Researchers Warn Linux Vendors About Cloud-Memory Hacking Trick (thestack.com)
An anonymous Slashdot reader writes:
Hacking researchers have uncovered a new attack technique which can alter the memory of virtual machines in the cloud. The team, based at Vrije Universiteit, Amsterdam, introduced the attack, dubbed Flip Feng Shui (FFS)...and explained that hackers could use the technique to crack the keys of secured VMs or install malicious code without it being noticed...
Using FFS, the attacker rents a VM on the same host as their chosen victim. They then write a memory page which they know exists on the vulnerable memory location and let it de-duplicate. The identical pages, with the same information, will merge in order to save capacity and be stored in the same part of memory of the physical computer. This allows the hacker to change information in the general memory of the computer.
The researchers demonstrated two attacks on Debian and Ubuntu systems -- flipping a bit to change a victim's RSA public key, and installing a software package infected with malware by altering a URL used by apt-get. "Debian, Ubuntu and other companies involved in the research were notified before the paper was published, and have all responded to the issue."
Yes, they use Copy on Write. But they use the hardware bug Rowhammer to flip bits without CoW being triggered.
So it's really an escalation of a hardware bug. So it's not restricted to Linux. Should be able to affect any software running on a multiuser system - regardless of operating system.
Basically any insecure hardware system affected by Rowhammer is not safe to run multiuser software - since it can be used to manipulate the system.
Just saying it like it are.
Linux doesn't have [ASLR]?
*cough*
https://en.wikipedia.org/wiki/Row_hammer
*cough*
1) Linux has ASLR.
2) ASLR can't do shit for this, not when it's hammering within an already-allocated block.
"The proof of concept for this approach is provided both as a native code implementation, and as a pure JavaScript implementation that runs on Firefox 39. The JavaScript implementation, called Rowhammer.js, uses large typed arrays and relies on their internal allocation using large pages; as a result, it demonstrates a very high-level exploit of a very low-level vulnerability."
Randomization of accesses _within_ an allocated block would be next-level shit... stuff that would have a _large_ perf hit and that no widely-used OS does. It's still not clear that that would mitigate Rowhammer... just make it a bit more difficult.
But they use the hardware bug Rowhammer to flip bits without CoW being triggered.
ROWhammer - "hammering on" the adjacent rows of the memory in the chip - by reading them repeatedly - which causes charge leakage and occasional bit flips in the adjacent row.
Because the attacking process is only reading the beside-the-target rows, the OS doesn't think the memory is being changed and thus doesn't decombine the two processes' instances of the page.
I'm surprised that the system is doing page recombine across multiple VMs. While it makes sense from a total resource standpoint (why should each VM have its own instance of a page of mostly-unchanging RAM?) it also makes performance vary more due to activity in other VMs - as well as opening the rowhammer vulnerability to cross-VM exploit.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
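The de-duplication step in the summary and the "page recombine across multiple VMs" the comment above is surprised by are, on a Linux KVM host, the kernel's same-page merging (KSM) feature. The script below is an added example, not code from the article, the researchers, or any commenter: it audits whether KSM is merging pages on a host and, if so, switches it to "stop and unmerge" so already-shared pages are split back into per-VM copies. It assumes the standard sysfs interface under /sys/kernel/mm/ksm (the `run` file: 0 = stopped, 1 = merging, 2 = stop and unmerge); the functions take the path as a parameter so they can be exercised against a constructed copy of that tree without root.

```shell
#!/bin/sh
# Added example (not from the Slashdot story or its commenters).
# Assumption: the host exposes Linux KSM controls under /sys/kernel/mm/ksm.
# Override KSM_DIR to audit a different location (e.g. a test copy of the tree).
KSM_DIR="${KSM_DIR:-/sys/kernel/mm/ksm}"

# ksm_status RUN_FILE -> prints one of: absent disabled merging unmerging unknown
ksm_status() {
  f="$1"
  [ -r "$f" ] || { echo absent; return 0; }
  case "$(cat "$f")" in
    0) echo disabled ;;
    1) echo merging ;;      # pages from different VMs can be merged (the risky state)
    2) echo unmerging ;;    # merging stopped and previously shared pages split again
    *) echo unknown ;;
  esac
}

# ksm_risk RUN_FILE -> returns 0 when cross-VM page merging is off, 1 when it is on
ksm_risk() {
  case "$(ksm_status "$1")" in
    merging) return 1 ;;
    *) return 0 ;;
  esac
}

# ksm_disable RUN_FILE -> write 2 so the kernel stops merging AND unmerges shared pages.
# Writing 0 would only stop new merges and leave existing shared pages in place.
# On a real host this needs root; on sysfs the write takes effect immediately.
ksm_disable() {
  printf '2\n' > "$1"
}

# ksm_report KSM_DIR -> human-readable audit of the merge state and shared-page counters
ksm_report() {
  dir="$1"
  echo "ksm run state: $(ksm_status "$dir/run")"
  for counter in pages_shared pages_sharing; do
    [ -r "$dir/$counter" ] && echo "$counter: $(cat "$dir/$counter")"
  done
  if ksm_risk "$dir/run"; then
    echo "memory deduplication is off: VMs do not share physical pages"
  else
    echo "WARNING: KSM is merging pages; run 'ksm_disable $dir/run' as root to stop and unmerge"
  fi
}

# Usage: sh ksm_audit.sh --audit        (reads the live host; --fix additionally disables KSM)
case "${1:-}" in
  --audit) ksm_report "$KSM_DIR" ;;
  --fix)   ksm_disable "$KSM_DIR/run" && ksm_report "$KSM_DIR" ;;
esac
```

`pages_sharing` is the number of guest pages currently backed by a single merged copy, so a non-zero value after disabling means the unmerge has not finished yet; re-run the audit until it reads 0. Disabling KSM trades the memory savings the comment above mentions for per-VM isolation of physical pages, which is the host-side mitigation the vendors' responses to the paper point at.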