Slashdot Mirror


Using Memory Errors to Attack a Virtual Machine

gillus writes "A very cool scientific paper from Appel and Govindavajhala that explains how virtual machines like Java or .NET can be exploited. How? Quite simple, bomb your DRAM chip with X-rays... or more simply with a 50-watt spotlight, as the authors demonstrate. Definitely worth a read!"

62 of 247 comments

  1. This just in! by G-funk · · Score: 4, Funny

    Reports are sketchy at present, but we're being led to believe that it's easy to compromise a machine to which you have physical access!

    Film at 11.

    --
    Send lawyers, guns, and money!
    1. Re:This just in! by smallpaul · · Score: 5, Informative

      Reports are sketchy at present, but we're being led to believe that it's easy to compromise a machine to which you have physical access!

      Bet you didn't even read the abstract. Here's the relevant bit:

      Our attack is particularly relevant against smart cards or tamper-resistant computers, where the user has physical access (to the outside of the computer) and can use various means to induce faults; we have successfully used heat.

    2. Re:This just in! by Com2Kid · · Score: 3, Redundant

      If I can drag in a machine capable of producing sufficient x-rays to within range of the computer.

      Well fuck it, I can just get a screw driver and OPEN the mofo.

      It has ALREADY been proven that no matter how hard something is protected / encrypted / etc, given enough time (and resources!) it will ALWAYS be possible to break though whatever protection measures are in the way. The ONLY 100% secure computing environment is a

      Well heck, actually there ISN'T one, because even a keyboard going into a big grey locked steel box can have its wires tapped so when an authorized user DOES use it the applicable passwords can be captured.

      Basically we are all fucked. The good news is that the orgy WILL be broadcast on the Playboy channel for only 39.95.

    3. Re:This just in! by Com2Kid · · Score: 3, Insightful
      • Our attack is particularly relevant against smart cards or tamper-resistant computers, where the user has physical access (to the outside of the computer) and can use various means to induce faults; we have successfully used heat.


      If somebody intent on breaking through the smart card's security has access to the smart card, then sooner or later the security WILL be broken. Encrypting data is NOT a foolproof way to keep things safe, though having the security measures last a dozen or so years IS a rather safe second bet. :)

    4. Re:This just in! by Anonymous Coward · · Score: 2, Insightful

      What this could lead to, if it works and ends up working well, is running other processes in a machine that do end up causing memory errors. Far-fetched? Probably, but all exploits involve a range of small weaknesses (except Windows ones, as Windows is one large weakness).

      Take a look at core memory. Memory access there, when random, was fine. Go looking continually at one row of cores and bam - your wire heats up. Go continually looking at the one single core (read or write) and it was possible to effectively destroy your memory plane.

      One Commodore 64 demo program (just a few POKE statements) would lock up a machine after being run, and the computer would only turn on again after sitting without power for hours. A small bug in a chip is all that it took. It may not be an exploit but perhaps one of the consumer-computing world's first 'denial of service' hacks.

      This just looks harmless when taken on its own. You can't know what other ways to exploit hardware will appear in the future, if the problems here aren't addressed.

    5. Re:This just in! by afidel · · Score: 2, Interesting

      There's nothing stopping you from accessing smartcards if you are determined enough and don't care about the physical state of the chip afterwards, just look at the guy who broke MS's xbox code, one of the steps he used was to etch away the chip covering to get at the actual chip. Now this attack may work better if you are a spy who wants to steal an access card, get the data off and return the card, but for most attacks the brute force method works almost as well.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    6. Re:This just in! by anubi · · Score: 4, Interesting
      "Our attack is particularly relevant against smart cards or tamper-resistant computers, where the user has physical access (to the outside of the computer) and can use various means to induce faults; we have successfully used heat."
      I would imagine that nasty EMI spikes you may couple to the inside of the box, or medical radioactive sources would work too.

      Just a guess, but I have sure had my share of EMI and radiation induced problems.

      --
      "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]

    7. Re:This just in! by lord sibn · · Score: 5, Interesting

      Page 7, Paragraph 3:

      "To attack machines without physical access, the attacker can rely on natural memory errors."

      This paper showed some means an attacker could physically cause a memory error, but it never said that such intervention was required to stage the attack. My guess is that this would be most useful with those "low load" ram chips that ran on slashdot a while back.

    8. Re:This just in! by You're All Wrong · · Score: 3, Interesting

      Didn't you notice that the talks/ directory serves a page which is:
      "
      HTML composed using mozilla 0.9.9 on a Redhat Linux 8.0 machine. Best viewed in any browser
      "

      So _obviously_ the guy's interested in making sure that _everyone_ can read his work. It's just a shame that he seemed to forget that when writing up all his work. Duh!

      Anyway, the Powerpoint file viewer that I use under linux is called "strings". Amazingly it sometimes even works!

      YAW.

      --
      Your head of state is a corrupt weasel, I hope you're happy.
    9. Re:This just in! by mentin · · Score: 3, Insightful
      Well, there are already many error-induction attacks against smart cards (some references in the article), that don't involve a JVM running untrusted code.

      So if I can break a smart card even if it does not run any of my [untrusted] code, who cares about an attack on a smart card that allows running untrusted code? Besides, I've never seen any smart card that actually does this stupid thing.

      A better target for attack may be a server at a nuclear reactor facility that has natural high rate of memory failures :)

      --
      MSDOS: 20+ years without remote hole in the default install
    10. Re:This just in! by arvindn · · Score: 4, Informative
      If somebody intent on breaking through the smart card's security has access to the smart card, then sooner or later the security WILL be broken.
      Get a clue. The whole point of a smart card is to keep the data safe even in the event of physical tampering. For this purpose, the processor of a smart card is enclosed in a black box which will chemically self-destruct if you try to tamper with it. Much research on smart cards goes into ensuring that security can not be broken in spite of physical access.

      Some pointers:

    11. Re:This just in! by You're All Wrong · · Score: 3, Interesting

      "One commodore 64 demo program (just a few POKE statements)..."

      You're not thinking of the Commodore PET "urban legend" are you?
      C64 != PET. PET != C64. Don't let the big long "Commodore" word confuse you.

      For more info on the blow-up-your-PET story, try:
      http://www.softwolves.pp.se/misc/arkiv/cbm-hackers/1/1505.html

      YAW.

      --
      Your head of state is a corrupt weasel, I hope you're happy.
    12. Re:This just in! by Com2Kid · · Score: 3, Interesting
      • Get a clue. The whole point of a smart card is to keep the data safe even in the event of physical tampering. For this purpose, the processor of a smart card is enclosed in a black box which will chemically self-destruct if you try to tamper with it. Much research on smart cards goes into ensuring that security can not be broken in spite of physical access.


      Sorry, I am used to seeing regular static memory chips marketed as being "smart cards", I did not realize that there was an actual secure version of the things. Buzzwords got to me. ^_^

      Any encryption can still be broken through brute force.

      Hmm, from the first site you linked to;

      • Entertainment: Most DSS dishes in the U.S. have smart cards.

      -- http://smartcard.nist.gov/faq.html

      Yah, and we all know how secure those are! Yup, DSS security has never been bypassed once! ;)
    13. Re:This just in! by Large Green Mallard · · Score: 3, Informative

      Smart cards will protect themselves to some extent, but the oft-quoted voltage draw analysis is something they can't protect against..

      What you really need for a physically secure device is an IBM 4758 CryptoCard.. of course, for it to be useful, you need it protected against key recovery attacks.

    14. Re:This just in! by SmackCrackandPot · · Score: 2, Funny

      If you wait long enough, then some day a cosmic ray will strike a computer system at exactly the same time as you are entering the root password. The resulting ionization will cause the compare function to return a match, and you will gain access!

    15. Re:This just in! by shepd · · Score: 2, Interesting

      >What you really need for a physically secure device is an IBM 4758 CryptoCard.. of course, for it to be useful, you need it protected against key recovery attacks.

      That card still isn't invulnerable against being picked apart by scanning electron micrographs and other handy (expensive) physical analysis.

      You might consider this impractical, but this is exactly how certain digital TV services in Europe have competed, by hacking each other's cards at any expense.

      The only true way to have a secure system is to make it two way, or use a one time pad. That way they need to break into the uplink facility as well as into a consumer receiver...

      --
      If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
    16. Re:This just in! by br0ck · · Score: 2, Interesting

      If that doesn't work, Adobe has an online converter you can use to view the pdf as html.

    17. Re:This just in! by omnirealm · · Score: 5, Insightful

      Any encryption can still be broken through though brute force.

      This is simply not true. One-time pads are 100% unbreakable, and they will always be unbreakable (at least mathematically speaking), no matter how sophisticated technology gets in the future. For those who are unfamiliar with the concept, a one-time pad is a cryptographically random string of 1's and 0's, which is at least the same length as the message itself. Two parties have a secure channel in which to exchange these pads; for example, if Alice and Bob wish to use one-time pads, Alice can generate a list of 10,000 cryptographically random strings, put them in a suitcase that is handcuffed to her wrist, and deliver them to Bob in person. Bob and Alice then have a set of one-time pads that they can use for all future communication. Each time they encrypt a message with one of the pads, they discard the pad and never use it again. Because the pad is at least the length of any messages they might pass back and forth, there is no way to analyze the encrypted message for patterns. It is mathematically impossible. You could easily come up with strings of 1's and 0's that would ``decrypt'' the message into anything, be it passages from the Bible, or Ogg Vorbis encoded music. You would have no idea which set of 1's and 0's produced the actual original message. This is truly unbreakable encryption on a mathematical level.

      Most companies claiming that their encryption is ``unbreakable'' are using one-time pads; the problem is reduced to finding a secure channel of communications in which to transmit those pads. This is usually not a feasible assumption, which is why we all prefer using, for example, Diffie-Hellman key exchange, which depends on the difficulty of math involving discrete logarithms. The encryption we now use is breakable, but it is hard enough to break that it is generally considered secure.

      --
      An unjust law is no law at all. - St. Augustine
    18. Re:This just in! by exp(pi*sqrt(163)) · · Score: 2, Insightful

      Sure you can protect yourself from differential power analysis, or whatever it's called. You can design logic gates that draw the same power whatever. Or you can add extra logic that masks other activity. You can design algorithms that draw exactly the same power whatever the input, possibly performing unnecessary dummy steps. There are lots of defenses.

      --
      Doesn't it make you feel good to know that our freedoms are protected by politicians, lawyers and journalists.
    19. Re:This just in! by rjh · · Score: 4, Informative

      Any encryption can still be broken through though brute force

      <sigh> You know, I answered just this same question yesterday... </sigh>

      As a thermodynamic minimum it takes 4.4 * 10**-26 joules to set a bit. (Well, it takes that much to erase one bit of information. But that's quibbling.) So multiply that by 256, for the number of bits in an AES key, and you get 1.1 * 10**-23 joules to store a key.

      Now multiply this by 2**255, which is the number of AES keys you'd have to try to break it by brute force (on average). You get 6.4 * 10**53 joules of energy needed.

      The total annual energy output of the Sun is on the order of 10**34 joules. Multiply that by 10**10 to compute the total energy release over the Sun's entire lifespan (yes, this is a nasty kludge of an estimate, I know the Sun's energy output varies) and you get 10**44 joules of energy.

      Which means you've only exhausted one billionth of the damn keyspace.

      No, you can't break any encryption through brute force. There just isn't enough energy in the universe to do it, even positing thermodynamically-perfect computers operating at 3.2K.

    20. Re:This just in! by Chester K · · Score: 2, Interesting
      Two parties have a secure channel in which to exchange these pads.

      OTP is mathematically 100% secure, but not practically.

      • The whole point of encryption is to make secure an otherwise unsecure channel of communication. If you have a secure channel in the first place (which you need to exchange pads with OTP), then why not just send the data you want to communicate through that channel and do away with encryption altogether?
      • Someone can intercept your pads and you'd never know. OTP is extremely vulnerable to a man-in-the-middle attack.
      • Your pads themselves may be attackable. In the extreme case, a pad comprised entirely of NULs can be XORed against your sourcetext to produce cyphertext, and that's OTP, but that doesn't mean it's secured. Any pad generated in a reproducible manner is susceptible to cryptanalysis.
      • Empirical evidence suggests that the end points of a communication are just as vulnerable to compromise as the communication channel. If your message is decrypted and displayed on a non TEMPEST compliant display, then all your security was for naught.


      A couple of these problems are constant no matter what type of cypher you use, but some of them are solved by other forms of encryption; but they fit the opposite criteria: they are not mathematically 100% secure, but they can be practically secure.
      --

      NO CARRIER
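As an added example (not code from either post, nor from the paper), the one-time pad properties omnirealm and Chester K argue about, in C: the real pad recovers the message, but any other same-length plaintext has a pad that is equally consistent with the ciphertext; an all-NUL pad leaves the plaintext in the clear; and, going one step past the posts to show why a pad is discarded after one use, two ciphertexts under the same pad XOR to the XOR of the two plaintexts. The 14-byte message, alternative message and pad are constructed sample data, not real keying material.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MSG_LEN 14

/* Encryption and decryption are the same operation: out = in XOR pad,
 * with a pad at least as long as the message. */
static void otp_xor(const uint8_t *in, const uint8_t *pad, uint8_t *out, size_t n)
{
    for (size_t i = 0; i < n; i++)
        out[i] = in[i] ^ pad[i];
}

/* Constructed sample data (not real keying material): a message, an
 * equally long alternative message, and a fixed pad. A real pad must come
 * from a true random source and be used exactly once. */
static const uint8_t SAMPLE_MSG[MSG_LEN] = "ATTACK AT DAWN";
static const uint8_t SAMPLE_ALT[MSG_LEN] = "RETREAT AT SIX";
static const uint8_t SAMPLE_PAD[MSG_LEN] = {
    0x3a, 0xf1, 0x07, 0x9c, 0x55, 0xe2, 0x18,
    0x6b, 0xc4, 0x0d, 0x7f, 0xa9, 0x32, 0xee
};

/* omnirealm's point: the real pad recovers the message, but for ANY other
 * plaintext of the same length there is a pad (ct XOR candidate) that makes
 * the very same ciphertext "decrypt" to it. An attacker holding only the
 * ciphertext cannot tell which pad was the real one. Returns 1 if both hold. */
int demo_any_plaintext_is_consistent(void)
{
    uint8_t ct[MSG_LEN], back[MSG_LEN], forged_pad[MSG_LEN], alt_out[MSG_LEN];

    otp_xor(SAMPLE_MSG, SAMPLE_PAD, ct, MSG_LEN);
    otp_xor(ct, SAMPLE_PAD, back, MSG_LEN);
    if (memcmp(back, SAMPLE_MSG, MSG_LEN) != 0)
        return 0;

    otp_xor(ct, SAMPLE_ALT, forged_pad, MSG_LEN);   /* the pad that would yield SAMPLE_ALT */
    otp_xor(ct, forged_pad, alt_out, MSG_LEN);
    return memcmp(alt_out, SAMPLE_ALT, MSG_LEN) == 0;
}

/* Chester K's degenerate case: a pad of all NULs is still "a pad", but it
 * leaves the plaintext untouched. Returns 1 if the ciphertext equals the message. */
int demo_null_pad_leaves_plaintext(void)
{
    uint8_t zero_pad[MSG_LEN] = {0};
    uint8_t ct[MSG_LEN];
    otp_xor(SAMPLE_MSG, zero_pad, ct, MSG_LEN);
    return memcmp(ct, SAMPLE_MSG, MSG_LEN) == 0;
}

/* Why a pad is discarded after one use: encrypting two messages under the
 * same pad and XORing the ciphertexts cancels the pad, leaving
 * msg1 XOR msg2, which the pad no longer protects at all.
 * Returns 1 if ct1 XOR ct2 == msg1 XOR msg2. */
int demo_pad_reuse_leaks(void)
{
    uint8_t ct1[MSG_LEN], ct2[MSG_LEN], ct_xor[MSG_LEN], pt_xor[MSG_LEN];
    otp_xor(SAMPLE_MSG, SAMPLE_PAD, ct1, MSG_LEN);
    otp_xor(SAMPLE_ALT, SAMPLE_PAD, ct2, MSG_LEN);
    otp_xor(ct1, ct2, ct_xor, MSG_LEN);
    otp_xor(SAMPLE_MSG, SAMPLE_ALT, pt_xor, MSG_LEN);
    return memcmp(ct_xor, pt_xor, MSG_LEN) == 0;
}
```

All three demo functions return 1. The forged-pad step is the whole "mathematically unbreakable" argument in one line: with the pad unknown, the ciphertext constrains only the length of the plaintext.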
    21. Re:This just in! by xiitone · · Score: 2, Insightful

      >Most companies claiming that their encryption is >``unbreakable'' are using one-time pads;
      and most of these snake oil salesmen are using algorithmic "random" number generation. There are two delicate parts of one-time pads: distributing the pad, and your pad generation.

      --
      Elegance is for tailors. -A. Einstein
    22. Re:This just in! by rjh · · Score: 2, Interesting

      at least you did not do the Power/Energy thing this time

      Make one little mistake, they never let you forget it. :)

      Just an interesting question: That number you used to indicate the minimum amount of energy to flip (or reset) a bit. Any references on that?

      Sure. The Boltzmann Constant, 1.38 * 10**-23 joules per Kelvin, is the fundamental relationship between temperature and energy. You can think of it as, "this is a quanta of energy at a given temperature". (It's not, and physics majors the world over are now marching on my house with pitchforks and torches. But I don't have time to explain fully.) So if you're running your computer at 3.2K, the ambient temperature of the universe, you can think of the minimum energy as being 4.4 * 10**-23 J. (I may have listed it earlier as 4.4 * 10**-26 J; if I did, I was misremembering the Boltzmann constant.)

      So your chips require a certain amount of energy to set each bit (really, to erase information in each bit--but that's splitting hairs at this point), and that energy can't be below 4.4 * 10**-23 joules.

      (Yes, you could drop the temperature of the computer to a few nanokelvins, and thus drop the energy required to set the bits... but then you'd have to supply extra energy to run the heat pump, bringing the total cost back up.)

      what is your opinion on the security of AES, in particular of Rijndael in comparison to Blowfish and Serpent?

      First, my cryptanalysis is rusty: I know enough to follow the papers, but I'm absolutely not on the cutting-edge of research. That said, I'm not especially fond of any of the AES candidates, not at this point in time. AES/Rijndael looks good, but it doesn't have much safety margin in it. Already we're seeing cryptanalytic results against it--I'm not going to say attacks, but ... there's some interesting research coming out. Nobody knows if it'll lead to an attack.

      I don't know enough about Serpent to make an informed statement about the cryptanalytic results against it. I stopped following Serpent after Rijndael was selected for AES. I vaguely recall some of the latest AES research also applies to Serpent, but... check that one before you rely on it.

      Re: Blowfish... I'm damn fond of the fish. It's been out for just a little under a decade, with no significant cryptanalytic results to it. With just a few equivocations, I'd actually recommend it above 3DES. 3DES has a much longer history of turning brilliant cryptanalysts into burned-out alcoholic wrecks, but... DES is a very complex algorithm. It's so complex that it's damnably hard to implement DES right. (I know; I've had to code 3DES on multiple occasions. I've put coworkers on notice that I refuse to do it again.) But Blowfish is extremely sexy, so much so that it can be succinctly described in about 50 lines of LISP. So on the grounds that Blowfish has an impressive cryptanalytic record, and is far simpler to implement correctly... I'd actually recommend Blowfish as my favorite cipher today.

  2. the implications!! by kaworu-sama · · Score: 5, Funny

    Now when I benchmark my computer using the punch-the-monkey java applet using a 50 watt spotlight, I'll have to be more careful!

  3. A quick workaround... by AnriL · · Score: 5, Funny

    Just overclock your tamper-resistant machine to the bleeding edge of running at maximum MHz you can get. Tweak the speed to the point that the body heat emitted by regular users will not overheat the CPU, but anyone approaching the machine with a 50 Watt bulb would fry the machine before gaining access to data.

    However, now you get a denial of service attack, but hey, it's better than information disclosure or arbitrary code execution. :-)

  4. End of Slashdot by MegaFur · · Score: 5, Funny

    Oh great, it must be the Apocalypse or something. They actually posted a *link* to a *PowerPoint* document in a Slashdot article! Worse yet, no one seems concerned.

    --
    Furry cows moo and decompress.
    1. Re:End of Slashdot by error0x100 · · Score: 5, Funny

      They actually posted a *link* to a *PowerPoint* document in a Slashdot article! Worse yet, no one seems concerned.

      No one reads the articles, so they probably didn't even notice. OK, *I* didn't notice.

    2. Re:End of Slashdot by zulux · · Score: 3, Informative


      Just to inform people who may not know:

      The file loads just fine in OpenOffice.

      OpenOffice is available free (beer and speech) at OpenOffice.org for Windows, Linux, MAC OS X, FreeBSD and Solaris.

      I'm sure Apple's Keynote works as well.

      --

      Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.

  5. New nifty trick for a hacker book by bluelan · · Score: 3, Interesting
    You wouldn't necessarily need physical access to the machine itself. It might be possible to perform this exploit by gaining access to a machine's air conditioning unit and disabling it at an inconvenient time. That could raise heat enough to cause RAM performance to degrade and make the success of the exploit more likely.

    If the air conditioner went out at midnight, most system administrators wouldn't know until the morning.

    --

    I used to be a narrator for bad mimes. (wright)

  6. I'm reminded of Knuth's quote by arvindn · · Score: 4, Insightful
    "Beware of bugs in the above code; I have only proved it correct, not tried it."
    Apparently, the security of the JVM type system has been subject to machine-checked proofs. Yet, a single bit error in memory can be exploited with 70% probability.
  7. This just in... by scubacuda · · Score: 4, Funny
    ...you can fuck up a monitor with a big ass magnet!

    (There are some things you just never forget from your high school physics lab)

    1. Re:This just in... by BusterB · · Score: 3, Informative

      In a color TV, there are three types of phosphors, red, green and blue. The electron guns (or gun in a Trinitron) must be aligned so that they hit the correct phosphors. Otherwise, the colors look off. The guns are typically aligned with an aperture mask or grille, which snaps the electron streams into place above their respective phosphors.

      A black-and-white TV has only one type of phosphor, so it is not as important that the electron streams hit the correct, absolute position on the screen. The screen is uniformly coated, and I don't believe there is an aperture screen on these types of screens.

      So, what happens when you hold a magnet to the screen? For one, you deflect the electron streams, so you get a temporarily distorted image, and the colors are off because the electron streams are pointing to the wrong phosphors. With B/W, it just doesn't matter; a phosphor is a phosphor.

      Additionally, a powerful magnet can permanently distort or magnetize the metal aperture mask/grille, causing permanent damage to the screen's ability to align electron streams to the appropriate phosphors.

      And that's it. I may have misspelled aperture. Oh well.

  8. In other news. by MisterFancypants · · Score: 5, Funny

    It turns out that if you have physical access to a system, you can perform a pretty effective denial of service attack using a rather devious little bit of technology called a 'baseball bat'.

    1. Re:In other news. by Tablizer · · Score: 2, Funny

      It turns out that if you have physical access to a system, you can perform a pretty effective denial of service attack using a rather devious little bit of technology called a 'baseball bat'.

      No no no, that is a management tool.

  9. best line from the article by zatz · · Score: 5, Funny

    Fortunately for the attacker, few users are surprised these days when applications use hundreds of megabytes to accomplish trivial tasks.

    --

    Java: the COBOL of the new millenium.
    1. Re:best line from the article by scubacuda · · Score: 3, Funny
      Whoops...forgot the

      delete [] bigAssArray;

      line from my code...

  10. More elegant way to break a VM by irc.goatse.cx troll · · Score: 2, Interesting

    Anybody remember the User Mode Linux VM escape exploit?
    Seems more elegant than nuking your machine.
    At DefCon X, Gobbles announced a similar vulnerability in VMware, though no exploit or advisory has been released so far. For anyone that assumes they're just fear mongering, they also announced the zero-day Apache bug there, which I'm sure you all remember.

    --
    Pain lasts, kid. Its how you know you're alive. Sometimes I think this growing up thing is just pain management-TheMaxx
  11. Re:seriously by Anonymous Coward · · Score: 3, Funny

    Holy crap he signed an NDA! Mod him up more! He has more nothings to say!

  12. viva las vegas by CrazyJim0 · · Score: 2, Funny

    If you can manage to sneak an Xray thing in your keychain. If you know where a slot machine's memory is.

  13. Make clip on lamps illegal by Alain Williams · · Score: 4, Funny

    Surely the solution is obvious: make the possession of clip-on lamps an offence under the DMCA, I cannot see why someone would want to possess such equipment unless it was to break into a computer and steal the latest music CDs....

  14. Simple countermeasure? by The Clockwork Troll · · Score: 3, Insightful
    Whenever your code has occasion to store a boolean value (for later test/comparison), store multiple copies of it at predictable but "geographically" disparate locations in RAM.

    Then, when doing the test/comparison, if there is not consensus in the bits (they should be all 1 or all 0), you know some memory error has occurred. The confidence level in the boolean test could be made arbitrarily high by storing increasing numbers of redundant bits.

    This would slow things down considerably but it seems cheaper than lead cases.

    This countermeasure is obviously not foolproof because most branches ultimately come down to a single register test but perhaps it's an improvement? Comments?

    --

    There are no karma whores, only moderation johns
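The redundant-boolean scheme proposed above, written out as an added example in C (it is not code from the post or the paper). The assumptions are mine, not the poster's: each copy is a whole 32-bit word that must read all-ones or all-zeros, so a single flipped bit turns that copy into a value that is neither legal encoding and the consensus read fails on it; the copies are kept in one padded struct here for self-containment rather than in separate allocations; and the fault model is the paper's single-bit error. A plain `if (flag)` on an ordinary word is included as the baseline it is meant to improve on.

```c
#include <stdint.h>

#define COPIES 5
#define ALL_ONES  0xFFFFFFFFu
#define ALL_ZEROS 0x00000000u

enum flag_result { FLAG_IS_FALSE = 0, FLAG_IS_TRUE = 1, FLAG_CORRUPT = -1 };

/* One redundant boolean. Each copy is a whole 32-bit word that must read
 * ALL_ONES or ALL_ZEROS; the copies are separated by padding so that a
 * localized fault is unlikely to touch two of them. (Assumption of this
 * example: the post would put the copies in separate allocations; one
 * struct keeps the demo self-contained.) */
struct redundant_flag {
    struct { uint32_t word; uint32_t pad[7]; } copy[COPIES];
};

static void flag_set(struct redundant_flag *f, int value)
{
    uint32_t w = value ? ALL_ONES : ALL_ZEROS;
    for (int i = 0; i < COPIES; i++)
        f->copy[i].word = w;
}

/* Consensus read: every copy must be a legal encoding AND all copies must
 * agree. Anything else is reported as FLAG_CORRUPT instead of being
 * silently trusted by the branch that follows. */
enum flag_result flag_read(const struct redundant_flag *f)
{
    uint32_t first = f->copy[0].word;
    if (first != ALL_ONES && first != ALL_ZEROS)
        return FLAG_CORRUPT;
    for (int i = 1; i < COPIES; i++)
        if (f->copy[i].word != first)
            return FLAG_CORRUPT;
    return first == ALL_ONES ? FLAG_IS_TRUE : FLAG_IS_FALSE;
}

/* The fault model from the paper: one bit somewhere in memory flips. */
static void flip_bit(struct redundant_flag *f, int copy_index, int bit)
{
    f->copy[copy_index].word ^= (1u << bit);
}

/* Set the flag, then read it back with no fault injected. */
int demo_clean_read(int value)
{
    struct redundant_flag f;
    flag_set(&f, value);
    return flag_read(&f);
}

/* Exhaustive check against the single-flip model: try every one of the
 * COPIES*32 possible single-bit flips in a flag set to `value` and count
 * how many escape detection (flag_read still returns a clean boolean).
 * Expected: 0. */
int count_undetected_single_flips(int value)
{
    int undetected = 0;
    for (int c = 0; c < COPIES; c++) {
        for (int b = 0; b < 32; b++) {
            struct redundant_flag f;
            flag_set(&f, value);
            flip_bit(&f, c, b);
            if (flag_read(&f) != FLAG_CORRUPT)
                undetected++;
        }
    }
    return undetected;
}

/* Baseline for comparison: an ordinary word used as a boolean with
 * "if (flag)". Counts how many of the 32 single-bit flips in a flag set to
 * 0 silently change the branch outcome. Expected: all 32. */
int count_plain_bool_changed(void)
{
    int changed = 0;
    for (int b = 0; b < 32; b++) {
        uint32_t flag = 0;
        flag ^= (1u << b);
        if (flag)          /* the branch now goes the "true" way */
            changed++;
    }
    return changed;
}
```

With this encoding every single-bit flip in any copy is caught, against 32 out of 32 flips silently changing the outcome for the plain word. The caveat the poster raises stands: the value `flag_read` returns sits in a single register at the moment of the final compare, so a fault landing there is still not detected; the scheme shrinks the vulnerable window rather than closing it.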
  15. Secrecy my arse. by Gordonjcp · · Score: 4, Informative
    It's been known for a *very, very* long time that semiconductors are light sensitive. It's been known for a reasonably long time that the tiny capacitors that make up dynamic RAM are very sensitive to light. In fact, there was a project in Byte magazine in the late 1970s that used a 4116 DRAM chip with the top cut off as a black-and-white CCD camera. It worked remarkably well.


    Using bit errors to flake out machines, where there is no parity or other error checking, is very far removed from "secret tinfoil hat" stuff. Why do you think chips are packed in black epoxy?

  16. Next Spy Gadget? by broothal · · Score: 2, Funny

    At first I thought "why don't you just fire a gun instead of expensive X-rays". But once X-ray emitting devices become small enough, this could be a new spy gadget. Walk up to the metal detector in the airport. Point your pencil (with built-in X-rays) at the scanner and zap it. Then walk right in.

    Or, it can be used for lesser evil stuff as well. In the office. Find the cubicle with the guy that just hates computers. Every time you walk by him to get a cup of coffee, zap his computer with your device. Try to time it so he loses maximum amount of work. Then sit back and watch him go postal.

  17. New Computer Cases by ExEleven · · Score: 5, Funny

    "New LEAD cases from Lian Li to protect your system from intruders" Just another thing to worry about when it comes to security.

  18. Re:*.ppt by metlin · · Score: 4, Informative

    A non-animated PDF version here.

    Link is valid for 7 days :-)

  19. Alex descends into hell for a bottle of milk by m00nun1t · · Score: 5, Funny

    How many websites would have an article that begins:
    "A very cool scientific paper..."

    Oh dear, we really are geeks, aren't we.

  20. a side note about developement of ecc by bloodbob · · Score: 3, Insightful

    I believe (I could be mistaken) that the guy who made up the finite state machine for ECC had a mental breakdown. Making something like that is very complex. I wonder how long parity checks, which offer no correction, were thought to be state of the art.

  21. Re:This attack doesn't look very effective by czarneki · · Score: 5, Interesting

    Um... no. The paper states that if a single-bit error can be induced, then the probability that this single-bit error will then allow the exploiting program to execute arbitrary code (as opposed to causing the OS or the VM to crash, etc) is 70%.

    So, keep in mind that there are two components to this exploit: 1) writing a program that takes advantage of single-bit errors to execute arbitrary code, and 2) wait for cosmic rays or direct some radiation yourself at the hardware to induce soft errors. The effectiveness depends largely on how quickly/reliably you can induce such errors w/out crashing the machine in the process.

    Maybe the techniques for programming the exploit program described here are well known to more experienced programmers, but I found the article extremely interesting and enlightening. I've been taught for years about the superiority of Java's type system as a security measure, and I know that a lot of theoretical work and proofs have been done to show that Java's type system is secure, but this exploit manages to get around the type safety with such a simple trick that I'm kicking myself for not having seen it myself. It's almost elegant, the way they get it done.

  22. Re:*.ppt by Anonymous Coward · · Score: 2, Funny

    I loaded the .ppt into my java port of Power point.

    Then as soon as I turned on my 50 watt reading lamp to set the atmosphere, It all crashed ?

  23. ECC for making machines .... **cheaper** ! by Morgaine · · Score: 4, Insightful

    This (excellent) paper alludes to the usual situation that cheaper machines tend not to use ECC in memory modules and in other parts of their architecture in order to save on manufacturing costs.

    Note however that this common perception is not strictly speaking entirely accurate or necessary, because if a system is designed to meet a given level of reliability then a machine with ECC may end up being cheaper than one without ECC, because the error detection and correction can make up for reduced reliability in the rest of the hardware.

    As an example, some components may be run closer to their operating limits, possibly partially overclocked, or power supplies may be less well regulated and hence electronic noise margins may be slightly compromised, or the system may be designed with substandard cooling, and so on. ECC could help mitigate some of the effects of such presumably cheaper designs, while still maintaining the reliability of better implementations.

    So, there's slightly more to the "ECC only found in better systems" argument than at first meets the eye. As usual, caveat emptor. :-)

    --
    "The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
  24. Excellent Smithers!!! by Pedrito · · Score: 2, Funny

    This is the last step I needed in my Java trojan I've been writing. Now all I need to do is go to everyone's house with my x-ray machine, and I'm in like Flint!

  25. In the lab today, in the wild tomorrow... by donert · · Score: 4, Interesting

    This is good stuff. Although the experiment used physical access to stress the memory, the theory could be used as an exploit in real situations in ways that the narrow of mind (like me) cannot conceive.

    Perhaps this is not a method of practical attack on a machine. But it may be just a matter of creative thinking.

    The key takeaway is to not disallow the possibility.

    Threats you discard as harmless are a logical place for an attacker to begin. Remember the Maginot line.

  26. Even submitters don't read the article by dmadole · · Score: 3, Interesting

    I expect posters to not read the article (well, ppt), but even the submitter didn't read it?

    The article does mention x-rays, saying "not enough energy to change a DRAM capacitor." Yet everyone talks about x-rays...

    I found the phrase from the article "screw driver to remove hard drive" amusing when I first read it. Then I realized they meant "screwdriver". I thought initially they were referring to a DOS attack by corrupting the device driver!

  27. Brute force by Xner · · Score: 4, Insightful

    Any encryption can still be broken through brute force.

    And any literary work can be obtained with an infinite number of monkeys sitting at an infinite number of typewriters for an infinitely long period of time.

    Most serious ciphers attacked using brute force with contemporary technology will probably hold out until the universe's heat death. Not to mention the fact that some experts claim that there simply is not enough energy in the universe to cycle a 128 bit counter through all its states, let alone perform any computations.

    --
    Pathman, Free (as in GPL) 3D Pac Man
    1. Re:Brute force by Anonymous Coward · · Score: 2, Informative

      Actually, Schneier points out that if you built a Dyson sphere around the sun to trap all its energy, it MIGHT be enough to cycle a counter through all (2**128) states before it implodes, if your high and low voltages were just barely distinguishable and you can do it fast enough.

      Not that it's terribly useful. A 256-bit key would require that you perform the same feat (2**128) times-- which I doubt will happen.

  28. palladium by astrashe · · Score: 4, Insightful

    One use for this sort of thing might be to get a palladium system to do something it's not supposed to. In that case you'd have access to your own machine.

    Palladium is just a specialized VM that runs on tamper proof hardware, that's designed to let other people trust the results of some computations performed on your machine.

  29. Neons by hansroy · · Score: 2, Funny

    Good. Maybe all those kids with neon lights in their cases will have the same problem. I'm sure case modding was fun for awhile, but when every mod has to include the basic package of lights, fans, etc., it becomes too stock. Just like every '89 Civic I see with cut springs & an F1 wing. Yes, I am grumpy when I wake up.

  30. Hi, its the Internet calling. by Pharmboy · · Score: 2, Funny

    Yea, doing this from remote would be a little harder.....

    RING RING, "Hi, um my name is 'Bob', I'm from 'The Internet Company'. We think there is a problem and we need you to help us here. Um, we need you to set your computer next to your microwave for a minute. Oh, no can do?...ok, um, you got like a 50 watt lamp you can stick next to your computer case? Ok, good, yea, do that. Oh yea, and go to this java web site.....yea, I can wait..."

    I GUESS you could do some social engineering to get someone to comply. Seems like it would be easier to send out a couple hundred "I make this game, its my first. Hope you like." emails with BO in them to get one to bite.

    --
    Tequila: It's not just for breakfast anymore!
  31. Know what is really scary? by origin2k · · Score: 2, Informative

    The fact that most desktop/laptop and some server computers shipping today have no type of memory error detection or correction.

    Back in the older days _all_ computers shipped with at least parity memory. Today you get no checking unless you buy a workstation or server class machine.

    Did you ever notice that when you build an IBM system on-line that they make it very clear that the system uses non-parity memory where other companies never mention this? I think they know that someday someone will bring forth litigation on this subject and they want to make sure everything was clearly stated.

    Did you ever wonder how much data is corrupted by bad memory chips? Remember that memory sizes are increasing all the time so one would think that the probability for an error is higher.

    Did you ever wonder why Apple didn't use ECC memory in their xserve rack mount server?
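    The "parity vs. ECC" distinction raised in comments 23 and 31 is easy to see in code. The following is an added example, not from the paper or from any commenter: a SEC-DED (single-error-correcting, double-error-detecting) Hamming code over a constructed 32-bit word with 7 check bits (real ECC DIMMs use the same code family with 8 check bits per 64-bit word, which this example does not reproduce). A single flipped bit, the fault the paper induces with heat, is corrected silently; two flipped bits are detected but not corrected; a plain parity bit, the older scheme, flags only an odd number of flips.

```python
"""SEC-DED Hamming code over a 32-bit word (added example; the word width
and the 7-check-bit layout are assumptions, not taken from the paper)."""
from typing import Optional, Tuple

DATA_BITS = 32
CHECK_BITS = 6                    # Hamming parity bits: 2**6 >= 32 + 6 + 1
N = DATA_BITS + CHECK_BITS        # Hamming positions 1..38; bit 0 holds the overall parity
POSITIONS = range(1, N + 1)
# Powers of two are parity slots; every other position carries a data bit (32 of them).
DATA_POSITIONS = [p for p in POSITIONS if p & (p - 1)]


def _popcount(x: int) -> int:
    return bin(x).count("1")


def _extract(code: int) -> int:
    """Gather the data bits back out of a codeword."""
    word = 0
    for i, p in enumerate(DATA_POSITIONS):
        word |= ((code >> p) & 1) << i
    return word


def encode(word: int) -> int:
    """Return the 39-bit SEC-DED codeword for a 32-bit data word."""
    if not 0 <= word < (1 << DATA_BITS):
        raise ValueError("word must fit in 32 bits")
    code = 0
    for i, p in enumerate(DATA_POSITIONS):          # scatter data bits around the parity slots
        code |= ((word >> i) & 1) << p
    for k in range(CHECK_BITS):                     # parity bit 2**k covers every position with bit k set
        pp = 1 << k
        parity = sum((code >> p) & 1 for p in POSITIONS if p & pp and p != pp) & 1
        code |= parity << pp
    code |= _popcount(code) & 1                     # overall parity bit: make the whole codeword even
    return code


def decode(code: int) -> Tuple[str, Optional[int], Optional[int]]:
    """Return (status, word, flipped_position).

    status is "ok", "corrected" (one bit flipped and repaired) or
    "uncorrectable" (two bits flipped: detected, but the data cannot be trusted).
    """
    syndrome = 0                                    # XOR of the positions of all flipped bits
    for k in range(CHECK_BITS):
        pp = 1 << k
        parity = sum((code >> p) & 1 for p in POSITIONS if p & pp) & 1
        syndrome |= parity << k
    odd = _popcount(code) & 1                       # overall parity fails on an odd number of flips
    if syndrome == 0 and odd == 0:
        return "ok", _extract(code), None
    if odd:                                         # exactly one flip; the syndrome names it (0 = parity bit itself)
        return "corrected", _extract(code ^ (1 << syndrome)), syndrome
    return "uncorrectable", None, None              # even weight but nonzero syndrome: a double flip


def parity_only_catches(word: int, flips: Tuple[int, ...]) -> bool:
    """Plain parity memory keeps one parity bit per word; report whether the flips are noticed."""
    stored_parity = _popcount(word) & 1
    for b in flips:
        word ^= 1 << b
    return (_popcount(word) & 1) != stored_parity


if __name__ == "__main__":
    ptr = 0x0804_8000           # constructed sample: a pointer-sized word, as in the paper's scenario
    cw = encode(ptr)
    print(decode(cw))                                   # ok
    print(decode(cw ^ (1 << 7)))                        # corrected, position 7
    print(decode(cw ^ (1 << 7) ^ (1 << 20)))            # uncorrectable
    print(parity_only_catches(ptr, (3,)), parity_only_catches(ptr, (3, 9)))
```

    The point for the paper's threat model is the middle case: with ECC the single flip that the attack relies on never reaches the program, and the memory controller can log the corrected error, whereas parity-only or unchecked memory hands the corrupted word to the VM.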

  32. NASA has been researching this for a long time by ishmalius · · Score: 2, Interesting

    Aerospace researchers have been investigating the effects of different types of radiation on computers and other electronics for decades. Why would a virtual machine be any different, whether on a PC board, or on a smart card?

    It is often questioned on this site as to why spacecraft do not use the latest/greatest computing equipment available. It is because the flight-capable designs have proven themselves tolerant of harsh environments, including alpha/beta/X radiation. (And other things, like low power consumption, heat generation, etc.)

    It would be nice to know that a smart card with all of my personal information could survive the places my wallet has been. I need quad redundancy and forward error correction in my pocket!

  33. Author responds + PDF slides available by sudhakarprinceton · · Score: 2, Informative

    It was a pleasant surprise to see my paper on /. this morning. Now PDF slides are available here. My comments on the views shared here are also available. Sudhakar.

  34. I don't know if anyone bothered to read the paper, by voodoo1man · · Score: 2, Informative

    But technically this isn't an attack on all sand-box virtual machines, just the early-binding ones like the JVM, which assume a program is safe to run after a single check at compile/link time. Late-bound (or dynamically typed) VM-based languages such as Smalltalk and Lisp aren't as vulnerable to this - only the memory allocation and other atomic system functions that are assumed "safe" are vulnerable, and typically there are only a couple of dozen of these (and a random cooking of which is very likely to crash the VM or the machine by their nature). Of course, randomly messing with the memory will cause program errors and undesired results, and compilers that do a lot of inlining and type assumption optimizations increase the risk.

    --
    In the great CONS chain of life, you can either be the CAR or be in the CDR.