Using Memory Errors to Attack a Virtual Machine
gillus writes "A very cool scientific paper from Appel and Govindavajhala that explains how virtual machines like java or .Net can be exploited. How? Quite simple, bomb your DRAM chip with X-rays... or more simply with 50-watt spotlight, as the authors demonstrate. Definitively worth a read!"
If the air conditioner went out at midnight, most system administrators wouldn't know until the morning.
I used to be a narrator for bad mimes. (wright)
Just a guess, but I have sure had my share of EMI and radiation induced problems.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
Page 7, Paragraph 3:
"To attack machines without physical access, the attacker can rely on natural memory errors."
This paper showed some means an attacker could physically cause a memory error, but it never said that such intervention was required to stage the attack. My guess is that this would be most useful with those "low load" ram chips that ran on slashdot a while back.
Didn't you notice that the talks/ directory serves a page which is:
"
HTML composed using mozilla 0.9.9 on a Redhat Linux 8.0 machine. Best viewed in any browser
"
So _obviously_ the guy's interested in making sure that _everyone_ can read his work. It's just a shame that he seemed to forget that when writing up all his work. Duh!
Anyway, the Powerpoint file viewer that I use under linux is called "strings". Amazingly it sometimes even works!
YAW.
Your head of state is a corrupt weasel, I hope you're happy.
Um... no. The paper states that if a single-bit error can be induced, then the probability that this single-bit error will then allow the exploiting program to execute arbirary code (as opposed to causing the OS or the VM to crash, etc) is 70%.
So, keep in mind that there are two components to this exploit: 1) writing a program that takes advantage of single-bit errors to execute arbitrary code, and 2) wait for cosmic rays or direct some radiation yourself at the hardware to induce soft errors. The effectiveness depends largely on how quickly/reliably you can induce such errors w/out crashing the machine in the process.
Maybe the techniques for programming the exploit program described here are well known to more experienced programmers, but I found the article extremely interesting and enlightening. I've been taught for years about the superiority of Java's type system as a security measure, and I know that a lot of theoretical work and proofs have been done to show that Java's type system is secure, but this exploit manages to get around the type safety with such a simple trick that I'm kicking myself for not having seen it myself. It's almost elegant, the way they get it done.
"One commodore 64 demo program (just a few POKE statements)..."
h ackers /1/1505.html
You're not thinking of the Commodore PET "urban legend" are you?
C64 != PET. PET != C64. Don't let the big long "Commodore" word confuse you.
For more info on the blow-up-your-PET story, try:
http://www.softwolves.pp.se/misc/arkiv/cbm-
YAW.
Your head of state is a corrupt weasel, I hope you're happy.
Sorry, I am used to seeing regular static memory chips marketed as being "smart cards", I did not realize that there was an actual secure version of the things. Buzzwords got to me. ^_^
Any encryption can still be broken through though brute force.
Hmm, from the first site you linked to;
----http://smartcard.nist.gov/faq.html
Yah, and we all know how secure those are! Yup, DSS security has never been bypassed once!
Need help treating your acne? Come here!
This is good stuff. Although the experiment used physical access to stress the memory, the theory could be used as an exploit in real situations in ways that the narrow of mind (like me) cannot conceive.
Perhaps this is not a method of practical attack on a machine. But it may be just a matter of creative thinking.
The key take away is to not disallow the possiblity.
Threats you discard as harmless is a logical place for an attacker to begin. Remeber the Maginot line.
I expect posters to not read the article (well, ppt), but even the submitter didn't read it?
The article does mention x-rays, saying "not enough energy to change a DRAM capacitor." Yet everyone talks about x-rays...
I found the phrase from the article "screw driver to remove hard drive" amusing when I first read it. Then I realized they meant "screwdriver". I thought initially they were referring to a DOS attack by corrupting the device driver!