Slashdot Mirror


Researchers Warn Linux Vendors About Cloud-Memory Hacking Trick (thestack.com)

An anonymous Slashdot reader writes: Hacking researchers have uncovered a new attack technique which can alter the memory of virtual machines in the cloud. The team, based at Vrije Universiteit, Amsterdam, introduced the attack, dubbed Flip Feng Shui (FFS)...and explained that hackers could use the technique to crack the keys of secured VMs or install malicious code without it being noticed...

Using FFS, the attacker rents a VM on the same host as their chosen victim. They then write a memory page which they know exists on the vulnerable memory location and let it de-duplicate. The identical pages, with the same information, will merge in order to save capacity and be stored in the same part of memory of the physical computer. This allows the hacker to change information in the general memory of the computer.

The researchers demonstrated two attacks on Debian and Ubuntu systems -- flipping a bit to change a victim's RSA public key, and installing a software package infected with malware by altering a URL used by apt-get. "Debian, Ubuntu and other companies involved in the research were notified before the paper was published, and have all responded to the issue."

73 comments

  1. Saw this on the register by 0xdeaddead · · Score: 2, Funny

    Remember when stuff like this broke here?

    1. Re:Saw this on the register by pregister · · Score: 5, Funny

      No.

  2. Host Your Own. Cloud Experiment Is A Fail. by zenlessyank · · Score: 3, Insightful

    Looks folks, I know you wanted to save cash for your trips to private islands and jet planes, but sometimes you just have to pony up. Trying to have your shit hosted on a 3rd party platform is foolish. There are more important things than saving a quick buck because you didn't want to buy infrastructure. Welp Too bad.

    1. Re:Host Your Own. Cloud Experiment Is A Fail. by Anonymous Coward · · Score: 0

      Looks folks, I know you wanted to save cash for your trips to private islands and jet planes, but sometimes you just have to pony up. Trying to have your shit hosted on a 3rd party platform is foolish. There are more important things than saving a quick buck because you didn't want to buy infrastructure. Welp Too bad.

      Yes, and while we're at it everyone should throw out these newfangled "computer" thingies and go back to pen and paper. It's so much more secure.

    2. Re:Host Your Own. Cloud Experiment Is A Fail. by segedunum · · Score: 1

      Indeed. Superficially going all cloud looks great to accountants when there's less of an upfront cost...and then the bills come in...every...single...month. The whole point in investing in infrastructure is that you're responsible for your own security and that investment pays off over time. I've lost count of the number of startups who've gone bust because they couldn't pay their AWS bill - and they still don't learn, or where the money is to be made. More high-profile outfits like Netflix will find that out as the investor cash is less forthcoming.

    3. Re:Host Your Own. Cloud Experiment Is A Fail. by Anonymous Coward · · Score: 0

      Really? Run your own LAMP stack or email server when you can spin one up on the cloud for half the cost? The only ones that prefer it in house are the IT folks that sit on their asses all day ignoring the phone. Cloud services tend to be kept up to date and patched better than the set it up and forget it in-house ones.

    4. Re:Host Your Own. Cloud Experiment Is A Fail. by segedunum · · Score: 2

      As soon as you start running servers 24x7 the cloud gets very, very expensive....each and every month. When you have control over your own infrastructure that progressively gets cheaper over time.

      I can also rent a server or a VPS from a decent service provider cheaper, get more performance out of it and have proper support as opposed to AWS's "You might get your EBS snapshots back in a couple of days".

      The only ones that prefer it in house are the IT folks that sit on their asses all day ignoring the phone.

      Get used to being ignored by your cloud provider. You were stupid enough to give your company to an external provider and they have your arse over a barrel. Also, don't get into any payment difficulties each month or it just won't be there. An external provider will ignore you because they know they can get away with it.

      Cloud services tend to be kept up to date and patched better than the set it up and forget it in-house ones.

      ROTFL. Fuck are they. *You* will be responsible for patching and maintaining your own servers in the cloud. If you want a provider to do that for you they will take a pound of flesh off you.......with no accountability. Good luck. I really don't know where people get the idea from that running to the cloud cuts down on system administration.

    5. Re: Host Your Own. Cloud Experiment Is A Fail. by Anonymous Coward · · Score: 0

      Just because you can't run your own infrastructure doesn't mean nobody else can. Cloud security, or lack of it, is grossly under reported because reporting on it might disrupt the trend, and keeping this latest management fantasy alive is buttering the bread of all kinds of purveyors of snake oil.

    6. Re:Host Your Own. Cloud Experiment Is A Fail. by poofmeisterp · · Score: 1

      Looks folks, I know you wanted to save cash for your trips to private islands and jet planes, but sometimes you just have to pony up. Trying to have your shit hosted on a 3rd party platform is foolish. There are more important things than saving a quick buck because you didn't want to buy infrastructure. Welp Too bad.

      This argument has been going on for a century (+?)

      Some bend and try to correct dangerous methods/behaviors and do fairly well. The others like to just watch satellite news on their jet or post-landing on their island and laugh at "those morons".

      Until there is no choice left, the choice is sense of entitlement / waste / fraud / lying^365 / laziness / unwillingness to be the first to adapt and look "weak" to the rest of the entitled.

      It isn't going to change until the pipelines ($) are wiped out and people have to survive on skill and intelligence in the near-wild until recovery is possible (if it is). Lather, rinse, repeat. As long as the resources are available, there's "no need to change anything". That's just how the entitleds' minds operate. There was a movie in the 80s with Eddie Murphy & Dan Aykroyd - Trading Places. Fairly good representation of the must-cutoff-to-change.

    7. Re: Host Your Own. Cloud Experiment Is A Fail. by Anonymous Coward · · Score: 0

      Goddamn you have your head so far up your arse. I can't even bother informing you of all the wrong in your post. Suffice it to say where I work we started with the cloud about 5 years ago, still have stuff in a bunch of DCs but every new system is built in the cloud. It does cost a bit more but you can do more. You need to build differently too. But yeah dumbarses can really screw it up if they still keep thinking in terms of tin.

    8. Re: Host Your Own. Cloud Experiment Is A Fail. by segedunum · · Score: 1

      Hilarious, but that response is not untypical as they thrash around trying to justify their own stupid decisions. You can't inform me of the 'wrong' in my post.....because you simply can't.

      It does cost a bit more but you can do more.

      Everything I did in AWS I could do elsewhere - and more flexibly too, and at an ever decreasing monthly cost.

      But yeah dumbarses can really screw it up if they still keep thinking in terms of tin.

      Yer, tin has always been a problem for me!

  3. I don't get it. by krtek · · Score: 2

    OK, I get the deduplication part to save capacity. But aren't those deduped pages supposed to be treated in CoW manner?

    1. Re:I don't get it. by bokkepoot · · Score: 0

      This is where the rowhammer vulnerability comes in.

    2. Re:I don't get it. by Anonymous Coward · · Score: 0

      RAM is dirt cheap. Can we get ECC support in desktop and mobile CPUs, please?

    3. Re:I don't get it. by TechyImmigrant · · Score: 1

      What makes you think SECDED will protect against row hammer that can flip multiple bits and the linear compensation for the check digits can be computed?

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    4. Re:I don't get it. by TechyImmigrant · · Score: 2

      OK, I get the deduplication part to save capacity. But aren't those deduped pages supposed to be treated in CoW manner?

      Waiting for the cow moos guy to chime in.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    5. Re:I don't get it. by guruevi · · Score: 1

      ECC does not always detect these issues. There are a number of other mitigating techniques with variable success. Whether or not this technique/exploit is useful at all in the wild is another thing.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    6. Re:I don't get it. by Anonymous Coward · · Score: 0

      Unless you flip all bits at the same time, an intermittent read access can cause an ECC error. When bits flip depends on manufacturing tolerances, so they won't all behave exactly the same. ECC RAM may not be able to prevent this attack, but it would make detection much more likely, simply by causing an unusual number of ECC errors.

    7. Re:I don't get it. by a_n_d_e_r_s · · Score: 4, Informative

      Yes, they use Copy on Write. But they use the hardware bug Rawhammer to flip bits without CoW being triggered.

      So it's really an escalation of a hardware bug. So it's not restricted to Linux. Should be able to affect any software running on a multiuser system - regardless of operating system.

      Basically any insecure hardware system affected by Rawhammer is not safe to run multiuser software - since it can be used to manipulate the system.

      --
      Just saying it like it are.
    8. Re:I don't get it. by krtek · · Score: 1

      This is where the rowhammer vulnerability comes in.

      Ah, then it suddenly starts making sense. Thanks.

    9. Re:I don't get it. by Anonymous Coward · · Score: 0

      Want ECC in desktop? Buy AMD.

    10. Re:I don't get it. by jedidiah · · Score: 1

      ...or just be a little less of a cheapskate. Terms like "server" and "desktop" are entirely arbitrary.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    11. Re:I don't get it. by Intron · · Score: 1

      This is not a practical vulnerability in the field. It depends on knowing when a page is de-duped, its physical address, and the DRAM layout. Any address space randomization will defeat it.

      --
      Intron: the portion of DNA which expresses nothing useful.
    12. Re:I don't get it. by Intron · · Score: 1

      Q: Does Amazon EC2 use ECC memory?

      In our experience, ECC memory is necessary for server infrastructure, and all the hardware underlying Amazon EC2 uses ECC memory.

      Most cloud vendors would not be vulnerable to this hack.

      --
      Intron: the portion of DNA which expresses nothing useful.
    13. Re:I don't get it. by Anonymous Coward · · Score: 0

      DRAM layout information is needed, but since the page has been deduped you have access to it and can see what happened to the target process. Maybe difficult to exploit, but certainly not unviable.

    14. Re:I don't get it. by Anonymous Coward · · Score: 0

      Rawhammer? Is that when you pound her asshole with no lube?

    15. Re:I don't get it. by Anonymous Coward · · Score: 0

      I don't need remote administration and all the other hullabaloo that makes a server complicated and expensive. I don't think reliable RAM is too much to ask from a mass market computer even if it's not a server.

    16. Re:I don't get it. by Anonymous Coward · · Score: 0

      Rowhammer works on ECC memory.

    17. Re:I don't get it. by Anonymous Coward · · Score: 0

      There's also "workstations".

    18. Re:I don't get it. by Ungrounded+Lightning · · Score: 4, Informative

      But they use the hardware bug Rawhammer to flip bits without CoW being triggered.

      ROWhammer - "hammering on" the adjacent rows of the memory in the chip - by reading them repeatedly - which causes charge leakage and occasional bit flips in the adjacent row.

      Because the attacking process is only reading the beside-the-target rows, the OS doesn't think the memory is being changed and thus doesn't decombine the two processes' instance of the page.

      I'm surprised that the system is doing page recombine across multiple VMs. While it makes sense from a total resource standpoint (why should each VM have its own instance of a page of mostly-unchanging RAM?) it also makes performance vary more due to activity in other VMs - as well as opening the rowhammer vulnerability to cross-VM exploit.

      --
      Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    19. Re:I don't get it. by skids · · Score: 1

      This is where you get told to RTFA. It's a very good FA, including statistical analyses of success probabilities.

    20. Re:I don't get it. by Intron · · Score: 2

      Bull. Try checking facts.
      http://googleprojectzero.blogs...

      --
      Intron: the portion of DNA which expresses nothing useful.
    21. Re: I don't get it. by Anonymous Coward · · Score: 0

      Yeah, but Intel decided that this generation you can't put Xeons into desktop chipsets anymore. So you'll have to buy a Xeon plus a Xeon board even if all you wanted is to use ECC memory.

    22. Re:I don't get it. by Intron · · Score: 1

      I did. They say "it is unclear" meaning they don't know of any way to exploit this in the real world where ECC is used. Their chart gives probability of success AFTER assuming they can flip a bit in a specific key file.

      --
      Intron: the portion of DNA which expresses nothing useful.
    23. Re: I don't get it. by Anonymous Coward · · Score: 0

      Most people don't have rack space in their home offices. Nobody is ever going to drop a tower into a rack.

      Servers and desktops are different, bro.

    24. Re: I don't get it. by bestweasel · · Score: 1

      Except servers are often very noisy.

    25. Re: I don't get it. by ArmoredDragon · · Score: 1

      I just bought a dell T20 for my home lab and it's even quieter than my desktop. It has all of the usual server features, including ECC.

    26. Re:I don't get it. by Anonymous Coward · · Score: 0

      If it's a single bit error, it detects it 100% of the time and corrects it 100% of the time. If it's two bit errors, it detects it 100% of the time. All other bit errors are detected anywhere from 99.6% of the time to 99.9999999767% of the time, depending on the technology and how many memory channels are involved. You are correct, not all errors will be detected.
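
The ECC claims in this thread (single flips corrected, double flips only detected, larger patterns sometimes missed) can be checked directly. Below is an added example, not code from the article or from anyone in the thread: an extended Hamming SECDED code over 64 data bits with 8 check bits, the same shape as the (72,64) code on common ECC DIMMs; the bit positions and data values it exercises are constructed for the demo.

```python
"""SECDED (single-error-correct, double-error-detect) demonstration.

Added example, not from the article or the thread. One flipped bit is
corrected, two are detected but not corrected, and some three-bit patterns
are silently "corrected" into a different valid word, which is why ECC on
its own cannot be counted on against a multi-bit rowhammer pattern.
"""
from typing import Iterable, List, Tuple

DATA_BITS = 64
CHECK_BITS = 7                 # smallest r with 2**r >= 64 + r + 1
N = DATA_BITS + CHECK_BITS     # Hamming positions 1..71; index 0 is the overall parity

def _data_positions() -> List[int]:
    # Positions 1..N whose index is not a power of two carry data bits;
    # the power-of-two positions 1, 2, 4, ... 64 carry Hamming check bits.
    return [p for p in range(1, N + 1) if p & (p - 1) != 0]

def encode(data: int) -> List[int]:
    """Return the 72-bit codeword as a list of bits indexed 0..71."""
    if not 0 <= data < (1 << DATA_BITS):
        raise ValueError("data must fit in 64 bits")
    word = [0] * (N + 1)
    for i, pos in enumerate(_data_positions()):
        word[pos] = (data >> i) & 1
    # Check bit at position p covers every position whose index has bit p set.
    for k in range(CHECK_BITS):
        p = 1 << k
        word[p] = sum(word[j] for j in range(1, N + 1) if j & p and j != p) & 1
    # The extra overall parity bit is what upgrades plain SEC to SECDED.
    word[0] = sum(word[1:]) & 1
    return word

def decode(word: List[int]) -> Tuple[str, int]:
    """Return (status, data); status is 'ok', 'corrected' or 'uncorrectable'."""
    word = list(word)
    syndrome = 0
    for j in range(1, N + 1):
        if word[j]:
            syndrome ^= j          # XOR of set positions names the faulty bit
    overall = sum(word) & 1        # 1 means an odd number of bits flipped
    if syndrome == 0 and overall == 0:
        status = "ok"
    elif overall == 1:
        # Odd flip count: the decoder assumes exactly one and repairs position
        # `syndrome` (0 is the overall parity bit itself). Three flips also
        # land here and get "repaired" at the wrong place without any warning.
        word[syndrome] ^= 1
        status = "corrected"
    else:
        # Even flip count with a non-zero syndrome: at least two bits flipped.
        # Detected and reported, but no position can be trusted.
        status = "uncorrectable"
    data = 0
    for i, pos in enumerate(_data_positions()):
        data |= word[pos] << i
    return status, data

def flip(word: List[int], positions: Iterable[int]) -> List[int]:
    """Return a copy of the codeword with the given bit positions inverted."""
    out = list(word)
    for p in positions:
        out[p] ^= 1
    return out

def demo(data: int = 0x0123456789ABCDEF) -> dict:
    """Run four constructed cases and return (status, data) keyed by case name."""
    w = encode(data)
    return {
        "clean": decode(w),
        "one_flip": decode(flip(w, [3])),           # position 3 holds data bit 0
        "two_flips": decode(flip(w, [3, 5])),       # data bits 0 and 1
        "three_flips": decode(flip(w, [3, 5, 6])),  # 3 ^ 5 ^ 6 == 0: mimics a parity-bit error
    }

if __name__ == "__main__":
    for name, (status, value) in demo().items():
        print(f"{name:12s} {status:14s} data=0x{value:016X}")
```

The three-flip case comes back as "corrected" with the low three data bits wrong, which is the kind of silent miss the thread is arguing about.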

    27. Re: I don't get it. by RavenLrD20k · · Score: 1

      I can (and have) build a Xeon Server that's extremely quiet and awesomely powerful for about $2700-$2800. That's with Dual Xeon Hex-cores, 64 GB RAM with ECC, 128 GB SSD, and 12 TB of HDD space (before applying RAID). Off of that one physical server, I can easily run 10 separate virtual servers (2 of which I have mimicking a Mainframe through the use of Hercules for the High Volume Data churn that MVS can handle) allowing me to have in-house access to development, testing, and model environments before I publish anything to a cheap VPS for "production". If the VPS goes bust, I'll usually have a backup option set to go live at a moment's notice...again, another cheap VPS instance. And when I say cheap VPS: AWS, Azure, and Google compute are all ripoffs for what I need a VPS for. I could get away with a simple hosting account except for the fact that I demand more control, and with a VPS I can have unlimited local *SQL databases provided I've enough space provisioned, whereas with a Webhost I'm usually limited to 5 on average.

      As far as the monthly cost of running that Server...my summer electric bill has risen $50 because of it. The winter bill has actually gone down $30 against the average since I don't have to heat the house as much. The VPS on the other hand, if the cost of running it increases above $15/mo I'm shopping around for cheaper rates. Over the long term it's cheaper to keep your high end compute in-house and only use an external VPS as a disposable public facing front-end.

    28. Re: I don't get it. by bestweasel · · Score: 1

      It's clearly possible to design a quiet server but it's not usually a major criterion. I was thinking of someone who decides they want to buy one and ends up with something made for a data centre, where pulling air through it is the major concern and noise isn't a factor. Put one of those in an office or even a workshop and you'll soon wish you hadn't.

  4. defective memory is defective by Anonymous Coward · · Score: 0

    It is "just" a rowhammer based attack. If the RAM is defective, it should be replaced.

    1. Re:defective memory is defective by TechyImmigrant · · Score: 1

      It is "just" a rowhammer based attack. If the RAM is defective, it should be replaced.

      It's a how to guide for how to use the rowhammer attack to do real damage.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    2. Re:defective memory is defective by gweihir · · Score: 2

      It is. But AFAIK rowhammer has only been demonstrated against laptops. Laptops often have slowed-down refresh cycles to conserve power. That is what makes rowhammer possible in the first place.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  5. FFS by TechyImmigrant · · Score: 4, Funny

    FFS: I like these researchers. They know a good acronym when they see one.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  6. Re:GPL: Intellectual Theft by Anonymous Coward · · Score: 0

    Thank GOD your IT people researched this BEFORE the time was spent. Good thing I don't use the investment firm, or your services. Thank you for your time.

  7. Re: GPL: Intellectual Theft by Anonymous Coward · · Score: 0

    Enron, is that you!?

  8. Re:GPL: Intellectual Theft by segedunum · · Score: 1

    That is probably the funniest thing I've ever read.

  9. Re:GPL: Intellectual Theft by Anonymous Coward · · Score: 0

    are you going to spam this on every /. article?

  10. Re:GPL: Intellectual Theft by jedidiah · · Score: 1

    You only have to give source to those people you give the binaries to.

    Unless you're giving your precious binaries to your competitors, you don't have to give them the source either.

    As far as that bit about gcc goes, that's just pure bullshit and no self respecting lawyer attach his name to it.

    --
    A Pirate and a Puritan look the same on a balance sheet.
  11. fuuuuuuck this site by Anonymous Coward · · Score: 0

            cloud = hosting by 3rdparty (Score:?)
            by Anonymous Coward on Sunday August 14, 2016 @02:51PM

            wellllllll ...DO HOSTING YOURSELF

            have a nce fbi day.

            5 minute dleay eh , so mght as well type random bullshit while m here mispell as much as possible and basically go jack off then return type some more and hten go shower and eat and then ...then hit submit

            only site i know that does this...guess the fbi have limited resources

    You failed to confirm you are a human. Please start from the beginning and try again. If you are a human, we apologize for the inconvenience.

  12. Re: GPL: Intellectual Theft by Anonymous Coward · · Score: 0

    Yes, otherwise it wouldn't be funny. See every other /. troll meme for reference. At least this one isn't racist, sexist or homophobic and actually is fairly funny, unlike the modern apping app appers guy. Or APK.

  13. Re:GPL: Intellectual Theft by Anonymous Coward · · Score: 0

    It's clearly a joke post, Admiral Aspergers. LOL @ replying seriously to trollbait.

  14. Re:GPL: Intellectual Theft by Anonymous Coward · · Score: 0

    Hmm, it's a bit difficult to believe that no one figured out before the project what GPL meant, but as this was in the finance industry which gave us the recent banking crisis maybe it's not, since not having a f*cking clue is subsidised by the taxpayer why would you need to understand what you are doing?

  15. ASLR by Billly+Gates · · Score: 2

    Windows 7/OpenBSD/MacOSX/Server 2008 R2 and later use virtual ram addresses that are scrambled to prevent this and injections. This is one of the oldest cracker techniques in the book after buffer overflows. Linux doesn't have this?

    1. Re:ASLR by Anonymous Coward · · Score: 4, Informative

      Linux doesn't have [ASLR]?

      *cough*
      https://en.wikipedia.org/wiki/Row_hammer
      *cough*

      1) Linux has ASLR.
      2) ASLR can't do shit for this, not when it's hammering within an already-allocated block.

      "The proof of concept for this approach is provided both as a native code implementation, and as a pure JavaScript implementation that runs on Firefox 39. The JavaScript implementation, called Rowhammer.js, uses large typed arrays and relies on their internal allocation using large pages; as a result, it demonstrates a very high-level exploit of a very low-level vulnerability."

      Randomization of accesses _within_ an allocated block would be next-level shit... stuff that would have a _large_ perf hit and that no widely-used OS does. It's still not clear that that would mitigate Rowhammer... just make it a bit more difficult.

    2. Re:ASLR by Anonymous Coward · · Score: 0

      You just fail to understand the problem that has nothing to do with ASLR. Please read about virtual machines and memory de-duplication.

    3. Re:ASLR by skids · · Score: 1

      TLDR for those who think ASLR protects against this: de-duplication essentially makes all the shared VM RAM into a rather slow content-addressed storage. All you need to know is the content of the page you want to alter, not the address. The authors note that THPs are used to anchor multiple consecutive rows on the attacking VM to consecutive DRAM rows, and after finding a rowhammer bit flip template, fill the victim page with the known content, wait for dedupe, and then hammer the bit flip in again. KSM will break up the THPs so individual pages can be targeted, not just THPs.

      Another TLDR: buy better RAM.

    4. Re:ASLR by CRC'99 · · Score: 2

      You just fail to understand the problem that has nothing to do with ASLR. Please read about virtual machines and memory de-duplication.

      ... and is exactly why you don't deduplicate RAM when hosting VMs...

      --
      Sendmail is like emacs: A nice operating system, but missing an editor and a MTA.
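
On Linux hosts the deduplicator that makes this cross-VM merging possible is KSM (Kernel Samepage Merging), controlled through /sys/kernel/mm/ksm, where `run` is 0 (stopped), 1 (merging) or 2 (stop and unmerge everything already merged). As an added example, not code from the thread or from any project it mentions, this audit reports whether a host is still merging guest pages and offers the unmerge step; the sysfs directory is a parameter so the check can be exercised on a constructed copy rather than a live host.

```python
"""KSM audit for a Linux VM host: is guest RAM being deduplicated?

Added example, not from the article or the thread. Reads the real KSM knobs
under /sys/kernel/mm/ksm (run, pages_shared, pages_sharing); the sample
sysfs tree builder below is constructed only so the audit runs offline.
"""
import os
import tempfile
from dataclasses import dataclass
from typing import Optional

KSM_DIR = "/sys/kernel/mm/ksm"

@dataclass
class KsmFinding:
    present: bool          # KSM is compiled into this kernel at all
    run: int               # value of the 'run' knob: 0 stopped, 1 merging, 2 unmerged
    pages_shared: int      # KSM-owned pages that back more than one virtual page
    pages_sharing: int     # virtual pages currently pointed at a shared page
    risk: str              # 'none', 'merged-pages-remain' or 'active'

def _read_int(path: str) -> int:
    with open(path) as fh:
        return int(fh.read().strip())

def audit_ksm(ksm_dir: str = KSM_DIR) -> KsmFinding:
    """Classify the host: merging still running, stopped but pages still shared, or clean."""
    if not os.path.isfile(os.path.join(ksm_dir, "run")):
        return KsmFinding(False, 0, 0, 0, "none")
    run = _read_int(os.path.join(ksm_dir, "run"))
    shared = _read_int(os.path.join(ksm_dir, "pages_shared"))
    sharing = _read_int(os.path.join(ksm_dir, "pages_sharing"))
    if run == 1:
        risk = "active"                 # the scanner keeps creating new shared pages
    elif sharing > 0:
        risk = "merged-pages-remain"    # scanner stopped, earlier merges still shared
    else:
        risk = "none"
    return KsmFinding(True, run, shared, sharing, risk)

def disable_and_unmerge(ksm_dir: str = KSM_DIR) -> None:
    """Stop the KSM scanner and split every merged page back into private copies."""
    with open(os.path.join(ksm_dir, "run"), "w") as fh:
        fh.write("2\n")

def make_sample_sysfs(root: Optional[str], run: int, shared: int, sharing: int) -> str:
    """Constructed stand-in for /sys/kernel/mm/ksm so the audit can run offline."""
    if root is None:
        root = tempfile.mkdtemp(prefix="ksm-demo-")
    ksm = os.path.join(root, "ksm")
    os.makedirs(ksm, exist_ok=True)
    for name, value in (("run", run), ("pages_shared", shared), ("pages_sharing", sharing)):
        with open(os.path.join(ksm, name), "w") as fh:
            fh.write(f"{value}\n")
    return ksm

if __name__ == "__main__":
    finding = audit_ksm()
    print(finding)
    if finding.present and finding.risk != "none":
        print("guest pages can be merged across VMs; run disable_and_unmerge() as root")
```

On a real host, writing 2 to `run` also makes the kernel drop `pages_sharing` to 0; the constructed sample tree does not emulate that, so after unmerging it still reports the leftover merged pages.
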
    5. Re:ASLR by Anonymous Coward · · Score: 0

      > ... and is exactly why you don't deduplicate RAM when hosting VMs..

      If their servers were properly configured with ECC RAM that halted the system when it encountered an error, this would not be a security issue.

    6. Re:ASLR by daboochmeister · · Score: 1

      > ... and is exactly why you don't deduplicate RAM when hosting VMs..

      If their servers were properly configured with ECC RAM that halted the system when it encountered an error, this would not be a security issue.

      Well ... except as a DoS attack, of course.

      --
      "Ahh! I see you're in that indeterminate Schrodinger state where - oh, uh ... never mind." Dave Bucci
  16. Re: Debian is FBI - FBI MURDERED IAN MURDOCK by Anonymous Coward · · Score: 0

    Israel hacked your brain dude, get a replacement.

  17. Re:GPL: Intellectual Theft by Billly+Gates · · Score: 1

    You forgot the $799 per core SCO licensing in your email

  18. Has anybody demonstrated rowhammer in the wild? by gweihir · · Score: 1

    Except against laptops, that is often easy as they use too slow refresh-cycles to save power. That makes rowhammer very easy.

    But I have yet to find a credible example of it working _at_ _all_ against correctly refreshed memory.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:Has anybody demonstrated rowhammer in the wild? by Anonymous Coward · · Score: 0

      It works, yes. To the point that the non-joke server vendors issued BIOS/UEFI updates that toggled a few chicken bits in the Intel memory controllers (don't know about AMD) to increase the refresh rate, and enabled ECC patrol scrub by default (ECC has high chances of undoing rowhammer damage, especially the better kinds of ECC you will find in non-cheap-o E7-based servers that go a lot further than SECDED).

  19. Re:GPL: Intellectual Theft by Anonymous Coward · · Score: 0

    Furthermore, after reviewing this GPL our lawyers advised us that any
    products compiled with GPL'ed tools - such as gcc - would also have to
    its source code released. This was simply unacceptable.

    No, no, no! Only if you publish the new kernel that you made are you required
    to provide the source and the changes you have made. If you keep it totally
    in-house, there is no requirement to release _anything_.

    Let's say you modify the kernel to work in some widget you're going to market and sell.
    When you sell the widget that runs your enhanced kernel, the GPL requires you to
    make your enhancements available in source form. But if your kernel enhancements
    are used by the company coffee making machine *internally*, those changes are not
    required to be "released." Of course, it's always good to contribute to the community,
    but it's not a requirement under those circumstances.

    Sorry, but your lawyers did not understand what they read in the GPL.

    CAP === 'hitter'

  20. Linux FIRST to implement ASLR. by tpgp · · Score: 4, Interesting

    OK, I know you're trolling, but in case anyone is stupid enough to believe you:

    From Wikipedia's ASLR page:

    History

    The Linux PaX project first coined the term "ASLR", and published the first design and implementation of ASLR in July 2001. It is seen as the most complete implementation, providing also kernel stack randomization since October 2002. Compared to other implementations, it is also seen to provide the best layout randomization.

    --
    My pics.
  21. how does this work by samantha · · Score: 3, Insightful

    How does the attacker know what memory pages are what in the targets VM space? That seems like quite a trick. Or is Amazon sharing various pages among all machines that are known to the public somehow? I am not a cracker myself so I don't really get how the attacker has this information.

    1. Re:how does this work by Anonymous Coward · · Score: 0

      The system takes care of that for the attacker. Per the summary, attacker generates a page identical to one known to exist in another VM, such as excerpts from a common executable that's likely to be in the disk cache, or heap pages of a running daemon. At some point, the system deduplicates memory, such that both VMs now refer to the same piece of physical memory. Then, by attacking their own "copy" of the page using rowhammer or another hardware bug, the attacker can alter this memory across all VMs.

    2. Re:how does this work by Anonymous Coward · · Score: 0

      They somehow, magically, figure out the content of the page in the VM that holds the all important key. Then they make their own page containing the exact same thing and wait. After a while the two pages will be merged by the hypervisor to save RAM. Next they exploit the rowhammer hardware bug to change the physical memory without accessing it (they only access other memory rows).

      They do have to already know what the page looks like to attack it. All I can think of is that they have previous knowledge of the data in the page. Maybe the key is public and large enough to fill a page or the remaining content of the page is always the same.

  22. Just because the article is about FFS ... by daboochmeister · · Score: 1

    ... doesn't mean you have to try to elicit that response from us.

    --
    "Ahh! I see you're in that indeterminate Schrodinger state where - oh, uh ... never mind." Dave Bucci
  23. Old hat by Anonymous Coward · · Score: 0

    Isn't that old hat? I remember when row hammer came out there was a big warning about not using shared pages in VMs because it would allow exactly this kind of manipulation. Same goes for all manner of cache attacks that only work with shared pages.

    So what exactly is new here? Did they just show that what everybody said is possible really is possible?