Slashdot Mirror


Using Memory Errors to Attack a Virtual Machine

gillus writes "A very cool scientific paper from Appel and Govindavajhala that explains how virtual machines like Java or .NET can be exploited. How? Quite simple, bomb your DRAM chip with X-rays... or more simply with a 50-watt spotlight, as the authors demonstrate. Definitely worth a read!"

25 of 247 comments

  1. This just in! by G-funk · · Score: 4, Funny

    Reports are sketchy at present, but we're being led to believe that it's easy to compromise a machine to which you have physical access!

    Film at 11.

    --
    Send lawyers, guns, and money!
    1. Re:This just in! by smallpaul · · Score: 5, Informative

      Reports are sketchy at present, but we're being led to believe that it's easy to compromise a machine to which you have physical access!

      Bet you didn't even read the abstract. Here's the relevant bit:

      Our attack is particularly relevant against smart cards or tamper-resistant computers, where the user has physical access (to the outside of the computer) and can use various means to induce faults; we have successfully used heat.

    2. Re:This just in! by anubi · · Score: 4, Interesting
      "Our attack is particularly relevant against smart cards or tamper-resistant computers, where the user has physical access (to the outside of the computer) and can use various means to induce faults; we have successfully used heat."
      I would imagine that nasty EMI spikes you may couple to the inside of the box, or medical radioactive sources would work too.

      Just a guess, but I have sure had my share of EMI and radiation-induced problems.

      --
      "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]

    3. Re:This just in! by lord sibn · · Score: 5, Interesting

      Page 7, Paragraph 3:

      "To attack machines without physical access, the attacker can rely on natural memory errors."

      This paper showed some means an attacker could physically cause a memory error, but it never said that such intervention was required to stage the attack. My guess is that this would be most useful with those "low load" RAM chips that ran on Slashdot a while back.

    4. Re:This just in! by arvindn · · Score: 4, Informative
      If somebody intent on breaking through the smart card's security has access to the smart card, then sooner or later the security WILL be broken.
      Get a clue. The whole point of a smart card is to keep the data safe even in the event of physical tampering. For this purpose, the processor of a smart card is enclosed in a black box which will chemically self-destruct if you try to tamper with it. Much research on smart cards goes into ensuring that security cannot be broken in spite of physical access.

      Some pointers:

    5. Re:This just in! by omnirealm · · Score: 5, Insightful

      Any encryption can still be broken through though brute force.

      This is simply not true. One-time pads are 100% unbreakable, and they will always be unbreakable (at least mathematically speaking), no matter how sophisticated technology gets in the future. For those who are unfamiliar with the concept, a one-time pad is a cryptographically random string of 1's and 0's, which is at least the same length as the message itself. Two parties have a secure channel in which to exchange these pads; for example, if Alice and Bob wish to use one-time pads, Alice can generate a list of 10,000 cryptographically random strings, put them in a suitcase that is handcuffed to her wrist, and deliver them to Bob in person. Bob and Alice then have a set of one-time pads that they can use for all future communication. Each time they encrypt a message with one of the pads, they discard the pad and never use it again. Because the pad is at least the length of any messages they might pass back and forth, there is no way to analyze the encrypted message for patterns. It is mathematically impossible. You could easily come up with strings of 1's and 0's that would "decrypt" the message into anything, be it passages from the Bible, or Ogg Vorbis encoded music. You would have no idea which set of 1's and 0's produced the actual original message. This is truly unbreakable encryption on a mathematical level.

      Most companies claiming that their encryption is "unbreakable" are using one-time pads; the problem is reduced to finding a secure channel of communications in which to transmit those pads. This is usually not a feasible assumption, which is why we all prefer using, for example, Diffie-Hellman key exchange, which depends on the difficulty of math involving discrete logarithms. The encryption we now use is breakable, but it is hard enough to break that it is generally considered secure.

      --
      An unjust law is no law at all. - St. Augustine
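
The one-time-pad properties described in the comment above, as an added example that is not part of the original thread. The sample messages are constructed and the function names are this example's own; it also shows why a pad must be discarded after one use.

```python
import secrets

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings; the pad must cover the whole message."""
    if len(a) != len(b):
        raise ValueError("pad must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(message: bytes, pad: bytes) -> bytes:
    return xor_bytes(message, pad)

decrypt = encrypt  # XOR is its own inverse

def pad_explaining(ciphertext: bytes, candidate: bytes) -> bytes:
    """Return the pad under which `ciphertext` decrypts to `candidate`.

    Such a pad exists for every candidate of the right length, so the
    ciphertext alone does not favour any one plaintext over another.
    """
    return xor_bytes(ciphertext, candidate)

def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """If one pad encrypted both messages it cancels out: c1 ^ c2 == m1 ^ m2."""
    return xor_bytes(c1, c2)

if __name__ == "__main__":
    real = b"meet at noon"    # constructed sample message
    decoy = b"stay at home"   # constructed, same length as `real`
    pad = secrets.token_bytes(len(real))
    c = encrypt(real, pad)

    # Both "decryptions" are equally consistent with the ciphertext.
    print(decrypt(c, pad))
    print(decrypt(c, pad_explaining(c, decoy)))

    # Reusing the pad: knowing one message now reveals the other.
    c2 = encrypt(decoy, pad)
    print(xor_bytes(reuse_leak(c, c2), real))
```
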
    6. Re:This just in! by rjh · · Score: 4, Informative

      Any encryption can still be broken through though brute force

      <sigh> You know, I answered just this same question yesterday... </sigh>

      As a thermodynamic minimum it takes 4.4 * 10**-26 joules to set a bit. (Well, it takes that much to erase one bit of information. But that's quibbling.) So multiply that by 256, for the number of bits in an AES key, and you get 1.1 * 10**-23 joules to store a key.

      Now multiply this by 2**255, which is the number of AES keys you'd have to try to break it by brute force (on average). You get 6.4 * 10**53 joules of energy needed.

      The total annual energy output of the Sun is on the order of 10**34 joules. Multiply that by 10**10 to compute the total energy release over the Sun's entire lifespan (yes, this is a nasty kludge of an estimate, I know the Sun's energy output varies) and you get 10**44 joules of energy.

      Which means you've only exhausted one billionth of the damn keyspace.

      No, you can't break any encryption through brute force. There just isn't enough energy in the universe to do it, even positing thermodynamically-perfect computers operating at 3.2K.

  2. the implications!! by kaworu-sama · · Score: 5, Funny

    Now when I benchmark my computer using the punch-the-monkey java applet using a 50 watt spotlight, I'll have to be more careful!

  3. A quick workaround... by AnriL · · Score: 5, Funny

    Just overclock your tamper-resistant machine to the bleeding edge of running at maximum MHz you can get. Tweak the speed to the point that the body heat emitted by regular users will not overheat the CPU, but anyone approaching the machine with a 50 Watt bulb would fry the machine before gaining access to data.

    However, now you get a denial of service attack, but hey, it's better than information disclosure or arbitrary code execution. :-)

  4. End of Slashdot by MegaFur · · Score: 5, Funny

    Oh great, it must be the Apocalypse or something. They actually posted a *link* to a *PowerPoint* document in a Slashdot article! Worse yet, no one seems concerned.

    --
    Furry cows moo and decompress.
    1. Re:End of Slashdot by error0x100 · · Score: 5, Funny

      They actually posted a *link* to a *PowerPoint* document in a Slashdot article! Worse yet, no one seems concerned.

      No one reads the articles, so they probably didn't even notice. OK, *I* didn't notice.

  5. I'm reminded of Knuth's quote by arvindn · · Score: 4, Insightful
    "Beware of bugs in the above code; I have only proved it correct, not tried it."
    Apparently, the security of the JVM type system has been subject to machine-checked proofs. Yet, a single bit error in memory can be exploited with 70% probability.
  6. This just in... by scubacuda · · Score: 4, Funny
    ...you can fuck up a monitor with a big ass magnet!

    (There are some things you just never forget from your high school physics lab)

  7. In other news. by MisterFancypants · · Score: 5, Funny

    It turns out that if you have physical access to a system, you can perform a pretty effective denial of service attack using a rather devious little bit of technology called a 'baseball bat'.

  8. best line from the article by zatz · · Score: 5, Funny

    Fortunately for the attacker, few users are surprised these days when applications use hundreds of megabytes to accomplish trivial tasks.

    --

    Java: the COBOL of the new millennium.
  9. Make clip on lamps illegal by Alain Williams · · Score: 4, Funny

    Surely the solution is obvious: make the possession of clip on lamps an offence under the DMCA, I cannot see why someone would want to possess such equipment unless it was to break into a computer and steal the latest music CDs....

  10. Secrecy my arse. by Gordonjcp · · Score: 4, Informative
    It's been known for a *very, very* long time that semiconductors are light sensitive. It's been known for a reasonably long time that the tiny capacitors that make up dynamic RAM are very sensitive to light. In fact, there was a project in Byte magazine in the late 1970s that used a 4116 DRAM chip with the top cut off as a black-and-white CCD camera. It worked remarkably well.


    Using bit errors to flake out machines, where there is no parity or other error checking, is very far removed from "secret tinfoil hat" stuff. Why do you think chips are packed in black epoxy?

  11. New Computer Cases by ExEleven · · Score: 5, Funny

    "New LEAD cases from Lian Li to protect your system from intruders" Just another thing to worry about when it comes to security.

  12. Re:*.ppt by metlin · · Score: 4, Informative

    A non-animated PDF version here.

    Link is valid for 7 days :-)

  13. Alex descends into hell for a bottle of milk by m00nun1t · · Score: 5, Funny

    How many websites would have an article that begins:
    "A very cool scientific paper..."

    Oh dear, we really are geeks, aren't we.

  14. Re:This attack doesn't look very effective by czarneki · · Score: 5, Interesting

    Um... no. The paper states that if a single-bit error can be induced, then the probability that this single-bit error will then allow the exploiting program to execute arbitrary code (as opposed to causing the OS or the VM to crash, etc) is 70%.

    So, keep in mind that there are two components to this exploit: 1) writing a program that takes advantage of single-bit errors to execute arbitrary code, and 2) wait for cosmic rays or direct some radiation yourself at the hardware to induce soft errors. The effectiveness depends largely on how quickly/reliably you can induce such errors w/out crashing the machine in the process.

    Maybe the techniques for programming the exploit program described here are well known to more experienced programmers, but I found the article extremely interesting and enlightening. I've been taught for years about the superiority of Java's type system as a security measure, and I know that a lot of theoretical work and proofs have been done to show that Java's type system is secure, but this exploit manages to get around the type safety with such a simple trick that I'm kicking myself for not having seen it myself. It's almost elegant, the way they get it done.

  15. ECC for making machines .... **cheaper** ! by Morgaine · · Score: 4, Insightful

    This (excellent) paper alludes to the usual situation that cheaper machines tend not to use ECC in memory modules and in other parts of their architecture in order to save on manufacturing costs.

    Note however that this common perception is not strictly speaking entirely accurate or necessary, because if a system is designed to meet a given level of reliability then a machine with ECC may end up being cheaper than one without ECC, because the error detection and correction can make up for reduced reliability in the rest of the hardware.

    As an example, some components may be run closer to their operating limits, possibly partially overclocked, or power supplies may be less well regulated and hence electronic noise margins may be slightly compromised, or the system may be designed with substandard cooling, and so on. ECC could help mitigate some of the effects of such presumably cheaper designs, while still maintaining the reliability of better implementations.

    So, there's slightly more to the "ECC only found in better systems" argument than at first meets the eye. As usual, caveat emptor. :-)

    --
    "The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
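
How error correction handles the single-bit memory errors discussed in this thread, as an added example that is not part of the original comments or the paper. It uses a textbook extended Hamming (SECDED) code over a 64-bit word, which gives the same 64+8 bit budget as a typical ECC DIMM; real memory controllers use their own codes, and the pointer value is a constructed sample.

```python
WORD_BITS = 64

def to_bits(word):
    return [(word >> i) & 1 for i in range(WORD_BITS)]

def from_bits(bits):
    return sum(b << i for i, b in enumerate(bits))

def encode(data):
    """Extended Hamming: parity at power-of-two positions, overall parity at 0."""
    r = 0
    while (1 << r) < len(data) + r + 1:
        r += 1
    code = [0] * (len(data) + r + 1)
    it = iter(data)
    for pos in range(1, len(code)):
        if pos & (pos - 1):                 # not a power of two: data position
            code[pos] = next(it)
    for i in range(r):
        code[1 << i] = sum(code[p] for p in range(1, len(code)) if p & (1 << i)) % 2
    code[0] = sum(code[1:]) % 2             # makes the whole codeword even parity
    return code

def decode(code):
    """Return (status, data); status is 'clean', 'corrected' or 'uncorrectable'."""
    code = list(code)
    syndrome = 0
    for pos in range(1, len(code)):
        if code[pos]:
            syndrome ^= pos                 # XOR of set positions is 0 when valid
    odd = sum(code) % 2
    if syndrome == 0 and not odd:
        status = "clean"
    elif odd and syndrome < len(code):
        code[syndrome] ^= 1                 # one flipped bit: syndrome is its position
        status = "corrected"
    else:
        return "uncorrectable", None        # two flips: report it, do not guess
    return status, [code[p] for p in range(1, len(code)) if p & (p - 1)]

def read_word(stored):
    status, data = decode(stored)
    return status, (from_bits(data) if data is not None else None)

if __name__ == "__main__":
    pointer = 0x00007F3A1C204010            # constructed sample value
    stored = encode(to_bits(pointer))
    flipped = list(stored)
    flipped[37] ^= 1                        # simulate one soft error in the stored word
    print(len(stored), read_word(stored), read_word(flipped))
```

Without the check bits, the same flip would silently turn the stored pointer into a different valid-looking address, which is the condition the paper's attack depends on.
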
  16. In the lab today, in the wild tomorrow... by donert · · Score: 4, Interesting

    This is good stuff. Although the experiment used physical access to stress the memory, the theory could be used as an exploit in real situations in ways that the narrow of mind (like me) cannot conceive.

    Perhaps this is not a method of practical attack on a machine. But it may be just a matter of creative thinking.

    The key take away is to not disallow the possibility.

    Threats you discard as harmless are a logical place for an attacker to begin. Remember the Maginot Line.

  17. Brute force by Xner · · Score: 4, Insightful
    Any encryption can still be broken through though brute force.

    And any literary work can be obtained with an infinite number of monkeys sitting at an infinite number of typewriters for an infinitely long period of time.

    Most serious ciphers attacked using brute force with contemporary technology will probably hold out until the universe's heat death. Not to mention the fact that some experts claim that there simply is not enough energy in the universe to cycle a 128 bit counter through all its states, let alone perform any computations.

    --
    Pathman, Free (as in GPL) 3D Pac Man
  18. palladium by astrashe · · Score: 4, Insightful

    One use for this sort of thing might be to get a palladium system to do something it's not supposed to. In that case you'd have access to your own machine.

    Palladium is just a specialized VM that runs on tamper proof hardware, that's designed to let other people trust the results of some computations performed on your machine.