his lab, the Oregon Systems Infrastructure Research and Information Security Laboratory.

That fall, Pruse began looking at the potential for sensitive data to be compromised through the sharing of computers that is fundamental to cloud computing. Under a concept called “coresidency,” an untrusted party can be an undetected “resident” on information channels; Pruse orchestrated a number of attacks illustrating that this problem is not isolated but rather “a real threat in the cloud computing model,” as she stated in a paper presented at the 2012 Cloud Computing Security Workshop in Raleigh.

“I’m surprised I could be a part of solving real problems,” Pruse said. “I really enjoyed putting my knowledge to work to benefit the future of information security.”

Computer science and security is a great area for students to explore, Butler said, as industry increasingly focuses on sales and product development while relying on universities for research.

The Oregon CIS department includes three courses that offer academic credit for undergraduate research and numerous professors fund undergraduate work from their research grants. Ten undergraduates have worked in the Network Security Research Laboratory, for example, and at one point the lab even included a student from South Eugene High School who analyzed computer traffic for a year.

Undergraduate research is “almost essential” for students seeking entry to top graduate schools, Butler said. And for talented students such as Snyder and Pruse, the career impact can be even more immediate.

“The company in question on Ryan’s project responded very positively to the study,” Pletcher said. “They said, ‘we’d love to hire you."

—Matt Cooper

photo: Jack Liu