Slashdot Mirror


Using Memory Errors to Attack a Virtual Machine

gillus writes "A very cool scientific paper from Appel and Govindavajhala that explains how virtual machines like java or .Net can be exploited. How? Quite simple, bomb your DRAM chip with X-rays... or more simply with 50-watt spotlight, as the authors demonstrate. Definitively worth a read!"

9 of 247 comments

  1. New nifty trick for a hacker book by bluelan · Score: 3, Interesting
    You wouldn't necessarily need physical access to the machine itself. It might be possible to perform this exploit by gaining access to a machine's air conditioning unit and disabling it at an inconvenient time. That could raise heat enough to cause RAM performance to degrade and make the success of the exploit more likely.

    If the air conditioner went out at midnight, most system administrators wouldn't know until the morning.

    --

    I used to be a narrator for bad mimes. (wright)

  2. Re:This just in! by anubi · Score: 4, Interesting
    "Our attack is particularly relevant against smart cards or tamper-resistant computers, where the user has physical access (to the outside of the computer) and can use various means to induce faults; we have successfully used heat."
    I would imagine that nasty EMI spikes you may couple to the inside of the box, or medical radioactive sources would work too.

    Just a guess, but I have sure had my share of EMI and radiation induced problems.

    --
    "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]

  3. Re:This just in! by lord sibn · Score: 5, Interesting

    Page 7, Paragraph 3:

    "To attack machines without physical access, the attacker can rely on natural memory errors."

    This paper showed some means an attacker could physically cause a memory error, but it never said that such intervention was required to stage the attack. My guess is that this would be most useful with those "low load" ram chips that ran on slashdot a while back.

  4. Re:This just in! by You're All Wrong · Score: 3, Interesting

    Didn't you notice that the talks/ directory serves a page which says:
    "HTML composed using mozilla 0.9.9 on a Redhat Linux 8.0 machine. Best viewed in any browser"

    So _obviously_ the guy's interested in making sure that _everyone_ can read his work. It's just a shame that he seemed to forget that when writing up all his work. Duh!

    Anyway, the Powerpoint file viewer that I use under linux is called "strings". Amazingly it sometimes even works!

    YAW.

    --
    Your head of state is a corrupt weasel, I hope you're happy.
  5. Re:This attack doesn't look very effective by czarneki · Score: 5, Interesting

    Um... no. The paper states that if a single-bit error can be induced, then the probability that this single-bit error will then allow the exploiting program to execute arbitrary code (as opposed to causing the OS or the VM to crash, etc.) is 70%.

    So, keep in mind that there are two components to this exploit: 1) writing a program that takes advantage of single-bit errors to execute arbitrary code, and 2) waiting for cosmic rays or directing some radiation yourself at the hardware to induce soft errors. The effectiveness depends largely on how quickly/reliably you can induce such errors w/out crashing the machine in the process.

    Maybe the techniques for programming the exploit program described here are well known to more experienced programmers, but I found the article extremely interesting and enlightening. I've been taught for years about the superiority of Java's type system as a security measure, and I know that a lot of theoretical work and proofs have been done to show that Java's type system is secure, but this exploit manages to get around the type safety with such a simple trick that I'm kicking myself for not having seen it myself. It's almost elegant, the way they get it done.
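The comments above keep returning to the defender's side of the same question: the attack needs a stream of single-bit memory errors (from heat, as in comments 1 and 2, from EMI, or from natural soft errors), and comment 5 notes that its success rate depends on how many such errors can be induced without crashing the machine. A machine whose memory controller reports corrected errors therefore has an early signal to watch. The script below is an added example, not code from the paper or from anyone in this thread: it parses constructed kernel log lines written in the style of Linux EDAC driver messages (the exact field layout in real kernels varies, so the parser relies only on the `EDAC MC<n>:` prefix and the `CE`/`UE` error-class token), totals corrected errors per DIMM, records uncorrected ones, and flags any DIMM whose corrected-error rate spikes inside a short window, which is the pattern a thermal or radiation fault would produce.

```python
"""Flag bursts of corrected memory errors in kernel log lines.

Added example; not from the Appel/Govindavajhala paper or the thread.
SAMPLE_LOG is constructed for this example in the style of Linux EDAC
messages; real field layouts differ between kernels and drivers, so the
parser only depends on the "EDAC MC<n>:" prefix and the CE/UE token.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: a quiet day, then a cluster of corrected errors (CE) on
# one DIMM ending in an uncorrected error (UE). Not captured from a real host.
SAMPLE_LOG = """\
2003-02-20T01:00:12 host kernel: EDAC MC0: 1 CE memory read error on DIMM_A1 (channel:0 slot:0 page:0x1a2b3 offset:0x40 grain:32 syndrome:0x0)
2003-02-20T11:42:05 host kernel: EDAC MC0: 1 CE memory read error on DIMM_B2 (channel:1 slot:0 page:0x7c001 offset:0x0 grain:32 syndrome:0x0)
2003-02-20T23:58:50 host kernel: EDAC MC0: 1 CE memory read error on DIMM_A1 (channel:0 slot:0 page:0x1a2b3 offset:0x80 grain:32 syndrome:0x0)
2003-02-20T23:59:10 host kernel: EDAC MC0: 1 CE memory read error on DIMM_A1 (channel:0 slot:0 page:0x1a2c0 offset:0x0 grain:32 syndrome:0x0)
2003-02-20T23:59:31 host kernel: EDAC MC0: 2 CE memory read error on DIMM_A1 (channel:0 slot:0 page:0x1a2c4 offset:0x20 grain:32 syndrome:0x0)
2003-02-21T00:00:02 host kernel: EDAC MC0: 1 CE memory read error on DIMM_A1 (channel:0 slot:0 page:0x1a2f0 offset:0x0 grain:32 syndrome:0x0)
2003-02-21T00:00:30 host kernel: EDAC MC0: 1 UE memory read error on DIMM_A1 (channel:0 slot:0 page:0x1a2f8 offset:0x0 grain:32 syndrome:0x0)
2003-02-21T00:00:35 host kernel: some unrelated message
"""

# Timestamp, host, "kernel:", controller id, error count, CE/UE, "... on <DIMM>".
EDAC_RE = re.compile(
    r"^(?P<ts>\S+) \S+ kernel: EDAC MC(?P<mc>\d+): (?P<count>\d+) (?P<cls>CE|UE) "
    r".*? on (?P<dimm>\S+)"
)


def parse_edac(log_text):
    """Return EDAC events as dicts sorted by time; non-EDAC lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = EDAC_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "dimm": m["dimm"],
            "cls": m["cls"],
            "count": int(m["count"]),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def find_ce_bursts(events, window=timedelta(minutes=5), threshold=3):
    """Sliding-window rate check: {dimm: (burst_start, last_seen, peak_count)}
    for every DIMM whose corrected-error count within `window` reaches
    `threshold`. A lone CE is normal background; a burst is not."""
    bursts = {}
    recent = defaultdict(deque)   # dimm -> (ts, count) pairs inside the window
    running = defaultdict(int)    # dimm -> sum of counts inside the window
    for e in events:
        if e["cls"] != "CE":
            continue
        d = e["dimm"]
        q = recent[d]
        q.append((e["ts"], e["count"]))
        running[d] += e["count"]
        while q and e["ts"] - q[0][0] > window:   # drop entries that aged out
            _, old = q.popleft()
            running[d] -= old
        if running[d] >= threshold:
            start = q[0][0]
            if d not in bursts:
                bursts[d] = [start, e["ts"], running[d]]
            else:                                  # extend an ongoing burst
                bursts[d][1] = e["ts"]
                bursts[d][2] = max(bursts[d][2], running[d])
    return {d: tuple(v) for d, v in bursts.items()}


def analyze(log_text):
    """Summarise a log: CE totals per DIMM, DIMMs with UEs, and CE bursts."""
    events = parse_edac(log_text)
    ce_by_dimm = defaultdict(int)
    ue_dimms = []
    for e in events:
        if e["cls"] == "CE":
            ce_by_dimm[e["dimm"]] += e["count"]
        elif e["dimm"] not in ue_dimms:
            ue_dimms.append(e["dimm"])
    return {
        "ce_by_dimm": dict(ce_by_dimm),
        "ue_dimms": ue_dimms,
        "bursts": find_ce_bursts(events),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for dimm, (start, end, peak) in report["bursts"].items():
        print(f"CE burst on {dimm}: {peak} corrected errors between "
              f"{start.isoformat()} and {end.isoformat()}")
    for dimm in report["ue_dimms"]:
        print(f"uncorrected error on {dimm}: memory contents no longer trustworthy")
```

On the sample, DIMM_B2's single corrected error stays below the threshold while DIMM_A1 trips the 5-minute window with five corrected errors just before its uncorrected one. The window and threshold are deliberately parameters: the right values depend on a host's normal background rate, and on a non-ECC machine, of course, nothing is logged at all, which is exactly why the thread's concern about unnoticed errors applies there most.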

  6. Re:This just in! by You're All Wrong · Score: 3, Interesting

    "One commodore 64 demo program (just a few POKE statements)..."

    You're not thinking of the Commodore PET "urban legend" are you?
    C64 != PET. PET != C64. Don't let the big long "Commodore" word confuse you.

    For more info on the blow-up-your-PET story, try:
    http://www.softwolves.pp.se/misc/arkiv/cbm-hackers/1/1505.html

    YAW.

    --
    Your head of state is a corrupt weasel, I hope you're happy.
  7. Re:This just in! by Com2Kid · Score: 3, Interesting
    • Get a clue. The whole point of a smart card is to keep the data safe even in the event of physical tampering. For this purpose, the processor of a smart card is enclosed in a black box which will chemically self-destruct if you try to tamper with it. Much research on smart cards goes into ensuring that security can not be broken in spite of physical access.


    Sorry, I am used to seeing regular static memory chips marketed as being "smart cards", I did not realize that there was an actual secure version of the things. Buzzwords got to me. ^_^

    Any encryption can still be broken through brute force.

    Hmm, from the first site you linked to:

    • Entertainment: Most DSS dishes in the U.S. have smart cards.

    -- http://smartcard.nist.gov/faq.html

    Yah, and we all know how secure those are! Yup, DSS security has never been bypassed once! ;)
  8. In the lab today, in the wild tomorrow... by donert · Score: 4, Interesting

    This is good stuff. Although the experiment used physical access to stress the memory, the theory could be used as an exploit in real situations in ways that the narrow of mind (like me) cannot conceive.

    Perhaps this is not a method of practical attack on a machine. But it may be just a matter of creative thinking.

    The key takeaway is to not disallow the possibility.

    Threats you discard as harmless are a logical place for an attacker to begin. Remember the Maginot line.

  9. Even submitters don't read the article by dmadole · Score: 3, Interesting

    I expect posters to not read the article (well, ppt), but even the submitter didn't read it?

    The article does mention x-rays, saying "not enough energy to change a DRAM capacitor." Yet everyone talks about x-rays...

    I found the phrase from the article "screw driver to remove hard drive" amusing when I first read it. Then I realized they meant "screwdriver". I thought initially they were referring to a DOS attack by corrupting the device driver!