Slashdot Mirror


Using Memory Errors to Attack a Virtual Machine

gillus writes "A very cool scientific paper from Appel and Govindavajhala that explains how virtual machines like java or .Net can be exploited. How? Quite simple, bomb your DRAM chip with X-rays... or more simply with 50-watt spotlight, as the authors demonstrate. Definitively worth a read!"

4 of 247 comments (clear)

  1. Re:This just in! by anubi · · Score: 4, Interesting
    "Our attack is particularly relevant against smart cards or tamper-resistant computers, where the user has physical access (to the outside of the computer) and can use various means to induce faults; we have successfully used heat."
    I would imagine that nasty EMI spikes you may couple to the inside of the box, or medical radioactive sources would work too.

    Just a guess, but I have sure had my share of EMI and radiation induced problems.

    --
    "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]

  2. Re:This just in! by lord+sibn · · Score: 5, Interesting

    Page 7, Paragraph 3:

    "To attack machines without physical access, the attacker can rely on natural memory errors."

    This paper showed some means an attacker could physically cause a memory error, but it never said that such intervention was required to stage the attack. My guess is that this would be most useful with those "low load" ram chips that ran on slashdot a while back.

  3. Re:This attack doesn't look very effective by czarneki · · Score: 5, Interesting

    Um... no. The paper states that if a single-bit error can be induced, then the probability that this single-bit error will then allow the exploiting program to execute arbirary code (as opposed to causing the OS or the VM to crash, etc) is 70%.

    So, keep in mind that there are two components to this exploit: 1) writing a program that takes advantage of single-bit errors to execute arbitrary code, and 2) wait for cosmic rays or direct some radiation yourself at the hardware to induce soft errors. The effectiveness depends largely on how quickly/reliably you can induce such errors w/out crashing the machine in the process.

    Maybe the techniques for programming the exploit program described here are well known to more experienced programmers, but I found the article extremely interesting and enlightening. I've been taught for years about the superiority of Java's type system as a security measure, and I know that a lot of theoretical work and proofs have been done to show that Java's type system is secure, but this exploit manages to get around the type safety with such a simple trick that I'm kicking myself for not having seen it myself. It's almost elegant, the way they get it done.

  4. In the lab today, in the wild tomorrow... by donert · · Score: 4, Interesting

    This is good stuff. Although the experiment used physical access to stress the memory, the theory could be used as an exploit in real situations in ways that the narrow of mind (like me) cannot conceive.

    Perhaps this is not a method of practical attack on a machine. But it may be just a matter of creative thinking.

    The key take away is to not disallow the possiblity.

    Threats you discard as harmless is a logical place for an attacker to begin. Remeber the Maginot line.