Using Memory Errors to Attack a Virtual Machine
gillus writes "A very cool scientific paper from Appel and Govindavajhala that explains how virtual machines like Java or .Net can be exploited. How? Quite simple, bomb your DRAM chip with X-rays... or more simply with a 50-watt spotlight, as the authors demonstrate. Definitely worth a read!"
Reports are sketchy at present, but we're being led to believe that it's easy to compromise a machine to which you have physical access!
Film at 11.
Send lawyers, guns, and money!
The pie chart in the article suggests that the exploit can only take place about 30% of the time the attack is used. It is more likely that the memory error will go undetected by the hack. If the attack can be tried again, and again, and again, I suppose it would work.
Saskboy's blog is good. 9 out of 10 dentists agree.
Funny to see this here -- I (and Sun) know all too well about this phenomenon, but I am bound to relative secrecy by NDA.
So, I can't share my team's research results that clearly show that this is a bigger problem than most readers probably realize. Nor can I share the steps (advanced ECC, logic-BIST, etc) we're taking to prevent this before it gets well-known enough to be a problem.
But I can say: this is indeed a scoop, way to go ./!
everything in moderation
Now when I benchmark my computer using the punch-the-monkey java applet using a 50 watt spotlight, I'll have to be more careful!
If we have physical access or full system access why not just change the JVM code letting us do whatever we want? And if you just wanna stop it and you have full privileges why not just shut the system down? And if we got physical access why not just pull the power plug? This would be useful if it didn't need full access or physical access.
Just overclock your tamper-resistant machine to the bleeding edge of running at maximum MHz you can get. Tweak the speed to the point that the body heat emitted by regular users will not overheat the CPU, but anyone approaching the machine with a 50 Watt bulb would fry the machine before gaining access to data.
:-)
However, now you get a denial of service attack, but hey, it's better than information disclosure or arbitrary code execution.
The code also assumes that it's difficult to misspell "a" or "b". :-)
Larry Wall in <199710221731.KAA24396@wall.org>
Oh God suck me you mallards. Oh ducks, oh quack, jesus, please do me with your beak, oh quack, let me rub those feathers, oh please.
Ahhh....... Power Point How I Hate it.....
Open office did a decent job on it though
--meh--
Oh great, it must be the Apocalypse or something. They actually posted a *link* to a *PowerPoint* document in a Slashdot article! Worse yet, no one seems concerned.
Furry cows moo and decompress.
If the air conditioner went out at midnight, most system administrators wouldn't know until the morning.
I used to be a narrator for bad mimes. (wright)
looks like it was written in crayon (well the titles at least)!
(There are some things you just never forget from your high school physics lab)
It's any process that can be running when memory errors happen. They happen all the time, relatively, so all you need to do is make an applet that runs in the background of someone's box for a few days. Their example was seti@home, Java version, but you could be original and say, hmm, a free porn viewer or something. Eventually there will be a memory error OR a virtual memory error due to disk corruption, and presto, you got in. With .NET it might be even easier, since eventually people won't even have an "extra" VM that has to be loaded and run for programs, it will be the default. So at that point ALL programs become questionable.
It turns out that if you have physical access to a system, you can perform a pretty effective denial of service attack using a rather devious little bit of technology called a 'baseball bat'.
Fortunately for the attacker, few users are surprised these days when applications use hundreds of megabytes to accomplish trivial tasks.
Java: the COBOL of the new millennium.
Anybody remember the User Mode Linux VM escape exploit?
Seems more elegant than nuking your machine.
At DefCon X, Gobbles announced a similar vulnerability in VMware, though no exploit or advisory has been released so far. For anyone that assumes they're just fear mongering, they also announced the zero day Apache bug there, which I'm sure you all remember.
Pain lasts, kid. It's how you know you're alive. Sometimes I think this growing up thing is just pain management-TheMaxx
It requires physical access. Ho hum. Quick, apply derision, maximum force!
Well, Palladium and "Trusted Computing" control boxes that you have physical access to.
That sound is the light bulb clicking on over your head.
Fucking insecure closeminded slashdot wannabees...
If you can manage to sneak an Xray thing in your keychain. If you know where a slot machine's memory is.
God spoke to me
we just ask the little monkeys inside the memory chip who are in charge of steering the data to guide our thermal rays to just the right CMOS gates used by the JVM process so as not to crash the computer... Real practical exploit NOT.
Not only can they hack my computer, but they can give me cancer as well now! When will those bastards ever stop???
Defender of Microsoft and Communism!!!
Surely the solution is obvious: make the possession of clip on lamps an offence under the DMCA, I cannot see why someone would want to possess such equipment unless it was to break into a computer and steal the latest music CDs....
"Because the attack requires very large amounts of memory to operate efficiently, the application in which it's hidden would itself have to be a memory hog. Fortunately for the attacker, few users are surprised these days when applications use hundreds of megabytes to accomplish trivial tasks."
Then, when doing the test/comparison, if there is not consensus in the bits (they should be all 1 or all 0), you know some memory error has occurred. The confidence level in the boolean test could be made arbitrarily high by storing increasing numbers of redundant bits.
This would slow things down considerably but it seems cheaper than lead cases.
This countermeasure is obviously not foolproof because most branches ultimately come down to a single register test but perhaps it's an improvement? Comments?
There are no karma whores, only moderation johns
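The redundant-bit check proposed in the comment above, as an added C example (not code from the thread or from the paper): a security flag is stored as 32 identical bits, and any mixed pattern is treated as a memory fault and fails closed. The names `rb_read`, `access_allowed` and the two sweep functions are hypothetical; the sweeps flip bits in a local copy only.

```c
#include <stdint.h>
#include <stdio.h>

#define RB_TRUE  UINT32_C(0xFFFFFFFF)   /* all 32 copies of the bit set   */
#define RB_FALSE UINT32_C(0x00000000)   /* all 32 copies of the bit clear */

typedef enum { RB_NO = 0, RB_YES = 1, RB_FAULT = 2 } rb_state;

/* Read a redundant boolean: anything other than full consensus is a fault. */
rb_state rb_read(uint32_t stored)
{
    if (stored == RB_TRUE)  return RB_YES;
    if (stored == RB_FALSE) return RB_NO;
    return RB_FAULT;
}

/* A security decision built on it: a fault never grants access. */
int access_allowed(uint32_t stored_flag)
{
    return rb_read(stored_flag) == RB_YES;
}

/* Inject every 1-bit and 2-bit flip into `value` and count the patterns
 * that are NOT reported as a fault (0 means every flip was noticed). */
int rb_silent_flips(uint32_t value)
{
    int silent = 0;
    for (int i = 0; i < 32; i++) {
        for (int j = i; j < 32; j++) {          /* j == i is the 1-bit case */
            uint32_t mask = (UINT32_C(1) << i) | (UINT32_C(1) << j);
            if (rb_read(value ^ mask) != RB_FAULT)
                silent++;
        }
    }
    return silent;
}

/* Baseline: an ordinary C truth value in one byte (nonzero means true).
 * Count the single-bit flips that silently invert its meaning. */
int plain_silent_flips(uint8_t value)
{
    int silent = 0;
    for (int i = 0; i < 8; i++) {
        uint8_t flipped = (uint8_t)(value ^ (1u << i));
        if ((flipped != 0) != (value != 0))
            silent++;
    }
    return silent;
}

int main(void)
{
    printf("redundant TRUE : %d silent flips\n", rb_silent_flips(RB_TRUE));
    printf("redundant FALSE: %d silent flips\n", rb_silent_flips(RB_FALSE));
    printf("plain false (0): %d of 8 single flips read as true\n",
           plain_silent_flips(0));
    printf("plain true  (1): %d of 8 single flips read as false\n",
           plain_silent_flips(1));
    /* Only a flip of all 32 bits turns one valid value into the other. */
    printf("all 32 bits flipped reads as %d (RB_YES is %d)\n",
           (int)rb_read(RB_FALSE ^ RB_TRUE), (int)RB_YES);
    return 0;
}
```

As the commenter notes, the final comparison still ends in one register test, so this protects the stored value, not the branch itself.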
Yes, breaking a machine to which you have access was proven a long time ago. As E.E. "Doc" Smith wrote: "What science can create, science can duplicate."
Using bit errors to flake out machines, where there is no parity or other error checking, is very far removed from "secret tinfoil hat" stuff. Why do you think chips are packed in black epoxy?
At first I thought "why don't you just fire a gun instead of expensive x-rays". But once X-ray emitting devices become small enough, this could be a new spy gadget. Walk up to the metal detector in the airport. Point your pencil (with built in X-rays) to the scanner and zap it. Then walk right in.
Or, it can be used for lesser evil stuff as well. In the office. Find the cubicle with the guy that just hates computers. Every time you walk by him to get a cup of coffee, zap his computer with your device. Try to time it so he loses maximum amount of work. Then sit back and watch him go postal.
"New LEAD cases from Lian Li to protect your system from intruders" Just another thing to worry about when it comes to security.
How many websites would have an article that begins:
"A very cool scientific paper..."
Oh dear, we really are geeks, aren't we.
Read reviews of shopping cart software
I believe I could be mistaken, but the guy who made up the finite state machine for ECC had a mental breakdown. Making something like that is very complex. I wonder how long parity checks, which offer no correction, were thought to be state of the art.
One time on holiday with my cousins, we got the electric gas lighter for the cooker (makes a spark to light the gas, hand held) and brought it to the local arcade.
:)
By removing the top off it we would zap all the screws on the machines until something happened.
Battlezone seemed to give us loads of free games
This reminds me of "attacks" with electronic lighters on some old poker machines. You would use the lighter on the coin slot for about half a min. Then on the double or nothing game you would get 1,2,3,4,5 spades (4x + the straight flush bonus). The problem is that operators that knew about this might check the game statistics and if you use this trick one of them shows a weird symbol instead of a number. Oh well, it was good while it lasted.
shit, now I really have a reason to upgrade to ECC RAM
clipping a lamp to heat up your memory so that your program will work and cause problems on the system.
Does someone have way too much time on their hands or what? I've not seen so much effort put into making a small bit of code work for such a useless result since I tried to run a dos game on my W2k box.
I guess that whole Toaster-PC (now with browning control and convenient half-height panel toast-ejector!) idea is scrapped now.
This (excellent) paper alludes to the usual situation that cheaper machines tend not to use ECC in memory modules and in other parts of their architecture in order to save on manufacturing costs.
:-)
Note however that this common perception is not strictly speaking entirely accurate or necessary, because if a system is designed to meet a given level of reliability then a machine with ECC may end up being cheaper than one without ECC, because the error detection and correction can make up for reduced reliability in the rest of the hardware.
As an example, some components may be run closer to their operating limits, possibly partially overclocked, or power supplies may be less well regulated and hence electronic noise margins may be slightly compromised, or the system may be designed with substandard cooling, and so on. ECC could help mitigate some of the effects of such presumably cheaper designs, while still maintaining the reliability of better implementations.
So, there's slightly more to the "ECC only found in better systems" argument than at first meets the eye. As usual, caveat emptor.
"The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
You must be German. Everyone in Germany is into that.
If you're that close why not just steal the whole damn computer? Or unplug it. Or just shoot the guy with the smart card. Taser gun anyone? These guys got way too much time on their hands. I'm sure if you pressed a charged capacitor against it you would give it brain damage too. Maybe they'll give me some cash to do a study?
Like can you electrocute the owner of the card and still withdraw cash from it after you pry it out of his smoldering hands?
Sorry. My browser does not render powerpoint.
This is the last step I needed in my Java trojan I've been writing. Now all I need to do is go to everyone's house with my x-ray machine, and I'm in like Flint!
This is good stuff. Although the experiment used physical access to stress the memory, the theory could be used as an exploit in real situations in ways that the narrow of mind (like me) cannot conceive.
Perhaps this is not a method of practical attack on a machine. But it may be just a matter of creative thinking.
The key take away is to not disallow the possibility.
Threats you discard as harmless are a logical place for an attacker to begin. Remember the Maginot Line.
The article says that if you can get close enough to zap a box with xrays and simultaneously get the box to let your Java code use 60% of the memory and if the machine does not hang then you have a 70% chance of getting root. And the RAM has to be non-ECC RAM.
Looks like all xSeries servers from IBM and Dell (Power Edges) and HP ship only with ECC RAM, and ECC errors are actually logged by software.
So forget walking into Las Vegas Casinos with a Xray machine.
.ACMD setaloiv siht gnidaeR
Administrators know. The minute the temperature rises in any of my machine rooms, I receive an instant message. All sensors and monitoring systems are doubled and doing constant cross checks. (I get an alarm also if monitoring fails.)
Most likely I am there five minutes before the maintenance company, as they have their monitoring systems also.
You know - when cooling fails, temperature will race up rather fast, therefore you want to know right then when it begins. This is the situation with every company which has machine rooms, and as far as I know, they have also addressed this problem.
I expect posters to not read the article (well, ppt), but even the submitter didn't read it?
The article does mention x-rays, saying "not enough energy to change a DRAM capacitor." Yet everyone talks about x-rays...
I found the phrase from the article "screw driver to remove hard drive" amusing when I first read it. Then I realized they meant "screwdriver". I thought initially they were referring to a DOS attack by corrupting the device driver!
And any literary work can be obtained with an infinite number of monkeys sitting at an infinite number of typewriters for an infinitely long period of time.
Most serious ciphers attacked using brute force with contemporary technology will probably hold out until the universe's heat death. Not to mention the fact that some experts claim that there simply is not enough energy in the universe to cycle a 128 bit counter through all its states, let alone perform any computations.
Pathman, Free (as in GPL) 3D Pac Man
One use for this sort of thing might be to get a palladium system to do something it's not supposed to. In that case you'd have access to your own machine.
Palladium is just a specialized VM that runs on tamper proof hardware, that's designed to let other people trust the results of some computations performed on your machine.
Let me conclude from reading the article:
-Memory errors can allow a system running a virtual machine to be compromised/corrupted
-Such memory errors are most likely to occur when an attacker has physical access to the machine
-One way to make it less likely, is to use error correction (ECC) on the memory.
Rewritten:
-If a computer's memory is not 100% reliable, you can't fully trust software running on it, to perform as expected
-Physical access to a machine gives an attacker more chance of compromising it
-Having error correction enabled, would make a system more reliable.
So what's new here? Nothing.
I have to give the researchers credit though, for the nice way they worked out how to exploit such hardware errors.
Good. Maybe all those kids with neon lights in their cases will have the same problem. I'm sure case modding was fun for awhile, but when every mod has to include the basic package of lights, fans, etc., it becomes too stock. Just like every '89 Civic I see with cut springs & an F1 wing. Yes, I am grumpy when I wake up.
It probably also shies away from garlic, runs away from crosses, and won't go away until you drive a stake through its heart.
Yea, doing this from remote would be a little harder.....
RING RING, "Hi, um my name is 'Bob', I'm from 'The Internet Company'. We think there is a problem and we need you to help us here. Um, we need you to set your computer next to your microwave for a minute. Oh, no can do?...ok, um, you got like a 50 watt lamp you can stick next to your computer case? Ok, good, yea, do that. Oh yea, and go to this java web site.....yea, I can wait..."
I GUESS you could do some social engineering to get someone to comply. Seems like it would be easier to send out a couple hundred "I make this game, it's my first. Hope you like." emails with BO in them to get one to bite.
Tequila: It's not just for breakfast anymore!
The fact that most desktop/laptop and some server computers shipping today have no type of memory error detection or correction.
Back in the older days _all_ computers shipped with at least parity memory. Today you get no checking unless you buy a workstation or server class machine.
Did you ever notice that when you build an IBM system on-line that they make it very clear that the system uses non-parity memory where other companies never mention this? I think they know that someday someone will bring forth litigation on this subject and they want to make sure everything was clearly stated.
Did you ever wonder how much data is corrupted by bad memory chips? Remember that memory sizes are increasing all the time so one would think that the probability for an error is higher.
Did you ever wonder why Apple didn't use ECC memory in their xserve rack mount server?
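The difference between parity memory and ECC memory that the comments above refer to, as an added C example (not code from the thread or from the paper): a single parity bit notices one flipped bit but cannot repair it and misses two, while a SECDED Hamming code repairs one flip and reports two. The 13-bit layout for 8 data bits and all function names are assumptions chosen for illustration; ECC DIMMs apply the same idea to 64 data bits with 8 check bits.

```c
#include <stdint.h>
#include <stdio.h>

/* Illustrative layout, chosen for this example: 8 data bits in a 13-bit word.
 * bit 0 = overall parity, bits 1,2,4,8 = Hamming check bits,
 * bits 3,5,6,7,9,10,11,12 = data bits d0..d7. */
enum ecc_status { ECC_OK, ECC_CORRECTED, ECC_UNCORRECTABLE };
static const unsigned data_pos[8] = {3, 5, 6, 7, 9, 10, 11, 12};

static unsigned parity(unsigned v)           /* 1 if an odd number of bits set */
{
    unsigned p = 0;
    for (; v; v &= v - 1) p ^= 1u;
    return p;
}

/* XOR of the positions (1..12) of all set bits; 0 for a valid codeword. */
static unsigned syndrome(unsigned cw)
{
    unsigned s = 0;
    for (unsigned i = 1; i <= 12; i++)
        if ((cw >> i) & 1u) s ^= i;
    return s;
}

uint16_t secded_encode(uint8_t d)
{
    unsigned cw = 0;
    for (unsigned i = 0; i < 8; i++)
        if ((d >> i) & 1u) cw |= 1u << data_pos[i];
    unsigned s = syndrome(cw);
    for (unsigned p = 1; p <= 8; p <<= 1)    /* set check bits so syndrome = 0 */
        if (s & p) cw |= 1u << p;
    cw |= parity(cw);                        /* bit 0 makes total parity even  */
    return (uint16_t)cw;
}

enum ecc_status secded_decode(uint16_t word, uint8_t *out)
{
    unsigned cw = word & 0x1FFFu;
    unsigned s = syndrome(cw);
    enum ecc_status st = ECC_OK;
    if (parity(cw)) {                        /* odd parity: one bit flipped    */
        if (s > 12) return ECC_UNCORRECTABLE;
        cw ^= 1u << s;                       /* s == 0 means bit 0 itself      */
        st = ECC_CORRECTED;
    } else if (s != 0) {                     /* even parity, bad syndrome: two */
        return ECC_UNCORRECTABLE;
    }
    uint8_t d = 0;
    for (unsigned i = 0; i < 8; i++)
        if ((cw >> data_pos[i]) & 1u) d |= (uint8_t)(1u << i);
    *out = d;
    return st;
}

/* Parity-only memory: 8 data bits plus one even-parity bit in bit 8. */
uint16_t parity_encode(uint8_t d) { return (uint16_t)(d | (parity(d) << 8)); }
int parity_looks_valid(uint16_t w) { return parity(w & 0x1FFu) == 0; }

/* Fault-injection sweeps over all 256 byte values. */
int secded_single_flip_failures(void)        /* flips not repaired */
{
    int bad = 0;
    for (int d = 0; d < 256; d++)
        for (int b = 0; b < 13; b++) {
            uint8_t out = 0;
            uint16_t cw = (uint16_t)(secded_encode((uint8_t)d) ^ (1u << b));
            if (secded_decode(cw, &out) != ECC_CORRECTED || out != d) bad++;
        }
    return bad;
}

int secded_double_flip_misses(void)          /* double flips not reported */
{
    int miss = 0;
    for (int d = 0; d < 256; d++)
        for (int i = 0; i < 13; i++)
            for (int j = i + 1; j < 13; j++) {
                uint8_t out = 0;
                unsigned cw = secded_encode((uint8_t)d) ^ (1u << i) ^ (1u << j);
                if (secded_decode((uint16_t)cw, &out) != ECC_UNCORRECTABLE) miss++;
            }
    return miss;
}

int parity_single_flip_detected(void)
{
    int hit = 0;
    for (int d = 0; d < 256; d++)
        for (int b = 0; b < 9; b++)
            if (!parity_looks_valid((uint16_t)(parity_encode((uint8_t)d) ^ (1u << b)))) hit++;
    return hit;
}

int parity_double_flip_misses(void)          /* double flips that look valid */
{
    int miss = 0;
    for (int d = 0; d < 256; d++)
        for (int i = 0; i < 9; i++)
            for (int j = i + 1; j < 9; j++)
                if (parity_looks_valid((uint16_t)(parity_encode((uint8_t)d) ^ (1u << i) ^ (1u << j)))) miss++;
    return miss;
}

int main(void)
{
    printf("SECDED: unrepaired single flips = %d\n", secded_single_flip_failures());
    printf("SECDED: unreported double flips = %d\n", secded_double_flip_misses());
    printf("parity: single flips detected   = %d (none corrected)\n", parity_single_flip_detected());
    printf("parity: double flips undetected = %d\n", parity_double_flip_misses());
    return 0;
}
```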
For those who don't do PPT or PDF.. I threw this through Google http://216.239.39.100/search?q=cache:YV5cbDGeKscC:www.cs.princeton.edu/~sudhakar/papers/memerr.pdf&hl=en&ie=UTF-8 I think that is the same presentation. It renders like crap, but you can at least read it...
-- AcquaCow
up 12 days, 22:30, 2 users, load averages: 993.20, 994.21, 994.56
*makes note to limit user processes...
This explains everything! On the back of most PC's (store-bought ones anyway), there is a little FCC sticker that says something along the lines that "This device cannot cause interference (that makes sense), and this device must ACCEPT ALL interference including interference that may cause undesired operation. (WHY?)" This is what they have been using to take over our PCs. In fact, they have specialized EMF guns that they can target from the van sitting across the street of your house right now. Flowers By Irene my ass.
So, peel off that sticker from your pc, take out your aluminum foil and start making a hat for your PC. While you're at it, make one for your pets too; how many times have they watched you type your password while you work. Leave no stone unturned. Of course, I'm assuming like me you already have a hat for yourself...
But how would you get the bullet items to fly in from the right and dissolve out from a white to gray using plain text? It's just not possible!
People who can communicate without PowerPoint? Hah! Next thing, you'll be telling me that people can talk from all over the world using nothing but text!
You are in a maze of twisty little relative jumps, all alike.
It is often questioned on this site as to why spacecraft do not use the latest/greatest computing equipment available. It is because the flight-capable designs have proven themselves tolerant of harsh environments, including alpha/beta/X radiation. (And other things, like low power consumption, heat generation, etc.)
It would be nice to know that a smart card with all of my personal information could survive the places my wallet has been. I need quad redundancy and forward error correction in my pocket!
I saw someone do this, and lo and behold...IT WORKED.
He tried it again and again after that...but never could get it to work.
I dunno...go figure. After that, he just went back to a taped dollar bill that he'd pull out of the machine once it "registered".
The article uses OOP examples that tell how to hack around by having flipped bits change object pointers that allow you to "see" objects or object portions that you are not supposed to see. The simple solution is to not use OOP. I told you OOP was dangerous :-)
Table-ized A.I.
What he's done is described a method to make it almost 70% likely that a soft memory error would lead to a situation a hacker can exploit. It involves a very ingenious use of addressing schemes and pointer arithmetic.
Next time, please think twice before accusing a respected Computer scientist like Andrew Appel of redundancy.
I have found a truly wonderful proof of Fermat's Last Theorem, but unfortunately this sig is too small to contain it.
To attack a computer to which he has no physical access, he can convince it to run the program and then wait for a cosmic ray (or other natural source) to induce a memory error.
Cosmic Rays... are they like country singers in space or something?
anyone know the possibilities of using this kind of attack on the xbox to allow arbitrary code?
hmm neoproject, operation xbox? anyone?
I've always thought that the JVM security model was the moral equivalent of eliminating the FDA in favour of tamper resistant pill bottles.
Tamper resistant packaging is a darn good idea. But it's not a good idea to be so impressed by the packaging that we forget that how easily well intentioned people can create combinations of carbon, hydrogen, and oxygen and a few choice flavour additives that kill.
Bottom line: no matter how much rocket science you pour into the packaging, you still have to ask hard questions before ingesting the contents into your body.
Unless you believe that large software companies have entirely different profit motives than large pharmaceuticals.
I will sue the bulb and flashlight manufacturers under the DMCA. They are producing circumvention devices...
Hrm, and how exactly do you incorporate a true one time pad and "smartcard" technology?
Every time some security concern gets posted that even remotely concerns crypto, this old horse just gets flayed alive. C'mon people...
Ahhh, now that brings back memories! Core Wars... a game in which computer programs are purposely designed to destroy one another. Also, unsurprisingly, a lot of the earliest core wars "servers" were just havens for a LOT of the earliest generations of virus writers.
Too bad the trend started to eventually become "crack a computer somewhere and play Core on it, cause it's easier than setting up and securing your own box every time." Whoever was able to infect the target to the greatest effect (without fatally crashing it) "won".
There were even a few (usually pretty lame) attempts at playing on internal networks using network oriented exploit and breeder packages. However, two or three of the somewhat nastier (but really obvious and easy to eradicate) unix virii strains came from those sessions, iirc...
A system made with junk hardware, for example all defective components that failed QA tests, but sufficient redundancy and error correction to run normally. Mass storage that can *maybe* store a terabyte on a CD-size disk, with astronomical error rate and error-correction software that gets 100G in reliably. Processors that run overclocked by design and have extra circuits to correct occasional failures. Any takers?
To my understanding, everyone eats feces. I hear that after sex, common everyday girls/women want the man to shit on them. I know this one guy and he said after fucking his woman in the ass: she wanted him to shit on her chest. I say, "WTF?" and he says, "NO FUCKING SHIT, DUDE! I'VE DISPENSED 'NOUGH ALREADY AND SHE CAN GET HER OWN SHIT I SAYS!"
That's some freaky fucking shit, eh? I hope the females don't start disliking penis; choosing solidified shit in the shape of a dong instead of a good ol' man's dick. *crieing* DAMN YOU HILARY ROSEN!
SO THAT's why the LOUISVILLE-KENTUCKY bat factory is secretly located in ... INDIANA.
THE COMMUNISTS HAVE INVADED! AHHH!
WOW! I'm going to write a scientific paper. It's going to be about how you can crash a Java VM or a Citrix terminal session by repeated blows, via sledgehammer, to the server creating said VM or session.
Manipulate the moderator system! Mod someone as "overrated" today.
Hm, you could just look at a weather map to see when a particular area is having violent thunderstorms. I'd suspect that might just raise the odds of a memory error from a power spike or EM noise.
It was a pleasant surprise to see my paper on /. this morning. Now pdf slides are available here. My comments on the views shared here are also available.
Sudhakar.
In my own experiments at home, I have found I have been able to reprogram the memory on the servers in the room simply by turning on and off the lights. As you can imagine it takes an incredibly long time to program the memory bit by bit. My first attempt resulted in a picture of the latest playboy centerfold to appear on the screen of the server!!!
LOL
Ever wonder how many naturally occurring computer viri are out there. With all these cosmic rays, overheated hardware, flakey hard drives and software bugs it would be amazing we haven't run into a little 512 byte virus, yet. Eventually, computers will become self aware :^)
One of the systems I worked on had checksums on the data at every point in the system. It was checked in hardware every time it crossed a bus or was stored. This improved the reliability considerably.
-Happy
But technically this isn't an attack on all sand-box virtual machines, just the early-binding ones like the JVM, which assume a program is safe to run after a single check at compile/link time. Late-bound (or dynamically typed) VM-based languages such as Smalltalk and Lisp aren't as vulnerable to this - only the memory allocation and other atomic system functions that are assumed "safe" are vulnerable, and typically there are only a couple of dozen of these (and a random cooking of which is very likely to crash the VM or the machine by their nature). Of course, randomly messing with the memory will cause program errors and undesired results, and compilers that do a lot of inlining and type assumption optimizations increase the risk.
In the great CONS chain of life, you can either be the CAR or be in the CDR.
Yes you are right, but not right. The program makes no use of types at runtime. I mean, there are no typecasts in the program. Hence, the typesafety of the applet can be verified at link time. My guess is that if type safety can be verified at link time, a virtual-machine will try to do it at link time. Finally, a lot depends on the exact implementation details of the VM. I have not looked at Smalltalk and Lisp. So I can't say much about them. However, my instinct tells me that some attack can be launched in those cases. Please let me know if you have some ideas! I am still undecided about what happens with dynamic checking. All depends on what exactly I mean by dynamic checking. Sudhakar.
Finally, yes I bothered to read the paper. I might have read it some 100 times. After all I wrote it. :-)
Sudhakar.
The article states that if you manage to induce a single-bit-flip error *anywhere* in the program you are running on the virtual machine, then there is a 70% chance that the error can be exploited and used to run untrusted code. Now, there's this little thing called MTBF (mean time between failure) which is a measure of how long your chip will last under normal operating conditions before something fails due to "natural causes". A failure might be, say, a bit-flip error (or any number of other related errors which will work equally well). Chip manufacturers try to ensure that the MTBF for their chips is generally around a few years at least. However, you can increase the failure rate by taking the chip *out of* its normal range of operation. You can do this by, say, heating it up, or irradiating it. (Cosmic rays are a naturally-occurring hazard that cause "soft errors" in operating computer equipment. Any chip that is sent into space must be designed to have a much higher MTBF on earth, because when it is in orbit, it will get hit by a lot more radiation.)
When I was talking about late-bound VMs, it was largely the ideal case VM, in which all the functions and data are nicely boxed and type-checking is done at every reference. This is of course not the case, especially for Common Lisp (but from what I know of the original Smalltalk VMs and Squeak they come pretty close to the ideal - if you know someone who knows Smalltalk, it would be interesting to see how well this attack will work against the latter).
Strictly speaking, there is really no Common Lisp implementation entirely contained inside a VM (mostly for speed reasons, but Clisp does come close - its memory footprint is less than 2mb, and I think it also makes a good candidate to see how well this exploit works against late-bound VMs). Most implementations are native-code compilers - so this exploit certainly applies here, especially since the compilers inline heavily and will make use of optional type specifiers and inference.
Besides the reliance on native code by the VM and the inlining, I think there are two areas where this exploit might work. First is the way dynamic type information is encoded. I don't think anyone uses a whole extra word for that anymore. There are two popular strategies, one being the BIBOP (Big Bag of Pages) scheme, where certain pages are reserved for specific types, and the other is to encode the type information in the upper bits of a word (Clisp does this), and I've heard that the two are used together in some combination. Second, conservative GCs make passes fairly often - I suspect there may be a small chance to exploit the garbage collector.
So it is entirely possible to exploit late-binding VMs with your method of attack, but I am guessing the success rate will be much lower. This may depend on how much external code is used and other factors (it would be interesting to see how well Python stands up compared to the JVM). This is really starting to pique my curiosity. Maybe if I have some time this summer I will perform a similar experiment on one of the CL systems.
In the great CONS chain of life, you can either be the CAR or be in the CDR.
Anyone who has done more than trivial work with a standard pc, knows that heat will cause things to fuck up. So they are surprised when they point a heat lamp at a bank of ram, and it fails?
I've heard that academia can have their heads in the clouds, but this is taking it to a new level.
Why were we wasting all our time on buffer overflows and cryptography, when the real threat all along has been...
COSMIC RAYS!!
It's 10 PM. Do you know if you're un-American?
I watched the power-point, because I was really curious how to provide this exploit. Looking at his example, I was really curious when I saw his Java code contained the line "for each pointer p of type A"... Pointer? You don't have direct access to pointers. What is he doing?
Watch further and it all makes sense. He said that Java is vulnerable to these memory errors, and that you can prove it by adding some non-Java code. Well, no S*&t! Has anyone ever doubted that you can do whatever the hell you want from C or ASM?
If you are really worried about it, disable JNI. Not only is it an optional package, but you can force it to always be disabled in the Security Manager.
As a side comment, if you are going to post a nice exploit of Java, please write it in Java.
Malachi
http://www.google.com/profiles/malachid
I agree with your sentiments. 1) If typechecking is done at every reference, then for each field in the program, the machine should keep track of its type. So if I have 100M fields (pointers) in my machine, then it means that I need to keep track of 100M types. And this is way too much overhead. 2) It does not matter whether or not the implementation is entirely contained inside a VM. All I need to do is to turn off the security manager, which can be done from inside the virtual machine. 3) I agree that compiler optimisations help my attack. BTW, I dunno if you checked my comments on the comments posted here. You can get my comments here. Do email me about the results of your experiments. --Sudhakar.
A long time ago, when I worked at a restaurant as a teenager, I saw an employee that was screwing around with an ion ray gun accidentally open a secure time-lock safe. He simply pointed it at the safe from a few inches away and the safe's electronic display started blinking and it just opened.
Why not generate a OTP, encrypt the message with it and then send both the OTP and the OTP-encrypted message encrypted with a conventional symmetric cipher? Makes known-plaintext attacks a little more difficult.
sources like "zero point energy?"
Also, is this the minimum energy to set an electron or something more fundamental?
No, you can't break any encryption through brute force. There just isn't enough energy in the universe to do it, even positing thermodynamically-perfect computers operating at 3.2K.
While this is true for irreversible computers, it is not true of reversible computers.
A particular class of reversible computers are quantum computers (to the extent that they are operating error free, errors require some irreversible operations like bit resetting). Particularly, Grover's Algorithm reversibly finds the solution to the NP-complete SAT problem in sqrt(n) steps rather than n steps required by a classical computer.
Putting it all together, an error free (or sufficiently low error) quantum computer could brute force a 256 bit key in 2^128 (sqrt(2^256)) steps and not be bound to the Landauer bound (which you quoted) on thermodynamic cost of erasing bits.
PS: here is a nice link for those who don't know anything about thermodynamics of computation.
jabber: johnynek@jabber.org
...with the infinite monkeys scenario will be resistance from PETA.